Terraform: Error creating Policy: googleapi: Error 409: Requested entity already exists

Hello all:

My environment:
Terraform v1.12.2
Google Cloud Provider: v6.46.0
macOS Sonoma: v15.5


I am redoing my test Google Cloud environment and having an issue setting an organization policy (compute.skipDefaultNetworkCreation) using the google_org_policy_policy Terraform resource.

My simplified resource configuration:

resource "google_org_policy_policy" "spec_boolean_constraint" {
  name   = "${var.parent}/policies/${var.constraint}"
  parent = var.parent

  spec {
    rules {
      enforce = var.enforce ? "TRUE" : "FALSE"
    }
  }
}

Here is the output of terraform plan:

+ resource "google_org_policy_policy" "spec_boolean_constraint" {
      + etag   = (known after apply)
      + id     = (known after apply)
      + name   = "organizations/nnn.../policies/compute.skipDefaultNetworkCreation"
      + parent = "organizations/nnn..."

      + spec {
          + etag        = (known after apply)
          + update_time = (known after apply)

          + rules {
              + enforce = "TRUE"
            }
        }
    }

Here is the error I get when attempting to apply the configuration:

Error: Error creating Policy: googleapi: Error 409: Requested entity already exists
│ 
│   with module.foundation_org_policies["skipDefaultNetworkCreation"].google_org_policy_policy.spec_boolean_constraint[0],
│   on .terraform/modules/foundation_org_policies/main.tf line 10, in resource "google_org_policy_policy" "spec_boolean_constraint":
│   10: resource "google_org_policy_policy" "spec_boolean_constraint" {

If I understand the error, it appears to be trying to create a constraint. But compute.skipDefaultNetworkCreation is a managed policy. I need to set this constraint at the org level. I am unsure what is wrong here, as I used this same resource to set this constraint in the past (or at least, I think I did previously).

I have tried manually resetting the constraint:

gcloud org-policies describe compute.skipDefaultNetworkCreation --organization="nnn..."
etag: CNzMyMQGEKCapt0C-
name: organizations/nnn.../policies/compute.skipDefaultNetworkCreation
spec:
  etag: CNzMyMQGEKCapt0C
  reset: true
  updateTime: '2025-08-05T15:42:20.732532Z'

I have verified that I have the Policy Admin role assigned to my account:

gcloud organizations get-iam-policy nnn... --flatten=bindings  \
  --filter=bindings.members~$(gcloud config list --format="get(core.account)") \
  --format="get(bindings.role)"
roles/orgpolicy.policyAdmin

I am looking for another set of eyes to help me figure out how org-policies can be managed using Terraform.
Please let me know if you require any other information.

Thanks

The problem has been solved after enabling the cloudresourcemanager.googleapis.com service on the billing project configured in Terraform.

Thanks for looking.
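
The fix described above, written out as Terraform configuration. This is an added example, not the poster's code or the module's own: it assumes "the billing project configured in Terraform" means the provider's `billing_project` argument used with `user_project_override`, and the variable and resource names `billing_project` and `billing_project_crm` are hypothetical. It also assumes the Service Usage API is already enabled on that project so the service can be turned on from Terraform.

```hcl
# Added example: names marked "assumed" are placeholders, not from the post.
variable "billing_project" {
  type        = string
  description = "Project charged for quota on API calls (assumed name)"
}

variable "parent" {
  type        = string
  description = "Policy parent, e.g. organizations/<ORG_ID>"
}

variable "constraint" {
  type    = string
  default = "compute.skipDefaultNetworkCreation"
}

variable "enforce" {
  type    = bool
  default = true
}

provider "google" {
  # With user_project_override enabled, API requests are attributed to
  # billing_project, so the APIs Terraform calls must be enabled there.
  billing_project       = var.billing_project
  user_project_override = true
}

# The service the post reports enabling to resolve the error.
resource "google_project_service" "billing_project_crm" {
  project            = var.billing_project
  service            = "cloudresourcemanager.googleapis.com"
  disable_on_destroy = false # keep the API enabled if this resource is removed
}

resource "google_org_policy_policy" "spec_boolean_constraint" {
  name   = "${var.parent}/policies/${var.constraint}"
  parent = var.parent

  spec {
    rules {
      enforce = var.enforce ? "TRUE" : "FALSE"
    }
  }

  # Apply the policy only after the API is enabled on the billing project.
  depends_on = [google_project_service.billing_project_crm]
}
```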