# Foundational APIs that Terraform itself depends on before it can enable
# or manage any other service in the project.
resource "google_project_service" "cloudresourcemanager" {
  service  = "cloudresourcemanager.googleapis.com"
  project  = var.project_id
  provider = google-beta

  # Keep the API enabled when this resource is destroyed; other parts of the
  # project may still rely on it.
  disable_on_destroy = false
}

# Service Usage is the API used to enable every other API below.
resource "google_project_service" "serviceusage" {
  service  = "serviceusage.googleapis.com"
  project  = var.project_id
  provider = google-beta

  # Leave enabled on destroy so later API toggles in the project keep working.
  disable_on_destroy = false
}

# APIs required by the Firebase / Identity Platform / Firestore resources
# declared further down in this file.
resource "google_project_service" "firebase" {
  service  = "firebase.googleapis.com"
  project  = var.project_id
  provider = google-beta

  disable_on_destroy = false

  # The foundational APIs must be on before this one can be enabled.
  depends_on = [
    google_project_service.cloudresourcemanager,
    google_project_service.serviceusage,
  ]
}

# Identity Toolkit backs Identity Platform (authentication).
resource "google_project_service" "identitytoolkit" {
  service  = "identitytoolkit.googleapis.com"
  project  = var.project_id
  provider = google-beta

  disable_on_destroy = false
}

# Firestore API, needed for the database and the allowlist document.
resource "google_project_service" "firestore" {
  service  = "firestore.googleapis.com"
  project  = var.project_id
  provider = google-beta

  disable_on_destroy = false
}

# Firebase Rules API, needed to publish the Firestore security rules.
resource "google_project_service" "firebaserules" {
  service  = "firebaserules.googleapis.com"
  project  = var.project_id
  provider = google-beta

  disable_on_destroy = false
}

# Attach Firebase to the existing GCP project.
resource "google_firebase_project" "default" {
  project  = var.project_id
  provider = google-beta

  # The Firebase API has to be enabled before the project can be onboarded.
  depends_on = [
    google_project_service.firebase,
  ]
}

# Registers the web application inside the Firebase project.
resource "google_firebase_web_app" "default" {
  display_name = "Haumdaucher Web"
  project      = var.project_id
  provider     = google-beta

  depends_on = [google_firebase_project.default]
}

# Reads back the client-side configuration of the web app registered above.
data "google_firebase_web_app_config" "default" {
  project    = var.project_id
  provider   = google-beta
  web_app_id = google_firebase_web_app.default.app_id
}

# Identity Platform (Auth) project-level configuration.
resource "google_identity_platform_config" "default" {
  project  = var.project_id
  provider = google-beta

  # Domains that Identity Platform will accept for OAuth redirects.
  # NOTE(review): "localhost" is a development convenience; confirm it is
  # intended to stay in the list for whichever environment this file targets.
  authorized_domains = [
    "localhost",
    "${var.project_id}.firebaseapp.com",
    "${var.project_id}.web.app",
    "haumdaucher.de",
  ]

  # Only the Google provider (configured separately below) is meant to be
  # usable; the built-in anonymous and email/password methods stay off.
  sign_in {
    allow_duplicate_emails = false

    anonymous {
      enabled = false
    }

    email {
      enabled = false # Google Sign-In is the only intended method
    }
  }

  depends_on = [google_project_service.identitytoolkit]
}

# Google as the default (built-in) identity provider for sign-in.
resource "google_identity_platform_default_supported_idp_config" "google" {
  idp_id   = "google.com"
  enabled  = true
  project  = var.project_id
  provider = google-beta

  # OAuth client credentials are pulled from Secret Manager (the data sources
  # are declared elsewhere). NOTE(review): secret_data values read here are
  # persisted in Terraform state, so the state backend needs to be protected
  # accordingly.
  client_id     = data.google_secret_manager_secret_version.oauth_client_id.secret_data
  client_secret = data.google_secret_manager_secret_version.oauth_client_secret.secret_data

  depends_on = [google_project_service.identitytoolkit]
}

# NOTE: OAuth Client ID usually needs to be configured in console for Identity Platform
# or imported. Terraform support for *creating* the OAuth client for IAP/Identity is limited/complex.
# We will assume the default one created by Firebase is used or documented.

# The project's default Firestore database in Native mode.
resource "google_firestore_database" "database" {
  name        = "(default)"
  location_id = var.region
  type        = "FIRESTORE_NATIVE"
  project     = var.project_id
  provider    = google-beta

  concurrency_mode            = "OPTIMISTIC"
  app_engine_integration_mode = "DISABLED"

  # NOTE(review): no delete protection is configured on this database, so a
  # `terraform destroy` (or a replacement-triggering change) removes it along
  # with the allowlist document. If this is a long-lived environment, consider
  # the provider's delete_protection_state setting — confirm against the
  # provider version in use.

  depends_on = [google_project_service.firestore]
}

# The config/allowlist document holding the list of permitted user emails.
resource "google_firestore_document" "allowlist" {
  collection  = "config"
  document_id = "allowlist"
  database    = google_firestore_database.database.name
  project     = var.project_id
  provider    = google-beta

  # Firestore's REST field encoding: an arrayValue whose values are stringValues.
  # NOTE(review): the emails from var.allowed_users are stored in plaintext
  # both in this document and in Terraform state.
  fields = jsonencode({
    emails = {
      arrayValue = {
        values = [
          for email in var.allowed_users : {
            stringValue = email
          }
        ]
      }
    }
  })
}

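# Firestore Security Rules.
#
# `project` is set explicitly, as on every other resource in this file;
# without it the ruleset is created in the provider's default project, which
# may not be var.project_id, and the release below would then reference a
# ruleset that does not exist in the target project.
resource "google_firebaserules_ruleset" "firestore" {
  provider = google
  project  = var.project_id

  # Only config/allowlist is matched; every other path falls through to
  # Firestore's default deny, and no write rule is granted anywhere.
  # NOTE(review): the read rule allows any authenticated principal — with
  # the Google provider enabled and no domain restriction, that is any Google
  # account — to read the full list of allowed emails. If clients do not need
  # the whole list, a narrower condition (e.g. requiring the caller's
  # request.auth.token.email to be in resource.data.emails) would limit that
  # exposure; confirm what the client code expects before tightening.
  source {
    files {
      name    = "firestore.rules"
      content = <<-EOT
        rules_version = '2';
        service cloud.firestore {
          match /databases/{database}/documents {
            match /config/allowlist {
              allow read: if request.auth != null;
            }
          }
        }
      EOT
    }
  }

  depends_on = [
    google_project_service.firestore,
    google_project_service.firebaserules,
  ]
}
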
# Publishes the ruleset above so it becomes the active Firestore rules.
resource "google_firebaserules_release" "firestore" {
  # This specific name targets the default Firestore database.
  name         = "cloud.firestore"
  ruleset_name = google_firebaserules_ruleset.firestore.name
  project      = var.project_id
  provider     = google

  depends_on = [google_firebaserules_ruleset.firestore]
}
