fix(postgres/iam): explicitly set billing-project flag for projects subcommands

All invocations to Google Cloud APIs must be attributed to a project,
subject to billing and quotas.

The `projects` subcommand invokes an API that is
_non-resource-oriented_, which means that the API doesn't have a clear
association with a Google project.

When using this subcommand in the `gcloud` CLI, usage will thus be
attributed to the client's project, as we're authenticating using
its OAuth client ID. This is of course owned by a Google controlled
project, namely `project_number:32555940559`.

As the client and project is shared by all installations of gcloud, this
means that everyone is subject to the same quotas for that project.

To alleviate resource quota issues, we set the `--billing-project` flag
explicitly for relevant `gcloud projects` subcommands to the same project
that is operated on.

See also
https://jpassing.com/2022/10/31/which-project-quota-are-my-api-calls-charged-against/.

Author: tronghn

pkg/postgres/iam.go

@@ -103,6 +103,7 @@ func grantUserAccess(ctx context.Context, projectID, role string, duration time.
 		projectID,
 		"--member", "user:" + email,
 		"--role", role,
+		"--billing-project", projectID,
 	}
 
 	if duration > 0 {
@@ -130,6 +131,7 @@ func cleanupPermissions(ctx context.Context, projectID, email, role, conditionNa
 		"get-iam-policy",
 		projectID,
 		"--format", "json",
+		"--billing-project", projectID,
 	}
 	cmd := exec.CommandContext(ctx, "gcloud", args...)
 	out, err := cmd.Output()
@@ -173,6 +175,7 @@ OUTER:
 		"--member", "user:" + email,
 		"--role", role,
 		"--condition", expr,
+		"--billing-project", projectID,
 	}
 	cmd = exec.CommandContext(ctx, "gcloud", args...)
 	buf := &bytes.Buffer{}