Add acceptance tests for provider configuration behaviour using user_project_override (#11686)

Author: SarahFrench

mmv1/third_party/terraform/acctest/bootstrap_test_utils.go renamed to mmv1/third_party/terraform/acctest/bootstrap_test_utils.go.tmpl

@@ -156,7 +156,7 @@ func getOrCreateServiceAccount(config *transport_tpg.Config, project, serviceAcc
 
 	sa, err := config.NewIamClient(config.UserAgent).Projects.ServiceAccounts.Get(name).Do()
 	if err != nil && !transport_tpg.IsGoogleApiErrorWithCode(err, 404) {
-		return nil, err
+		return nil, fmt.Errorf("encountered a non-404 error when looking for bootstrapped service account %s: %w", name, err)
 	}
 
 	if sa == nil {
@@ -171,7 +171,7 @@ func getOrCreateServiceAccount(config *transport_tpg.Config, project, serviceAcc
 		}
 		sa, err = config.NewIamClient(config.UserAgent).Projects.ServiceAccounts.Create("projects/"+project, r).Do()
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error when creating bootstrapped service account %s: %w", name, err)
 		}
 	}
 
@@ -1231,13 +1231,13 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 		Timeout: 5 * time.Minute,
 	})
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error creating 'project-1' with project id %s: %w", pid, err)
 	}
 
 	// Wait for the operation to complete
 	opAsMap, err := tpgresource.ConvertToMap(op)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error in ConvertToMap while creating 'project-1' with project id %s: %w", pid, err)
 	}
 
 	waitErr := resourcemanager.ResourceManagerOperationWaitTime(config, opAsMap, "creating project", config.UserAgent, 5*time.Minute)
@@ -1250,7 +1250,7 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 	}
 	_, err = config.NewBillingClient(config.UserAgent).Projects.UpdateBillingInfo(resourcemanager.PrefixedProject(pid), ba).Do()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error updating billing info for 'project-1' with project id %s: %w", pid, err)
 	}
 
 	p2 := fmt.Sprintf("%s-2", pid)
@@ -1265,7 +1265,7 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 		Timeout: 5 * time.Minute,
 	})
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error creating 'project-2' with project id %s: %w", p2, err)
 	}
 
 	// Wait for the operation to complete
@@ -1281,7 +1281,7 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 
 	_, err = config.NewBillingClient(config.UserAgent).Projects.UpdateBillingInfo(resourcemanager.PrefixedProject(p2), ba).Do()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error updating billing info for 'project-2' with project id %s: %w", p2, err)
 	}
 
 	// Enable the appropriate service in project-2 only
@@ -1293,14 +1293,14 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 
 	_, err = suService.Services.BatchEnable(fmt.Sprintf("projects/%s", p2), serviceReq).Do()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error batch enabling services in 'project-2' with project id %s: %w", p2, err)
 	}
 
 	// Enable the test runner to create service accounts and get an access token on behalf of
 	// the project 1 service account
 	curEmail, err := transport_tpg.GetCurrentUserEmail(config, config.UserAgent)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error getting current user email: %w", err)
 	}
 
 	proj1SATokenCreator := &cloudresourcemanager.Binding{
@@ -1322,7 +1322,7 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 			},
 		}).Do()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error getting IAM policy for 'project-1' with project id %s: %w", pid, err)
 	}
 
 	p.Bindings = tpgiamresource.MergeBindings(append(p.Bindings, bindings...))
@@ -1332,15 +1332,18 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 			UpdateMask: "bindings,etag,auditConfigs",
 		}).Do()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error setting IAM policy for 'project-1' with project id %s: %w", pid, err)
 	}
 
 	// Create a service account for project-1
 	serviceAccountEmail := serviceAccountPrefix + service
 	sa1, err := getOrCreateServiceAccount(config, pid, serviceAccountEmail)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error creating service account %s in 'project-1' with project id %s: %w", serviceAccountEmail, pid, err)
 	}
+	// Setting IAM policies sometimes fails due to the service account not being created yet
+	// Wait a minute to ensure we can use it.
+	time.Sleep(1 * time.Minute)
 
 	// Add permissions to service accounts
 
@@ -1368,14 +1371,29 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 		bindings = tpgiamresource.MergeBindings(append(bindings, proj2CryptoKeyBinding))
 	}
 
+
+{{ if ne $.TargetVersionName `ga` -}}
+	// For Firebase test only
+	if service == "firebase" {
+		// Additional permissions besides roles/serviceusage.serviceUsageConsumer and roles/firebase.admin are needed
+		// https://firebase.google.com/docs/reference/firebase-management/rest/v1beta1/projects/addFirebase
+		proj2ServiceUsageBinding := &cloudresourcemanager.Binding{
+			Members: []string{fmt.Sprintf("serviceAccount:%s", sa1.Email)},
+			Role:    "roles/serviceusage.serviceUsageAdmin",
+		}
+
+		bindings = tpgiamresource.MergeBindings(append(bindings, proj2ServiceUsageBinding))
+	}
+{{- end }}
+
 	p, err = rmService.Projects.GetIamPolicy(p2,
 		&cloudresourcemanager.GetIamPolicyRequest{
 			Options: &cloudresourcemanager.GetPolicyOptions{
 				RequestedPolicyVersion: tpgiamresource.IamPolicyVersion,
 			},
 		}).Do()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error getting IAM policy for 'project-2' with project id %s: %w", p2, err)
 	}
 
 	p.Bindings = tpgiamresource.MergeBindings(append(p.Bindings, bindings...))
@@ -1385,7 +1403,7 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 			UpdateMask: "bindings,etag,auditConfigs",
 		}).Do()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error setting IAM policy for 'project-2' with project id %s: %w", p2, err)
 	}
 
 	// The token creator IAM API call returns success long before the policy is
@@ -1399,7 +1417,7 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 	}
 	atResp, err := iamCredsService.Projects.ServiceAccounts.GenerateAccessToken(fmt.Sprintf("projects/-/serviceAccounts/%s", sa1.Email), tokenRequest).Do()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("error generating access token for service account %s: %w", sa1.Email, err)
 	}
 
 	accessToken := atResp.AccessToken