hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

logging sink - Log sink request is prohibited by org policy, "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER" #10838

Open tamselr opened 2 years ago

tamselr commented 2 years ago

Request to help me resolve this error: Log sink request is prohibited by org policy, "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER"

tamselr commented 2 years ago

```json
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 7,
      "message": "(Dry Run Mode) Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: Vtjxgzcq2heG_g1ywbIWRW1Aq88cs_NCpVprt2BrU1S32nzbSvctCA",
      "details": [
        {
          "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
          "violations": [
            {
              "type": "VPC_SERVICE_CONTROLS",
              "description": "Vtjxgzcq2heG_g1ywbIWRW1Aq88cs_NCpVprt2BrU1S32nzbSvctCA"
            }
          ]
        }
      ]
    },
    "authenticationInfo": {
      "principalEmail": "o1234567890-254182@gcp-sa-logging.iam.gserviceaccount.com"
    },
    "requestMetadata": {
      "callerIp": "private",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
    "serviceName": "bigquery.googleapis.com",
    "methodName": "google.cloud.bigquery.v2.TableDataService.InsertAll",
    "resourceName": "projects/396903001122",
    "metadata": {
      "vpcServiceControlsUniqueId": "Vtjxgzcq2heG_g1ywbIWRW1Aq88cs_NCpVprt2BrU1S32nzbSvctCA",
      "resourceNames": [
        "gcp-prod-sec-logstore-66d6",
        "organizations/1234567890"
      ],
      "ingressViolations": [
        {
          "targetResource": "projects/396903001122",
          "servicePerimeter": "accessPolicies/1093961377651/servicePerimeters/landingzone_perimeter",
          "source": "organizations/1234567890"
        }
      ],
      "securityPolicyInfo": {
        "servicePerimeterName": "accessPolicies/1093961377651/servicePerimeters/landingzone_perimeter",
        "organizationId": "1234567890"
      },
      "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata",
      "dryRun": true,
      "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER"
    }
  },
  "insertId": "1xx7rlie3gtkf",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "project_id": "gcp-prod-sec-logstore-66d6",
      "service": "bigquery.googleapis.com",
      "method": "google.cloud.bigquery.v2.TableDataService.InsertAll"
    }
  },
  "timestamp": "2022-01-05T11:07:21.970849917Z",
  "severity": "ERROR",
  "logName": "projects/gcp-prod-sec-logstore-66d6/logs/cloudaudit.googleapis.com%2Fpolicy",
  "receiveTimestamp": "2022-01-05T11:07:22.347746776Z"
}
```
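The entry above is a VPC Service Controls denial written to the `cloudaudit.googleapis.com/policy` log, and the fields a defender needs (the denied principal, the perimeter, the target project, the caller's origin and whether the perimeter is still in dry-run mode) all sit under `protoPayload.metadata`. The parser below is an added example, not code from the issue or the provider; it runs over an abridged copy of that entry (constructed inline, same field names and IDs) and flags the case where the denied caller is the Cloud Logging service agent, which is what a blocked log sink looks like in this log.

```python
import json

# Constructed sample: an abridged copy of the audit-log entry quoted above (same
# field names and IDs), embedded so the parser runs offline.
SAMPLE_ENTRY = json.dumps({
    "protoPayload": {
        "authenticationInfo": {
            "principalEmail": "o1234567890-254182@gcp-sa-logging.iam.gserviceaccount.com"},
        "serviceName": "bigquery.googleapis.com",
        "methodName": "google.cloud.bigquery.v2.TableDataService.InsertAll",
        "metadata": {
            "@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata",
            "ingressViolations": [{
                "targetResource": "projects/396903001122",
                "servicePerimeter": "accessPolicies/1093961377651/servicePerimeters/landingzone_perimeter",
                "source": "organizations/1234567890"}],
            "dryRun": True,
            "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER"}},
    "logName": "projects/gcp-prod-sec-logstore-66d6/logs/cloudaudit.googleapis.com%2Fpolicy"})

VPCSC_METADATA_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
LOGGING_AGENT_SUFFIX = "@gcp-sa-logging.iam.gserviceaccount.com"

def parse_vpcsc_violation(entry_json: str) -> "dict | None":
    """Extract who was denied, what they called and which perimeter boundary they
    crossed from a policy audit-log entry; None if it is not a VPC-SC denial."""
    payload = json.loads(entry_json).get("protoPayload", {})
    meta = payload.get("metadata", {})
    if meta.get("@type") != VPCSC_METADATA_TYPE:
        return None
    # The ingress violation names the perimeter, the target project and the caller's origin.
    ingress = (meta.get("ingressViolations") or [{}])[0]
    return {
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", ""),
        "method": f'{payload.get("serviceName", "")}/{payload.get("methodName", "")}',
        "reason": meta.get("violationReason", ""),
        # dryRun=True means the perimeter is in dry-run mode: logged, not yet enforced.
        "dry_run": bool(meta.get("dryRun", False)),
        "perimeter": ingress.get("servicePerimeter", ""),
        "target": ingress.get("targetResource", ""),
        "source": ingress.get("source", ""),
    }

def is_logging_sink_blocked(violation: dict) -> bool:
    """True when the denied principal is the Cloud Logging service agent, i.e. the
    log sink's writes into the destination project are what the perimeter rejects."""
    return (violation["principal"].endswith(LOGGING_AGENT_SUFFIX)
            and violation["reason"] == "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER")
```

Because `dry_run` is true in this entry, the perimeter is only reporting what it would block; the same entry with `dryRun` false is the sink actually failing.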

slevenick commented 2 years ago

Looks like the error is coming from the API and is not really related to the Terraform provider.

I'd guess the target project is not in the same service perimeter as the sink, but I'm not an expert on these resources