Add Support for Firebase

[josephlewis42]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Firebase is Google's "preferred" way to do various common tasks in GCP, so being able to at least set up a GCP project to use Firebase with Terraform would unlock a lot of potenaitl. For example:

• User account management
  • Login, signup, account recovery, billing, experiments.
• Static site hosting
  • GCP buckets only provide HTTP, Firebase can do HTTPS which some company decided would heavily influence search ranking...
  • Sites can be scheduled for deployment at a future date and rolled back
• Realtime database
• Cloud messaging
  • If you're going to trust any company to help you build a chat app...

New or Affected Resource(s)

• google_firebase

Potential Terraform Configuration

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

resource "google_firebase" "my-firebase" {
    time_zone       = "America/Los_Angeles"
    region_code     = "US"
    location_id     = "us-central1"
    project_id      = "my-project-id"
}

References

Request comes from:

• Support Firebase Authentication as Service Broker GoogleCloudPlatform/gcp-service-broker#359

See this doc for API:

• https://firebase.google.com/docs/projects/api/reference/rest/?authuser=0

Discovery Docs:

• https://firebase.googleapis.com/$discovery/rest?version=v1
• https://firebase.googleapis.com/$discovery/rest?version=v1beta1

[cippaciong]

Hello, I started looking into this issue since I would like to create firebase projects from terraform but I ran into a couple of issues.
First of all, if my understanding is right, at the moment only Java, Python and Node SKDs have project management support but none of them expose functions to create a project, only to create apps on existing projects.
I tried do create a project using the REST API as described in the docs with the following code

package main

import (
	"bytes"
	"context"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"

	"golang.org/x/oauth2/google"
	"google.golang.org/api/cloudresourcemanager/v1"
)

func main() {
	ctx := context.Background()

	oauthClient, err := google.DefaultClient(ctx, cloudresourcemanager.CloudPlatformScope,
		"https://www.googleapis.com/auth/firebase")
	if err != nil {
		log.Fatal("Error creating oauth client: ", err)
	}

	projectID := "firebase-test-36cdd55e"

	createFirebaseResource(oauthClient, projectID)
}

func createFirebaseResource(client *http.Client, projectID string) {
	url := fmt.Sprintf("https://firebase.googleapis.com/v1beta1/projects/%s:addFirebase", projectID)
	body := []byte(`{"timeZone":"Europe/Rome", "regionCode":"IT", "locationId":"europe-west" }`)

	resp, err := client.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		log.Fatal("Error creating Firebase resource: ", err)
	}

	defer resp.Body.Close()
	respBody, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Fatal("Error reading response body: ", err)
	}

	log.Println(string(respBody[:]))
}

The result is a PERMISSION_DENIED error even though I used the key from a service account which is owner of the project:

2019/02/27 17:05:05 {
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

The strange thing is that if I try to perform the request on the API Explorer from the addFirebase Reference with the same body and same project parameter, the Firebase project is created successfully.
Any idea?

[avdhoot]

Facing same issue. As per link can not call addFirebase using service account.

[nat-henderson]

That does make this issue a bit of a nonstarter for Terraform - it is very uncommon to use Terraform from a user account, and so this resource will not work for the majority of users. Given that, I do not think we want to add it right now, even though it has (as of now) 155 votes. I have re-raised this issue internally at Google, and will update if anything comes of it.

[xaricx]

Came here interested in this as well.

Digging a little deeper, Google APIs already have Go support, and support for firebase v1beta1 and a lot more stuff ...

[nat-henderson]

Yes, that is not the issue - it would work if you used a user account, but if you use a service account (as most people do, and as we strongly recommend) it will not work correctly. I expect this issue to be permanent after looking into it further internally, unfortunately. I'll leave this open so people searching can find it and see the explanation for why it doesn't exist.

[veeral-patel]

@josephlewis42 Hi - doesn't this already exist?

https://github.com/elislusarczyk/terraform-provider-firebase

[ExalDraen]

@veeral-patel that provider will configure firebase resources given an existing firebase user and service account key file.

This issue is about setting up firebase inside a GCP project in the first place.

However, as per @ndmckinley's comment, it seems like there is no interest at Google internally to support this particular workflow so we may have to be content with not having it.

[mleonhard]

@ndmckinley wrote:

I'll leave this open so people searching can find it and see the explanation for why it doesn't exist.

I don't see any explanation, just "it will not work correctly" and "I expect this issue to be permanent".

This issue creates several manual steps in our deployment of services that send push notifications to our Android app. Google Firebase Cloud Messaging is the only way to send Android push notifications.

This is an example of API Practices If You Hate Your Customers - Technique #8: Ignore the IaC revolution.

I read the Google SRE book and learned how Google strives to eliminate toil, especially manual operations tasks. But they do that for themselves, not for us customers. By ignoring this issue, Google Cloud is preventing us from using SRE best-practices.

[koesper]

I contacted our google accountmanager about this issue, and after that he disappeared completly. Hasn't replied to any mail or call in three weeks.

It looks like firebase + terraform is a a no-go area for Google :-(

[duffenterprises]

My TAM pointed me here:

https://cloud.google.com/sdk/gcloud/reference/alpha/firestore/databases/create.

I'm hopeful that this will migrate up the chain, but haven't researched more.

[rileykarson]

I'm removing the upstream label on this issue for now, so that it gets evaluated as part of our team's issue review process.

It's possible for us to implement, given the API exists, although it's a frustrating limitation that service accounts can't call it. Not only does that conflict with our (and generally the rest of GCP's) guidance to prefer service accounts, but it means that we won't be able to run our nightly tests to check for regressions as they're using SA credentials. It's possible we'll need to work out how to get gcloud credentials into those, or some other solution as pre-work for this change.

Regardless, we'll evaluate the request again and post an update here, likely around early next week.

---

@duffenterprises: That's more relevant for enabling Firestore I think, #3657.

[eriksw]

@rileykarson Is there anything we can do other than beating the drum at our respective TAM / sales contacts to apply pressure on the service account aspect of this issue?

[duffenterprises]

@rileykarson Would quoting the Bezos mandate a few times help?

@eriksw I'll drum my TAM / Account Partner as well.

1 yr from the issue being raised, 300 or so up votes, and "Cloud Firestore is the next generation of Cloud Datastore. Learn more about upgrading to Cloud Firestore" and I'm surprised we are no further forward in either issue.

I acknowledge the naming of the products makes it difficult to make sure we are on the same page, alas.

That being said, appreciate the promise of an update.

[rileykarson]

@eriksw @duffenterprises: I just added a paragraph about how GCP-internal folks like TAMs can raise awareness of your requests with my team: https://github.com/terraform-providers/terraform-provider-google/wiki/Customer-Contact#raising-gcp-internal-issues-with-the-provider-development-team. I don't think Firebase has come up before internally, and I can't find any internal bugs my team has been CC'ed on. That should help focus efforts some more, at least.

Re: Firestore, we're tracking the bug requesting the team publishes an API endpoint for Firestore enablement on projects.

[chrisst]

It looks firebase team has just recently added support for service accounts even though much of the documentation hasn't caught up yet. GoogleCloudPlatform/magic-modules#3281 is to support the addFirebase behavior to enable this on a given google project which I believe is the most critical part of supporting Firebase.

The surface area of the Firebase APIs is pretty large and evolving and not all of it makes sense to provision with Terraform resources (like hosting site). I'm going to ask that if there are other features of Firebase that people want to manage that you file a new resource request and link back to this issue so we can keep use-cases, context and discussion per feature.

[chrisst]

Closing this as it will be added in 3.15.0

[chrisst]

Finalize location resource coming in 3.16.0 thanks to @yinzara

[yinzara]

I've got the "WebApp" resource working locally in my development environment now. I just gotta get an official release of it.

[yinzara]

WebApp resource coming soon too

[missinglink]

Did this make it into 3.15.0?
I didn't see any mention of Firebase in the release notes

[rileykarson]

It's available in google-beta 3.15.0: https://github.com/terraform-providers/terraform-provider-google-beta/releases/tag/v3.15.0

[mleonhard]

Thanks for adding the google_firebase_project resource.

How about also adding more resources?

• google_firebase_ios_app resource
  • google_firebase_project_id
  • bundle_id
  • app_store_id
  • team_id
  • apns_auth_key
  • google_service_info_plist attribute
• google_firebase_android_app resource
  • google_firebase_project_id
  • package_name
  • google_services_json attribute
• google_firebase_cloud_messaging_server_key resource
  • google_firebase_project_id
  • key attribute

The project elislusarczyk/terraform-provider-firebase is maintained by individuals and provides only a firebase_user resource.

[chrisst]

@mleonhard We can add more resources but can you file them as new issues please? This allows us to prioritize our work based on the need per resource by letting the community weigh in with 👍's. Feel free to link back to this issue for discoverability.

[yinzara]

@chrisst I think with our recent merge of "google_firebase_project_location" somehow we messed up the doc generation:
https://www.terraform.io/docs/providers/google/r/firebase_project_location.html

The side menu now only shows "google_firebase_project_location" under the Firebase Resources and does not show "google_firebase_project.

[chrisst]

@yinzara just me being bad at html. GoogleCloudPlatform/magic-modules#3390 will fix. Thanks for catching.

[kardiff18]

Is there support for enabling the google signon or redirect domains?

[yinzara]

Unfortunately this API doesn't even exist for that yet. The UI is the only way to set that up. So there's no way we could enhance the terraform provider to do that at this time.

[wvanderdeijl]

@chrisst could you elaborate why it would not make sense to provision Firebase Hosting with Terraform? I would love to try to get firebasehosting to work with Magic Modules, and thus terraform. But I am wondering why/if this is a bad idea I should abbandon.

The surface area of the Firebase APIs is pretty large and evolving and not all of it makes sense to provision with Terraform resources (like hosting site). I'm going to ask that if there are other features of Firebase that people want to manage that you file a new resource request and link back to this issue so we can keep use-cases, context and discussion per feature.

[yinzara]

I believe, with the additional of "google_firebase_web_app", you can provision Firebase Hosting. The issue is with the custom domain mapping. There are no APIs to manage that as of yet.

[wvanderdeijl]

AFAIK the firebase_web_app resource is from https://firebase.google.com/docs/projects/api/reference/rest/v1beta1/projects.webApps which only registers a web app, which gives you the configuration to include in the html/js code to communicate to the Firebase backend. But this doesn’t setup hosting.

Hosting is from the API at https://firebase.google.com/docs/hosting/reference/rest
You are right that the API doesn’t seem to support custom domain mapping (yet?). But most (development) firebase hosting sites we setup would work just fine with the default APPNAME.web.app and APPNAME.firebaseapp.com domains that are by default mapped to all firebase hosting projects.

I could give the firebase hosting API a try, but it probably needs some custom coding as it has an API that is a bit awkward. It’s not just a simple reference to a storage bucket, but you first need to register the number of files and their hashes, then wait for a response which files are still unknown to firebase hosting and should be uploaded. The flow is explained at https://firebase.google.com/docs/hosting/api-deploy
I can write the api.yaml, but am a bit confused how I should handle this awkward upload flow.

[yinzara]

Oh ok. now I understand what you're meaning. Hmmmm I probably would have to agree with @chrisst on this one. The whole idea of application code deployment is not something in general Terraform is best used for. Terraform is great for infrastructure as code (i.e. setting up the infrastructure for an application) but deploying a version of that application is usually left up to other tools. I won't say there aren't cases where this is handled (i.e. the "helm" provider is a good example) but I feel like using an automated build process with the "firebase" CLI is much better suited for the use case you describe.

[chrisst]

@wvanderdeijl In my experience Terraform isn't always the best tool for managing software (like) deployments. It can be difficult to declaratively manage things like incremental roll outs, canary deploys or automated rollbacks of code. This isn't to say it's not possible but if Terraform redeploys a broken version of code that had been rolled back it wouldn't be ideal. There are many release pipeline type solutions that are usually a better choice for these types of actions.

However we aren't always aware of the context that people will be using these features in so if you think it makes sense for your workflow then feel free to open a new issue/feature request. In it I recommend adding as much context as you can for how you intend to use the feature. The issue can serve as a place to discuss these use cases and possible alternatives in more detail.

[chrisst]

I'm locking this conversation as most of these discussions are more relevant in individual feature requests instead of this broader forum. Feel free to back link for discoverability.