Error creating Policy: googleapi: Error 409: Requested entity already exists

originaltrini0 · August 5, 2025, 5:45pm

Hello all:

My environment:
Terraform v1.12.2
Google Cloud Provider: v6.46.0
MacOS Sonoma: v15.5

I am redoing my test Google Cloud environment and having an issue setting an organization policy (compute.skipDefaultNetworkCreation) using the google_org_policy_policy resource.

My simplified resource configuration:

resource "google_org_policy_policy" "spec_boolean_constraint" {
  name   = "${var.parent}/policies/${var.constraint}"
  parent = var.parent

  spec {
    rules {
      enforce = var.enforce ? "TRUE" : "FALSE"
    }
  }
}

Here is the output of terraform plan:

+ resource "google_org_policy_policy" "spec_boolean_constraint" {
      + etag   = (known after apply)
      + id     = (known after apply)
      + name   = "organizations/nnn.../policies/compute.skipDefaultNetworkCreation"
      + parent = "organizations/nnn..."

      + spec {
          + etag        = (known after apply)
          + update_time = (known after apply)

          + rules {
              + enforce = "TRUE"
            }
        }
    }

Here is the error I get when attempting to apply the policy:

Error: Error creating Policy: googleapi: Error 409: Requested entity already exists
│ 
│   with module.foundation_org_policies["skipDefaultNetworkCreation"].google_org_policy_policy.spec_boolean_constraint[0],
│   on .terraform/modules/foundation_org_policies/main.tf line 10, in resource "google_org_policy_policy" "spec_boolean_constraint":
│   10: resource "google_org_policy_policy" "spec_boolean_constraint" {

If I understand the error, it appears to be trying to create a constraint. But compute.skipDefaultNetworkCreation is a managed policy. I am just trying to set this constraint at the org level. I am unsure what is wrong here, as I used this same resource to set this constraint in the past.

I have tried manually resetting the constraint:

gcloud org-policies describe compute.skipDefaultNetworkCreation --organization="nnn..."
etag: CNzMyMQGEKCapt0C-
name: organizations/nnn.../policies/compute.skipDefaultNetworkCreation
spec:
  etag: CNzMyMQGEKCapt0C
  reset: true
  updateTime: '2025-08-05T15:42:20.732532Z'

I also have the Policy Admin role assigned to my account:

gcloud organizations get-iam-policy nnn... --flatten=bindings  \
  --filter=bindings.members~$(gcloud config list --format="get(core.account)") \
  --format="get(bindings.role)"
roles/orgpolicy.policyAdmin

I am looking for another set of eyes to help me with this error.
Please let me know if you require anything else.

Thanks

originaltrini0 · August 5, 2025, 9:20pm

The problem has been solved after enabling the cloudresourcemanager.googleapis.com service on the billing project configured in Terraform.

Thanks for looking..

Topic		Replies	Views
Using terraform-google-org-policy module Google	0	745	March 30, 2020
GCP Billing Tagging Enforcement at Org level Google	0	320	August 29, 2023
Aws_organizations_policy AWS	2	535	March 13, 2023
Googleapi: Error 400: Permission redis.clusters.connect is not supported in custom roles., badRequest Google	0	313	July 26, 2023
Google_iam_policy binding ordering Google	0	948	July 28, 2020

Error creating Policy: googleapi: Error 409: Requested entity already exists

Related topics