Terraform not detecting the correct Project ID when modifying Org Policy

[jado06]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version

Terraform v1.8.2

Affected Resource(s)

google_org_policy_policy

Terraform Configuration

# Disable the Disable Service Account Key Creation policy for the project
resource "google_org_policy_policy" "disableServiceAccountKeyCreation" {
  name   = "projects/${var.project_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "projects/${var.project_id}"

  spec {
    inherit_from_parent = false
    rules {
      enforce = "FALSE"
      }
    }
}

Debug Output

Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. The orgpolicy.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/7640********",
│       "service": "orgpolicy.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]

Expected Behavior

Using Terraform in my local terminal, I'm trying to disable the Disable Service Account Key Creation policy for a specific project and stop it from inheriting the policy from the parent organization.

Actual Behavior

What I noticed from the error message is that the project number from projects/7640******** does not match my project number. I also noticed that it's pulling that number from the first portions of the client_id in the application_default_credentials.json file.

Steps to reproduce

1. gcloud auth login $USER
2. gcloud auth application-default login $USER
3. gcloud auth application-default set-quota-project $PROJECT
4. terraform init
5. terraform apply

Important Factoids

• The Org Policy API is already enabled on this project.
• The authenticated user does have the required Org Policy Admin role.

Did I stumble into a bug? Seems like someone from Google reported the same issue back in February but it was not fixed.

References

• Should check gcloud project Id when fetching ADCs golang/oauth2#702

[ggtisc]

Hi @jado06!

As I'm checking in this and the other references it is more troubleshooting than a bug issue. Your own code was replicated successfully without errors. I suggest you to check your permissions and environment variables as the other users commented and something that is more important is to read the error message that describes the next:

Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. **The orgpolicy.googleapis.com API requires a quota project, which is not set by default.** To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds

It basically says that you need to check the quota of this service in your account configurations, because it is a service which is not set by default, and finally it gives you a link to learn how to fix it.

[jado06]

I'm not sure how you were able to replicate my code without errors, however, that link you mentioned says to use:
gcloud auth application-default set-quota-project $PROJECT in order to fix the error, which as you can see from Step 3, in my reproduction steps, is already done.

Another thing to mention is that the error message clearly shows orgpolicy.googleapis.com being detected as SERVICE_DISABLED (with a project number? that is not mine). This is despite:

1. The quota being already set using the above gcloud command
2. the API being already enabled on my project.

---

After doing some research on the credentials files for ADC, I noticed that the incorrect project number from the error "consumer": "projects/7640********" was actually a number in my ADC credentials file:

{
  "account": "name@domain.com",
  "client_id": "7640********-******************************.apps.googleusercontent.com",
  "client_secret": "******************************",
  "quota_project_id": "jad-*******",
  "refresh_token": "******************************",
  "type": "authorized_user",
  "universe_domain": "googleapis.com"
}

I'm not certain on how Terraform does this behind the scenes, but my theory is that it is potentially pulling the project ID from the wrong line, which is why we're seeing the number from the client_id being pulled, instead of the project ID from quota_project_id.

[ggtisc]

Yes, in some point of your terraform config you have something related to the authentication that is causing issues, because with the most basic code after a terraform apply everything were created successfully without errors. I suggest you to check your project config, because is a common case that devs configure many auth mechanisms and then it creates these conflicts. So ensure you have only one project associated with this resource(google_org_policy_policy). You could create a separate project where you only have the google_org_policy_policy with only 1 auth mechanism to identify what is causing this issue.

This is the terraform code used to replicate this scenario:

resource "google_org_policy_policy" "org_policy_policy_17998" {
  name   = "projects/**my-project**/policies/iam.disableServiceAccountKeyCreation"
  parent = "projects/**my-project**"

  spec {
    inherit_from_parent = false
    rules {
      enforce = "FALSE"
      }
    }
}

[jado06]

Thanks, I'll try to replicate again sometime in the next week and get back to you with the results.

[zebo3k]

Did this work? i have the same issue