Configure Firebase witout Identity Platform

hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform

https://registry.terraform.io/providers/hashicorp/google/latest/docs

Mozilla Public License 2.0

2.32k stars 1.72k forks source link

Configure Firebase witout Identity Platform #19774

Open josh-burton opened 1 week ago

josh-burton commented 1 week ago

Question

We've recently migrated a bunch of Firebase projects to Terraform, and have no realised that most of them now have Authentication with Identity Platform, rather than just standard Fireabse auth. There is a significant cost increase with identity platform.

What I can't see from the docs is when a project is configured with identity platform.

Does the google_identity_platform_config resource always configure Identity Platform?
Is it a timing issue? Should we be ensuring the google_firebase_project resource is configured first, before configuring the google_identity_platform_config resource?
Is the identitytoolkit.googleapis.com service required for standard Firebase Auth?

Appreciate any help or guidance!

serpro69 commented 5 days ago

According to docs, identity platform is an optional upgrade: https://firebase.google.com/docs/auth/#identity-platform Setting up firebase project beforehand shouldn't be needed because identity platform is a separate google cloud service, and not part of firebase offerings (https://cloud.google.com/identity-platform/docs).

josh-burton commented 5 days ago

Yes it is an optional upgrade via the UI, and should be via Terraform as well.

https://firebase.google.com/docs/projects/terraform/get-started#resources-authentication

These docs mention the following:

[google_identity_platform_config — enable Google Cloud Identity Platform (GCIP) (which is the backend for Firebase Authentication) and provide project-level authentication settings

Configuring Firebase Authentication via Terraform requires enabling GCIP.

serpro69 commented 5 days ago

Ah, I see what you mean now. Since we actually use GCIP in firebase , I haven't even thought to try to setup firebase auth w/o it. Yeah, it shouldn't be mandatory via terraform if it's an optional feature. A bit odd why they'd do it like this, if it's intentional. Maybe better to create a bug/feature request instead?

You could also try to set things up manually via UI (w/o enabling the GCIP) and then export stuff into terraform via gcloud (see https://cloud.google.com/docs/terraform/resource-management/export) and see what resources that will export. It might be that it's possible to set this up w/o GCIP, just not documented.

josh-burton commented 5 days ago

Thats a good tip about exporting the terraform config. I have also filed a feature request with Firebase and created a user voice request: https://firebase.uservoice.com/forums/948424-general/suggestions/48939287-allow-configuring-standard-firebase-authentication