google_firebase_project should mention the need for user_project_override provider flag

[serpro69]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

Tried using firebase_project resource and was facing the below error:

module.project.google_firebase_project.main: Creating...
╷
│ Error: Error checking if Firebase is already enabled: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. The firebase.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/32555940559",
│       "service": "firebase.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]

Even though I've had quota project set for ADC, it still didn't work and threw the same error.

Then while browsing through issues in the repo, I've stumbled upon #17713 that had some code examples, and I saw they they were setting user_project_override for the provider that was managing firebase resources.
After trying the same in my code - it finally worked.

While the docs do say:

This resource supports User Project Overrides.

I think it would be beneficial to include that this actually must be set to true for this resource.

New or Affected Resource(s)

• google_firebase_project

Potential Terraform Configuration

No response

References

No response

b/351843115

[rainshen49]

Hey @serpro69, just to gather a bit more information, which environment are you running Terraform from? Is it from your local machine or a Cloud environment? If from local machine, are you using terraform directly, or via some wrapper cli? If it's a Cloud environment, is it from the Cloud Shell or somewhere else?

[serpro69]

Hi @rainshen49 ,
I'm running terrafrom from local machine.
I have a makefile that runs terraform commands, but it doesn't do anything special really: https://github.com/serpro69/terraform-makefile/blob/d3ed3acbd8e1932464031babfba581e8ff0ea70d/Makefile#L179

I tried now to run with just terraform executable directly and it produces the same results - if I don't set user_project_override for the google_firebase_project resource - I get an error.

I'm authenticating via ADC from local machine, and I have a quota project set via gcloud auth application-default set-quota-project.
The quota project for ADC is NOT the same as firebase project. But I suppose that doesn't matter (?), since otherwise, how would you create an entirely new project from terraform. But I also tried to set quota project to the firebase project after the failure and then re-run apply, and that failed also with the same error.

[rainshen49]

@melinath the documentation template hard-codes "This resource supports User Project Overrides". Should we add a variant like "This resource requires User Project Overrides"?

[melinath]

Supporting a variant would require adding a way to configure a variant and modifying the template to support it - I'd be a little hesitant to do that now because it wouldn't be a simple change (and we're in the middle of switching the core generation logic to use Go instead of ruby). Also, I don't know how many resources would benefit from it. Alternatives would be:

• Switch the docs to a handwritten file so that you can alter that text.
• Update examples to include setting user_project_override = true
• add a resource-level warning about the requirement

[serpro69]

Just a humble opinion from my side - updating examples is usually a good approach (and should be done anyways because otherwise the examples aren't actually working, right?). Many people also tend to look at example code more often than read full documentation.

On a side note, I think this applies to more than just the resource mentioned in this issue. I think I've encountered at least a few more resources where user_project_override = true was a must (and I'd guess there's likely more), but the example code didn't contain that, and the docs only mentioned "the resource supports user project override"; basically same as the original issue.
So maybe updating the provider documentation would also help? E.g., a note that describes in which cases should user_project_override be set to true.
For example, in the firebase terraform documentation, it says that user_project_override = true can be used for pretty much everything (maybe related to that tutorial only though?) except for initial project creation and enabling services. Not sure if that's actually the case for things beyond firebase, for example, and how up to date that example code is (the provider version is ~> 4.0 , so maybe not very up-to-date?), but I think it kind of highlights the problem I'm trying to describe here - lack of documentation on when this provider parameter is needed or not.
It's probably not a big issue for a person who's worked with terraform google provider for awhile, but for a newcomer, this info is quite hard to put together and make sense of I'd say (from personal experience)

[rainshen49]

@serpro69 The example in the Firebase terraform documentation has two flavors of the google-beta provider, one with user_project_override = true and the other without, and your instinct is right: Firebase recommends user_project_override = true other than google_project. However, that's only a recommendation because there are advanced use cases that call for a different quota/billing project. You can read more about it in the collapsible here

The examples in Terraform registry are resource-scoped. So it doesn't contain the provider "google-beta" {} config. Once the provider is configured with user_project_override = true, no change in the resource block itself is needed. However, if someone just copy-pasted the example without additional provider config, it won't work. I've added a resource-level note per @melinath 's recommendation.

[serpro69]

Once the provider is configured with user_project_override = true, no change in the resource block itself is needed.

Yes, that's exactly what I'm doing now, after having figured out how this works.

However, if someone just copy-pasted the example without additional provider config, it won't work. I've added a resource-level note per @melinath 's recommendation.

This is how my first attempt at using this resource was - just copy-pasting the example in hopes it would work 😁 which led to me opening this issue so that the docs can be improved, hopefully being more helpful for someone who comes to use this resource for the first time and will struggle like me :) Thanks a lot for taking the time to improve this!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.