Update docs for using `google_project_service` to cover case where service account lacks permissions

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to a user, that user is claiming responsibility for the issue.
Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

There's a guide here about use of google_project_service : https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/google_project_service

One of the problems with enabling the service usage API in projects by default (https://github.com/hashicorp/terraform-provider-google/issues/14174) is that users need to set user_project_override correctly. This avoids a situation where a project resource can become tainted by the API call to activate the service usage API failing due to lack of permissions.

One way to support that GH issue is to improve our existing guides and prevent users using it incorrectly.

The guide would need to cover concepts like:

"consumer projects"
"resource projects"
Where an API needs to be enabled relative to the service account used to authenticate Terraform
How user project overrides can impact the above, and how that intersects with consumer/resource projects
- X-Goog-User-Project header

New or Affected Resource(s)

google_project_service

Potential Terraform Configuration

N/A

References

b/343221059

hashicorp / terraform-provider-google