Minimal Terraform config for a Firebase app with Google Identity Platform, Cloud Run, and Secret Manager. The Admin SDK service-account key created here is stored as a Secret Manager secret and injected into Cloud Run; note that the key material also ends up in Terraform state, so treat the state backend as sensitive.
terraform {
  required_providers {
    # Firebase and Identity Platform resources only exist in the beta provider.
    # Exact pin ("= 5.15.0" is the same constraint as "5.15.0") keeps plans
    # reproducible; bump deliberately after reading the provider changelog.
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "= 5.15.0"
    }
  }
}
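# GCP project that everything below is created in.
# Validation mirrors the documented project-ID rules (6-30 chars, lowercase
# letters/digits/hyphens, starts with a letter, does not end with a hyphen) so
# a typo fails at plan time instead of as an opaque API error mid-apply.
variable "project_id" {
  description = "The project ID to deploy to"
  type        = string
  default     = "jack-learns-terraform-1113"

  validation {
    condition     = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project_id))
    error_message = "project_id must be 6-30 lowercase letters, digits or hyphens, start with a letter and not end with a hyphen."
  }
}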
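# Numeric organization ID the project is parented under.
# The default is a placeholder; the validation rejects it (and any other
# non-numeric value) so `terraform plan` fails with a clear message rather than
# attempting to create a project under a bogus parent.
variable "org_id" {
  description = "The organization ID to deploy to (numeric)"
  type        = string
  default     = "<org_id>"

  validation {
    condition     = can(regex("^[0-9]+$", var.org_id))
    error_message = "org_id must be the numeric organization ID; replace the <org_id> placeholder."
  }
}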
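# Billing account linked to the new project.
# The default is a placeholder; validation enforces the XXXXXX-XXXXXX-XXXXXX
# hex format so the placeholder (or a pasted display name) is caught at plan time.
variable "billing_account_id" {
  description = "The billing account ID to associate with the project (format XXXXXX-XXXXXX-XXXXXX)"
  type        = string
  default     = "<billing_account_id>"

  validation {
    condition     = can(regex("^[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}$", var.billing_account_id))
    error_message = "billing_account_id must look like 012345-6789AB-CDEF01; replace the <billing_account_id> placeholder."
  }
}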
# Primary provider. Credentials come from Application Default Credentials in
# the environment (gcloud auth application-default login, or a workload
# identity / SA credential on CI) -- no key file is referenced in this config.
# user_project_override = true bills quota to the target project rather than
# the caller's project, which the Firebase / Identity Platform APIs expect.
provider "google-beta" {
  alias                 = "default"
  user_project_override = true
  region                = "us-central1"
  zone                  = "us-central1-c"
}
# Second provider instance used only while the project itself does not exist
# yet (project creation and service enablement): there is no target project to
# attribute quota to, so the override is off here.
provider "google-beta" {
  alias                 = "no_user_project_override"
  user_project_override = false
  region                = "us-central1"
  zone                  = "us-central1-c"
}
# The GCP project itself. Created through the no-override provider because the
# project does not exist yet. The "firebase = enabled" label is what the
# Firebase console uses to recognise the project.
# NOTE(review): auto_create_network is left at its default, so the project gets
# the "default" VPC and its permissive default firewall rules; nothing in this
# config uses that network. Consider auto_create_network = false (check the
# provider docs for the compute API prerequisite before flipping it).
resource "google_project" "default" {
  provider        = google-beta.no_user_project_override
  project_id      = var.project_id
  name            = var.project_id
  org_id          = var.org_id
  billing_account = var.billing_account_id

  labels = {
    "firebase" = "enabled"
  }
}
# APIs the rest of this config depends on, one google_project_service per entry.
# disable_on_destroy = false: removing an entry (or this block) must not switch
# the API off under running workloads.
resource "google_project_service" "default" {
  for_each = toset([
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "artifactregistry.googleapis.com",
    "iam.googleapis.com",
    "run.googleapis.com",
    "firebase.googleapis.com",
    "secretmanager.googleapis.com",
    "identitytoolkit.googleapis.com",
  ])

  provider = google-beta.no_user_project_override
  project  = google_project.default.project_id
  service  = each.value

  disable_on_destroy = false
}
# Enables Firebase on the project. Explicit depends_on because the Firebase
# API must be enabled (google_project_service) before this call succeeds.
# Note: in a brand-new org you may have to create a throwaway Firebase project
# by hand first, otherwise this step fails with unexplained 403 errors.
resource "google_firebase_project" "default" {
  provider   = google-beta.default
  project    = google_project.default.project_id
  depends_on = [google_project_service.default]
}
# Registers a web app with the Firebase project. The public web config (API
# key, app ID) is derived from this resource; that config is not a secret, but
# the Identity Platform authorized_domains list below is what bounds its use.
resource "google_firebase_web_app" "default" {
  provider     = google-beta.default
  display_name = "Some Simple App"
  project      = google_firebase_project.default.project
}
# Service account the backend uses for the Firebase Admin SDK.
# Prefer attaching this account to the Cloud Run service (so the SDK picks it
# up via ADC) over exporting a key; a key is created below only because this
# config delivers it as an environment variable.
resource "google_service_account" "admin-sdk" {
  provider     = google-beta.default
  account_id   = "firebase-admin-sdk"
  display_name = "Firebase Admin SDK"
  project      = google_project.default.project_id
}
# Long-lived user-managed key for the Admin SDK service account.
# SECURITY: the private key is generated by Google and written into Terraform
# state in plain text (the provider exposes it as `private_key`). Use an
# encrypted, access-controlled state backend, and rotate by tainting/replacing
# this resource. If the workload runs on Cloud Run, consider dropping the key
# entirely and using the attached service account instead.
resource "google_service_account_key" "admin-sdk" {
  service_account_id = google_service_account.admin-sdk.email
  provider           = google-beta.default
}
# Secret Manager container for the Admin SDK key. Access is not granted here:
# whatever reads it (e.g. the Cloud Run runtime service account) still needs
# roles/secretmanager.secretAccessor on this secret.
# NOTE(review): `auto {}` replicates the key to every Google region; if data
# residency matters, switch to user_managed replication with explicit regions.
resource "google_secret_manager_secret" "firebase-private-key" {
  provider  = google-beta.default
  secret_id = "firebase_private_key"
  project   = google_project.default.project_id

  replication {
    auto {}
  }

  depends_on = [google_project_service.default]
}
# Stores the generated key as the secret's payload.
# `private_key` from google_service_account_key is the JSON key file,
# base64-encoded (per the provider docs) -- not a bare PEM -- so consumers of
# FIREBASE_PRIVATE_KEY must base64-decode it. The payload is also held in
# Terraform state; see the note on the key resource.
resource "google_secret_manager_secret_version" "firebase-private-key" {
  secret_data = google_service_account_key.admin-sdk.private_key
  secret      = google_secret_manager_secret.firebase-private-key.name
  provider    = google-beta.default
}
# Project-wide Firebase admin for the Admin SDK account. This is the documented
# role for the Admin SDK, but it is broad; if the backend only needs Auth
# (token verification / user management), a narrower role such as
# roles/firebaseauth.admin is worth trialling. Granted with *_iam_member so it
# is additive and does not clobber other bindings on the project.
resource "google_project_iam_member" "default" {
  provider = google-beta.default
  project  = google_project.default.project_id
  member   = format("serviceAccount:%s", google_service_account.admin-sdk.email)
  role     = "roles/firebase.admin"
}
# Identity Platform (Firebase Auth) sign-in policy for the project.
# - email enabled with password_required = false: per the provider docs this
#   permits email-link (passwordless) sign-in in addition to email/password --
#   confirm that is intended, and set it to true for password-only sign-in.
# - anonymous and phone sign-in are explicitly off.
# - allow_duplicate_emails = false keeps one account per email address.
# - authorized_domains bounds where OAuth redirects / sign-in flows may run;
#   "example.com" is a placeholder to replace with the real app domain(s).
resource "google_identity_platform_config" "default" {
  provider = google-beta.default
  project  = google_project.default.project_id

  sign_in {
    email {
      enabled           = true
      password_required = false
    }
    anonymous {
      enabled = false
    }
    phone_number {
      enabled = false
    }
    allow_duplicate_emails = false
  }

  authorized_domains = [
    "localhost",
    "example.com",
  ]

  depends_on = [google_firebase_project.default]
}
######### Cloud Run #########
# Docker repository that the Cloud Run image is pushed to.
# Push access is not granted here; whoever builds the image needs
# roles/artifactregistry.writer on this repository. Deploy images by digest
# (us-central1-docker.pkg.dev/<project>/my-repository/web@sha256:...) rather
# than a mutable tag so a rebuilt :latest cannot silently change what runs.
resource "google_artifact_registry_repository" "my-repo" {
  provider      = google-beta.default
  format        = "DOCKER"
  repository_id = "my-repository"
  description   = "example docker repository"
  project       = google_project.default.project_id

  depends_on = [google_project_service.default]
}
# Add this after you have added the image to the registry.
# Before uncommenting, note three things the block below does not cover:
#   1. The Cloud Run runtime service account must be granted
#      roles/secretmanager.secretAccessor on google_secret_manager_secret.firebase-private-key,
#      or the secret_key_ref env injection will fail at deploy time.
#   2. The image is referenced by the mutable ":latest" tag; pin it by digest
#      (web@sha256:...) so a later push cannot change what is deployed.
#   3. The "noauth" IAM member below (roles/run.invoker for allUsers) together with
#      INGRESS_TRAFFIC_ALL makes the service publicly reachable -- expected for a
#      web frontend, but deliberate. Since the service already runs as a service
#      account, consider setting template.service_account to the admin-sdk account
#      and letting the Admin SDK use ADC instead of injecting an exported key.
# resource "google_cloud_run_v2_service" "outro-web" {
# provider = google-beta.default
# name = "outro-web"
# location = "us-central1"
# ingress = "INGRESS_TRAFFIC_ALL"
# template {
# containers {
# image = "us-central1-docker.pkg.dev/<project_id>/my-repository/web:latest"
# ports {
# container_port = 3000
# }
# # env {
# # name = "FIREBASE_PROJECT_ID"
# # value = google_firebase_project.default.project
# # }
# env {
# name = "FIREBASE_PRIVATE_KEY"
# value_source {
# secret_key_ref {
# secret = google_secret_manager_secret.firebase-private-key.secret_id
# }
# }
# }
# }
# }
# }
# resource "google_cloud_run_v2_service_iam_member" "noauth" {
# provider = google-beta.default
# location = google_cloud_run_v2_service.outro-web.location
# name = google_cloud_run_v2_service.outro-web.name
# role = "roles/run.invoker"
# member = "allUsers"
# }