add support for user project overrides

[danawillow]

This adds support for the userProject/X-Goog-User-Project system parameter mentioned in https://cloud.google.com/apis/docs/system-parameters. This allows users to opt-in to using resource projects for quota/billing/api checks instead of the project their credentials come from.

Doing this just in transport.go by parsing the project from the URL was an option, but since both projects and urls can contain colons (i.e. project id google.com:my-project and url https://googleapis.com/stuff/projects/my-project:setIamPolicy), I opted to pass the project through everywhere to make sure we didn't introduce bugs with parsing project names.

This change makes it easier for customers who wish to use their gcloud credentials with TF (which they might do for development for ease of IAM), since some APIs are not enabled on the gcloud project.

Also see hashicorp/terraform-provider-google#1538 for user confusion around this (it's old, but still relevant).

Also looking for feedback on the field name. I'm not a huge fan of user_project_override, but I don't have anything better at the moment.

Release Note for Downstream PRs (will be copied)

provider: Adds new provider-level field `user_project_override`, which allows billing, quota checks, and service enablement checks to occur against the project a resource is in instead of the project the credentials are from.

[modular-magician]

Hi! I'm the modular magician, I work on Magic Modules.
This PR seems not to have generated downstream PRs before, as of a2c5b35.

Pull request statuses

No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I built this PR into one or more new PRs on other repositories, and when those are closed, this PR will also be merged and closed.
depends: hashicorp/terraform-provider-google-beta#1010
depends: GoogleCloudPlatform/terraform-google-conversion#148
depends: hashicorp/terraform-provider-google#4202

[modular-magician]

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 4af090a.

Pull request statuses

terraform-provider-google-beta already has an open PR.
terraform-google-conversion already has an open PR.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

[rileykarson]

Code is 👍, there's a few test cases we could add though:

• A test of the "default" case where a user enables this behaviour with a resource inferring the project from their provider while using a service account

• A test where the resource is using an explicit project that's different than the provider / SA project. (General working-ness is sufficient, being able to show we're using the appropriate header would be even better)

• A test where we enable a config that couldn't have otherwise have worked. We talked about this offline briefly- I think if we make a project w/ minimal services enabled and use a service account from that project instead of our normal SA, we can test this behaviour.

[modular-magician]

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, c70be8e.

Pull request statuses

terraform-provider-google-beta already has an open PR.
terraform-google-conversion already has an open PR.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

[modular-magician]

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 0e90bd3.

Pull request statuses

terraform-provider-google-beta already has an open PR.
terraform-google-conversion already has an open PR.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

[modular-magician]

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 26282e4.

Pull request statuses

terraform-provider-google-beta already has an open PR.
terraform-google-conversion already has an open PR.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

[modular-magician]

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, ae73463.

Pull request statuses

terraform-provider-google-beta already has an open PR.
terraform-google-conversion already has an open PR.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

[danawillow]

I added just the one test, which is pretty comprehensive.