# Error: Error creating resource: google_project_service: googleapi: Error 403: Cloud Resource Manager API has not been used in project or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=my-project then retry.

- **ID:** `policy/terraform-org-policy-blocked-resource-type`
- **Domain:** policy
- **Category:** config_error
- **Error code:** `403`
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

The required Google Cloud API (Cloud Resource Manager) is not enabled in the project, a policy the organization enforces to prevent unauthorized API use.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Terraform 1.5.x | active | — | — |
| Google Provider 5.0.0 | active | — | — |

## Solutions

1. Enable the Cloud Resource Manager API via gcloud before running Terraform, then re-run `terraform apply`:

   ```
   gcloud services enable cloudresourcemanager.googleapis.com --project=my-project
   ```

2. Add a `google_project_service` resource in Terraform to enable the API automatically. Ensure this runs before other resources.

   ```
   resource "google_project_service" "cloudresourcemanager" {
     project            = "my-project"
     service            = "cloudresourcemanager.googleapis.com"
     disable_on_destroy = false
   }
   ```

3. Grant the 'Service Usage Admin' role to the Terraform service account:

   ```
   gcloud projects add-iam-policy-binding my-project \
     --member='serviceAccount:terraform-sa@my-project.iam.gserviceaccount.com' \
     --role='roles/serviceusage.serviceUsageAdmin'
   ```
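
A read-only preflight for the two conditions this entry ties to the 403 (the API is not enabled; the Terraform service account lacks the Service Usage Admin role), as an added example that is not part of the original entry. It uses the page's placeholder project and service-account names and assumes the role is bound directly on the project.

```bash
#!/bin/sh
# Added example: preflight for the 403 above. Defaults are the page's
# placeholder values; override them through the environment.
PROJECT="${PROJECT:-my-project}"
SA="${SA:-terraform-sa@my-project.iam.gserviceaccount.com}"
API="cloudresourcemanager.googleapis.com"
ROLE="roles/serviceusage.serviceUsageAdmin"

# True if $API appears in the project's list of enabled services.
api_enabled() {
  gcloud services list --enabled --project="$PROJECT" \
    --format='value(config.name)' | grep -Fxq "$API"
}

# True if $ROLE is bound directly to the service account on the project.
# Assumption: roles inherited from a folder or organization, and broader
# roles that also carry serviceusage.services.enable, are not detected.
sa_has_role() {
  gcloud projects get-iam-policy "$PROJECT" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$SA" \
    --format='value(bindings.role)' | grep -Fxq "$ROLE"
}

# Returns 0 when both preconditions hold, 1 when the API is not enabled,
# 2 when the role binding is missing. Makes no changes to the project.
preflight() {
  if ! api_enabled; then
    echo "BLOCK: $API is not enabled in $PROJECT" >&2
    return 1
  fi
  if ! sa_has_role; then
    echo "BLOCK: $SA lacks $ROLE on $PROJECT" >&2
    return 2
  fi
  echo "OK: $API is enabled and $SA holds $ROLE"
}

# Typical use in a pipeline:  ./preflight.sh --check && terraform apply
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```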

## Ineffective attempts

- Enabling the API is necessary, but Terraform may still fail if the service account lacks the 'serviceusage.services.enable' permission. (50% failure rate)
- Terraform does not auto-enable APIs; the error will persist until the API is explicitly enabled. (95% failure rate)
- The error is enforced by Google Cloud's API, not the provider; provider version changes won't help. (80% failure rate)
