# Error: Error creating resource: google_project_service: googleapi: Error 403: Cloud Resource Manager API has not been used in project before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=my-project then retry. - **ID:** `policy/terraform-org-policy-blocked-resource-type` - **Domain:** policy - **Category:** config_error - **Error Code:** `403` - **Verification:** ai_generated - **Fix Rate:** 90% ## Root Cause The required Google Cloud API (Cloud Resource Manager) is not enabled for the project, which is a policy enforced by the organization to prevent unauthorized API usage. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | Terraform 1.5.x | active | — | — | | Google Provider 5.0.0 | active | — | — | ## Workarounds 1. **Enable the Cloud Resource Manager API via gcloud before running Terraform: `gcloud services enable cloudresourcemanager.googleapis.com --project=my-project`. Then re-run `terraform apply`.** (90% success) ``` Enable the Cloud Resource Manager API via gcloud before running Terraform: `gcloud services enable cloudresourcemanager.googleapis.com --project=my-project`. Then re-run `terraform apply`. ``` 2. **Add a `google_project_service` resource in Terraform to enable the API automatically: `resource "google_project_service" "cloudresourcemanager" { project = "my-project" service = "cloudresourcemanager.googleapis.com" disable_on_destroy = false }`. Ensure this runs before other resources.** (85% success) ``` Add a `google_project_service` resource in Terraform to enable the API automatically: `resource "google_project_service" "cloudresourcemanager" { project = "my-project" service = "cloudresourcemanager.googleapis.com" disable_on_destroy = false }`. Ensure this runs before other resources. ``` 3. **Grant the 'Service Usage Admin' role to the Terraform service account: `gcloud projects add-iam-policy-binding my-project --member='serviceAccount:terraform-sa@my-project.iam.gserviceaccount.com' --role='roles/serviceusage.serviceUsageAdmin'`.** (80% success) ``` Grant the 'Service Usage Admin' role to the Terraform service account: `gcloud projects add-iam-policy-binding my-project --member='serviceAccount:terraform-sa@my-project.iam.gserviceaccount.com' --role='roles/serviceusage.serviceUsageAdmin'`. ``` ## Dead Ends - **** — Enabling the API is necessary, but Terraform may still fail if the service account lacks the 'serviceusage.services.enable' permission. (50% fail) - **** — Terraform does not auto-enable APIs; the error will persist until the API is explicitly enabled. (95% fail) - **** — The error is enforced by Google Cloud's API, not the provider; provider version changes won't help. (80% fail)