From b686a6f73027cdc656ee68f1f6453d9e15a3b490 Mon Sep 17 00:00:00 2001
From: Vannick Trinquier
Date: Fri, 21 Nov 2025 14:22:17 +0700
Subject: [PATCH] Fix org policy service to be enabled before organization policies applied (#3547)

* Fix org policy service to be enabled before organization policies applied
---
 modules/project/main.tf | 20 ++++++++++++++++++-
 modules/project/organization-policies.tf | 2 ++
 tests/fast/stages/s0_org_setup/hardened.yaml | 12 +++++------
 tests/fast/stages/s0_org_setup/simple.yaml | 12 +++++------
 .../test_plan_org_policies_modules.py | 3 +++
 5 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/modules/project/main.tf b/modules/project/main.tf
index c3bf5c2a9..92c0edb8b 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -89,10 +89,20 @@ locals {
 )
 universe_prefix = var.universe == null ? "" : "${var.universe.prefix}:"
 # available services are those declared, minus any unsupported by universe
- available_services = tolist(setsubtract(
+ _available_services = setsubtract(
 var.services,
 try(var.universe.unavailable_services, [])
+ )
+ available_services = tolist(setsubtract(
+ local._available_services,
+ ["orgpolicy.googleapis.com"]
 ))
+ enable_orgpolicy_service = contains(local._available_services, "orgpolicy.googleapis.com")
+}
+
+moved {
+ from = google_project_service.project_services["orgpolicy.googleapis.com"]
+ to = google_project_service.org_policy_service[0]
 }
 
 data "google_project" "project" {
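Review bot: The comment `# available services are those declared, minus any unsupported by universe` above the new `_available_services` local is now stale, because `available_services` additionally strips `orgpolicy.googleapis.com`, which is enabled by a dedicated resource instead; update it to `# available services are those declared, minus any unsupported by universe; orgpolicy.googleapis.com is split out so org policies can depend on it being enabled before the remaining services`. A second short comment on `enable_orgpolicy_service` would help too, since the flag is computed from `_available_services` (before the subtraction) rather than from `available_services`, and a reader will otherwise wonder why the two locals differ: `# computed before orgpolicy is removed, so the flag reflects what the caller declared`. The `moved` block is the right call here: without it, existing deployments would plan a destroy/create of the orgpolicy API enablement, which is a security-relevant service to bounce. The `locals` block this hunk closes begins outside it.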
@@ -132,6 +142,14 @@ resource "google_project_service" "project_services" {
 depends_on = [google_org_policy_policy.default]
 }
 
+resource "google_project_service" "org_policy_service" {
+ count = local.enable_orgpolicy_service ? 1 : 0
+ project = local.project.project_id
+ service = "orgpolicy.googleapis.com"
+ disable_on_destroy = var.service_config.disable_on_destroy
+ disable_dependent_services = var.service_config.disable_dependent_services
+}
+
 resource "google_compute_project_metadata_item" "default" {
 for_each = (
 contains(local.available_services, "compute.googleapis.com") ? var.compute_metadata : {}
diff --git a/modules/project/organization-policies.tf b/modules/project/organization-policies.tf
index 358e54f8c..244b8021c 100644
--- a/modules/project/organization-policies.tf
+++ b/modules/project/organization-policies.tf
@@ -193,4 +193,6 @@ resource "google_org_policy_policy" "default" {
 }
 }
 }
+
+ depends_on = [google_project_service.org_policy_service]
 }
diff --git a/tests/fast/stages/s0_org_setup/hardened.yaml b/tests/fast/stages/s0_org_setup/hardened.yaml
index 4828ab665..e41886c85 100644
--- a/tests/fast/stages/s0_org_setup/hardened.yaml
+++ b/tests/fast/stages/s0_org_setup/hardened.yaml
@@ -2096,12 +2096,6 @@ values:
 project: ft0-prod-iac-core-0
 service: networksecurity.googleapis.com
 timeouts: null
- module.factory.module.projects["iac-0"].google_project_service.project_services["orgpolicy.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: ft0-prod-iac-core-0
- service: orgpolicy.googleapis.com
- timeouts: null
 module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]:
 disable_dependent_services: false
 disable_on_destroy: false
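Review bot: The new `google_project_service.org_policy_service` resource has no comment saying why it lives outside `project_services`, and the reason is non-obvious from the resource alone: the context line `depends_on = [google_org_policy_policy.default]` shows `project_services` waits for the org policies, while the policies now wait for this resource, so keeping the orgpolicy API inside `project_services` would be a dependency cycle. Add a header comment such as `# enabled separately from project_services: the org policies need this API, and project_services in turn waits for the policies`. One lifecycle consequence is worth a sentence in that comment as well: with `disable_on_destroy = true`, removing `orgpolicy.googleapis.com` from `services` while policies are still declared plans only this instance's destruction (count goes to 0), which would presumably disable the API underneath live `google_org_policy_policy` resources rather than remove them first. The `project_services` resource this hunk closes begins outside it.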
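Review bot: `depends_on = [google_project_service.org_policy_service]` is silently an empty dependency when `local.enable_orgpolicy_service` is false (count 0), so a project that declares org policies without listing `orgpolicy.googleapis.com` in `services` gets none of the ordering this commit adds and presumably hits the same apply-time API error as before. If the module's required Terraform version allows it, a plan-time check on this resource would surface the misconfiguration with a clear message instead: `lifecycle { precondition { condition = local.enable_orgpolicy_service, error_message = "orgpolicy.googleapis.com must be listed in services to apply org policies" } }`. Using the whole resource rather than `[0]` in `depends_on` is correct given the count, and should stay that way. The `google_org_policy_policy.default` resource this hunk closes begins outside it.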
@@ -2120,6 +2114,12 @@ values:
 project: ft0-prod-iac-core-0
 service: servicenetworking.googleapis.com
 timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.org_policy_service[0]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: orgpolicy.googleapis.com
+ timeouts: null
 module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]:
 disable_dependent_services: false
 disable_on_destroy: false
diff --git a/tests/fast/stages/s0_org_setup/simple.yaml b/tests/fast/stages/s0_org_setup/simple.yaml
index 909e5c34b..c1a6c1a7b 100644
--- a/tests/fast/stages/s0_org_setup/simple.yaml
+++ b/tests/fast/stages/s0_org_setup/simple.yaml
@@ -1325,12 +1325,6 @@ values:
 project: ft0-prod-iac-core-0
 service: networksecurity.googleapis.com
 timeouts: null
- module.factory.module.projects["iac-0"].google_project_service.project_services["orgpolicy.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: ft0-prod-iac-core-0
- service: orgpolicy.googleapis.com
- timeouts: null
 module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]:
 disable_dependent_services: false
 disable_on_destroy: false
@@ -1343,6 +1337,12 @@ values:
 project: ft0-prod-iac-core-0
 service: servicenetworking.googleapis.com
 timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.org_policy_service[0]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: orgpolicy.googleapis.com
+ timeouts: null
 module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]:
 disable_dependent_services: false
 disable_on_destroy: false
diff --git a/tests/modules/organization/test_plan_org_policies_modules.py b/tests/modules/organization/test_plan_org_policies_modules.py
index 708c0ce03..0ceaa635b 100644
--- a/tests/modules/organization/test_plan_org_policies_modules.py
+++ b/tests/modules/organization/test_plan_org_policies_modules.py
@@ -39,6 +39,9 @@ def test_policy_implementation():
 '- parent = "projects/${local.project.project_id}"\n',
 '+ name = "${local.folder_id}/policies/${each.value}"\n',
 '+ parent = local.folder_id\n',
+ '@@ -196,2 +195,0 @@\n',
+ '-\n',
+ '- depends_on = [google_project_service.org_policy_service]\n',
 ]
 
 diff2 = difflib.unified_diff(lines['folder'], lines['organization'], 'folder',
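Review bot: The three added expected lines pin an exact hunk header, `'@@ -196,2 +195,0 @@\n'`, so any unrelated line inserted above the `depends_on` in `modules/project/organization-policies.tf` will shift the numbers and fail this test with a message that says nothing about org policies; a comment on why these lines are expected would save the next maintainer a diff session, e.g. `# the project module enables the orgpolicy API itself, so its policy resource carries a depends_on that the folder variant lacks` (which module is on each side is inferred from the surrounding `parent = ...` lines, so confirm the wording). Hard-coding hunk headers is pre-existing in this list, so this is a style note rather than a defect introduced here. `test_policy_implementation` begins outside the hunk.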