Hello all:
My environment:
Terraform v1.12.2
Google Cloud Provider: v6.46.0
macOS Sonoma: v15.5
I am redoing my test Google Cloud environment and having an issue setting an organization policy (compute.skipDefaultNetworkCreation) using the google_org_policy_policy resource.
My simplified resource configuration:
resource "google_org_policy_policy" "spec_boolean_constraint" {
  name   = "${var.parent}/policies/${var.constraint}"
  parent = var.parent
  spec {
    rules {
      enforce = var.enforce ? "TRUE" : "FALSE"
    }
  }
}
Here is the output of terraform plan:
  + resource "google_org_policy_policy" "spec_boolean_constraint" {
      + etag   = (known after apply)
      + id     = (known after apply)
      + name   = "organizations/nnn.../policies/compute.skipDefaultNetworkCreation"
      + parent = "organizations/nnn..."
      + spec {
          + etag        = (known after apply)
          + update_time = (known after apply)
          + rules {
              + enforce = "TRUE"
            }
        }
    }
Here is the error I get when attempting to apply the policy:
Error: Error creating Policy: googleapi: Error 409: Requested entity already exists
│
│ with module.foundation_org_policies["skipDefaultNetworkCreation"].google_org_policy_policy.spec_boolean_constraint[0],
│ on .terraform/modules/foundation_org_policies/main.tf line 10, in resource "google_org_policy_policy" "spec_boolean_constraint":
│ 10: resource "google_org_policy_policy" "spec_boolean_constraint" {
If I understand the error, it appears to be trying to create a constraint. But compute.skipDefaultNetworkCreation is a managed policy. I am just trying to set this constraint at the org level. I am unsure what is wrong here, as I used this same resource to set this constraint in the past.
I have tried manually resetting the constraint:
gcloud org-policies describe compute.skipDefaultNetworkCreation --organization="nnn..."
etag: CNzMyMQGEKCapt0C-
name: organizations/nnn.../policies/compute.skipDefaultNetworkCreation
spec:
  etag: CNzMyMQGEKCapt0C
  reset: true
  updateTime: '2025-08-05T15:42:20.732532Z'
I also have the Policy Admin role assigned to my account:
gcloud organizations get-iam-policy nnn... --flatten=bindings \
--filter=bindings.members~$(gcloud config list --format="get(core.account)") \
--format="get(bindings.role)"
roles/orgpolicy.policyAdmin
I am looking for another set of eyes to help me with this error.
Please let me know if you require anything else.
Thanks
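Added example, not the poster's code: a 409 "Requested entity already exists" on create means a policy resource with that name is already present in the organization (the describe output above shows one, the reset policy left by the manual reset), so this script reads that describe output and builds the terraform import command that adopts the existing policy into state instead of creating it. It assumes PyYAML is unavailable (gcloud's flat YAML is parsed by hand) and that the provider's import ID for google_org_policy_policy is the full resource name, {{parent}}/policies/{{constraint}}.

```python
# Added example (not the poster's code): an HTTP 409 on create means a policy
# with that name already exists; this reads the `gcloud org-policies describe`
# output and builds the `terraform import` command that adopts it into state.
# Assumed: no PyYAML (gcloud's flat YAML is parsed by hand) and that the
# provider's import ID for google_org_policy_policy is the full resource name.

# Constructed input: the describe output quoted in the post (nnn... = org id).
DESCRIBE_OUTPUT = """\
etag: CNzMyMQGEKCapt0C
name: organizations/nnn.../policies/compute.skipDefaultNetworkCreation
spec:
  etag: CNzMyMQGEKCapt0C
  reset: true
  updateTime: '2025-08-05T15:42:20.732532Z'
"""
TF_ADDRESS = ('module.foundation_org_policies["skipDefaultNetworkCreation"]'
              '.google_org_policy_policy.spec_boolean_constraint[0]')


def parse_describe(text):
    """Parse gcloud's two-level YAML into {"name": ..., "spec": {...}}."""
    policy = {"name": None, "spec": {}}
    in_spec = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("spec:"):
            in_spec = True
            continue
        key, _, value = line.strip().partition(":")  # first ':' only
        value = value.strip().strip("'")
        if in_spec and line.startswith(" "):
            policy["spec"][key] = value
        else:
            in_spec = False
            policy[key] = value
    return policy


def import_plan(describe_output, tf_address):
    """Return import details for the existing policy, or None if none exists."""
    policy = parse_describe(describe_output)
    if not policy.get("name"):
        return None  # nothing described: the 409 is not an existing policy
    return {
        "name": policy["name"],
        # reset: true is what a manual `gcloud org-policies reset` leaves behind
        "is_reset": policy["spec"].get("reset") == "true",
        "import_cmd": f"terraform import '{tf_address}' {policy['name']}",
    }
```

Running the printed command against the real state, and then a fresh terraform plan, shows whether the existing reset policy is adopted cleanly or replaced with the enforce = "TRUE" rule.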