Update provider reference docs on quota usage and always use billing_…

…project as quota project if appropriately specified (#12411) (#9012) [upstream:4103a8e7d7b0baa7923972348aeb9bfbbd0097a7] Signed-off-by: Modular Magician <[email protected]>
hashicorp · Jan 7, 2025 · 4dba306 · 4dba306
1 parent 4249ec0
commit 4dba306
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/.changelog/12411.txt b/.changelog/12411.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+provider: fixed issue where `GOOGLE_CLOUD_QUOTA_PROJECT` env var would override explicit billing_project
+```
diff --git a/google-beta/transport/config.go b/google-beta/transport/config.go
@@ -1547,11 +1547,20 @@ func (c *Config) LoadAndValidate(ctx context.Context) error {
 	}
 
 	c.TokenSource = tokenSource
-
 	cleanCtx := context.WithValue(ctx, oauth2.HTTPClient, cleanhttp.DefaultClient())
+	clientOptions := []option.ClientOption{option.WithTokenSource(tokenSource)}
+
+	// The client libraries allow setting the GOOGLE_CLOUD_QUOTA_PROJECT environment variable
+	// directly, which unintentionally takes precedence over provider settings. Ensure that
+	// provider settings take precedence by applying to the client library's client directly
+	// b/360405077#comment8 - go/tpg-issue/17882
+	if c.UserProjectOverride && c.BillingProject != "" {
+		quotaProject := c.BillingProject
+		clientOptions = append(clientOptions, option.WithQuotaProject(quotaProject))
+	}
 
 	// 1. MTLS TRANSPORT/CLIENT - sets up proper auth headers
-	client, _, err := transport.NewHTTPClient(cleanCtx, option.WithTokenSource(tokenSource))
+	client, _, err := transport.NewHTTPClient(cleanCtx, clientOptions...)
 	if err != nil {
 		return err
 	}
@@ -1580,6 +1589,10 @@ func (c *Config) LoadAndValidate(ctx context.Context) error {
 
 	// Ensure $userProject is set for all HTTP requests using the client if specified by the provider config
 	// See https://cloud.google.com/apis/docs/system-parameters
+	// option.WithQuotaProject automatically sets the quota project in the client.
+	// However, this setting won't appear in our request logs since our logging
+	// transport sits above the Google client's internal transport. To ensure
+	// visibility in debug logging, we explicitly set the quota project here as well.
 	if c.UserProjectOverride && c.BillingProject != "" {
 		headerTransport.Set("X-Goog-User-Project", c.BillingProject)
 	}

diff --git a/website/docs/guides/provider_reference.html.markdown b/website/docs/guides/provider_reference.html.markdown
@@ -67,11 +67,15 @@ If you are using Terraform on your workstation we recommend that you install
 as a primary authentication method. You can enable ADCs by running the command
 `gcloud auth application-default login`.
 
+<!-- 
+TODO: quota project is not currently read from ADC file b/360405077#comment8
+
 Google Cloud reads the quota project for requests will be read automatically
 from the `core/project` value. You can override this project by specifying the
 `--project` flag when running `gcloud auth application-default login`. `gcloud`
 should return this message if you have set the correct billing project:
-`Quota project "your-project" was added to ADC which can be used by Google client libraries for billing and quota.`
+`Quota project "your-project" was added to ADC which can be used by Google client libraries for billing and quota.` 
+-->
 
 ### Running Terraform on Google Cloud