diff --git a/mmv1/products/networksecurity/FirewallEndpointAssociation.yaml b/mmv1/products/networksecurity/FirewallEndpointAssociation.yaml
index 8516be1e56ef..b93b847cd2df 100644
--- a/mmv1/products/networksecurity/FirewallEndpointAssociation.yaml
+++ b/mmv1/products/networksecurity/FirewallEndpointAssociation.yaml
@@ -23,6 +23,13 @@ description: |
   the same zone. After you define this association, Cloud Firewall forwards the
   zonal workload traffic in your VPC network that requires layer 7 inspection to
   the attached firewall endpoint.
+docs: !ruby/object:Provider::Terraform::Docs
+  warning: |
+    If you are using User ADCs (Application Default Credentials) with this resource,
+    you must specify a `billing_project_id` and set `user_project_override` to true
+    in the provider configuration. Otherwise the ACM API will return a 403 error.
+    Your account must have the `serviceusage.services.use` permission on the
+    `billing_project_id` you defined.
 references:
   !ruby/object:Api::Resource::ReferenceLinks
   api: 'https://cloud.google.com/firewall/docs/reference/network-security/rest/v1/projects.locations.firewallEndpointAssociations#FirewallEndpointAssociation'
diff --git a/mmv1/templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb b/mmv1/templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb
index e819215dce2a..86229b7de681 100644
--- a/mmv1/templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb
+++ b/mmv1/templates/terraform/examples/network_security_firewall_endpoint_association_basic.tf.erb
@@ -1,7 +1,13 @@
+resource "google_compute_network" "foobar" {
+  name                    = "tf-test-my-vpc%{randomSuffix}"
+  auto_create_subnetworks = false
+}
+
 resource "google_network_security_firewall_endpoint" "<%= ctx[:primary_resource_id] %>" {
-  name        = "<%= ctx[:vars]['resource_name_prefix'] %>"
-  parent      = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
-  location    = "us-central1-a"
+  name               = "<%= ctx[:vars]['resource_name_prefix'] %>"
+  parent             = "organizations/<%= ctx[:test_env_vars]['org_id'] %>"
+  location           = "us-central1-a"
+  billing_project_id = "<%= ctx[:test_env_vars]['project'] %>"
 
   labels = {
     foo = "bar"
@@ -9,9 +15,12 @@ resource "google_network_security_firewall_endpoint" "<%= ctx[:primary_resource_
 }
 
 resource "google_network_security_firewall_endpoint_association" "<%= ctx[:primary_resource_id] %>_association" {
-  name        = "<%= ctx[:vars]['resource_name_prefix'] %>-association"
-  parent      = "projects/<%= ctx[:test_env_vars]['project'] %>"
-  location    = "us-central1-a"
+  name              = "<%= ctx[:vars]['resource_name_prefix'] %>-association"
+  parent            = "projects/<%= ctx[:test_env_vars]['project'] %>"
+  location          = "us-central1-a"
+  network           = google_compute_network.foobar.id
+  firewall_endpoint = google_network_security_firewall_endpoint.<%= ctx[:primary_resource_id] %>.id
+  disabled          = false
 
   labels = {
     foo = "bar"