Add API Key configuration to google_firebase_project (beta) #15485

Open
intotecho opened this issue Aug 14, 2023 · 4 comments

intotecho commented Aug 14, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

google_firebase_project in google-beta v4.77 creates an unrestricted api_key.
Because it is not created by terraform directly as a resource, it is necessary to import it to create restrictions.

  1. Add API Key restrictions parameter block from google_apikeys_key
  2. Add key_display_name to behave as parameters display_name in google_apikeys_key.
  3. Add key_name to behave as parameters name in google_apikeys_key. (if possible)
  • 1 is more important than 2 and 3.
```hcl
resource "google_firebase_project" "default" {
  provider     = google-beta
  project      = <project_id>
  key_name     = "firebase-browser-key"
  display_name = "Firebase Browser Key"
  restrictions {
    api_targets {
      service = "identitytoolkit.googleapis.com" # Identity Toolkit API
    }
    api_targets {
      service = "sts.googleapis.com" # Token Service API
    }
    browser_key_restrictions {
      allowed_referrers = [
        # ...
      ]
    }
  }
}
```

New or Affected Resource(s)


google_firebase_project (beta)


b/296619021

@github-actions github-actions bot added forward/review In review; remove label to forward service/firebase labels Aug 14, 2023
@melinath
Collaborator

In general we prefer not to add fields like this that duplicate another resource. It also looks like the API doesn't provide any way to pass these values when setting up a firebase project, which means that we would need to manually do that in a separate API call.

We could potentially add an output field that provides the full ID of the created API key, but that doesn't really solve your use case. Ideally the API resource would not implicitly create another resource. I'm not sure if there's a better workaround.

Similar case: GoogleCloudPlatform/magic-modules#8301 deprecates google_firebase_project_location due to its implicit creation of resources.

It looks like this is a valid request - being able to configure created API keys. It's just a matter of figuring out whether there's a way to do it that doesn't involve duplicating the fields.

@melinath melinath added upstream size/m and removed forward/review In review; remove label to forward labels Aug 14, 2023
@melinath melinath added this to the Goals milestone Aug 14, 2023
@rainshen49
Contributor

When you create a Firebase project, register an Android app, or register an Apple app, Firebase automatically creates API keys so they could function. Restricting these keys should not be your primary mechanism to protect your backend resources (see documentation). Firebase-recommended protection mechanisms such as Security Rules and App Check offer better protection than simply restricting API keys.

However, there are still valid scenarios to add restriction to API keys, and you're right that the only way right now is to find the ID of the API key and import it.

@intotecho How are you planning to use the API key? Do you plan to use one per web app, or shared among multiple web apps? What products are you using?

@tylerg-dev

Mostly, ApiKeys used in Firebase are used through the App resources, e.g. AndroidApp.api_key_id.

This can mostly be seen as a request to add the api_key_id fields to the App resources in Terraform. If an api_key_id is provided, the API will use that instead of allocating a new one.

Changing the key allocated in the background of provisioning the FirebaseProject resource is a bigger feature request, as it might be effectively a breaking change to the API to alter the behavior.

I'm going to start the discussion with the appropriate folks.

@rainshen49
Contributor

Hi @intotecho, we've added a capability to use your own API key for registering a Firebase app: https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/firebase_web_app#example-usage---firebase-web-app-custom-api-key
For now, this will be the easiest way to add restrictions to the API key used by your apps.

However, the team agrees with you that automatically provisioning an API key during Firebase project creation is awkward. We are in discussion about what to do there.
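
The custom-key approach described in the last comment, sketched as an added example (not code posted by any participant in this thread): a `google_apikeys_key` is declared with its restrictions and handed to `google_firebase_web_app` through `api_key_id`. The resource labels, the `project_id` variable, the web app display name and the referrer pattern are assumptions; the key name, key display name and the two `api_targets` services are taken from the configuration proposed in the issue.

```hcl
# Added example. Resource labels, the variable and the referrer pattern
# are assumptions chosen for illustration.
variable "project_id" {
  type        = string
  description = "Project in which Firebase is already enabled (assumed)."
}

# The key is a first-class Terraform resource, so its restrictions are
# declared when it is created instead of being patched on after an import.
resource "google_apikeys_key" "firebase_browser" {
  provider     = google-beta
  project      = var.project_id
  name         = "firebase-browser-key"
  display_name = "Firebase Browser Key"

  restrictions {
    # Services listed in the issue; extend with every API the app calls.
    api_targets {
      service = "identitytoolkit.googleapis.com" # Identity Toolkit API
    }
    api_targets {
      service = "sts.googleapis.com" # Token Service API
    }

    browser_key_restrictions {
      # Constructed placeholder; replace with the app's real origins.
      allowed_referrers = ["app.example.com/*"]
    }
  }
}

# The web app uses the restricted key instead of having one allocated for it.
resource "google_firebase_web_app" "default" {
  provider     = google-beta
  project      = var.project_id
  display_name = "Example Web App"
  api_key_id   = google_apikeys_key.firebase_browser.uid
}
```

This configuration does not touch the key that Firebase creates implicitly with the project; per the thread, that key stays unrestricted until it is imported and restricted separately.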
