Even when Organization Policy creation fails, it is added to the state

[debakkerb]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

1.0.1

Affected Resource(s)

• google_organization_policy

Terraform Configuration Files

resource "google_organization_policy" "cloud_sql_restrict_public_ip" {
  org_id     = "" // Organization ID
  constraint = "constraints/restrictPublicIp"

  boolean_policy {
    enforced = true
  }
}

Debug Output

N/A

Expected Behavior

Terraform throws an error and, after correcting the Terraform config, the actual organization policy is created.

Actual Behavior

The above code is incorrect, as the constraint should be constraints/sql.restrictPublicIp and not constraints/restrictPublicIp. However, when you run this code, Terraform throws an error:

╷
│ Error: googleapi: Error 400: Request contains an invalid argument., badRequest
│ 
│   with google_organization_policy.cloud_sql_restrict_public_ip,
│   on org_policies.tf line 39, in resource "google_organization_policy" "cloud_sql_restrict_public_ip":
│   39: resource "google_organization_policy" "cloud_sql_restrict_public_ip" {
│ 
╵

When you correct the issue and run terraform apply again, it shows the following error:

╷
│ Error: Error when reading or editing Organization policy for organizations/71580642206: googleapi: Error 400: Request contains an invalid argument., badRequest
│ 
│   with google_organization_policy.cloud_sql_restrict_public_ip,
│   on org_policies.tf line 39, in resource "google_organization_policy" "cloud_sql_restrict_public_ip":
│   39: resource "google_organization_policy" "cloud_sql_restrict_public_ip" {
│ 
╵

If you look at the Terraform state, it contains a reference to the organization policy. However, given that the first apply fails, Terraform shouldn't add it to the state.

Steps to Reproduce

1. Create an organization policy with an incorrect configuration:

resource "google_organization_policy" "cloud_sql_restrict_public_ip" {
  org_id     = "" // Organization ID
  constraint = "constraints/restrictPublicIp"

  boolean_policy {
    enforced = true
  }
}

2. Run terraform apply
3. Fix the organization policy

resource "google_organization_policy" "cloud_sql_restrict_public_ip" {
  org_id     = "" // Organization ID
  constraint = "constraints/sql.restrictPublicIp"

  boolean_policy {
    enforced = true
  }
}

4. Run terraform apply

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.