diff --git a/.changelog/12411.txt b/.changelog/12411.txt new file mode 100644 index 0000000000..de5781d4c7 --- /dev/null +++ b/.changelog/12411.txt @@ -0,0 +1,3 @@ +```release-note:bug +provider: fixed issue where `GOOGLE_CLOUD_QUOTA_PROJECT` env var would override explicit billing_project +``` \ No newline at end of file diff --git a/google-beta/transport/config.go b/google-beta/transport/config.go index 1fafea4a36..b88e939d58 100644 --- a/google-beta/transport/config.go +++ b/google-beta/transport/config.go @@ -1547,11 +1547,20 @@ func (c *Config) LoadAndValidate(ctx context.Context) error { } c.TokenSource = tokenSource - cleanCtx := context.WithValue(ctx, oauth2.HTTPClient, cleanhttp.DefaultClient()) + clientOptions := []option.ClientOption{option.WithTokenSource(tokenSource)} + + // The client libraries allow setting the GOOGLE_CLOUD_QUOTA_PROJECT environment variable + // directly, which unintentionally takes precedence over provider settings. Ensure that + // provider settings take precedence by applying to the client library's client directly + // b/360405077#comment8 - go/tpg-issue/17882 + if c.UserProjectOverride && c.BillingProject != "" { + quotaProject := c.BillingProject + clientOptions = append(clientOptions, option.WithQuotaProject(quotaProject)) + } // 1. MTLS TRANSPORT/CLIENT - sets up proper auth headers - client, _, err := transport.NewHTTPClient(cleanCtx, option.WithTokenSource(tokenSource)) + client, _, err := transport.NewHTTPClient(cleanCtx, clientOptions...) if err != nil { return err } @@ -1580,6 +1589,10 @@ func (c *Config) LoadAndValidate(ctx context.Context) error { // Ensure $userProject is set for all HTTP requests using the client if specified by the provider config // See https://cloud.google.com/apis/docs/system-parameters + // option.WithQuotaProject automatically sets the quota project in the client. + // However, this setting won't appear in our request logs since our logging + // transport sits above the Google client's internal transport. To ensure + // visibility in debug logging, we explicitly set the quota project here as well. if c.UserProjectOverride && c.BillingProject != "" { headerTransport.Set("X-Goog-User-Project", c.BillingProject) } diff --git a/website/docs/guides/provider_reference.html.markdown b/website/docs/guides/provider_reference.html.markdown index ca628a5d9b..b2e6fbc392 100644 --- a/website/docs/guides/provider_reference.html.markdown +++ b/website/docs/guides/provider_reference.html.markdown @@ -67,11 +67,15 @@ If you are using Terraform on your workstation we recommend that you install as a primary authentication method. You can enable ADCs by running the command `gcloud auth application-default login`. + ### Running Terraform on Google Cloud