Reputation: 603
I am using Terraform and am attempting to deploy a project into a folder which has a GCP organization policy applied to it where service accounts cannot be created within that folder/projects in that folder. I have code which will set that org policy to false as a project is being deployed. Additionally I have some service accounts being deployed within that same main.tf which will depend on the org policy being set to false.
I have attempted to use depends_on statements for service account modules to wait for the org policy to be set to false prior to provisioning the service accounts. I have also used a time_sleep resource block to allow for the project factory and org policy to provision/make changes prior to service accounts being provisioned. I can occasionally get the whole deployment to work whereas other times I come across issues where the apply step will fail due to the organizational policy.
If I check the project in GCP it shows that the org policy has been set to false which is what should happen. If I re-run the apply step in Terraform then everything will provision that was left over. Is there a better way to approach this issue? The fact that sometimes the provisioning works in one apply vs two applies is a bit odd and makes me believe there is some sort of state caching going on but that's just more of me guessing based on what I've seen.
Code is as follows below:
```hcl
module "project-factory" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 10.1"

  name                        = var.project_name
  random_project_id           = var.random_project_id
  org_id                      = var.org_id
  folder_id                   = var.folder_id
  billing_account             = var.billing_account_id
  create_project_sa           = false
  default_service_account     = var.default_service_account
  disable_dependent_services  = var.disable_dependent_services
  disable_services_on_destroy = var.disable_services_on_destroy
  labels                      = var.project_labels
}

# Override the folder-level constraint for this one project only.
module "remove_disable_sa_creation" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 3.0.2"

  constraint  = "constraints/iam.disableServiceAccountCreation"
  policy_type = "boolean"
  policy_for  = "project"
  project_id  = module.project-factory.project_id
  enforce     = false

  # depends_on must reference the whole module, not one of its attributes
  # (project_id above already creates the implicit dependency).
  depends_on = [module.project-factory]
}

# Needs the hashicorp/time provider.
resource "time_sleep" "wait_60_seconds" {
  depends_on      = [module.remove_disable_sa_creation]
  create_duration = "60s"
}

module "globus_service_account" {
  source = "../../../modules/service_account"

  project_id         = module.project-factory.project_id
  prefix             = var.globus_sa_prefix
  names              = var.globus_sa_names
  project_roles      = var.globus_sa_project_roles
  grant_billing_role = var.globus_grant_billing_role
  billing_account_id = var.billing_account_id
  grant_xpn_roles    = var.globus_grant_xpn_roles
  org_id             = var.org_id
  generate_keys      = var.globus_generate_keys
  display_name       = var.globus_sa_display_name
  description        = var.globus_sa_description

  depends_on = [time_sleep.wait_60_seconds]
}
```
Upvotes: 3
Views: 1092
Reputation: 603
Changing the sleep timer to 120 seconds was the main factor which helped solve this. What I did was create the project factory, have a depends on for the organization policy to wait on the project factory, have the timer wait on the organization policy, then have all other modules wait on the timer to finish.
Essentially the flow was project > organization policy > timer for 120s > all other modules provisioning after 120 seconds.
Upvotes: 2
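An added alternative to the fixed 60s/120s timer, not from the asker or the answerer: instead of guessing how long the policy override takes to propagate, poll the project's effective org policy and only release the service-account modules once the constraint is reported as not enforced. The script name, the `main` wrapper and the attempt/interval defaults are assumptions; it is meant to be called from a `null_resource` `local-exec` provisioner that the service-account modules `depends_on`, in place of the `time_sleep` resource.

```shell
#!/usr/bin/env bash
# wait_for_sa_policy.sh (hypothetical name): block until the effective policy on
# the new project no longer enforces constraints/iam.disableServiceAccountCreation.
set -u

# Prints the effective enforcement state of the constraint for project $1.
# Output is "true" while enforced; once the project-level override (enforce =
# false) has propagated, the effective policy carries no enforced field, so the
# output is empty. Assumes gcloud is already authenticated.
effective_enforced() {
  gcloud resource-manager org-policies describe \
    constraints/iam.disableServiceAccountCreation \
    --project="$1" --effective --format='value(booleanPolicy.enforced)'
}

# wait_until_not_enforced PROBE MAX_ATTEMPTS INTERVAL_SECONDS
# PROBE is a command that prints the enforcement state. Returns 0 as soon as it
# prints anything other than "true". A probe failure (project not visible yet,
# transient API error) counts as "still enforced". Returns 1 after MAX_ATTEMPTS.
wait_until_not_enforced() {
  local probe="$1" max="$2" interval="$3" attempt=1 state
  while [ "$attempt" -le "$max" ]; do
    state="$("$probe" 2>/dev/null)" || state="true"
    if [ "$state" != "true" ]; then
      echo "constraint no longer enforced after $attempt attempt(s)"
      return 0
    fi
    sleep "$interval"
    attempt=$((attempt + 1))
  done
  echo "constraint still enforced after $max attempts" >&2
  return 1
}

# main PROJECT_ID [MAX_ATTEMPTS] [INTERVAL_SECONDS]
main() {
  project_id="$1"
  probe() { effective_enforced "$project_id"; }
  # 24 attempts at 5s covers the 120s the accepted answer settled on.
  wait_until_not_enforced probe "${2:-24}" "${3:-5}"
}

# Run only when given a project id (e.g. from local-exec); sourcing does nothing.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Even when the effective policy reads as not enforced, IAM propagation can still lag by a few seconds, so keeping a short final delay after the poll succeeds is reasonable.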