本頁面由 Cloud Translation API 翻譯而成。

開始使用 Terraform 和 Firebase

Firebase 開始支援 Terraform。如果您所屬的團隊想自動建立 Firebase 專案，並標準化專案的建立程序，同時佈建特定資源及啟用服務，那麼使用 Terraform 搭配 Firebase 可能很適合您。

使用 Terraform 和 Firebase 的基本工作流程包括：

建立及自訂 Terraform 設定檔 (.tf 檔案)，指定要佈建的基礎架構 (即要佈建的資源和要啟用的服務)。
使用與 Terraform 互動的 gcloud CLI 指令，佈建 .tf 檔案中指定的基礎架構。

Terraform 和 Firebase 搭配使用有哪些優點？

本指南中的一般工作流程範例是建立含有 Android 應用程式的新 Firebase 專案。不過，您可以使用 Terraform 執行更多操作，例如：

使用 Terraform 刪除及修改現有基礎架構。
使用 Terraform 管理產品專屬設定和工作，例如：
- 啟用 Firebase Authentication 登入資訊提供者。
- 建立 Cloud Storage 值區或資料庫執行個體，並為其部署 Firebase Security Rules。
- 建立 Firebase App Hosting 後端、建構作業和其他相關資源。

您可以使用標準 Terraform 設定檔和指令完成所有這些工作。為協助您完成這項作業，我們提供幾種常見用途的範例 Terraform 設定檔。

本指南和目前支援 Terraform 的 Firebase 資源，是 Firebase 支援 Terraform 的首批發行項目。如有任何意見或遇到問題，歡迎與我們聯絡！請在 GitHub 存放區中回報問題 (請務必附上適用的 resource 類型)。

使用 Terraform 搭配 Firebase 的一般工作流程

必要條件

本指南是 Firebase Terraform 使用入門，因此假設您已具備 Terraform 的基本能力。開始這個工作流程前，請務必完成下列必要條件。

安裝 Terraform，並透過官方教學課程熟悉 Terraform。
安裝 Google Cloud CLI (gcloud CLI)。使用使用者帳戶或服務帳戶登入。
查看使用者帳戶和服務帳戶的需求條件
- 如果是使用使用者帳戶，您必須接受 Firebase 服務條款。如果您可以在 Firebase 控制台中查看 Firebase 專案，即表示您已接受 Firebase 服務條款。
- 如要讓 Terraform 執行特定動作 (例如建立專案)，必須符合下列條件：
  - 使用者或服務帳戶必須具備這些動作的適用 IAM 存取權。
  - 如果使用者或服務帳戶隸屬於Google Cloud機構，則機構政策必須允許該帳戶執行這些動作。

步驟 1：建立及自訂 Terraform 設定檔

Terraform 設定檔需要兩個主要部分 (詳情請見下文)：

設定部分 (provider)，用於指定可存取的 Terraform 資源
指定要建立哪些基礎架構的個別 resource 區塊

設定 `provider`

無論涉及哪些 Firebase 產品或服務，都必須進行 provider 設定。

在本地目錄中建立 Terraform 設定檔 (例如 main.tf 檔案)。

在本指南中，您將使用這個設定檔指定provider設定，以及要 Terraform 建立的所有基礎架構。請注意，您可以選擇如何納入供應商設定。
查看如何納入 provider 設定的選項
您可以透過下列選項，將 provider 設定納入其餘的 Terraform 設定：
- 選項 1：將其納入單一 Terraform .tf 設定檔的頂端 (如本指南所示)。
  - 如果您剛開始使用 Terraform，或只是想試用 Terraform 搭配 Firebase，請選取這個選項。
- 方法 2：將其納入獨立的 .tf 檔案 (例如 provider.tf 檔案)，與指定要建立基礎架構的 .tf 檔案 (例如 main.tf 檔案) 分開。
  - 如果您所屬的團隊規模較大，需要標準化設定，請使用這個選項。
  - 執行 Terraform 指令時，provider.tf 檔案和 main.tf 檔案必須位於相同目錄中。

在 main.tf 檔案頂端加入下列 provider 設定。

您必須使用 google-beta 提供者，因為這是透過 Terraform 使用 Firebase 的 Beta 版。在正式環境中使用時請務必謹慎。

# Terraform configuration to set up providers by version.
terraform {
  required_providers {
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 6.0"
    }
  }
}

# Configures the provider to use the resource block's specified project for quota checks.
provider "google-beta" {
  user_project_override = true
}

# Configures the provider to not use the resource block's specified project for quota checks.
# This provider should only be used during project creation and initializing services.
provider "google-beta" {
  alias = "no_user_project_override"
  user_project_override = false
}

進一步瞭解使用 Terraform 和 Firebase 時的不同專案相關屬性 (包括本指南中稱為「配額檢查專案」的屬性)。

請繼續前往下一節，完成設定檔並指定要建立的基礎架構。

使用 `resource` 區塊指定要建立的基礎架構

在 Terraform 設定檔 (本指南中為 main.tf 檔案) 中，您需要指定要 Terraform 建立的所有基礎架構 (也就是要佈建的所有資源，以及要啟用的所有服務)。在本指南中，您可以找到支援 Terraform 的所有 Firebase 資源完整清單。

開啟 main.tf 檔案。

在 provider 設定下方，加入 resource 區塊的下列設定。

這個基本範例會建立新的 Firebase 專案，然後在該專案中建立 Firebase Android 應用程式。

# Terraform configuration to set up providers by version.
...

# Configures the provider to use the resource block's specified project for quota checks.
...

# Configures the provider to not use the resource block's specified project for quota checks.
...

# Creates a new Google Cloud project.
resource "google_project" "default" {
  provider   = google-beta.no_user_project_override

  name       = "Project Display Name"
  project_id = "project-id-for-new-project"
  # Required for any service that requires the Blaze pricing plan
  # (like Firebase Authentication with GCIP)
  billing_account = "000000-000000-000000"

  # Required for the project to display in any list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "default" {
  provider = google-beta.no_user_project_override
  project  = google_project.default.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebase.googleapis.com",
    # Enabling the ServiceUsage API allows the new project to be quota checked from now on.
    "serviceusage.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "default" {
  provider = google-beta
  project  = google_project.default.project_id

  # Waits for the required APIs to be enabled.
  depends_on = [
    google_project_service.default
  ]
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "default" {
  provider = google-beta

  project      = google_project.default.project_id
  display_name = "My Awesome Android app"
  package_name = "awesome.package.name"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.default,
  ]
}

查看這個設定檔範例的詳細註解版本

如果您不熟悉專案和應用程式的基礎架構 (以資源形式)，請參閱下列說明文件：

瞭解 Firebase 專案
Firebase 專案管理參考說明文件

# Terraform configuration to set up providers by version.
...

# Configures the provider to use the resource block's specified project for quota checks.
...

# Configures the provider to not use the resource block's specified project for quota checks.
...

# Creates a new Google Cloud project.
resource "google_project" "default" {
  # Use the provider that enables the setup of quota checks for a new project
  provider   = google-beta.no_user_project_override

  name            = "Project Display Name"        // learn more about the project name
  project_id      = "project-id-for-new-project"  // learn more about the project ID
  # Required for any service that requires the Blaze pricing plan
  # (like Firebase Authentication with GCIP)
  billing_account = "000000-000000-000000"

  # Required for the project to display in any list of Firebase projects.
  labels = {
    "firebase" = "enabled"  // learn more about the Firebase-enabled label
  }
}

# Enables required APIs.
resource "google_project_service" "default" {
  # Use the provider without quota checks for enabling APIS
  provider = google-beta.no_user_project_override
  project  = google_project.default.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebase.googleapis.com",
    # Enabling the ServiceUsage API allows the new project to be quota checked from now on.
    "serviceusage.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
# This action essentially "creates a Firebase project" and allows the project to use
# Firebase services (like Firebase Authentication) and
# Firebase tooling (like the Firebase console).
# Learn more about the relationship between Firebase projects and Google Cloud.
resource "google_firebase_project" "default" {
  # Use the provider that performs quota checks from now on
  provider = google-beta

  project  = google_project.default.project_id

  # Waits for the required APIs to be enabled.
  depends_on = [
    google_project_service.default
  ]
}

# Creates a Firebase Android App in the new project created above.
# Learn more about the relationship between Firebase Apps and Firebase projects.
resource "google_firebase_android_app" "default" {
  provider = google-beta

  project      = google_project.default.project_id
  display_name = "My Awesome Android app"  # learn more about an app's display name
  package_name = "awesome.package.name"    # learn more about an app's package name

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.default,
  ]
}

步驟 2：執行 Terraform 指令，建立指定基礎架構

如要佈建資源並啟用 main.tf 檔案中指定的服務，請從 main.tf 檔案所在的目錄執行下列指令。如要進一步瞭解這些指令，請參閱 Terraform 說明文件。

如果這是您第一次在目錄中執行 Terraform 指令，請先初始化設定目錄，並安裝 Google Terraform 供應商。如要執行這項操作，請執行下列指令：
```
terraform init
```
執行下列指令，在 main.tf 檔案中建立指定的基礎架構：
```
terraform apply
```
確認所有項目都已佈建或啟用：
- 選項 1：執行下列指令，在終端機中查看列印的設定：
```
terraform show
```
- 選項 2：在 Firebase 控制台中查看 Firebase 專案。

支援 Terraform 的 Firebase 資源

下列 Firebase 和 Google 資源支援 Terraform。我們也會不斷新增資源！因此，如果找不到想透過 Terraform 管理的資源，請稍後再回來查看是否已推出，或在 GitHub 存放區中提出問題來要求。

Firebase 專案和應用程式管理

google_firebase_project：在現有的 Google Cloud 專案中啟用 Firebase 服務
Firebase 應用程式
- google_firebase_apple_app：建立或管理 Firebase Apple 平台應用程式
- google_firebase_android_app - 建立或管理 Firebase Android 應用程式
- google_firebase_web_app - 建立或管理 Firebase 網頁應用程式
重要事項： 建立 Firebase 應用程式時，您也需要設定應用程式的程式碼集，以便使用 Firebase，包括新增應用程式的 Firebase 設定，以及要使用的產品適用的 Firebase SDK。

Firebase Authentication

google_identity_platform_config：啟用 Google Cloud Identity Platform (GCIP，即 Firebase Authentication 的後端)，並提供專案層級的驗證設定
- 如要透過 Terraform 設定 Firebase Authentication，必須啟用 GCIP。請務必查看範例 .tf 檔案，瞭解如何設定 Firebase Authentication。
- Terraform 將在其中啟用 GCIP 和/或 Firebase Authentication 的專案必須採用 Blaze 定價方案 (也就是說，專案必須有相關聯的 Cloud Billing 帳戶)。如要以程式輔助方式執行這項操作，請在 google_project 資源中設定 billing_account 屬性。
- 這個資源也支援更多設定，例如匿名、電子郵件/密碼和電話驗證等本機登入方法，以及封鎖函式和授權網域。
google_identity_platform_default_supported_idp_config - 設定常見的聯合身分識別提供者，例如 Google、Facebook 或 Apple
identity_platform_oauth_idp_config：設定任意 OAuth 識別資訊提供者 (IdP) 來源
google_identity_platform_inbound_saml_config - 設定 SAML 整合

目前不支援：

透過 Terraform 設定多重驗證 (MFA)

Firebase App Hosting

google_firebase_app_hosting_backend 建立及管理Firebase App Hosting後端，包括 GitHub 存放區連線和持續部署的即時分支。
google_firebase_app_hosting_build — 為後端建立建構版本，並指定程式碼集參照標記和時間點。
google_firebase_app_hosting_traffic — 推出建構版本或設定持續 GitHub 部署。

Firebase Data Connect

google_firebase_data_connect_service - 建立 Data Connect 服務

Firebase Realtime Database

google_firebase_database_instance：建立 Realtime Database 執行個體

目前不支援：

透過 Terraform 部署 Firebase Realtime Database Security Rules (瞭解如何使用其他工具 (包括程式輔助選項) 部署這些 Rules)

Cloud Firestore

google_firestore_database：建立 Cloud Firestore 執行個體

重要事項： 設定下列欄位，即可搭配 Firebase 使用 Cloud Firestore： type = "FIRESTORE_NATIVE"
google_firestore_index：可針對 Cloud Firestore 啟用有效率的查詢
google_firestore_document：使用集合中的特定文件，為 Cloud Firestore 執行個體提供種子

重要事項：請勿在這個種子文件中使用真實的消費者或生產資料。

Cloud Storage for Firebase

google_firebase_storage_bucket：讓 Firebase SDK、驗證和 Firebase Security Rules 存取現有的 Cloud Storage 儲存空間
google_storage_bucket_object：將物件新增至 Cloud Storage 值區

重要事項：請勿在此檔案中使用真實的終端使用者或製作資料。

Firebase Security Rules (適用於 Cloud Firestore 和 Cloud Storage)

請注意，Firebase Realtime Database 使用的佈建系統與 Firebase Security Rules 不同。

google_firebaserules_ruleset：定義適用於 Cloud Firestore 例項或 Cloud Storage 值區的 Firebase Security Rules
google_firebaserules_release - 將特定規則集部署至 Cloud Firestore 執行個體或 Cloud Storage 值區

重要事項： ruleset 必須在最新部署的release中指定為 Cloud Firestore 執行個體和/或 Cloud Storage 值區的生效值，才會生效。
ruleset

Firebase App Check

google_firebase_app_check_service_config - 為服務啟用 App Check 強制執行
google_firebase_app_check_app_attest_config：向 App Attest 供應商註冊 Apple 平台應用程式
google_firebase_app_check_device_check_config：向 DeviceCheck 供應商註冊 Apple 平台應用程式
google_firebase_app_check_play_integrity_config - 向 Play Integrity 供應商註冊 Android 應用程式
google_firebase_app_check_recaptcha_enterprise_config - 使用 reCAPTCHA Enterprise 供應商註冊網頁應用程式
google_firebase_app_check_recaptcha_v3_config - 使用 reCAPTCHA v3 提供者註冊網頁應用程式
google_firebase_app_check_debug_token - 使用偵錯權杖進行測試

Firebase Extensions

google_firebase_extensions_instance：安裝或更新 Firebase Extension 的執行個體

常見用途的 Terraform 設定檔範例

使用 GCIP 設定 Firebase Authentication

這項設定會建立新的 Google Cloud 專案、將專案與 Cloud Billing 帳戶建立關聯 (Firebase Authentication 必須採用 GCIP 才能使用 Blaze 定價方案)、為專案啟用 Firebase 服務、設定 Firebase Authentication (採用 GCIP)，以及向專案註冊三種不同類型的應用程式。

請注意，如要透過 Terraform 設定 Firebase Authentication，必須先啟用 GCIP。

# Creates a new Google Cloud project.
resource "google_project" "auth" {
  provider  = google-beta.no_user_project_override
  folder_id = "folder-id-for-new-project"
  name            = "Project Display Name"
  project_id      = "project-id-for-new-project"

  # Associates the project with a Cloud Billing account
  # (required for Firebase Authentication with GCIP).
  billing_account = "000000-000000-000000"
}

# Enables required APIs.
resource "google_project_service" "auth" {
  provider = google-beta.no_user_project_override
  project  = google_project.auth.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "serviceusage.googleapis.com",
    "identitytoolkit.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "auth" {
  provider = google-beta
  project  = google_project.auth.project_id

  depends_on = [
    google_project_service.auth,
  ]
}

# Creates an Identity Platform config.
# Also enables Firebase Authentication with Identity Platform in the project if not.
resource "google_identity_platform_config" "auth" {
  provider = google-beta
  project  = google_firebase_project.auth.project

  # Auto-deletes anonymous users
  autodelete_anonymous_users = true

  # Configures local sign-in methods, like anonymous, email/password, and phone authentication.
  sign_in {
    allow_duplicate_emails = true

    anonymous {
      enabled = true
    }

    email {
      enabled = true
      password_required = false
    }

    phone_number {
      enabled = true
      test_phone_numbers = {
        "+11231231234" = "000000"
      }
    }
  }

  # Sets an SMS region policy.
  sms_region_config {
    allowlist_only {
      allowed_regions = [
        "US",
        "CA",
      ]
    }
  }

  # Configures blocking functions.
  blocking_functions {
    triggers {
      event_type = "beforeSignIn"
      function_uri = "https://us-east1-${google_project.auth.project_id}.cloudfunctions.net/before-sign-in"
    }
    forward_inbound_credentials {
      refresh_token = true
      access_token = true
      id_token = true
    }
  }

  # Configures a temporary quota for new signups for anonymous, email/password, and phone number.
  quota {
    sign_up_quota_config {
      quota = 1000
      start_time = ""
      quota_duration = "7200s"
    }
  }

  # Configures authorized domains.
  authorized_domains = [
    "localhost",
    "${google_project.auth.project_id}.firebaseapp.com",
    "${google_project.auth.project_id}.web.app",
  ]
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "auth" {
  provider     = google-beta
  project      = google_firebase_project.auth.project
  display_name = "My Android app"
  package_name = "android.package.name"
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "auth" {
  provider     = google-beta
  project      = google_firebase_project.auth.project
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "auth" {
  provider     = google-beta
  project      = google_firebase_project.auth.project
  display_name = "My Web app"
}

佈建 Firebase Data Connect 服務

這項設定會建立新的 Google Cloud 專案、為專案啟用 Firebase 服務，並佈建 Data Connect 服務。

# Creates a new Google Cloud project.
resource "google_project" "dataconnect" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Associates the project with a Cloud Billing account
  # (required to use Firebase Data Connect).
  billing_account = "000000-000000-000000"

  # Required for the project to display in a list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "services" {
  provider = google-beta.no_user_project_override
  project  = google_project.dataconnect.project_id
  for_each = toset([
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebasedataconnect.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created earlier.
resource "google_firebase_project" "dataconnect" {
  provider = google-beta
  project  = google_project.dataconnect.project_id

  depends_on = [google_project_service.services]
}

# Create a Firebase Data Connect service
resource "google_firebase_data_connect_service" "dataconnect-default" {
  project         = google_firebase_project.dataconnect.project
  location        = "name-of-region-for-service"
  service_id      = "${google_firebase_project.dataconnect.project}-default-fdc"
  deletion_policy = "DEFAULT"
}

佈建預設 Firebase Realtime Database 執行個體

這項設定會建立新的 Google Cloud 專案、為專案啟用 Firebase 服務、佈建專案的預設 Realtime Database 執行個體，並向專案註冊三種不同的應用程式類型。

# Creates a new Google Cloud project.
resource "google_project" "rtdb" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"
}

# Enables required APIs.
resource "google_project_service" "rtdb" {
  provider = google-beta.no_user_project_override
  project  = google_project.rtdb.project_id
  for_each = toset([
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebasedatabase.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "rtdb" {
  provider = google-beta
  project  = google_project.rtdb.project_id

  depends_on = [google_project_service.rtdb]
}

# Provisions the default Realtime Database default instance.
resource "google_firebase_database_instance" "database" {
  provider    = google-beta
  project     = google_firebase_project.rtdb.project
  # See available locations: https://firebase.google.com/docs/database/locations
  region      = "name-of-region"
  # This value will become the first segment of the database's URL.
  instance_id = "${google_project.rtdb.project_id}-default-rtdb"
  type        = "DEFAULT_DATABASE"
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "rtdb" {
  provider     = google-beta
  project      = google_firebase_project.rtdb.project
  display_name = "My Android app"
  package_name = "android.package.name"
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "rtdb" {
  provider     = google-beta
  project      = google_firebase_project.rtdb.project
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "rtdb" {
  provider     = google-beta
  project      = google_firebase_project.rtdb.project
  display_name = "My Web app"
}

佈建多個 Firebase Realtime Database 執行個體

這項設定會建立新的Google Cloud專案、將專案與Cloud Billing帳戶建立關聯 (多個 Realtime Database 執行個體需要 Blaze 定價方案)、為專案啟用 Firebase 服務、佈建多個 Realtime Database 執行個體 (包括專案的預設 Realtime Database 執行個體)，以及向專案註冊三種不同類型的應用程式。

# Creates a new Google Cloud project.
resource "google_project" "rtdb-multi" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Associate the project with a Cloud Billing account
  # (required for multiple Realtime Database instances).
  billing_account = "000000-000000-000000"
}

# Enables required APIs.
resource "google_project_service" "rtdb-multi" {
  provider = google-beta.no_user_project_override
  project  = google_project.rtdb-multi.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebasedatabase.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "rtdb-multi" {
  provider = google-beta
  project  = google_project.rtdb-multi.project_id

  depends_on = [google_project_service.rtdb-multi]
}

# Provisions the default Realtime Database default instance.
resource "google_firebase_database_instance" "database-default" {
  provider    = google-beta
  project     = google_firebase_project.rtdb-multi.project
  # See available locations: https://firebase.google.com/docs/database/locations
  region      = "name-of-region"
  # This value will become the first segment of the database's URL.
  instance_id = "${google_project.rtdb-multi.project_id}-default-rtdb"
  type        = "DEFAULT_DATABASE"
}

# Provisions an additional Realtime Database instance.
resource "google_firebase_database_instance" "database-additional" {
  provider    = google-beta
  project     = google_firebase_project.rtdb-multi.project
  # See available locations: https://firebase.google.com/docs/projects/locations#rtdb-locations
  # This location doesn't need to be the same as the default database instance.
  region      = "name-of-region"
  # This value will become the first segment of the database's URL.
  instance_id = "name-of-additional-database-instance"
  type        = "USER_DATABASE"
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "rtdb-multi" {
  provider     = google-beta
  project      = google_firebase_project.rtdb-multi.project
  display_name = "My Android app"
  package_name = "android.package.name"
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "rtdb-multi" {
  provider     = google-beta
  project      = google_firebase_project.rtdb-multi.project
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "rtdb-multi" {
  provider     = google-beta
  project      = google_firebase_project.rtdb-multi.project
  display_name = "My Web app"
}

佈建預設 Cloud Firestore 執行個體

這項設定會建立新的 Google Cloud 專案、為專案啟用 Firebase 服務、佈建專案的預設 Cloud Firestore 執行個體，並向專案註冊三種不同的應用程式類型。

此外，這項工具也會為預設 Cloud Firestore 執行個體佈建 Firebase Security Rules、建立 Cloud Firestore 索引，並新增含有種子資料的 Cloud Firestore 文件。

# Creates a new Google Cloud project.
resource "google_project" "firestore" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"
}

# Enables required APIs.
resource "google_project_service" "firestore" {
  provider = google-beta.no_user_project_override
  project  = google_project.firestore.project_id
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "serviceusage.googleapis.com",
    "firestore.googleapis.com",
    "firebaserules.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "firestore" {
  provider = google-beta
  project  = google_project.firestore.project_id

  depends_on = [google_project_service.firestore]
}

# Provisions the Firestore database instance.
resource "google_firestore_database" "firestore" {
  provider                    = google-beta
  project                     = google_firebase_project.firestore.project
  name                        = "(default)"
  # See available locations: https://firebase.google.com/docs/firestore/locations
  location_id                 = "name-of-region"
  # "FIRESTORE_NATIVE" is required to use Firestore with Firebase SDKs, authentication, and Firebase Security Rules.
  type                        = "FIRESTORE_NATIVE"
  concurrency_mode            = "OPTIMISTIC"
}

# Creates a ruleset of Firestore Security Rules from a local file.
resource "google_firebaserules_ruleset" "firestore" {
  provider = google-beta
  project  = google_firestore_database.firestore.project
  source {
    files {
      name = "firestore.rules"
      # Write security rules in a local file named "firestore.rules".
      # Learn more: https://firebase.google.com/docs/firestore/security/get-started
      content = file("firestore.rules")
    }
  }
}

# Releases the ruleset for the Firestore instance.
resource "google_firebaserules_release" "firestore" {
  provider     = google-beta
  name         = "cloud.firestore"  # must be cloud.firestore
  ruleset_name = google_firebaserules_ruleset.firestore.name
  project      = google_firestore_database.firestore.project
}

# Adds a new Firestore index.
resource "google_firestore_index" "indexes" {
  provider = google-beta
  project  = google_firestore_database.firestore.project

  collection  = "quiz"
  query_scope = "COLLECTION"

  fields {
    field_path = "question"
    order      = "ASCENDING"
  }

  fields {
    field_path = "answer"
    order      = "ASCENDING"
  }
}

# Adds a new Firestore document with seed data.
# Don't use real end-user or production data in this seed document.
resource "google_firestore_document" "doc" {
  provider    = google-beta
  project     = google_firestore_database.firestore.project
  collection  = "quiz"
  document_id = "question-1"
  fields      = "{\"question\":{\"stringValue\":\"Favorite Database\"},\"answer\":{\"stringValue\":\"Firestore\"}}"
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "firestore" {
  provider     = google-beta
  project      = google_firebase_project.firestore.project
  display_name = "My Android app"
  package_name = "android.package.name"
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "firestore" {
  provider     = google-beta
  project      = google_firebase_project.firestore.project
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "firestore" {
  provider     = google-beta
  project      = google_firebase_project.firestore.project
  display_name = "My Web app"
}

這是 Cloud Firestore Security Rules 的規則集，應位於名為 firestore.rules 的本機檔案中。

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /some_collection/{document} {
      allow read, create, update: if request.auth != null;
    }
  }
}

佈建預設 Cloud Storage bucket

佈建額外 Cloud Storage bucket

這項設定會建立新的 Google Cloud 專案、將專案與 Cloud Billing 帳戶建立關聯 (如需額外值區，必須採用 Blaze 定價方案)、為專案啟用 Firebase 服務、佈建額外的非預設 Cloud Storage 值區，以及向專案註冊三種不同類型的應用程式。

此外，它也會為每個 Cloud Storage bucket 提供 Firebase Security Rules，並將檔案上傳至其中一個 Cloud Storage bucket。

# Creates a new Google Cloud project.
resource "google_project" "storage-multi" {
  provider  = google-beta.no_user_project_override
  folder_id = "folder-id-for-new-project"
  name            = "Project Display Name"
  project_id      = "project-id-for-new-project"

  # Associates the project with a Cloud Billing account
  # (required for multiple Cloud Storage buckets).
  billing_account = "000000-000000-000000"
}

# Enables required APIs.
resource "google_project_service" "storage-multi" {
  provider = google-beta.no_user_project_override
  project  = google_project.storage-multi.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebaserules.googleapis.com",
    "firebasestorage.googleapis.com",
    "storage.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "storage-multi" {
  provider = google-beta
  project  = google_project.storage-multi.project_id

  depends_on = [google_project_service.storage-multi]
}

# Provisions a Cloud Storage bucket.
resource "google_storage_bucket" "bucket-1" {
  provider = google-beta
  project  = google_firebase_project.storage-multi.project
  name     = "name-of-storage-bucket"
  # See available locations: https://cloud.google.com/storage/docs/locations#available-locations
  location = "name-of-region-for-bucket"
}

# Provisions an additional Cloud Storage bucket.
resource "google_storage_bucket" "bucket-2" {
  provider = google-beta
  project  = google_firebase_project.storage-multi.project
  name     = "name-of-additional-storage-bucket"
  # See available locations: https://cloud.google.com/storage/docs/locations#available-locations
  # This location does not need to be the same as the existing Storage bucket.
  location = "name-of-region-for-additional-bucket"
}

# Makes the first Storage bucket accessible for Firebase SDKs, authentication, and Firebase Security Rules.
resource "google_firebase_storage_bucket" "bucket-1" {
  provider  = google-beta
  project   = google_firebase_project.storage-multi.project
  bucket_id = google_storage_bucket.bucket-1.name
}

# Makes the additional Storage bucket accessible for Firebase SDKs, authentication, and Firebase Security Rules.
resource "google_firebase_storage_bucket" "bucket-2" {
  provider  = google-beta
  project   = google_firebase_project.storage-multi.project
  bucket_id = google_storage_bucket.bucket-2.name
}

# Creates a ruleset of Firebase Security Rules from a local file.
resource "google_firebaserules_ruleset" "storage-multi" {
  provider = google-beta
  project  = google_firebase_project.storage-multi.project
  source {
    files {
      # Write security rules in a local file named "storage.rules"
      # Learn more: https://firebase.google.com/docs/storage/security/get-started
      name    = "storage.rules"
      content = file("storage.rules")
    }
  }
}

# Releases the ruleset to the first Storage bucket.
resource "google_firebaserules_release" "bucket-1" {
  provider     = google-beta
  name         = "firebase.storage/${google_storage_bucket.bucket-1.name}"
  ruleset_name = "projects/${google_project.storage-multi.project_id}/rulesets/${google_firebaserules_ruleset.storage-multi.name}"
  project      = google_firebase_project.storage-multi.project
}

# Releases the ruleset to the additional Storage bucket.
resource "google_firebaserules_release" "bucket-2" {
  provider     = google-beta
  name         = "firebase.storage/${google_storage_bucket.bucket-2.name}"
  ruleset_name = "projects/${google_project.storage-multi.project_id}/rulesets/${google_firebaserules_ruleset.storage-multi.name}"
  project      = google_firebase_project.storage-multi.project
}

# Uploads a new file to the first Storage bucket.
# Do not use real end-user or production data in this file.
resource "google_storage_bucket_object" "cat-picture-multi" {
  provider = google-beta
  name     = "cat.png"
  source   = "path/to/cat.png"
  bucket   = google_storage_bucket.bucket-1.name
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "storage-multi" {
  provider     = google-beta
  project      = google_firebase_project.storage-multi.project
  display_name = "My Android app"
  package_name = "android.package.name"
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "storage-multi" {
  provider     = google-beta
  project      = google_firebase_project.storage-multi.project
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "storage-multi" {
  provider     = google-beta
  project      = google_firebase_project.storage-multi.project
  display_name = "My Web app"
}

這是 Cloud Storage Security Rules 的規則集，應位於名為 storage.rules 的本機檔案中。

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /some_folder/{fileName} {
      allow read, write: if request.auth != null;
    }
  }
}

使用 Firebase App Check 保護 API 資源

這項設定會建立新的 Google Cloud 專案、為專案啟用 Firebase 服務，並設定及啟用 Cloud Firestore 的 Firebase App Check 強制執行功能，確保只能從 Android 應用程式存取。

# Creates a new Google Cloud project.
resource "google_project" "appcheck" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"
}

# Enables required APIs.
resource "google_project_service" "services" {
  provider = google-beta.no_user_project_override
  project  = google_project.appcheck.project_id
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "firebase.googleapis.com",
    "firebaseappcheck.googleapis.com",
    "firestore.googleapis.com",
    "serviceusage.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created earlier.
resource "google_firebase_project" "appcheck" {
  provider = google-beta
  project  = google_project.appcheck.project_id

  depends_on = [google_project_service.services]
}

# Provisions the Firestore database instance.
resource "google_firestore_database" "database" {
  provider = google-beta
  project  = google_firebase_project.appcheck.project
  name     = "(default)"
  # See available locations: https://firebase.google.com/docs/projects/locations#default-cloud-location
  location_id = "name-of-region"
  # "FIRESTORE_NATIVE" is required to use Firestore with Firebase SDKs, authentication, and Firebase Security Rules.
  type             = "FIRESTORE_NATIVE"
  concurrency_mode = "OPTIMISTIC"
}

# Creates a Firebase Android App in the new project created earlier.
resource "google_firebase_android_app" "appcheck" {
  provider     = google-beta
  project      = google_firebase_project.appcheck.project
  display_name = "Play Integrity app"
  package_name = "package.name.playintegrity"
  sha256_hashes = [
    # TODO: insert your Android app's SHA256 certificate
  ]
}

# Register the Android app with the Play Integrity provider
resource "google_firebase_app_check_play_integrity_config" "appcheck" {
  provider = google-beta
  project  = google_firebase_project.appcheck.project
  app_id   = google_firebase_android_app.appcheck.app_id

  depends_on = [google_firestore_database.database]

  lifecycle {
    precondition {
      condition     = length(google_firebase_android_app.appcheck.sha256_hashes) > 0
      error_message = "Provide a SHA-256 certificate on the Android App to use App Check"
    }
  }
}

# Enable enforcement of App Check for Firestore
resource "google_firebase_app_check_service_config" "firestore" {
  provider = google-beta

  project    = google_firebase_project.appcheck.project
  service_id = "firestore.googleapis.com"

  depends_on = [google_project_service.services]
}

安裝 Firebase Extension 的例項

這項設定會建立新的 Google Cloud 專案、為專案啟用 Firebase 服務，並在專案中安裝新的 Firebase Extension 執行個體。如果執行個體已存在，系統會根據設定中提供的值更新其參數。

# Creates a new Google Cloud project.
resource "google_project" "extensions" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Associates the project with a Cloud Billing account
  # (required to use Firebase Extensions).
  billing_account = "000000-000000-000000"
}

# Enables required APIs.
resource "google_project_service" "extensions" {
  provider = google-beta.no_user_project_override
  project  = google_project.extensions.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "serviceusage.googleapis.com",
    "firebase.googleapis.com",
    "firebaseextensions.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "extensions" {
  provider = google-beta
  project  = google_project.extensions.project_id

  depends_on = [
    google_project_service.extensions,
  ]
}

# Installs an instance of the "Translate Text in Firestore" extension.
# Or updates the extension if the specified instance already exists.
resource "google_firebase_extensions_instance" "translation" {
  provider = google-beta
  project = google_firebase_project.extensions.project

  instance_id = "translate-text-in-firestore"
  config {
    extension_ref = "firebase/firestore-translate-text"

    params = {
      COLLECTION_PATH      = "posts/comments/translations"
      DO_BACKFILL          = true
      LANGUAGES            = "ar,en,es,de,fr"
      INPUT_FIELD_NAME     = "input"
      LANGUAGES_FIELD_NAME = "languages"
      OUTPUT_FIELD_NAME    = "translated"
    }

    system_params = {
      "firebaseextensions.v1beta.function/location"                   = "us-central1"
      "firebaseextensions.v1beta.function/memory"                     = "256"
      "firebaseextensions.v1beta.function/minInstances"               = "0"
      "firebaseextensions.v1beta.function/vpcConnectorEgressSettings" = "VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED"
    }
  }
}

啟用並保護 Firebase AI Logic

這項設定會建立新的 Google Cloud 專案、為專案啟用 Firebase 服務 (包括 Firebase AI Logic)，並為 Firebase AI Logic 設定及啟用 Firebase App Check 強制執行功能，確保只有您的應用程式可以存取。

# Creates a new Google Cloud project.
resource "google_project" "vertex" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Associate the project with a Cloud Billing account
  # (required for Vertex AI in Firebase).
  billing_account = "000000-000000-000000"
}

# Enables required APIs.
resource "google_project_service" "services" {
  provider   = google-beta.no_user_project_override

  project  = google_project.vertex.project_id
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "firebase.googleapis.com",
    "serviceusage.googleapis.com",
    # Required APIs for Vertex AI in Firebase
    "aiplatform.googleapis.com",
    "firebasevertexai.googleapis.com",
    # App Check is recommended to protect Vertex AI in Firebase from abuse
    "firebaseappcheck.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created earlier.
resource "google_firebase_project" "vertex" {
  provider = google-beta
  project  = google_project.vertex.project_id

  depends_on = [google_project_service.services]
}

# Creates a Firebase Web App in the new project created earlier.
resource "google_firebase_web_app" "app" {
  provider = google-beta
  project  = google_firebase_project.vertex.project

  display_name = "My Web App"
}

# Creates a Firebase Android App in the new project created earlier.
resource "google_firebase_android_app" "app" {
  provider     = google-beta
  project      = google_firebase_project.vertex.project
  display_name = "My Android App"
  package_name = "package.name.playintegrity"
  sha256_hashes = [
    # TODO: insert your Android app's SHA256 certificate
  ]
}

# Creates a Firebase Apple App in the new project created earlier.
resource "google_firebase_apple_app" "app" {
  provider     = google-beta
  project      = google_firebase_project.vertex.project
  display_name = "My Apple App"
  bundle_id    = "bundle.id"
  team_id      = "1234567890"
}

### Protects Vertex AI in Firebase with App Check.

# Turns on enforcement for Vertex AI in Firebase
resource "google_firebase_app_check_service_config" "vertex" {
  provider = google-beta

  project          = google_firebase_project.vertex.project
  service_id       = "firebaseml.googleapis.com"
  enforcement_mode = "ENFORCED"
}

# Enables the reCAPTCHA Enterprise API
resource "google_project_service" "recaptcha_enterprise" {
  provider = google-beta

  project = google_firebase_project.vertex.project
  service = "recaptchaenterprise.googleapis.com"

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables the Play Integrity API
resource "google_project_service" "play_integrity" {
  provider = google-beta

  project = google_firebase_project.vertex.project
  service = "playintegrity.googleapis.com"

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Allows the web app to use reCAPTCHA Enterprise with App Check
resource "google_firebase_app_check_recaptcha_enterprise_config" "appcheck" {
  provider = google-beta

  project   = google_firebase_project.vertex.project
  app_id    = google_firebase_web_app.app.app_id
  site_key  = "your site key"
  token_ttl = "7200s" # Optional

  depends_on = [google_project_service.recaptcha_enterprise]
}

# Registers the Android app with the Play Integrity provider
resource "google_firebase_app_check_play_integrity_config" "appcheck" {
  provider  = google-beta
  project   = google_firebase_project.vertex.project
  app_id    = google_firebase_android_app.app.app_id
  token_ttl = "7200s" # Optional

  lifecycle {
    precondition {
      condition     = length(google_firebase_android_app.app.sha256_hashes) > 0
      error_message = "Provide a SHA-256 certificate on the Android App to use App Check"
    }
  }

  depends_on = [google_project_service.play_integrity]
}

# Registers the Apple app with the AppAttest provider
resource "google_firebase_app_check_app_attest_config" "appcheck" {
  provider  = google-beta
  project   = google_firebase_project.vertex.project
  app_id    = google_firebase_apple_app.app.app_id
  token_ttl = "7200s" # Optional

  lifecycle {
    precondition {
      condition     = google_firebase_apple_app.app.team_id != ""
      error_message = "Provide a Team ID on the Apple App to use App Check"
    }
  }
}

手動佈建 App Hosting 後端

這項設定示範如何使用 Terraform 手動佈建 App Hosting 後端。這種做法可讓您精細控管建立的資源，但需要個別定義每個資源。如果您需要自訂後端，但預設選項無法滿足需求，這個方法就非常實用。

# Creates a new Google Cloud project.
resource "google_project" "apphosting" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Associates the project with a Cloud Billing account
  # (required to use Firebase App Hosting).
  billing_account = "000000-000000-000000"
}

# Enables required APIs.
resource "google_project_service" "services" {
  provider = google-beta.no_user_project_override
  project  = google_project.apphosting.project_id
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "firebase.googleapis.com",
    "firebaseapphosting.googleapis.com",
    "serviceusage.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created earlier.
resource "google_firebase_project" "apphosting" {
  provider = google-beta
  project  = google_project.apphosting.project_id

  depends_on = [google_project_service.services]
}

# Creates a Firebase Web App in the new project created earlier.
resource "google_firebase_web_app" "apphosting" {
  provider     = google-beta
  project      = google_firebase_project.apphosting.project
  display_name = "My web app"
}

# Creates a Firebase App Hosting Backend
resource "google_firebase_app_hosting_backend" "example" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project

  # Choose the region closest to your users
  location         = "name-of-region-for-service"
  backend_id       = "name-of-backend-for-service"
  app_id           = google_firebase_web_app.apphosting.app_id
  display_name     = "My Backend"
  serving_locality = "GLOBAL_ACCESS" # or "REGIONAL_STRICT"
  service_account  = google_service_account.service_account.email
}

# Creates the service account for Firebase App Hosting
resource "google_service_account" "service_account" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project

  # Must be firebase-app-hosting-compute
  account_id                   = "firebase-app-hosting-compute"
  display_name                 = "Firebase App Hosting compute service account"

  # Do not throw if already exists
  create_ignore_already_exists = true
}

# Adds permission to the App Hosting service account
resource "google_project_iam_member" "app_hosting_sa" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project

  for_each = toset([
    "roles/firebase.sdkAdminServiceAgent",
    "roles/firebaseapphosting.computeRunner"
  ])

  role   = each.key
  member = google_service_account.service_account.member
}

# Creates a Build
resource "google_firebase_app_hosting_build" "example" {
  provider = google-beta

  project          = google_firebase_app_hosting_backend.example.project
  location         = google_firebase_app_hosting_backend.example.location
  backend          = google_firebase_app_hosting_backend.example.backend_id
  build_id         = "my-build"

  source {
    container {
      # TODO: use your own image
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
}

# Rolls out the Build
resource "google_firebase_app_hosting_traffic" "example" {
  provider = google-beta

  project          = google_firebase_app_hosting_backend.example.project
  location         = google_firebase_app_hosting_backend.example.location
  backend          = google_firebase_app_hosting_backend.example.backend_id

  target {
    splits {
      build = google_firebase_app_hosting_build.example.name
      percent = 100
    }
  }
}

使用 GitHub 佈建後端 App Hosting

這項設定示範如何使用 GitHub 存放區中儲存的應用程式碼，佈建 App Hosting 後端。這種做法可讓您透過 GitHub 提取要求和 CI/CD 管道，根據 App Hosting 部署的典型模型管理及更新基礎架構。

# Creates a new Google Cloud project.
resource "google_project" "apphosting" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Associates the project with a Cloud Billing account
  # (required to use Firebase App Hosting).
  billing_account = "000000-000000-000000"
}

# Enables required APIs.
resource "google_project_service" "services" {
  provider = google-beta.no_user_project_override
  project  = google_project.apphosting.project_id
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "firebase.googleapis.com",
    "firebaseapphosting.googleapis.com",
    "serviceusage.googleapis.com",
    "developerconnect.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created earlier.
resource "google_firebase_project" "apphosting" {
  provider = google-beta
  project  = google_project.apphosting.project_id

  depends_on = [google_project_service.services]
}

# Creates a Firebase Web App in the new project created earlier.
resource "google_firebase_web_app" "apphosting" {
  provider     = google-beta
  project      = google_firebase_project.apphosting.project
  display_name = "My web app"
}

### Setting up Firebase App Hosting ###

# Creates a Firebase App Hosting Backend
resource "google_firebase_app_hosting_backend" "example" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project

  # Choose the region closest to your users
  location         = "name-of-region-for-service"
  backend_id       = "name-of-backend-for-service"
  app_id           = google_firebase_web_app.apphosting.app_id
  display_name     = "My Backend"
  serving_locality = "GLOBAL_ACCESS" # or "REGIONAL_STRICT"
  service_account  = google_service_account.service_account.email

  codebase {
    repository = google_developer_connect_git_repository_link.my-repository.name
    root_directory = "/"
  }
}

# Creates the service account for Firebase App Hosting
resource "google_service_account" "service_account" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project

  # Must be firebase-app-hosting-compute
  account_id                   = "firebase-app-hosting-compute"
  display_name                 = "Firebase App Hosting compute service account"

  # Do not throw if already exists
  create_ignore_already_exists = true
}

# Adds permission to the App Hosting service account
resource "google_project_iam_member" "app_hosting_sa" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project

  for_each = toset([
    "roles/developerconnect.readTokenAccessor",
    "roles/firebase.sdkAdminServiceAgent",
    "roles/firebaseapphosting.computeRunner"
  ])

  role   = each.key
  member = google_service_account.service_account.member
}

# Configures auto rollout from GitHub
resource "google_firebase_app_hosting_traffic" "example" {
  provider = google-beta

  project  = google_firebase_app_hosting_backend.example.project
  location = google_firebase_app_hosting_backend.example.location
  backend  = google_firebase_app_hosting_backend.example.backend_id

  rollout_policy {
    codebase_branch = "main" # Or another branch
  }
}

###

### Setting up a connection to GitHub ###

# Provisions Service Agent for Developer Connect
resource "google_project_service_identity" "devconnect-p4sa" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project

  service  = "developerconnect.googleapis.com"
}

# Adds permission to Developer Connect Service Agent to manager GitHub tokens
resource "google_project_iam_member" "devconnect-secret" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project

  role     = "roles/secretmanager.admin"
  member   = google_project_service_identity.devconnect-p4sa.member
}

# Connects to a GitHub account
resource "google_developer_connect_connection" "my-connection" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project

  # Must match the google_firebase_app_hosting_backend's location
  location = "name-of-region-for-service"

  # Must be `firebase-app-hosting-github-oauth`
  connection_id = "firebase-app-hosting-github-oauth"
  github_config {
    github_app = "FIREBASE"
  }
  depends_on = [google_project_iam_member.devconnect-secret]
}

# Follow the next steps to set up the GitHub connection
# Tip: Run terraform refresh to obtain the output
output "next_steps" {
  description = "Follow the action_uri if present to continue setup"
  value = google_developer_connect_connection.my-connection.installation_state
}

# Links a GitHub repo to the project
resource "google_developer_connect_git_repository_link" "my-repository" {
  provider = google-beta
  project  = google_firebase_project.apphosting.project
  location = google_developer_connect_connection.my-connection.location

  git_repository_link_id = "my-repo-id"
  parent_connection = google_developer_connect_connection.my-connection.connection_id
  clone_uri = "https://github.com/myuser/myrepo.git"
}

###

疑難排解與常見問題

您會收到這項錯誤訊息： `generic::permission_denied: Firebase Tos Not Accepted`。

請確認用來執行gcloud CLI指令的使用者帳戶已接受 Firebase 服務條款。

如要進行這項檢查，請在瀏覽器中登入使用者帳戶，然後嘗試在 Firebase 控制台中查看現有的 Firebase 專案。如果可以查看現有的 Firebase 專案，表示使用者帳戶已接受 Firebase 服務條款。
如果無法查看任何現有 Firebase 專案，可能是因為使用者帳戶尚未接受 Firebase 服務條款。如要修正這個問題，請透過 Firebase 控制台建立新的 Firebase 專案，並在建立專案時接受 Firebase 服務條款。您可以透過管理中心的「專案設定」立即刪除這個專案。

執行 `terraform apply` 後，您會收到以下錯誤訊息： `generic::permission_denied: IAM authority does not have the permission`。

請稍候片刻，然後再試一次執行 terraform apply。

資源建立失敗，但再次執行 `terraform apply` 時，系統會顯示 `ALREADY_EXISTS`。

這可能是因為各系統的傳播延遲所致。請嘗試執行 terraform import，將資源匯入 Terraform 狀態，解決這個問題。然後再次執行 terraform apply。

如要瞭解如何匯入各項資源，請參閱 Terraform 說明文件的「匯入」部分 (例如 Cloud Firestore 的「匯入」說明文件)。

使用 Cloud Firestore 時，您會收到以下錯誤訊息：`Error creating Index: googleapi: Error 409;...Concurrent access -- try again`

如錯誤訊息所示，Terraform 可能嘗試同時佈建多個索引和/或建立文件，因此發生並行錯誤。請再次執行 terraform apply。

您會收到以下錯誤訊息： `"you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes"`。

這項錯誤表示 Terraform 不知道要檢查哪個專案的配額。如要排解問題，請檢查 resource 區塊中的下列項目：

請確認你已為 project 屬性指定值。
請務必使用供應商 (沒有別名)，在 Firebase 範例中為 google-beta。user_project_override = true

建立新的 Google Cloud 專案時，您會收到錯誤訊息，指出為新專案指定的專案 ID 已存在。

專案 ID 可能已存在的原因如下：

與該 ID 相關聯的專案屬於他人。
- 解決方法：選擇其他專案 ID。
與該 ID 相關聯的專案最近已刪除 (處於軟刪除狀態)。
- 解決方法：如果您認為與 ID 相關聯的專案屬於您，請使用 projects.get REST API 檢查專案狀態。
與該 ID 相關聯的專案在目前使用者底下正確存在。錯誤的可能原因為先前的 terraform apply遭到中斷。
- 解決方法：執行下列指令：
  terraform import google_project.default PROJECT_ID 然後
  terraform import google_firebase_project.default PROJECT_ID

嘗試佈建 Cloud Storage (透過 `google_app_engine_application`)，然後佈建預設 Cloud Firestore 執行個體時，會收到這項錯誤：`Error: Error creating Database: googleapi: Error 409: Database already exists. Please use another database_id`。

當您佈建專案的預設 Cloud Storage 值區 (透過 google_app_engine_application)，且專案尚未有預設 Cloud Firestore 執行個體時，google_app_engine_application 會自動佈建專案的預設 Cloud Firestore 執行個體。

因此，由於專案的預設 Cloud Firestore 執行個體已佈建，如果您嘗試再次明確佈建該預設執行個體，google_firestore_database 會發生錯誤。

專案的預設 Cloud Firestore 執行個體佈建完成後，您就無法「重新佈建」或變更其位置。請注意，佈建的資料庫執行個體處於 Datastore 模式，因此無法透過 Firebase SDK、驗證或 Firebase Security Rules 存取。如要搭配使用 Cloud Firestore 與這些 Firebase 服務，請先清空資料庫，然後在 Google Cloud 控制台中變更資料庫類型。

開始使用 Terraform 和 Firebase 透過集合功能整理內容 你可以依據偏好儲存及分類內容。

Terraform 和 Firebase 搭配使用有哪些優點？

使用 Terraform 搭配 Firebase 的一般工作流程

必要條件

步驟 1：建立及自訂 Terraform 設定檔

設定 provider

使用 resource 區塊指定要建立的基礎架構

查看這個設定檔範例的詳細註解版本

步驟 2：執行 Terraform 指令，建立指定基礎架構

支援 Terraform 的 Firebase 資源

Firebase 專案和應用程式管理

Firebase Authentication

Firebase App Hosting

Firebase Data Connect

Firebase Realtime Database

Cloud Firestore

Cloud Storage for Firebase

Firebase Security Rules (適用於 Cloud Firestore 和 Cloud Storage)

Firebase App Check

Firebase Extensions

常見用途的 Terraform 設定檔範例

使用 GCIP 設定 Firebase Authentication

佈建 Firebase Data Connect 服務

佈建預設 Firebase Realtime Database 執行個體

佈建多個 Firebase Realtime Database 執行個體

佈建預設 Cloud Firestore 執行個體

佈建預設 Cloud Storage bucket

佈建額外 Cloud Storage bucket

使用 Firebase App Check 保護 API 資源

安裝 Firebase Extension 的例項

啟用並保護 Firebase AI Logic

手動佈建 App Hosting 後端

使用 GitHub 佈建後端 App Hosting

疑難排解與常見問題

您想進一步瞭解所有不同的專案相關屬性 (例如 project 和 user_project_override)

您會收到這項錯誤訊息： generic::permission_denied: Firebase Tos Not Accepted。

執行 terraform apply 後，您會收到以下錯誤訊息： generic::permission_denied: IAM authority does not have the permission。

資源建立失敗，但再次執行 terraform apply 時，系統會顯示 ALREADY_EXISTS。

使用 Cloud Firestore 時，您會收到以下錯誤訊息：Error creating Index: googleapi: Error 409;...Concurrent access -- try again

您會收到以下錯誤訊息： "you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes"。

建立新的 Google Cloud 專案時，您會收到錯誤訊息，指出為新專案指定的專案 ID 已存在。

為什麼需要先佈建預設 Cloud Firestore 執行個體，再佈建預設 Cloud Storage 值區？

嘗試佈建 Cloud Storage (透過 google_app_engine_application)，然後佈建預設 Cloud Firestore 執行個體時，會收到這項錯誤：Error: Error creating Database: googleapi: Error 409: Database already exists. Please use another database_id。

開始使用 Terraform 和 Firebase

設定 `provider`

使用 `resource` 區塊指定要建立的基礎架構

您想進一步瞭解所有不同的專案相關屬性 (例如 `project` 和 `user_project_override`)

您會收到這項錯誤訊息： `generic::permission_denied: Firebase Tos Not Accepted`。

執行 `terraform apply` 後，您會收到以下錯誤訊息： `generic::permission_denied: IAM authority does not have the permission`。

資源建立失敗，但再次執行 `terraform apply` 時，系統會顯示 `ALREADY_EXISTS`。

使用 Cloud Firestore 時，您會收到以下錯誤訊息：`Error creating Index: googleapi: Error 409;...Concurrent access -- try again`

您會收到以下錯誤訊息： `"you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes"`。

嘗試佈建 Cloud Storage (透過 `google_app_engine_application`)，然後佈建預設 Cloud Firestore 執行個體時，會收到這項錯誤：`Error: Error creating Database: googleapi: Error 409: Database already exists. Please use another database_id`。