Minimal Terraform config for a Firebase app with Google Identity Platform, Cloud Run, and Secrets Manager
terraform {
  # Exact provider pin: the same release is resolved on every machine, so
  # plans stay reproducible and provider upgrades are a deliberate change.
  required_providers {
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "5.15.0"
    }
  }
}
variable "project_id" {
  type        = string
  description = "The project ID to deploy to"

  # NOTE(review): this default is a concrete project id baked into the config;
  # override it per environment (tfvars / TF_VAR_project_id) instead of editing here.
  default = "jack-learns-terraform-1113"
}
variable "org_id" {
  type        = string
  description = "The organization ID to deploy to"

  # Placeholder default: apply fails until a real organization id is supplied.
  default = "<org_id>"
}
variable "billing_account_id" {
  type        = string
  description = "The billing account ID to associate with the project"

  # Placeholder default: apply fails until a real billing account id is supplied.
  default = "<billing_account_id>"
}
# Default provider: authenticates with the gcloud application default
# credentials found in the environment. user_project_override = true sends
# the target project as the quota/billing project on API calls.
provider "google-beta" {
  alias                 = "default"
  user_project_override = true

  region = "us-central1"
  zone   = "us-central1-c"
}
# Second alias of the same provider with the override disabled; used for the
# project and service-enablement resources below, which run before the new
# project can act as its own quota project.
provider "google-beta" {
  alias                 = "no_user_project_override"
  user_project_override = false

  region = "us-central1"
  zone   = "us-central1-c"
}
# The GCP project itself. Name and id are both taken from var.project_id.
resource "google_project" "default" {
  provider = google-beta.no_user_project_override

  project_id      = var.project_id
  name            = var.project_id
  org_id          = var.org_id
  billing_account = var.billing_account_id

  # Label used to mark the project as Firebase-enabled.
  labels = {
    "firebase" = "enabled"
  }
}
# Enable every API the rest of this config relies on, one resource instance per API.
resource "google_project_service" "default" {
  for_each = toset([
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "artifactregistry.googleapis.com",
    "iam.googleapis.com",
    "run.googleapis.com",
    "firebase.googleapis.com",
    "secretmanager.googleapis.com",
    "identitytoolkit.googleapis.com"
  ])

  provider = google-beta.no_user_project_override
  project  = google_project.default.project_id
  service  = each.key

  # Keep the API enabled even if this resource is removed from the config by
  # accident; disabling an API would take dependent resources down with it.
  disable_on_destroy = false
}
# Attach Firebase to the project. Waits for the API enablement above because
# the project reference alone does not order it after firebase.googleapis.com.
resource "google_firebase_project" "default" {
  provider   = google-beta.default
  project    = google_project.default.project_id
  depends_on = [google_project_service.default]

  # Author's note: in a brand-new org, creating a throwaway Firebase project
  # first may be necessary, otherwise this step can fail with unexplained 403s.
}
# Web app registration inside the Firebase project.
resource "google_firebase_web_app" "default" {
  provider     = google-beta.default
  display_name = "Some Simple App"
  project      = google_firebase_project.default.project
}
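# Service account the Firebase Admin SDK runs as. Its key is generated below
# and stored in Secret Manager.
resource "google_service_account" "admin-sdk" {
  provider = google-beta.default
  project  = google_project.default.project_id

  account_id   = "firebase-admin-sdk"
  display_name = "Firebase Admin SDK"

  # Creating a service account needs iam.googleapis.com enabled; the project
  # reference alone does not order this after the API enablement, so declare
  # the dependency explicitly (as the secret and registry resources already do).
  depends_on = [google_project_service.default]
}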
# Long-lived JSON key for the Admin SDK service account.
# The generated private_key attribute is kept in Terraform state, so the state
# backend must be protected as strictly as the secret itself; rotating the key
# means recreating this resource.
resource "google_service_account_key" "admin-sdk" {
  provider           = google-beta.default
  service_account_id = google_service_account.admin-sdk.email
}
# Secret Manager container for the Admin SDK key; the value is added as a
# version in the next resource.
resource "google_secret_manager_secret" "firebase-private-key" {
  provider   = google-beta.default
  project    = google_project.default.project_id
  secret_id  = "firebase_private_key"
  depends_on = [google_project_service.default]

  replication {
    # Automatic replication: Google chooses the regions the secret is stored in.
    auto {}
  }
}
# Store the generated key as a secret version. secret_data is written exactly
# as the key resource exposes private_key (the provider documents that
# attribute as base64-encoded JSON) — TODO confirm the consuming app expects
# that encoding rather than the decoded JSON. This value also lives in state.
resource "google_secret_manager_secret_version" "firebase-private-key" {
  provider    = google-beta.default
  secret_data = google_service_account_key.admin-sdk.private_key
  secret      = google_secret_manager_secret.firebase-private-key.name
}
# Project-level grant for the Admin SDK service account.
# NOTE(review): roles/firebase.admin is a broad project-wide role; if the app
# only needs a subset (e.g. Auth), a narrower role would reduce the blast
# radius of the key stored above.
resource "google_project_iam_member" "default" {
  provider = google-beta.default
  project  = google_project.default.project_id
  member   = "serviceAccount:${google_service_account.admin-sdk.email}"
  role     = "roles/firebase.admin"
}
# Identity Platform (Firebase Auth) settings: only email sign-in is enabled;
# anonymous and phone sign-in are explicitly off.
resource "google_identity_platform_config" "default" {
  provider   = google-beta.default
  project    = google_project.default.project_id
  depends_on = [google_firebase_project.default]

  sign_in {
    # One account per email address.
    allow_duplicate_emails = false

    email {
      enabled = true
      # NOTE(review): with password_required = false the provider permits
      # password-less (email link) sign-in in addition to email/password —
      # confirm this is the intended sign-in flow.
      password_required = false
    }

    anonymous {
      enabled = false
    }

    phone_number {
      enabled = false
    }
  }

  # Domains allowed to complete OAuth/redirect flows. "example.com" is a
  # placeholder; replace it with the real app domain(s) before use.
  authorized_domains = [
    "localhost",
    "example.com",
  ]
}
######### Cloud Run #########
# Docker registry that will hold the Cloud Run image.
resource "google_artifact_registry_repository" "my-repo" {
  provider   = google-beta.default
  project    = google_project.default.project_id
  depends_on = [google_project_service.default]

  format        = "DOCKER"
  repository_id = "my-repository"
  description   = "example docker repository"
}
# Add this after you have added the image to the registry
#
# Review notes on the commented-out block below:
#  - The image is referenced by the mutable ":latest" tag, so every new push
#    changes what gets deployed; pinning an immutable digest makes deploys
#    reproducible and auditable.
#  - The "noauth" IAM member grants roles/run.invoker to allUsers, i.e. the
#    service becomes publicly reachable without authentication. Keep that only
#    if the app is meant to be public and does its own authorization
#    (e.g. via Identity Platform tokens).
#  - The FIREBASE_PRIVATE_KEY env var pulls from Secret Manager rather than
#    being inlined in the template, which keeps the key out of the service
#    spec; the Cloud Run service account must be granted access to that secret.
#
# resource "google_cloud_run_v2_service" "outro-web" {
#   provider = google-beta.default
#   name     = "outro-web"
#   location = "us-central1"
#   ingress  = "INGRESS_TRAFFIC_ALL"
#   template {
#     containers {
#       image = "us-central1-docker.pkg.dev/<project_id>/my-repository/web:latest"
#       ports {
#         container_port = 3000
#       }
#       # env {
#       #   name  = "FIREBASE_PROJECT_ID"
#       #   value = google_firebase_project.default.project
#       # }
#       env {
#         name = "FIREBASE_PRIVATE_KEY"
#         value_source {
#           secret_key_ref {
#             secret = google_secret_manager_secret.firebase-private-key.secret_id
#           }
#         }
#       }
#     }
#   }
# }
# resource "google_cloud_run_v2_service_iam_member" "noauth" {
#   provider = google-beta.default
#   location = google_cloud_run_v2_service.outro-web.location
#   name     = google_cloud_run_v2_service.outro-web.name
#   role     = "roles/run.invoker"
#   member   = "allUsers"
# }