Why is a violation I expected not throwing an error?
If you test your validation logic and find that the constraint isn't throwing an error when it should be, this might be a result of one or more of the following:
- Is your policy library set up correctly? Verify that your policy library contains a policies/constraints directory, and that this directory contains the constraint you are expecting to cause a violation.
- Is the Terraform resource that contains the violation a supported resource? gcloud beta terraform vet can only check for violations in resources that are supported in its version. Re-run your command with --verbosity=debug and look for a message like: unsupported resource: google_resource_name. Alternatively, check whether your resource is in the list of supported resources.
- Is your constraint targeting the correct Terraform resource?
  - Check the kind field of the constraint. It should be something like: GCPAppengineLocationConstraintV1
  - Search the policies/templates directory for a template that has the same value for spec.crd.spec.names.kind.
  - In the rego field of that template, look for something like: asset.asset_type == "appengine.googleapis.com/Application". This is the CAI Asset Type that the constraint targets.
  - Make sure that this CAI Asset Type is in the list of supported resources.
- Check the
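The constraint-to-asset-type trace in the checklist above can be scripted so that it is repeatable across a whole policy library. The following is an added example and is not part of this page or of the gcloud tooling: it reads the constraint's kind, finds the template under policies/templates whose spec.crd.spec.names.kind matches, pulls the asset.asset_type literal out of that template's rego, and compares it against a list of supported asset types. The policy library it writes to a temporary directory, the SUPPORTED list, and the made-up orphan constraint are constructed for the demonstration; the small line-based YAML reading stands in for a real YAML parser and assumes the layout shown.

```python
import os
import re
import tempfile

# Matches the rego comparison quoted in the checklist above, e.g.
#   asset.asset_type == "appengine.googleapis.com/Application"
ASSET_TYPE_RE = re.compile(r'asset\.asset_type\s*==\s*"([^"]+)"')

# Constructed subset of supported CAI asset types; consult the real list.
SUPPORTED = ["appengine.googleapis.com/Application", "compute.googleapis.com/Instance"]


def constraint_kind(text):
    """Top-level kind of a constraint YAML, e.g. GCPAppengineLocationConstraintV1."""
    m = re.search(r"^kind:\s*(\S+)\s*$", text, re.M)
    return m.group(1) if m else None


def template_kind(text):
    """spec.crd.spec.names.kind of a template: the kind nested under 'names:'."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "names:":
            continue
        indent = len(line) - len(line.lstrip())
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                break  # left the names: block without finding a kind
            m = re.match(r"\s*kind:\s*(\S+)", nxt)
            if m:
                return m.group(1)
    return None


def diagnose(policy_library, constraint_file, supported_asset_types):
    """Constraint -> template -> rego asset type -> supported list; 'problem' is None if it can fire."""
    cpath = os.path.join(policy_library, "policies", "constraints", constraint_file)
    if not os.path.isfile(cpath):
        return {"problem": f"{constraint_file} is not under policies/constraints"}
    with open(cpath) as fh:
        kind = constraint_kind(fh.read())

    asset_types, matched = set(), 0
    for root, _, files in os.walk(os.path.join(policy_library, "policies", "templates")):
        for name in sorted(files):
            if not name.endswith((".yaml", ".yml")):
                continue
            with open(os.path.join(root, name)) as fh:
                text = fh.read()
            if template_kind(text) == kind:
                matched += 1
                asset_types.update(ASSET_TYPE_RE.findall(text))
    if matched == 0:
        return {"kind": kind, "problem": f"no template has spec.crd.spec.names.kind == {kind}"}

    unsupported = sorted(asset_types - set(supported_asset_types))
    problem = None
    if not asset_types:
        problem = "template rego never compares asset.asset_type to a literal"
    elif unsupported:
        problem = "unsupported CAI asset type(s): " + ", ".join(unsupported)
    return {"kind": kind, "asset_types": sorted(asset_types), "problem": problem}


# Constructed sample files: Gatekeeper-style layout, made-up content.
CONSTRAINT = """apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPAppengineLocationConstraintV1
metadata:
  name: appengine_location
"""
TEMPLATE = """apiVersion: templates.gatekeeper.sh/v1alpha1
kind: ConstraintTemplate
spec:
  crd:
    spec:
      names:
        kind: GCPAppengineLocationConstraintV1
  targets:
    - target: validation.gcp.forsetisecurity.org
      rego: |
        package templates.gcp.GCPAppengineLocationConstraintV1
        deny[{"msg": msg}] {
          asset := input.asset
          asset.asset_type == "appengine.googleapis.com/Application"
          msg := "location check elided in this constructed sample"
        }
"""
FILES = {
    "policies/constraints/appengine_location.yaml": CONSTRAINT,
    # A constraint whose kind has no template: a common cause of "no violation".
    "policies/constraints/orphan.yaml": CONSTRAINT.replace(
        "GCPAppengineLocationConstraintV1", "GCPNoSuchConstraintV1"),
    "policies/templates/gcp_appengine_location_v1.yaml": TEMPLATE,
}


def build_sample_library():
    """Write the constructed library to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="policy-library-")
    for rel, text in FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root
```

Running diagnose(build_sample_library(), "appengine_location.yaml", SUPPORTED) reports no problem, while "orphan.yaml" is flagged for having no matching template and a file that is not under policies/constraints is flagged as such; swapping SUPPORTED for a list without the App Engine asset type reproduces the unsupported-resource case.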
Why am I getting an error saying that no project is defined?
Resource ancestry is used to build an accurate CAI Asset Name. If gcloud beta terraform vet can't automatically determine the ancestry for a CAI Asset, it returns an error saying: project: required field is not set. You can provide a default project with the --project flag or by setting one using gcloud config.
Why am I getting an error saying getting resource ancestry for project PROJECT_ID: googleapi: Error 403: The caller does not have permission, forbidden?
Run the command with --verbosity=debug and look for a message like Terraform is using this identity: . It should be followed by an email address, which is the account being used for API requests.
- If there is no email address, make sure that your authentication is working properly.
- If there is an email address, but it's not the service account that you wanted to impersonate, make sure that your service account impersonation is set up correctly.
- If the correct email address is showing, make sure that it has the following permissions on the project:
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.get
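Reading the --verbosity=debug output for the unsupported resource: lines (first question above) and the Terraform is using this identity: line (this question) can be automated, which helps when the output is long or collected from CI. This is an added example, not part of this page or of gcloud: the exact text surrounding those two fragments in real debug output is an assumption, so the patterns key only on the fragments quoted above, and the sample debug output, resource names and account names are constructed.

```python
import re

# Message fragments quoted on this page; the rest of each debug line is an
# assumption, so the patterns key only on the quoted text.
UNSUPPORTED_RE = re.compile(r"unsupported resource:\s*(google_\w+)")
IDENTITY_RE = re.compile(r"Terraform is using this identity:[ \t]*(\S*)")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Project-level permissions the identity needs to resolve resource ancestry.
REQUIRED_PERMISSIONS = ("resourcemanager.projects.getIamPolicy",
                        "resourcemanager.projects.get")


def unsupported_resources(debug_output):
    """Terraform resource types the tool reported as unsupported, deduplicated."""
    return sorted(set(UNSUPPORTED_RE.findall(debug_output)))


def identity(debug_output):
    """Email after the identity line, or None if the line is missing or empty."""
    m = IDENTITY_RE.search(debug_output)
    if m is None or not EMAIL_RE.match(m.group(1)):
        return None
    return m.group(1)


def triage_403(debug_output, expected_account=None):
    """Map the three cases in the checklist above to (category, next step)."""
    who = identity(debug_output)
    if who is None:
        return ("auth", "no identity email in debug output: check gcloud authentication")
    if expected_account and who.lower() != expected_account.lower():
        return ("impersonation",
                f"requests run as {who}, not {expected_account}: check impersonation setup")
    return ("permissions",
            f"grant {who} {' and '.join(REQUIRED_PERMISSIONS)} on the project")


# Constructed debug output; not captured from a real run.
SAMPLE_DEBUG = """\
DEBUG: unsupported resource: google_made_up_resource_b
DEBUG: unsupported resource: google_made_up_resource_a
DEBUG: unsupported resource: google_made_up_resource_b
DEBUG: Terraform is using this identity: vet-runner@example-project.iam.gserviceaccount.com
DEBUG: getting resource ancestry for project example-project: googleapi: Error 403: The caller does not have permission, forbidden
"""

if __name__ == "__main__":
    print("skipped:", unsupported_resources(SAMPLE_DEBUG))
    print("identity:", identity(SAMPLE_DEBUG))
    print(triage_403(SAMPLE_DEBUG, "other@example-project.iam.gserviceaccount.com"))
    print(triage_403(SAMPLE_DEBUG))
```

Pass the account you intend to impersonate as expected_account; when it matches the identity line, the only remaining cause the checklist leaves is the two project permissions, which is what the "permissions" branch reports.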