hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Add google_firebase_ios_app resource with apns_auth_key arg #8292

Open mleonhard opened 3 years ago

mleonhard commented 3 years ago

Community Note

Description

I wish to automate configuring Firebase Cloud Messaging for iOS apps. This has several purposes:

New or Affected Resource(s)

Potential Terraform Configuration

resource "google_project" "default" {
  provider = google-beta

  project_id = "app-staging"
  name       = "app-staging"
  org_id     = "123456789"
}

resource "google_firebase_project" "default" {
  provider = google-beta
  project  = google_project.default.project_id
}

resource "google_firebase_ios_app" "default" {
  google_firebase_project_id = google_firebase_project.default.id
  bundle_id                  = "com.example.app.staging"
  app_store_id               = "987654321"
  team_id                    = "ABC1234567"
  apns_auth_key              = var.APNS_AUTH_KEY
  apns_auth_key_id           = "DEF987654321"
}

output "google_service_info_plist" {
  value = google_firebase_ios_app.default.google_service_info_plist
}

References

EDIT 2021-04-02: Added apns_auth_key_id.

b/277382111

slevenick commented 3 years ago

Hey @mleonhard

I'm unable to find any REST APIs for configuring this resource on Firebase. Are you aware of such APIs? For example here is a link to the documentation for the REST API for Firebase databases: https://firebase.google.com/docs/reference/rest/database/database-management/rest/v1beta/projects.locations.instances

Without a REST API we will be unable to implement this resource in Terraform.

keisari-ch commented 3 years ago

Hi @slevenick, is this what you are requesting? https://firebase.google.com/docs/projects/api/reference/rest/v1beta1/projects.iosApps https://firebase.google.com/docs/projects/api/reference/rest/v1beta1/projects.androidApps

slevenick commented 3 years ago

Yep that looks reasonable. I must have been looking in a different part of Firebase.

mleonhard commented 3 years ago

The key feature is the ability to set the APNS auth key. Currently setting the key requires manual steps. Manual steps are error-prone, insecure, waste time learning and performing the operation, bypass deployment review and approval processes, and bypass auditing systems.

Do you think you can support setting the APNS auth key?

slevenick commented 3 years ago

How do you currently set the APNS auth key? When you say manual what do you mean by that?

I don't see the APNS auth key present in that REST API that you linked. If it doesn't exist there it would not work in the Terraform resource, as we call the REST API directly in most cases.

mleonhard commented 3 years ago

I set the APNS auth key with these steps:

  1. Open my separate "prod" web browser instance.
  2. Navigate to https://console.firebase.google.com/.
  3. Click on the (hopefully) correct project.
  4. Click on the unlabeled gear icon in the left-hand menu, next to "Project Overview".
  5. A menu pops up. Click on "Project Settings".
  6. Click on "Cloud Messaging".
  7. Under "APNs Authentication Key", click "Upload".
  8. Click "Browse" and select the (hopefully) correct key file.
  9. Copy the key ID into the "Key ID" field. I include the key ID in the filename. The filename appears on the screen.
  10. Copy the team ID from my Apple Developer Account page into the "Team ID" field.
  11. Click "Upload".

The key file is 257 bytes of ASCII text. It's a PEM file.

APNS authentication requires the key and key ID. I just added apns_auth_key_id to the resource and example above.

> I don't see the APNS auth key present in that REST API that you linked. If it doesn't exist there it would not work in the Terraform resource, as we call the REST API directly in most cases

How about asking the appropriate team to add the APNS auth key fields to the API?
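
A pre-upload check for the key file and key ID that steps 8 and 9 above pick by hand, as an added example that is not part of the original thread. It assumes the file keeps Apple's `AuthKey_<key id>.p8` download name and holds a PKCS#8 P-256 key; `check_apns_key` and `constructed_sample_pem` are hypothetical names, and the sample key is constructed.

```python
import base64
import re

# DER-encoded OIDs found in the AlgorithmIdentifier of a PKCS#8 P-256 key.
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")   # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("06082a8648ce3d030107")    # 1.2.840.10045.3.1.7
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s+([A-Za-z0-9+/=\s]+)-----END \1-----")


def check_apns_key(filename, pem_text, expected_key_id):
    """Return a list of problems; an empty list means the file looks right."""
    problems = []
    # Assumption: the file keeps the AuthKey_<key id>.p8 download name.
    name = re.fullmatch(r"AuthKey_([A-Za-z0-9]+)\.p8", filename)
    if not name:
        problems.append("filename is not AuthKey_<key id>.p8")
    elif name.group(1) != expected_key_id:
        problems.append("key ID in filename differs from the configured key ID")
    pem = PEM_RE.fullmatch(pem_text.strip())
    if not pem:
        return problems + ["not a single PEM block"]
    if pem.group(1) != "PRIVATE KEY":
        return problems + [
            f"PEM label is {pem.group(1)!r}, expected 'PRIVATE KEY'"]
    try:
        der = base64.b64decode("".join(pem.group(2).split()), validate=True)
    except ValueError:
        return problems + ["PEM body is not valid base64"]
    # Structural heuristic, not a full ASN.1 parse: outer SEQUENCE plus both OIDs.
    if (not der.startswith(b"\x30") or OID_EC_PUBLIC_KEY not in der
            or OID_PRIME256V1 not in der):
        problems.append("DER is not a PKCS#8 EC P-256 private key")
    return problems


def constructed_sample_pem():
    """Build a dummy PKCS#8 P-256 structure (constructed, not a usable key)."""
    ec_key = bytes.fromhex("30250201010420") + bytes(range(1, 33))
    alg = b"\x30\x13" + OID_EC_PUBLIC_KEY + OID_PRIME256V1
    body = b"\x02\x01\x00" + alg + b"\x04" + bytes([len(ec_key)]) + ec_key
    der = b"\x30" + bytes([len(body)]) + body
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN PRIVATE KEY-----\n" + b64 + "-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    # Key ID taken from the example configuration earlier in the thread.
    print(check_apns_key("AuthKey_DEF987654321.p8",
                         constructed_sample_pem(), "DEF987654321"))
```
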

slevenick commented 3 years ago

Hmmmm, yeah it doesn't seem like we can support this at the moment.

You can file an issue against the appropriate team here: https://cloud.google.com/support/docs/issue-trackers

mleonhard commented 3 years ago

@slevenick Thanks for your quick reply.

I'm reluctant to add a Buganizer ticket. Most Google teams simply ignore them forever or close them after 1 year with no action. I do not represent an organization with $1M+ annual spend on Google Cloud, so there's little chance of the business folks pushing my ticket forward. Google product managers are the only other folks inside Google that focus on users and they have very little influence. So it's pretty much up to the whims of the Google Cloud API engineers to pick my ticket to work on. Adding a field to an existing API is unlikely to get anybody promoted. The team that made the API left it incomplete so I think that they are not people who take pride in their work or focus on user needs. So I predict my ticket will sit forever with no action, like the other tickets I filed.

The tickets I filed when I worked at Google had about the same success. (My ldap was leonhard). Only the one I filed with Legal got action, after the photos hosting team ignored my ticket about broken photo URL expiration checks.

I filed one about Nexus phones lying to users saying "your phone is up-to-date" when actually Google stopped releasing security updates. Nexus managers ignored it for a year or so until I assigned it to their director. Then it was assigned to another manager who ignored it for another year. Then a designer decided to include it as part of another project. They ended up not fixing the issue, just replacing the false message with weasel words that mislead non-technical (most) users: "your phone has the latest available software". Their behavior demonstrates brazen callousness toward poor people who buy a Nexus phone because they trust Google to make one that doesn't get malware, only to get malware 3 years later when it stops getting security updates. :(

Buganizer is the pointy end of Google's dysfunctional internal incentive structure. Buganizer is Google's most user-hostile process. I would like to avoid it if possible.

Would you be willing to file the ticket?

tdemaio commented 1 year ago

Just checking and found that there still doesn't appear to be an API for configuring this value. Console GUI appears to be the way that it is configured. I didn't see a way to submit from the link provided. I'd suggest requesting API enhancements here: https://firebase.google.com/support/troubleshooter/report/features