
Feature request for google_org_policy_custom_constraint module #19316

Closed
birmingham opened this issue Aug 29, 2024 · 2 comments
Labels
enhancement forward/review In review; remove label to forward service/orgpolicy

Comments

@birmingham

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

I have the required IAM roles on two Google Cloud Organizations to deploy org policy custom constraints, and I have seen the same Terraform 403 orgpolicy.google.apis issue with both orgs. The module I am using is at this link: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/org_policy_custom_constraint#example-usage---org-policy-custom-constraint-full
A similar issue is being tracked here: #17998.

In order to fix the 403 error with both orgs, all I needed was to add a provider block into the module itself. Another solution would be to create another provider.tf alongside the main.tf file. I have not tested the provider.tf idea.

New or Affected Resource(s)

  • google_org_policy_custom_constraint

Potential Terraform Configuration

# Provider with a quota (billing) project set; adding this block to the module
# is what resolved the 403 from the Org Policy API for both orgs.
provider "google" {
  project               = var.project_id
  region                = var.region
  billing_project       = "CHANGE_ME_PROJECT_ID"
  user_project_override = true
}

# Inputs referenced by the provider block above.
variable "project_id" {
  type = string
}

variable "region" {
  type = string
}

# Custom constraint: Compute instances may only be created when all three
# labels are present with the expected values.
resource "google_org_policy_custom_constraint" "constraint" {
  name         = "custom.DevInfraTypeVM"
  parent       = "organizations/CHANGE_ME_ORG_ID_NUMBER"
  display_name = "Labels (business_code/abc123) and (logs_code/my-logs) and (environment/development) required"
  description  = "Labels required and Keys/values must be product_code/abc123, inventory_code/my-logs, environment/development."

  action_type    = "ALLOW"
  condition      = "'business_code' in resource.labels && resource.labels['business_code'] == 'abc123' && 'logs_code' in resource.labels && resource.labels['logs_code'] == 'my-logs' && 'environment' in resource.labels && resource.labels['environment'] == 'development'"
  method_types   = ["CREATE"]
  resource_types = ["compute.googleapis.com/Instance"]
}

# Org policy that enforces the custom constraint defined above.
resource "google_org_policy_policy" "bool" {
  name   = "organizations/CHANGE_ME_ORG_ID_NUMBER/policies/${google_org_policy_custom_constraint.constraint.name}"
  parent = "organizations/CHANGE_ME_ORG_ID_NUMBER"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

References

No response

@github-actions github-actions bot added forward/review In review; remove label to forward service/orgpolicy labels Aug 29, 2024
@SarahFrench
Member

Note from triage: this seems to be an instance of how it can be confusing using user_project_override and knowing where APIs need to be enabled relative to where the Terraform identity service account is (in a multi-project setup). We have an issue open for creating more documentation to help explain this (#18125).

Closing as duplicate of that issue.

@SarahFrench SarahFrench closed this as not planned Won't fix, can't repro, duplicate, stale Sep 3, 2024
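The triage note above points at where the Org Policy API has to be enabled relative to the identity running Terraform. The configuration below is an added example (not the reporter's or the provider's own code) that makes that relationship explicit: an aliased provider carries the quota project, the API is enabled in that quota project, and the Terraform service account is granted the permission the override requires. All CHANGE_ME values and the resource names are placeholders.

```hcl
# Added example; all CHANGE_ME values are placeholders, not real identifiers.

# Default provider: used for ordinary project-scoped resources.
provider "google" {
  project = "CHANGE_ME_PROJECT_ID"
}

# Aliased provider for Org Policy API calls. With user_project_override,
# quota and API-enablement checks are made against billing_project, not
# against the project that owns the Terraform service account.
provider "google" {
  alias                 = "orgpolicy"
  project               = "CHANGE_ME_PROJECT_ID"
  billing_project       = "CHANGE_ME_QUOTA_PROJECT_ID"
  user_project_override = true
}

# The Org Policy API must be enabled in the quota project named above,
# otherwise the request is rejected with a 403 even with valid org IAM.
resource "google_project_service" "orgpolicy" {
  project            = "CHANGE_ME_QUOTA_PROJECT_ID"
  service            = "orgpolicy.googleapis.com"
  disable_on_destroy = false
}

# The identity running Terraform needs serviceusage.services.use on the
# quota project, or the override itself is refused.
resource "google_project_iam_member" "tf_quota_consumer" {
  project = "CHANGE_ME_QUOTA_PROJECT_ID"
  role    = "roles/serviceusage.serviceUsageConsumer"
  member  = "serviceAccount:CHANGE_ME_TF_SA_EMAIL"
}

resource "google_org_policy_custom_constraint" "constraint" {
  provider = google.orgpolicy

  name         = "custom.DevInfraTypeVM"
  parent       = "organizations/CHANGE_ME_ORG_ID_NUMBER"
  display_name = "Required labels on new Compute instances"
  description  = "business_code, logs_code and environment labels are required."

  action_type    = "ALLOW"
  condition      = "'business_code' in resource.labels && 'logs_code' in resource.labels && 'environment' in resource.labels"
  method_types   = ["CREATE"]
  resource_types = ["compute.googleapis.com/Instance"]

  depends_on = [google_project_service.orgpolicy, google_project_iam_member.tf_quota_consumer]
}
```

The explicit `depends_on` keeps the first `terraform apply` from calling the Org Policy API before the quota project is ready, which is the ordering the 403 in this issue comes from.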

github-actions bot commented Oct 6, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 6, 2024