feat: support user_project_override in spanner iam resources

Author: timothyklee

mmv1/third_party/terraform/services/spanner/iam_spanner_database.go

@@ -65,13 +65,21 @@ func (u *SpannerDatabaseIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 		return nil, err
 	}
 
-	p, err := u.Config.NewSpannerClient(userAgent).Projects.Instances.Databases.GetIamPolicy(SpannerDatabaseId{
+	call := u.Config.NewSpannerClient(userAgent).Projects.Instances.Databases.GetIamPolicy(SpannerDatabaseId{
 		Project:  u.project,
 		Database: u.database,
 		Instance: u.instance,
 	}.databaseUri(), &spanner.GetIamPolicyRequest{
 		Options: &spanner.GetPolicyOptions{RequestedPolicyVersion: tpgiamresource.IamPolicyVersion},
-	}).Do()
+	})
+	if u.Config.UserProjectOverride {
+		billingProject := u.project
+		if u.Config.BillingProject != "" {
+			billingProject = u.Config.BillingProject
+		}
+		call.Header().Set("X-Goog-User-Project", billingProject)
+	}
+	p, err := call.Do()
 
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)
@@ -102,13 +110,21 @@ func (u *SpannerDatabaseIamUpdater) SetResourceIamPolicy(policy *cloudresourcema
 		return err
 	}
 
-	_, err = u.Config.NewSpannerClient(userAgent).Projects.Instances.Databases.SetIamPolicy(SpannerDatabaseId{
+	call := u.Config.NewSpannerClient(userAgent).Projects.Instances.Databases.SetIamPolicy(SpannerDatabaseId{
 		Project:  u.project,
 		Database: u.database,
 		Instance: u.instance,
 	}.databaseUri(), &spanner.SetIamPolicyRequest{
 		Policy: spannerPolicy,
-	}).Do()
+	})
+	if u.Config.UserProjectOverride {
+		billingProject := u.project
+		if u.Config.BillingProject != "" {
+			billingProject = u.Config.BillingProject
+		}
+		call.Header("X-Goog-User-Project", billingProject)
+	}
+	_, err = call.Do()
 
 	if err != nil {
 		return errwrap.Wrapf(fmt.Sprintf("Error setting IAM policy for %s: {{err}}", u.DescribeResource()), err)

mmv1/third_party/terraform/services/spanner/iam_spanner_instance.go

@@ -75,12 +75,20 @@ func (u *SpannerInstanceIamUpdater) GetResourceIamPolicy() (*cloudresourcemanage
 		return nil, err
 	}
 
-	p, err := u.Config.NewSpannerClient(userAgent).Projects.Instances.GetIamPolicy(SpannerInstanceId{
+	call := u.Config.NewSpannerClient(userAgent).Projects.Instances.GetIamPolicy(SpannerInstanceId{
 		Project:  u.project,
 		Instance: u.instance,
 	}.instanceUri(), &spanner.GetIamPolicyRequest{
 		Options: &spanner.GetPolicyOptions{RequestedPolicyVersion: tpgiamresource.IamPolicyVersion},
-	}).Do()
+	})
+	if u.Config.UserProjectOverride {
+		billingProject := u.project
+		if u.Config.BillingProject != "" {
+			billingProject = u.Config.BillingProject
+		}
+		call.Header().Set("X-Goog-User-Project", billingProject)
+	}
+	p, err := call.Do()
 
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("Error retrieving IAM policy for %s: {{err}}", u.DescribeResource()), err)
@@ -111,12 +119,20 @@ func (u *SpannerInstanceIamUpdater) SetResourceIamPolicy(policy *cloudresourcema
 		return err
 	}
 
-	_, err = u.Config.NewSpannerClient(userAgent).Projects.Instances.SetIamPolicy(SpannerInstanceId{
+	call := u.Config.NewSpannerClient(userAgent).Projects.Instances.SetIamPolicy(SpannerInstanceId{
 		Project:  u.project,
 		Instance: u.instance,
 	}.instanceUri(), &spanner.SetIamPolicyRequest{
 		Policy: spannerPolicy,
-	}).Do()
+	})
+	if u.Config.UserProjectOverride {
+		billingProject := u.project
+		if u.Config.BillingProject != "" {
+			billingProject = u.Config.BillingProject
+		}
+		call.Header("X-Goog-User-Project", billingProject)
+	}
+	_, err = call.Do()
 
 	if err != nil {
 		return errwrap.Wrapf(fmt.Sprintf("Error setting IAM policy for %s: {{err}}", u.DescribeResource()), err)

mmv1/third_party/terraform/website/docs/r/spanner_database_iam.html.markdown

@@ -49,7 +49,7 @@ data "google_iam_policy" "admin" {
     members = [
       "user:jane@example.com",
     ]
-    
+
     condition {
       title       = "My Role"
       description = "Grant permissions on my_role"
@@ -90,7 +90,7 @@ resource "google_spanner_database_iam_binding" "database" {
   members = [
     "user:jane@example.com",
   ]
-  
+
   condition {
     title       = "My Role"
     description = "Grant permissions on my_role"
@@ -118,7 +118,7 @@ resource "google_spanner_database_iam_member" "database" {
   database = "your-database-name"
   role     = "roles/compute.networkUser"
   member   = "user:jane@example.com"
-  
+
   condition {
     title       = "My Role"
     description = "Grant permissions on my_role"
@@ -250,4 +250,8 @@ The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/c
 
 ```
 $ terraform import google_spanner_database_iam_policy.default {{project}}/{{instance}}/{{database}}
-```
+```
+
+## User Project Overrides
+
+This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).

mmv1/third_party/terraform/website/docs/r/spanner_instance_iam.html.markdown

@@ -162,4 +162,8 @@ The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/c
 
 ```
 $ terraform import google_spanner_instance_iam_policy.default {{project}}/{{instance}}
-```
+```
+
+## User Project Overrides
+
+This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).