Stay organized with collectionsSave and categorize content based on your preferences.
Why is a violation I expected not throwing an error?
If you test your validation logic and find that the constraint isn't throwing an
error when it should be, this might be a result of one or more of the following:
Is your policy-library set up correctly?Verify that your policy library
contains apolicies/constraintsdirectory, which contains the constraint
you are expecting to cause a violation.
Is the Terraform resource that contains the violation a supported
resource?gcloud beta terraform vetcan only check for violations for resources
that are supported in its version. Re-run your command with--verbosity=debugand look for a message like:unsupported resource:
google_resource_name. Or you can check whether your resource is in the list
ofsupported resources.
Is your constraint targeting the correct Terraform resource?
Check thekindfield of the constraint. It should be something like:GCPAppengineLocationConstraintV1
Search thepolicies/templatesdirectory for a policy that has the same
value forspec.crd.spec.names.kind
In theregofield, look for something like:asset.asset_type ==
"appengine.googleapis.com/Application". This is theCAI Asset Typethat the
constraint targets.
Why am I getting an error saying that no project is defined?
Resource Ancestry is used to build an accurate CAI Asset Name. Ifgcloud beta terraform vetcan't automatically determine the ancestry for a CAI Asset,
it will return an error saying:project: required field is not set. You can
provide a default project with the--projectflag or by setting one usinggcloud config.
Why am I getting an error sayinggetting resource ancestry for project PROJECT_ID: googleapi: Error 403: The caller does not have permission, forbidden?
Run the command with--verbosity=debugand look for a message likeTerraform
is using this identity:. It should be followed by an email address, which is
the account being used for API requests.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003ePre-General Availability (Pre-GA) products and features are governed by the "Pre-GA Offerings Terms" in the General Service Terms.\u003c/p\u003e\n"],["\u003cp\u003ePre-GA offerings are provided "as is" with potentially limited support, as detailed in the launch stage descriptions.\u003c/p\u003e\n"],["\u003cp\u003eConstraint violations may not trigger errors if the policy library is incorrectly set up, the resource is unsupported, or the constraint targets the wrong resource type.\u003c/p\u003e\n"],["\u003cp\u003eThe error "project: required field is not set" indicates that the tool cannot determine the CAI Asset's ancestry and requires a project to be specified.\u003c/p\u003e\n"],["\u003cp\u003eA "permission denied" error when getting resource ancestry suggests an authentication issue or insufficient permissions for the specified identity.\u003c/p\u003e\n"]]],[],null,["# Troubleshoot gcloud beta terraform vet\n\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nWhy is a violation I expected not throwing an error?\n----------------------------------------------------\n\nIf you test your validation logic and find that the constraint isn't throwing an\nerror when it should be, this might be a result of one or more of the following:\n\n- **Is your policy-library set up correctly?** Verify that your policy library contains a `policies/constraints` directory, which contains the constraint you are expecting to cause a violation.\n- **Is the Terraform resource that contains the violation a supported\n resource?** `gcloud beta terraform vet` can only check for violations for resources that are supported in its version. Re-run your command with `--verbosity=debug` and look for a message like: `unsupported resource:\n google_resource_name`. Or you can check whether your resource is in the list of [supported resources](/docs/cloud-asset-inventory/overview#supported_resource_types).\n- **Is your constraint targeting the correct Terraform resource?**\n\n 1. Check the `kind` field of the constraint. It should be something like: `GCPAppengineLocationConstraintV1`\n 2. Search the `policies/templates` directory for a policy that has the same value for `spec.crd.spec.names.kind`\n 3. In the `rego` field, look for something like: `asset.asset_type ==\n \"appengine.googleapis.com/Application\"`. This is the [CAI Asset Type](/asset-inventory/docs/supported-asset-types) that the constraint targets.\n 4. Make sure that the CAI Asset Type is in the list of [supported resources](/docs/cloud-asset-inventory/overview#supported_resource_types).\n\nWhy am I getting an error saying that no project is defined?\n------------------------------------------------------------\n\nResource Ancestry is used to build an accurate CAI Asset Name. If\n`gcloud beta terraform vet` can't automatically determine the ancestry for a CAI Asset,\nit will return an error saying: `project: required field is not set`. You can\nprovide a default project with the `--project` flag or by setting one using\n[`gcloud config`](/sdk/gcloud/reference/config).\n\nWhy am I getting an error saying `getting resource ancestry for project PROJECT_ID: googleapi: Error 403: The caller does not have permission, forbidden`?\n----------------------------------------------------------------------------------------------------------------------------------------------------------\n\nRun the command with `--verbosity=debug` and look for a message like `Terraform\nis using this identity:`. It should be followed by an email address, which is\nthe account being used for API requests.\n\n- If there is no email address, then [make sure that your authentication is working properly](/sdk/gcloud/reference/auth).\n- If there is an email address, but it's not the service account that you wanted to impersonate, then [make sure that your service account impersonation is set up correctly](/sdk/gcloud/reference#--impersonate-service-account)\n- If the correct email address is showing, make sure that it has the following permissions on the project:\n - `getIamPolicy`\n - `resourcemanager.projects.get`"]]
