Fix org policy service to be enabled before organization policies applied (#3547)

* Fix org policy service to be enabled before organization policies applied

modules/project/main.tf

@@ -89,10 +89,20 @@ locals {
   )
   universe_prefix = var.universe == null ? "" : "${var.universe.prefix}:"
   # available services are those declared, minus any unsupported by universe
-  available_services = tolist(setsubtract(
+  _available_services = setsubtract(
     var.services,
     try(var.universe.unavailable_services, [])
+  )
+  available_services = tolist(setsubtract(
+    local._available_services,
+    ["orgpolicy.googleapis.com"]
   ))
+  enable_orgpolicy_service = contains(local._available_services, "orgpolicy.googleapis.com")
+}
+
+moved {
+  from = google_project_service.project_services["orgpolicy.googleapis.com"]
+  to   = google_project_service.org_policy_service[0]
 }
 
 data "google_project" "project" {
@@ -132,6 +142,14 @@ resource "google_project_service" "project_services" {
   depends_on                 = [google_org_policy_policy.default]
 }
 
+resource "google_project_service" "org_policy_service" {
+  count                      = local.enable_orgpolicy_service ? 1 : 0
+  project                    = local.project.project_id
+  service                    = "orgpolicy.googleapis.com"
+  disable_on_destroy         = var.service_config.disable_on_destroy
+  disable_dependent_services = var.service_config.disable_dependent_services
+}
+
 resource "google_compute_project_metadata_item" "default" {
   for_each = (
     contains(local.available_services, "compute.googleapis.com") ? var.compute_metadata : {}