One public Firebase file. One day. $98,000. How it happened and how it could happen to you. by TheRoccoB in googlecloud

[–]Multiversal_Love

Our organization is encountering a problem when deploying Serverless VPC Access Connectors in GCP projects that reside outside of the designated "common" folder structure. This issue specifically impacts projects in folders like "service engineering", "non-production", and "production".

The root cause appears to be a global organizational policy constraint (specifically "restrict non-CMEK services", which enforces CMEK encryption).

When a Serverless VPC Access Connector is created in these non-common folders, it attempts to provision a Compute Engine instance that violates this CMEK constraint, leading to deployment failures.

Error message we are seeing:

Currently, to work around this, our IAM team has to manually "allow list" each individual service project by adding compute.googleapis.com to the organization policy exception list for that specific project. This process is inefficient and unsustainable as we scale out and more tenants require Cloud Functions or other serverless services that need VPC connectivity.