Send billing_project for every request when set #3539

Merged
3 changes: 3 additions & 0 deletions .changelog/5086.txt
@@ -0,0 +1,3 @@
```release-note:enhancement
provider: added support for `billing_project` across all resources. If `user_project_override` is set to `true` and a `billing_project` is set, the `X-Goog-User-Project` header will be sent for all resources.
```
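Review bot: The entry's "across all resources" wording understates a behaviour change for configurations that already set both `user_project_override = true` and `billing_project`. The documentation text removed in this PR said that only resources supporting user project overrides used the billing project, whereas now every request carries `X-Goog-User-Project`. Suggest stating that explicitly in the release note and mentioning that the caller needs `serviceusage.services.use` on the billing project, so operators can check IAM before upgrading.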
7 changes: 7 additions & 0 deletions google-beta/config.go
Expand Up @@ -397,6 +397,7 @@ func (c *Config) LoadAndValidate(ctx context.Context) error {
if err != nil {
return err
}

// Userinfo is fetched before request logging is enabled to reduce additional noise.
err = c.logGoogleIdentities()
if err != nil {
Expand All @@ -419,6 +420,12 @@ func (c *Config) LoadAndValidate(ctx context.Context) error {
headerTransport.Set("X-Goog-Request-Reason", c.RequestReason)
}

// Ensure $userProject is set for all HTTP requests using the client if specified by the provider config
// See https://cloud.google.com/apis/docs/system-parameters
if c.UserProjectOverride && c.BillingProject != "" {
headerTransport.Set("X-Goog-User-Project", c.BillingProject)
}

// Set final transport value.
client.Transport = headerTransport

Expand Down
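Review bot: In the new `if c.UserProjectOverride && c.BillingProject != ""` block, a configured `billing_project` is dropped silently when `user_project_override` is false, and `user_project_override = true` with an empty `billing_project` also sets nothing at the transport level. The docs in this PR describe both cases, so a debug log line for the skipped path would make a misconfigured quota project visible instead of leaving requests attributed to a project the operator did not intend. The hunk also does not show what happens when a resource sets its own `X-Goog-User-Project` on a request; the docs promise that `billing_project` supersedes the resource project, so a test asserting the header value on an outgoing request for such a resource would pin that precedence down.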
2 changes: 1 addition & 1 deletion google-beta/resource_gke_hub_feature_membership_test.go
Expand Up @@ -5,7 +5,7 @@ import (
"fmt"
"testing"

dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
"github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
gkehub "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/gkehub/beta"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
Expand Down
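Review bot: The `dcl` import line changes only whether the import is aliased, which is unrelated to sending `billing_project`. The import path already ends in `dcl`, so both forms should resolve to the same identifier; if this is generator or formatter output, putting it in a separate commit would keep the header change easier to audit.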
70 changes: 39 additions & 31 deletions website/docs/guides/provider_reference.html.markdown
Expand Up @@ -121,15 +121,18 @@ authenticate HTTP requests to GCP APIs. This is an alternative to `credentials`,
and ignores the `scopes` field. If both are specified, `access_token` will be
used over the `credentials` field.

* `user_project_override` - (Optional) Defaults to false. If true, uses the
resource project for preconditions, quota, and billing, instead of the project
the credentials belong to. Not all resources support this- see the
documentation for each resource to learn whether it does.

* `billing_project` - (Optional) This fields specifies a project that's used for
preconditions, quota, and billing for requests. All resources that support user project
overrides will use this project instead of the resource's project (if available). This
field is ignored if `user_project_override` is set to false or unset.
* `user_project_override` - (Optional) Defaults to `false`. Controls the quota
project used in requests to GCP APIs for the purpose of preconditions, quota,
and billing. If `false`, the quota project is determined by the API and may be
the project associated with your credentials, or the resource project. If `true`,
most resources in the provider will explicitly supply their resource project, as
described in their documentation. Otherwise, a `billing_project` value must be
supplied.

* `billing_project` - (Optional) A quota project to send in `user_project_override`,
used for all requests sent from the provider. If set on a resource that supports
sending the resource project, this value will supersede the resource project.
This field is ignored if `user_project_override` is set to false or unset.

* `{{service}}_custom_endpoint` - (Optional) The endpoint for a service's APIs,
such as `compute_custom_endpoint`. Defaults to the production GCP endpoint for
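Review bot: Two wording problems in the added bullets. In `user_project_override`, the sentence "Otherwise, a `billing_project` value must be supplied" directly follows the "If `true`" sentence, so "Otherwise" reads as "if `false`"; it should say that it applies to resources that do not supply their resource project. In `billing_project`, "A quota project to send in `user_project_override`" names the provider field rather than the `X-Goog-User-Project` header the value is actually sent in, and "If set on a resource" suggests a resource-level argument although the field is configured on the provider.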
Expand Down Expand Up @@ -212,13 +215,6 @@ following ordered by precedence.

---

* `billing_project` - (Optional) This fields allows Terraform to set X-Goog-User-Project
for APIs that require a billing project to be specified like Access Context Manager APIs if
User ADCs are being used. This can also be
specified using the `GOOGLE_BILLING_PROJECT` environment variable.

---

* `region` - (Optional) The default region to manage resources in. If another
region is specified on a regional resource, it will take precedence.
Alternatively, this can be specified using the `GOOGLE_REGION` environment
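Review bot: Removing this `billing_project` entry drops the only mention of the use case it described: APIs that require a billing project to be specified, such as the Access Context Manager APIs, when user ADCs are being used. The replacement entry later in this file does not carry that over; suggest keeping one sentence of it in the new entry so users who hit that case can still find the field.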
Expand Down Expand Up @@ -450,18 +446,30 @@ to create the resource. This may help in those cases.

---

* `user_project_override` - (Optional) Defaults to false. If true, uses the
resource project for preconditions, quota, and billing, instead of the project
the credentials belong to. Not all resources support this- see the
documentation for each resource to learn whether it does. Alternatively, this can
be specified using the `USER_PROJECT_OVERRIDE` environment variable.

When set to false, the project the credentials belong to will be billed for the
request, and quota / API enablement checks will be done against that project.
For service account credentials, this is the project the service account was
created in. For credentials that come from the gcloud tool, this is a project
owned by Google. In order to properly use credentials that come from gcloud
with Terraform, it is recommended to set this property to true.

When set to true, the caller must have `serviceusage.services.use` permission
on the resource project.
* `user_project_override` - (Optional) Defaults to `false`. Controls the quota
project used in requests to GCP APIs for the purpose of preconditions, quota,
and billing. If `false`, the quota project is determined by the API and may be
the project associated with your credentials, or the resource project. If `true`,
most resources in the provider will explicitly supply their resource project, as
described in their documentation. Otherwise, a `billing_project` value must be
supplied. Alternatively, this can be specified using the `USER_PROJECT_OVERRIDE`
environment variable.

Service account credentials are associated with the project the service account
was created in. Credentials that come from the gcloud tool are associated with a
project owned by Google. In order to properly use credentials that come from
gcloud with Terraform, it is recommended to set this property to true.

`user_project_override` uses the `X-Goog-User-Project`
[system parameter](https://cloud.google.com/apis/docs/system-parameters). When
set to true, the caller must have `serviceusage.services.use` permission on the
quota project.

---

* `billing_project` - (Optional) A quota project to send in `user_project_override`,
used for all requests sent from the provider. If set on a resource that supports
sending the resource project, this value will supersede the resource project.
This field is ignored if `user_project_override` is set to false or unset.
Alternatively, this can be specified using the `GOOGLE_BILLING_PROJECT`
environment variable.
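Review bot: The permission sentence under `user_project_override` says the caller needs `serviceusage.services.use` on "the quota project" but never states that the quota project is `billing_project` whenever one is set. Since that value supersedes the resource project, suggest adding to the `billing_project` bullet that the caller must hold the permission on that project. The rewrite also replaces the concrete description of the `false` case (which project is billed and checked for quota and API enablement) with "determined by the API"; keeping the concrete description would help operators reason about where charges and quota checks land.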