Example account provisioning based off Google Cloud Project Factory Terraform Module 
    https://github.com/terraform-google-modules/terraform-google-project-factory

Look at the GCP enterprise onboarding documentation for greater details of initial setup of GCP, also the example use case requires some folder structure based on security risk, but modifiy it what ever structure best fits your organization.
Use existing Script in the terraform-google-project-factory git project to deploy project with rights to be central to provisioning.
Suggest looking at running a small host with ONLY access via the IAP (Identity Aware Proxy) and storing the generated secret in GCP Secrets, auto patching and such to keep system secure.

Lay out on the provisioning host:
we keep a copy of the terraform binary in 
/provisioning/bin
Configuration repo with three folders mapping to three risk levels (inspired by NIST 800-53)
/provisioning/GCP-provisioning/ (this repo)
/provisioning/GCP-provisioning/low-risk
/provisioning/GCP-provisioning/medium-risk
/provisioning/GCP-provisioning/high-risk
/provisioning/GCP-provisioning/template-low
==== Our implementation using Git as master of all configuration ====
Initial setup:
    organizationID: #########
    Project ID: project
    Billing account ID: ######-######-######
    folder ID: ############

Example workflow:
git status
cp -r template-low/ low-risk/test2
cd low-risk/test2
vim terraform.tfvars
    project_name

cd /provisioning/gcp-provisioning/low-risk/test2
/provisioning/bin/terraform init
/provisioning/bin/terraform validate
/provisioning/bin/terraform plan
/provisioning/bin/terraform apply
git add .
git commit -m "added gcp project for CUSTOMER"
git push