403 policy config_error ai_generated true

Error: Error creating resource: google_project_service: googleapi: Error 403: Cloud Resource Manager API has not been used in project before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=my-project then retry.

ID: policy/terraform-org-policy-blocked-resource-type

Fix Rate: 90%
Confidence: 82%
Evidence: 1
First Seen: 2023-05-20

Version Compatibility

| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Terraform 1.5.x | active | | | |
| Google Provider 5.0.0 | active | | | |

Root Cause

The required Google Cloud API (Cloud Resource Manager) is not enabled for the project, which is a policy enforced by the organization to prevent unauthorized API usage.


Official Documentation

https://cloud.google.com/resource-manager/docs/creating-managing-projects

Workarounds

  1. 90% success: Enable the Cloud Resource Manager API via gcloud before running Terraform: `gcloud services enable cloudresourcemanager.googleapis.com --project=my-project`. Then re-run `terraform apply`.
  2. 85% success: Add a `google_project_service` resource in Terraform to enable the API automatically. Ensure this runs before other resources.

     ```hcl
     resource "google_project_service" "cloudresourcemanager" {
       project            = "my-project"
       service            = "cloudresourcemanager.googleapis.com"
       disable_on_destroy = false
     }
     ```
  3. 80% success: Grant the 'Service Usage Admin' role to the Terraform service account: `gcloud projects add-iam-policy-binding my-project --member='serviceAccount:[email protected]' --role='roles/serviceusage.serviceUsageAdmin'`.
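Workaround 2 written out as a complete configuration, added here as an illustration and not taken from the original entry: `depends_on` makes the "runs before other resources" ordering explicit for a resource that calls the Cloud Resource Manager API. The `project_id` variable, the `google_project_iam_member` resource, its role and the service account address are hypothetical placeholders.

```hcl
# Added example. The project ID and service name come from the entry above;
# the IAM binding below is a hypothetical downstream resource.

variable "project_id" {
  type    = string
  default = "my-project"
}

# Enable the Cloud Resource Manager API for the project.
resource "google_project_service" "cloudresourcemanager" {
  project = var.project_id
  service = "cloudresourcemanager.googleapis.com"

  # Leave the API enabled when this resource is destroyed, so that
  # `terraform destroy` does not disable it for the rest of the project.
  disable_on_destroy = false
}

# Hypothetical resource that modifies the project IAM policy, which goes
# through the Cloud Resource Manager API.
resource "google_project_iam_member" "example_viewer" {
  project = var.project_id
  role    = "roles/viewer"
  # Constructed placeholder address, not a value from the entry.
  member  = "serviceAccount:example-sa@my-project.iam.gserviceaccount.com"

  # No argument here references the service resource, so without this
  # line Terraform may create both resources in parallel.
  depends_on = [google_project_service.cloudresourcemanager]
}
```

The identity running Terraform still needs the `serviceusage.services.enable` permission for the first resource to succeed.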


Dead Ends

Common approaches that don't work:

  1. 50% fail

    Enabling the API is necessary, but Terraform may still fail if the service account lacks the 'serviceusage.services.enable' permission.

  2. 95% fail

    Terraform does not auto-enable APIs; the error will persist until the API is explicitly enabled.

  3. 80% fail

    The error is enforced by Google Cloud's API, not the provider; provider version changes won't help.