Stay organized with collections
Save and categorize content based on your preferences.
Why is a violation I expected not throwing an error?
If you test your validation logic and find that the constraint isn't throwing an
error when it should be, this might be a result of one or more of the following:
Is your policy-library set up correctly? Verify that your policy library
contains a policies/constraints directory, which contains the constraint
you are expecting to cause a violation.
Is the Terraform resource that contains the violation a supported
resource?gcloud beta terraform vet can only check for violations for resources
that are supported in its version. Re-run your command with
--verbosity=debug and look for a message like: unsupported resource:
google_resource_name. Or you can check whether your resource is in the list
of
supported resources.
Is your constraint targeting the correct Terraform resource?
Check the kind field of the constraint. It should be something like:
GCPAppengineLocationConstraintV1
Search the policies/templates directory for a policy that has the same
value for spec.crd.spec.names.kind
In the rego field, look for something like: asset.asset_type ==
"appengine.googleapis.com/Application". This is the
CAI Asset Type that the
constraint targets.
Why am I getting an error saying that no project is defined?
Resource Ancestry is used to build an accurate CAI Asset Name. If
gcloud beta terraform vet can't automatically determine the ancestry for a CAI Asset,
it will return an error saying: project: required field is not set. You can
provide a default project with the --project flag or by setting one using
gcloud config.
Why am I getting an error saying getting resource ancestry for project PROJECT_ID: googleapi: Error 403: The caller does not have permission, forbidden?
Run the command with --verbosity=debug and look for a message like Terraform
is using this identity:. It should be followed by an email address, which is
the account being used for API requests.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003ePre-General Availability (Pre-GA) products and features are governed by the "Pre-GA Offerings Terms" in the General Service Terms.\u003c/p\u003e\n"],["\u003cp\u003ePre-GA offerings are provided "as is" with potentially limited support, as detailed in the launch stage descriptions.\u003c/p\u003e\n"],["\u003cp\u003eConstraint violations may not trigger errors if the policy library is incorrectly set up, the resource is unsupported, or the constraint targets the wrong resource type.\u003c/p\u003e\n"],["\u003cp\u003eThe error "project: required field is not set" indicates that the tool cannot determine the CAI Asset's ancestry and requires a project to be specified.\u003c/p\u003e\n"],["\u003cp\u003eA "permission denied" error when getting resource ancestry suggests an authentication issue or insufficient permissions for the specified identity.\u003c/p\u003e\n"]]],[],null,["# Troubleshoot gcloud beta terraform vet\n\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nWhy is a violation I expected not throwing an error?\n----------------------------------------------------\n\nIf you test your validation logic and find that the constraint isn't throwing an\nerror when it should be, this might be a result of one or more of the following:\n\n- **Is your policy-library set up correctly?** Verify that your policy library contains a `policies/constraints` directory, which contains the constraint you are expecting to cause a violation.\n- **Is the Terraform resource that contains the violation a supported\n resource?** `gcloud beta terraform vet` can only check for violations for resources that are supported in its version. Re-run your command with `--verbosity=debug` and look for a message like: `unsupported resource:\n google_resource_name`. Or you can check whether your resource is in the list of [supported resources](/docs/cloud-asset-inventory/overview#supported_resource_types).\n- **Is your constraint targeting the correct Terraform resource?**\n\n 1. Check the `kind` field of the constraint. It should be something like: `GCPAppengineLocationConstraintV1`\n 2. Search the `policies/templates` directory for a policy that has the same value for `spec.crd.spec.names.kind`\n 3. In the `rego` field, look for something like: `asset.asset_type ==\n \"appengine.googleapis.com/Application\"`. This is the [CAI Asset Type](/asset-inventory/docs/supported-asset-types) that the constraint targets.\n 4. Make sure that the CAI Asset Type is in the list of [supported resources](/docs/cloud-asset-inventory/overview#supported_resource_types).\n\nWhy am I getting an error saying that no project is defined?\n------------------------------------------------------------\n\nResource Ancestry is used to build an accurate CAI Asset Name. If\n`gcloud beta terraform vet` can't automatically determine the ancestry for a CAI Asset,\nit will return an error saying: `project: required field is not set`. You can\nprovide a default project with the `--project` flag or by setting one using\n[`gcloud config`](/sdk/gcloud/reference/config).\n\nWhy am I getting an error saying `getting resource ancestry for project PROJECT_ID: googleapi: Error 403: The caller does not have permission, forbidden`?\n----------------------------------------------------------------------------------------------------------------------------------------------------------\n\nRun the command with `--verbosity=debug` and look for a message like `Terraform\nis using this identity:`. It should be followed by an email address, which is\nthe account being used for API requests.\n\n- If there is no email address, then [make sure that your authentication is working properly](/sdk/gcloud/reference/auth).\n- If there is an email address, but it's not the service account that you wanted to impersonate, then [make sure that your service account impersonation is set up correctly](/sdk/gcloud/reference#--impersonate-service-account)\n- If the correct email address is showing, make sure that it has the following permissions on the project:\n - `getIamPolicy`\n - `resourcemanager.projects.get`"]]
