How do I delete and replace the default GCP VPC with Terraform?

Google recommends deleting and creating your own VPC for prod.

This resource manages the default VPC:

But I want to set a different VPC to be the default and delete the auto created one.

How is this possible?

The default network does not have any specific configuration that makes it be the default network. It is just the one network that is always created together with a new project, and whenever a network is not specified (for instance, when deploying a GAE flex application), the network used will be the one with the name default. When you create a project with Terraform, you can specify auto_network_creation = "false".

However, this will not prevent the creation of the default network, it will just delete it before the project is fully created. This means that, during the Terraform creation, it is not possible to create another network called default. That must be done after the original default network is created, hence, after the project creation.

You can try creating projects with Terraform using this tutorial. The next snippet is part of the tutorial, in which I included the line to delete the default network on project creation.

variable "project_name" {}
variable "billing_account" {}
variable "org_id" {}
variable "region" {}

provider "google" {
  region = "${var.region}"
}

// Random suffix, prefixed with the project name
resource "random_id" "id" {
  byte_length = 4
  prefix      = "${var.project_name}-"
}

resource "google_project" "project" {
  name            = "${var.project_name}"
  project_id      = "${}" // the interpolation target is missing from the post
  billing_account = "${var.billing_account}"
  org_id          = "${var.org_id}"
  auto_create_network = "false" //This is supposed to delete default network on project creation
}

resource "google_project_services" "project" {
  project = "${google_project.project.project_id}"
  services = [
    // the list of services is not shown in the post
  ]
}

output "project_id" {
  value = "${google_project.project.project_id}"
}

Nonetheless, I have tried it myself and the default network was still there.

You can avoid/skip the default network creation by setting an Organization Policy Constraint.

gcloud resource-manager org-policies enable-enforce \
   constraints/compute.skipDefaultNetworkCreation \
   --organization ORGANIZATION_ID

More details in Organization Policy Constraints and Using boolean constraints in organization policy.
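The same constraint can be kept in Terraform alongside the project and its replacement network. This is an added example, not code from the original answers; the resource labels, variable names, network and subnet names, and the CIDR range are assumptions.

```hcl
# Added example: names, labels and the CIDR range below are assumptions.
variable "org_id" {}
variable "billing_account" {}
variable "project_id" {}
variable "region" {}

# Organization-level boolean constraint: projects created while it is
# enforced do not get the "default" network at all.
resource "google_organization_policy" "skip_default_network" {
  org_id     = var.org_id
  constraint = "compute.skipDefaultNetworkCreation"

  boolean_policy {
    enforced = true
  }
}

resource "google_project" "project" {
  name                = var.project_id
  project_id          = var.project_id
  org_id              = var.org_id
  billing_account     = var.billing_account
  auto_create_network = false # nothing to delete once the constraint is enforced

  # Create the project only after the constraint is in force.
  depends_on = [google_organization_policy.skip_default_network]
}

# The Compute Engine API must be enabled before networks can be created.
resource "google_project_service" "compute" {
  project = google_project.project.project_id
  service = "compute.googleapis.com"
}

# Custom-mode network: no subnets exist unless declared explicitly.
resource "google_compute_network" "vpc" {
  project                 = google_project.project.project_id
  name                    = "prod-vpc"
  auto_create_subnetworks = false
  depends_on              = [google_project_service.compute]
}

resource "google_compute_subnetwork" "subnet" {
  project       = google_project.project.project_id
  name          = "prod-subnet"
  region        = var.region
  network       = google_compute_network.vpc.self_link
  ip_cidr_range = "10.10.0.0/24"
}
```

Resources that fall back to the network named default when none is specified will fail in such a project, so each one needs its network and subnetwork set explicitly.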

Since in Terraform you describe the desired state of your configuration, it is not possible to implicitly send a "destroy request" to a resource that is not managed by Terraform.

However, you could try importing it first; then it will be managed by Terraform, and as you do not include it in your *.tf files, the default subnet should be deleted during the terraform apply step.

Setting the property auto_create_network = "false" and mentioning a billing account ID while creating a GCP project, as in the code snippet below, ensures that the default network gets deleted.

resource "google_project" "project" {
    name                = "test"
    project_id          = "test-523"
    billing_account     = "xxxxx"
    auto_create_network = "false"
}

  • Terraform can't handle deletions of the default VPC and can only manage the existing default VPC by using that resource. You'll need to use the AWS CLI or otherwise to delete the default VPC instead.
  • GCP, I'm talking about GCP.
  • I don't believe this is possible with Terraform.
  • You cannot delete the default VPC; you can only create a new one and replace it.
  • Yes, I know, I'm asking specifically about how to do this with Terraform.
  • The default network is used if you do not explicitly specify a network. How do I set a new network as the default?
  • As mentioned above, the network under the name default will be used as such. That is, if you delete the original default network and create your own, if you give it the name default, it will be the one used whenever no network is specified.