{
  "id": "policy/terraform-org-policy-blocked-resource-type",
  "signature": "Error: Error creating resource: google_project_service: googleapi: Error 403: Cloud Resource Manager API has not been used in project before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=my-project then retry.",
  "signature_zh": "错误：创建资源时出错：google_project_service：googleapi：错误403：Cloud Resource Manager API 尚未在项目中使用或已被禁用。请访问 https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=my-project 启用它，然后重试。",
  "regex": "Error: Error creating resource: google_project_service: googleapi: Error 403: Cloud Resource Manager API has not been used in project before or it is disabled\\.",
  "domain": "policy",
  "category": "config_error",
  "subcategory": null,
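  "root_cause": "The required Google Cloud API (Cloud Resource Manager) is not enabled for the project. This entry attributes the disabled state to an organization policy meant to prevent unauthorized API usage; the error text itself only says the API has not been used in the project before or is disabled, so confirm which applies before changing permissions.",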
  "root_cause_type": "generic",
  "root_cause_zh": "所需的Google Cloud API（Cloud Resource Manager）未在项目中启用，这是组织为防止未经授权的API使用而强制执行的策略。",
  "versions": [
    {
      "version": "Terraform 1.5.x",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Google Provider 5.0.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Enabling the API is necessary, but Terraform may still fail if the service account lacks the 'serviceusage.services.enable' permission.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Terraform does not auto-enable APIs; the error will persist until the API is explicitly enabled.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The error is enforced by Google Cloud's API, not the provider; provider version changes won't help.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Enable the Cloud Resource Manager API via gcloud before running Terraform: `gcloud services enable cloudresourcemanager.googleapis.com --project=my-project`. Then re-run `terraform apply`.",
      "success_rate": 0.9,
      "how": "Enable the Cloud Resource Manager API via gcloud before running Terraform: `gcloud services enable cloudresourcemanager.googleapis.com --project=my-project`. Then re-run `terraform apply`.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Add a `google_project_service` resource in Terraform to enable the API automatically: `resource \"google_project_service\" \"cloudresourcemanager\" { project = \"my-project\" service = \"cloudresourcemanager.googleapis.com\" disable_on_destroy = false }`. Ensure this runs before other resources.",
      "success_rate": 0.85,
      "how": "Add a `google_project_service` resource in Terraform to enable the API automatically: `resource \"google_project_service\" \"cloudresourcemanager\" { project = \"my-project\" service = \"cloudresourcemanager.googleapis.com\" disable_on_destroy = false }`. Ensure this runs before other resources.",
      "condition": "",
      "sources": []
    },
    {
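      "action": "Grant the 'Service Usage Admin' role to the Terraform service account: `gcloud projects add-iam-policy-binding my-project --member='serviceAccount:terraform-sa@my-project.iam.gserviceaccount.com' --role='roles/serviceusage.serviceUsageAdmin'`. This role also permits disabling services, so bind it only on the project Terraform manages and only when the service account must enable APIs itself; if an administrator enables the API beforehand, the binding may not be needed.",
      "success_rate": 0.8,
      "how": "Grant the 'Service Usage Admin' role to the Terraform service account: `gcloud projects add-iam-policy-binding my-project --member='serviceAccount:terraform-sa@my-project.iam.gserviceaccount.com' --role='roles/serviceusage.serviceUsageAdmin'`. This role also permits disabling services, so bind it only on the project Terraform manages and only when the service account must enable APIs itself; if an administrator enables the API beforehand, the binding may not be needed.",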
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Enable the Cloud Resource Manager API via gcloud before running Terraform: `gcloud services enable cloudresourcemanager.googleapis.com --project=my-project`. Then re-run `terraform apply`.",
    "Add a `google_project_service` resource in Terraform to enable the API automatically: `resource \"google_project_service\" \"cloudresourcemanager\" { project = \"my-project\" service = \"cloudresourcemanager.googleapis.com\" disable_on_destroy = false }`. Ensure this runs before other resources.",
    "Grant the 'Service Usage Admin' role to the Terraform service account: `gcloud projects add-iam-policy-binding my-project --member='serviceAccount:terraform-sa@my-project.iam.gserviceaccount.com' --role='roles/serviceusage.serviceUsageAdmin'`."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://cloud.google.com/resource-manager/docs/creating-managing-projects",
  "official_doc_section": null,
  "error_code": "403",
  "verification_tier": "ai_generated",
  "confidence": 0.82,
  "fix_success_rate": 0.9,
  "resolvable": "true",
  "first_seen": "2023-05-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}