Open tamselr opened 2 years ago
```json
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 7,
      "message": "(Dry Run Mode) Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: Vtjxgzcq2heG_g1ywbIWRW1Aq88cs_NCpVprt2BrU1S32nzbSvctCA",
      "details": [
        {
          "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
          "violations": [
            {
              "type": "VPC_SERVICE_CONTROLS",
              "description": "Vtjxgzcq2heG_g1ywbIWRW1Aq88cs_NCpVprt2BrU1S32nzbSvctCA"
            }
          ]
        }
      ]
    },
    "authenticationInfo": {
      "principalEmail": "o1234567890-254182@gcp-sa-logging.iam.gserviceaccount.com"
    },
    "requestMetadata": {
      "callerIp": "private",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "bigquery.googleapis.com",
    "methodName": "google.cloud.bigquery.v2.TableDataService.InsertAll",
    "resourceName": "projects/396903001122",
    "metadata": {
      "vpcServiceControlsUniqueId": "Vtjxgzcq2heG_g1ywbIWRW1Aq88cs_NCpVprt2BrU1S32nzbSvctCA",
      "resourceNames": [
        "gcp-prod-sec-logstore-66d6",
        "organizations/1234567890"
      ],
      "ingressViolations": [
        {
          "targetResource": "projects/396903001122",
          "servicePerimeter": "accessPolicies/1093961377651/servicePerimeters/landingzone_perimeter",
          "source": "organizations/1234567890"
        }
      ],
      "securityPolicyInfo": {
        "servicePerimeterName": "accessPolicies/1093961377651/servicePerimeters/landingzone_perimeter",
        "organizationId": "1234567890"
      },
      "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata",
      "dryRun": true,
      "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER"
    }
  },
  "insertId": "1xx7rlie3gtkf",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "project_id": "gcp-prod-sec-logstore-66d6",
      "service": "bigquery.googleapis.com",
      "method": "google.cloud.bigquery.v2.TableDataService.InsertAll"
    }
  },
  "timestamp": "2022-01-05T11:07:21.970849917Z",
  "severity": "ERROR",
  "logName": "projects/gcp-prod-sec-logstore-66d6/logs/cloudaudit.googleapis.com%2Fpolicy",
  "receiveTimestamp": "2022-01-05T11:07:22.347746776Z"
}
```
Looks like the error is coming from the API and is not really related to the Terraform provider.
I'd guess the target project is not in the same service perimeter as the sink, but I'm not an expert on these resources.
Request to help me resolve this error: Log sink request is prohibited by org policy, "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER"
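An added triage helper, not part of the original issue or of the Terraform provider: it pulls from a VPC Service Controls audit entry the fields that show which perimeter boundary was crossed, by which identity, and whether the denial was enforced or dry-run only. The function name `summarize_vpcsc_violation` and the output key names are hypothetical; the sample is a trimmed copy of the entry posted above.

```python
import json

# Trimmed copy of the audit entry posted in this issue (only the fields used for triage).
ENTRY = json.loads("""
{"protoPayload": {
  "authenticationInfo": {"principalEmail": "o1234567890-254182@gcp-sa-logging.iam.gserviceaccount.com"},
  "serviceName": "bigquery.googleapis.com",
  "methodName": "google.cloud.bigquery.v2.TableDataService.InsertAll",
  "metadata": {
    "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata",
    "vpcServiceControlsUniqueId": "Vtjxgzcq2heG_g1ywbIWRW1Aq88cs_NCpVprt2BrU1S32nzbSvctCA",
    "ingressViolations": [{
      "targetResource": "projects/396903001122",
      "servicePerimeter": "accessPolicies/1093961377651/servicePerimeters/landingzone_perimeter",
      "source": "organizations/1234567890"}],
    "dryRun": true,
    "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER"}}}
""")

VPCSC_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

def summarize_vpcsc_violation(entry):
    """Return the fields needed to triage a VPC-SC denial, or None if the entry is not one."""
    payload = entry.get("protoPayload") or {}
    meta = payload.get("metadata") or {}
    if meta.get("@type") != VPCSC_TYPE:
        return None
    crossings = []
    # This entry only carries ingressViolations; egressViolations is read the same way.
    for direction in ("ingress", "egress"):
        for v in meta.get(direction + "Violations", []):
            crossings.append({
                "direction": direction,
                "perimeter": v.get("servicePerimeter", "").rsplit("/", 1)[-1],
                "source": v.get("source"),
                "target": v.get("targetResource"),
            })
    return {
        "unique_id": meta.get("vpcServiceControlsUniqueId"),
        "enforced": not meta.get("dryRun", False),  # False: dry run, request was not blocked
        "reason": meta.get("violationReason"),
        "principal": (payload.get("authenticationInfo") or {}).get("principalEmail"),
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "crossings": crossings,
    }

if __name__ == "__main__":
    print(json.dumps(summarize_vpcsc_violation(ENTRY), indent=2))
```

For the entry in this issue the summary shows a dry-run ingress violation on `landingzone_perimeter`: the logging service account `o1234567890-254182@gcp-sa-logging.iam.gserviceaccount.com`, coming from `organizations/1234567890`, calling BigQuery `InsertAll` on `projects/396903001122`.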