Fix org policy service to be enabled before organization policies applied (#3547)

* Fix org policy service to be enabled before organization policies applied
2025-11-21 14:22:17 +07:00
parent b412fafd6c
commit b686a6f730
5 changed files with 36 additions and 13 deletions
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -89,10 +89,20 @@ locals {
  )
  universe_prefix = var.universe == null ? "" : "${var.universe.prefix}:"
  # available services are those declared, minus any unsupported by universe
-  available_services = tolist(setsubtract(
+  _available_services = setsubtract(
    var.services,
    try(var.universe.unavailable_services, [])
+  )
+  available_services = tolist(setsubtract(
+    local._available_services,
+    ["orgpolicy.googleapis.com"]
  ))
+  enable_orgpolicy_service = contains(local._available_services, "orgpolicy.googleapis.com")
+}
+
+moved {
+  from = google_project_service.project_services["orgpolicy.googleapis.com"]
+  to   = google_project_service.org_policy_service[0]
 }

 data "google_project" "project" {
@@ -132,6 +142,14 @@ resource "google_project_service" "project_services" {
  depends_on                 = [google_org_policy_policy.default]
 }

+resource "google_project_service" "org_policy_service" {
+  count                      = local.enable_orgpolicy_service ? 1 : 0
+  project                    = local.project.project_id
+  service                    = "orgpolicy.googleapis.com"
+  disable_on_destroy         = var.service_config.disable_on_destroy
+  disable_dependent_services = var.service_config.disable_dependent_services
+}
+
 resource "google_compute_project_metadata_item" "default" {
  for_each = (
    contains(local.available_services, "compute.googleapis.com") ? var.compute_metadata : {}
--- a/modules/project/organization-policies.tf
+++ b/modules/project/organization-policies.tf
@@ -193,4 +193,6 @@ resource "google_org_policy_policy" "default" {
      }
    }
  }
+
+  depends_on = [google_project_service.org_policy_service]
 }
--- a/tests/fast/stages/s0_org_setup/hardened.yaml
+++ b/tests/fast/stages/s0_org_setup/hardened.yaml
@@ -2096,12 +2096,6 @@ values:
    project: ft0-prod-iac-core-0
    service: networksecurity.googleapis.com
    timeouts: null
-  module.factory.module.projects["iac-0"].google_project_service.project_services["orgpolicy.googleapis.com"]:
-    disable_dependent_services: false
-    disable_on_destroy: false
-    project: ft0-prod-iac-core-0
-    service: orgpolicy.googleapis.com
-    timeouts: null
  module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
@@ -2120,6 +2114,12 @@ values:
    project: ft0-prod-iac-core-0
    service: servicenetworking.googleapis.com
    timeouts: null
+  module.factory.module.projects["iac-0"].google_project_service.org_policy_service[0]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: ft0-prod-iac-core-0
+    service: orgpolicy.googleapis.com
+    timeouts: null
  module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
--- a/tests/fast/stages/s0_org_setup/simple.yaml
+++ b/tests/fast/stages/s0_org_setup/simple.yaml
@@ -1325,12 +1325,6 @@ values:
    project: ft0-prod-iac-core-0
    service: networksecurity.googleapis.com
    timeouts: null
-  module.factory.module.projects["iac-0"].google_project_service.project_services["orgpolicy.googleapis.com"]:
-    disable_dependent_services: false
-    disable_on_destroy: false
-    project: ft0-prod-iac-core-0
-    service: orgpolicy.googleapis.com
-    timeouts: null
  module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
@@ -1343,6 +1337,12 @@ values:
    project: ft0-prod-iac-core-0
    service: servicenetworking.googleapis.com
    timeouts: null
+  module.factory.module.projects["iac-0"].google_project_service.org_policy_service[0]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: ft0-prod-iac-core-0
+    service: orgpolicy.googleapis.com
+    timeouts: null
  module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
--- a/tests/modules/organization/test_plan_org_policies_modules.py
+++ b/tests/modules/organization/test_plan_org_policies_modules.py
@@ -39,6 +39,9 @@ def test_policy_implementation():
      '-  parent = "projects/${local.project.project_id}"\n',
      '+  name   = "${local.folder_id}/policies/${each.value}"\n',
      '+  parent = local.folder_id\n',
+      '@@ -196,2 +195,0 @@\n',
+      '-\n',
+      '-  depends_on = [google_project_service.org_policy_service]\n',
  ]

  diff2 = difflib.unified_diff(lines['folder'], lines['organization'], 'folder',