使用入门：将 Terraform 与 Firebase 搭配使用

下面是此示例配置文件的详尽注释版本

如果您还不熟悉将项目和应用作为资源进行部署的基础架构，请参阅以下文档：

• 了解 Firebase 项目
• Firebase 项目管理参考文档

# Terraform configuration to set up providers by version.
...

# Configures the provider to use the resource block's specified project for quota checks.
...

# Configures the provider to not use the resource block's specified project for quota checks.
...

# Creates a new Google Cloud project.
resource "google_project" "default" {
  # Use the provider that enables the setup of quota checks for a new project
  provider   = google-beta.no_user_project_override

  name            = "Project Display Name"        // learn more about the project name
  project_id      = "project-id-for-new-project"  // learn more about the project ID
  # Required for any service that requires the Blaze pricing plan
  # (like Firebase Authentication with GCIP)
  billing_account = "000000-000000-000000"

  # Required for the project to display in any list of Firebase projects.
  labels = {
    "firebase" = "enabled"  // learn more about the Firebase-enabled label
  }
}

# Enables required APIs.
resource "google_project_service" "default" {
  # Use the provider without quota checks for enabling APIS
  provider = google-beta.no_user_project_override
  project  = google_project.default.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebase.googleapis.com",
    # Enabling the ServiceUsage API allows the new project to be quota checked from now on.
    "serviceusage.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
# This action essentially "creates a Firebase project" and allows the project to use
# Firebase services (like Firebase Authentication) and
# Firebase tooling (like the Firebase console).
# Learn more about the relationship between Firebase projects and Google Cloud.
resource "google_firebase_project" "default" {
  # Use the provider that performs quota checks from now on
  provider = google-beta

  project  = google_project.default.project_id

  # Waits for the required APIs to be enabled.
  depends_on = [
    google_project_service.default
  ]
}

# Creates a Firebase Android App in the new project created above.
# Learn more about the relationship between Firebase Apps and Firebase projects.
resource "google_firebase_android_app" "default" {
  provider = google-beta

  project      = google_project.default.project_id
  display_name = "My Awesome Android app"  # learn more about an app's display name
  package_name = "awesome.package.name"    # learn more about an app's package name

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.default,
  ]
}

设置 Firebase Authentication with GCIP

此配置会创建一个新的 Google Cloud 项目，将该项目与一个 Cloud Billing 帐号关联（若要使用 Firebase Authentication with GCIP，您的项目必须采用 Blaze 定价方案），为项目启用所需的 Firebase 服务，设置 Firebase Authentication with GCIP，并在项目中注册三种不同的应用类型。

请注意，必须启用 GCIP，才能通过 Terraform 设置 Firebase Authentication。

# Creates a new Google Cloud project.
resource "google_project" "auth" {
  provider  = google-beta.no_user_project_override
  folder_id = "folder-id-for-new-project"
  name            = "Project Display Name"
  project_id      = "project-id-for-new-project"

  # Associates the project with a Cloud Billing account
  # (required for Firebase Authentication with GCIP).
  billing_account = "000000-000000-000000"

  # Required for the project to display in a list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "auth" {
  provider = google-beta.no_user_project_override
  project  = google_project.auth.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "serviceusage.googleapis.com",
    "identitytoolkit.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "auth" {
  provider = google-beta
  project  = google_project.auth.project_id

  depends_on = [
    google_project_service.auth,
  ]
}

# Creates an Identity Platform config.
# Also enables Firebase Authentication with Identity Platform in the project if not.
resource "google_identity_platform_config" "auth" {
  provider = google-beta
  project  = google_project.auth.project_id

  # For example, you can configure to auto-delete Anonymous users.
  autodelete_anonymous_users = true

  # Wait for identitytoolkit.googleapis.com to be enabled before initializing Authentication.
  depends_on = [
    google_project_service.auth,
  ]
}

# Adds more configurations, like for the email/password sign-in provider.
resource "google_identity_platform_project_default_config" "auth" {
  provider = google-beta
  project  = google_project.auth.project_id
  sign_in {
    allow_duplicate_emails = false

    anonymous {
      enabled = true
    }

    email {
      enabled           = true
      password_required = false
    }
  }

  # Wait for Authentication to be initialized before enabling email/password.
  depends_on = [
    google_identity_platform_config.auth
  ]
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "auth" {
  provider     = google-beta
  project      = google_project.auth.project_id
  display_name = "My Android app"
  package_name = "android.package.name"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.auth,
  ]
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "auth" {
  provider     = google-beta
  project      = google_project.auth.project_id
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.auth,
  ]
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "auth" {
  provider     = google-beta
  project      = google_project.auth.project_id
  display_name = "My Web app"

  # The other App types (Android and Apple) use "DELETE" by default.
  # Web apps don't use "DELETE" by default due to backward-compatibility.
  deletion_policy = "DELETE"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.auth,
  ]
}

预配默认的 Firebase Realtime Database 实例

此配置会创建一个新的 Google Cloud 项目，为项目启用所需的 Firebase 服务，为项目预配默认的 Realtime Database 实例，并在项目中注册三种不同的应用类型。

# Creates a new Google Cloud project.
resource "google_project" "rtdb" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Required for the project to display in a list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "rtdb" {
  provider = google-beta.no_user_project_override
  project  = google_project.rtdb.project_id
  for_each = toset([
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebasedatabase.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "rtdb" {
  provider = google-beta
  project  = google_project.rtdb.project_id
}

# Provisions the default Realtime Database default instance.
resource "google_firebase_database_instance" "database" {
  provider    = google-beta
  project     = google_project.rtdb.project_id
  # See available locations: https://firebase.google.com/docs/projects/locations#rtdb-locations
  region      = "name-of-region"
  # This value will become the first segment of the database's URL.
  instance_id = "${google_project.rtdb.project_id}-default-rtdb"
  type        = "DEFAULT_DATABASE"

  # Wait for Firebase to be enabled in the Google Cloud project before initializing Realtime Database.
  depends_on = [
    google_firebase_project.rtdb,
  ]
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "rtdb" {
  provider     = google-beta
  project      = google_project.rtdb.project_id
  display_name = "My Android app"
  package_name = "android.package.name"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.rtdb,
  ]
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "rtdb" {
  provider     = google-beta
  project      = google_project.rtdb.project_id
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.rtdb,
  ]
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "rtdb" {
  provider     = google-beta
  project      = google_project.rtdb.project_id
  display_name = "My Web app"

  # The other App types (Android and Apple) use "DELETE" by default.
  # Web apps don't use "DELETE" by default due to backward-compatibility.
  deletion_policy = "DELETE"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.rtdb,
  ]
}

预配多个 Firebase Realtime Database 实例

此配置会创建一个新的 Google Cloud 项目，将该项目与一个 Cloud Billing 帐号关联（若有多个 Realtime Database 实例，则必须采用 Blaze 定价方案），为项目启用所需的 Firebase 服务，预配多个 Realtime Database 实例（包括项目的默认 Realtime Database 实例），并在项目中注册三种不同的应用类型。

# Creates a new Google Cloud project.
resource "google_project" "rtdb-multi" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Associate the project with a Cloud Billing account
  # (required for multiple Realtime Database instances).
  billing_account = "000000-000000-000000"

  # Required for the project to display in a list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "rtdb-multi" {
  provider = google-beta.no_user_project_override
  project  = google_project.rtdb-multi.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebasedatabase.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "rtdb-multi" {
  provider = google-beta
  project  = google_project.rtdb-multi.project_id
}

# Provisions the default Realtime Database default instance.
resource "google_firebase_database_instance" "database-default" {
  provider    = google-beta
  project     = google_project.rtdb-multi.project_id
  # See available locations: https://firebase.google.com/docs/projects/locations#rtdb-locations
  region      = "name-of-region"
  # This value will become the first segment of the database's URL.
  instance_id = "${google_project.rtdb-multi.project_id}-default-rtdb"
  type        = "DEFAULT_DATABASE"

  # Wait for Firebase to be enabled in the Google Cloud project before initializing Realtime Database.
  depends_on = [
    google_firebase_project.rtdb-multi,
  ]
}

# Provisions an additional Realtime Database instance.
resource "google_firebase_database_instance" "database-additional" {
  provider    = google-beta
  project     = google_project.rtdb-multi.project_id
  # See available locations: https://firebase.google.com/docs/projects/locations#rtdb-locations
  # This location doesn't need to be the same as the default database instance.
  region      = "name-of-region"
  # This value will become the first segment of the database's URL.
  instance_id = "name-of-additional-database-instance"
  type        = "USER_DATABASE"

  # Wait for Firebase to be enabled in the Google Cloud project before initializing Realtime Database.
  depends_on = [
    google_firebase_project.rtdb-multi,
  ]
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "rtdb-multi" {
  provider     = google-beta
  project      = google_project.rtdb-multi.project_id
  display_name = "My Android app"
  package_name = "android.package.name"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.rtdb-multi,
  ]
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "rtdb-multi" {
  provider     = google-beta
  project      = google_project.rtdb-multi.project_id
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.rtdb-multi,
  ]
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "rtdb-multi" {
  provider     = google-beta
  project      = google_project.rtdb-multi.project_id
  display_name = "My Web app"

  # The other App types (Android and Apple) use "DELETE" by default.
  # Web apps don't use "DELETE" by default due to backward-compatibility.
  deletion_policy = "DELETE"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.rtdb-multi,
  ]
}

预配 Cloud Firestore 实例

此配置会创建一个新的 Google Cloud 项目，为项目启用所需的 Firebase 服务，为项目预配 Cloud Firestore 实例，并在项目中注册三种不同的应用类型。

此外，还会为 Cloud Firestore 实例预配 Firebase 安全规则，创建 Cloud Firestore 索引，并添加包含种子数据的 Cloud Firestore 文档。

# Creates a new Google Cloud project.
resource "google_project" "firestore" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Required for the project to display in a list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "firestore" {
  provider = google-beta.no_user_project_override
  project  = google_project.firestore.project_id
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "serviceusage.googleapis.com",
    "firestore.googleapis.com",
    "firebaserules.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "firestore" {
  provider = google-beta
  project  = google_project.firestore.project_id
}

# Provisions the Firestore database instance.
resource "google_firestore_database" "firestore" {
  provider                    = google-beta
  project                     = google_project.firestore.project_id
  name                        = "(default)"
  # See available locations: https://firebase.google.com/docs/projects/locations#default-cloud-location
  location_id                 = "name-of-region"
  # "FIRESTORE_NATIVE" is required to use Firestore with Firebase SDKs, authentication, and Firebase Security Rules.
  type                        = "FIRESTORE_NATIVE"
  concurrency_mode            = "OPTIMISTIC"

  # Wait for Firebase to be enabled in the Google Cloud project before initializing Firestore.
  depends_on = [
    google_firebase_project.firestore,
  ]
}

# Creates a ruleset of Firestore Security Rules from a local file.
resource "google_firebaserules_ruleset" "firestore" {
  provider = google-beta
  project  = google_project.firestore.project_id
  source {
    files {
      name = "firestore.rules"
      # Write security rules in a local file named "firestore.rules".
      # Learn more: https://firebase.google.com/docs/firestore/security/get-started
      content = file("firestore.rules")
    }
  }

  # Wait for Firestore to be provisioned before creating this ruleset.
  depends_on = [
    google_firestore_database.firestore,
  ]
}

# Releases the ruleset for the Firestore instance.
resource "google_firebaserules_release" "firestore" {
  provider     = google-beta
  name         = "cloud.firestore"  # must be cloud.firestore
  ruleset_name = google_firebaserules_ruleset.firestore.name
  project      = google_project.firestore.project_id

  # Wait for Firestore to be provisioned before releasing the ruleset.
  depends_on = [
    google_firestore_database.firestore,
  ]
}

# Adds a new Firestore index.
resource "google_firestore_index" "indexes" {
  provider = google-beta
  project  = google_project.firestore.project_id

  collection  = "quiz"
  query_scope = "COLLECTION"

  fields {
    field_path = "question"
    order      = "ASCENDING"
  }

  fields {
    field_path = "answer"
    order      = "ASCENDING"
  }

  # Wait for Firestore to be provisioned before adding this index.
  depends_on = [
    google_firestore_database.firestore,
  ]
}

# Adds a new Firestore document with seed data.
# Don't use real end-user or production data in this seed document.
resource "google_firestore_document" "doc" {
  provider    = google-beta
  project     = google_project.firestore.project_id
  collection  = "quiz"
  document_id = "question-1"
  fields      = "{\"question\":{\"stringValue\":\"Favorite Database\"},\"answer\":{\"stringValue\":\"Firestore\"}}"

  # Wait for Firestore to be provisioned before adding this document.
  depends_on = [
    google_firestore_database.firestore,
  ]
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "firestore" {
  provider     = google-beta
  project      = google_project.firestore.project_id
  display_name = "My Android app"
  package_name = "android.package.name"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.firestore,
  ]
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "firestore" {
  provider     = google-beta
  project      = google_project.firestore.project_id
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.firestore,
  ]
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "firestore" {
  provider     = google-beta
  project      = google_project.firestore.project_id
  display_name = "My Web app"

  # The other App types (Android and Apple) use "DELETE" by default.
  # Web apps don't use "DELETE" by default due to backward-compatibility.
  deletion_policy = "DELETE"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.firestore,
  ]
}

这是应包含在名为 firestore.rules 的本地文件中的 Cloud Firestore 安全规则的规则集。

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    allow read: if request.auth != null;
    allow create: if request.auth != null;
    allow update: if request.auth != null;
  }
}

预配默认的 Cloud Storage 存储桶

此配置会创建一个新的 Google Cloud 项目，为项目启用所需的 Firebase 服务，为项目预配默认的 Cloud Storage 存储桶，并在项目中注册三种不同的应用类型。

此外，还会为 Cloud Storage 存储桶预配 Firebase 安全规则，并向该存储桶上传文件。

# Creates a new Google Cloud project.
resource "google_project" "storage" {
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Required for the project to display in a list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "storage" {
  provider = google-beta.no_user_project_override
  project  = google_project.storage.project_id
  for_each = toset([
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebaserules.googleapis.com",
    "firebasestorage.googleapis.com",
    "storage.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "storage" {
  provider = google-beta
  project  = google_project.storage.project_id
}

# Provisions the default Cloud Storage bucket for the project via Google App Engine.
resource "google_app_engine_application" "default" {
  provider    = google-beta
  project     = google_project.storage.project_id
  # See available locations: https://firebase.google.com/docs/projects/locations#default-cloud-location
  # This will set the location for the default Storage bucket and the App Engine App.
  location_id = "name-of-region-for-default-bucket"

  # If you use Firestore, uncomment this to make sure Firestore is provisioned first.
  # depends_on = [
    # google_firestore_database.firestore
  # ]
}

# Makes the default Storage bucket accessible for Firebase SDKs, authentication, and Firebase Security Rules.
resource "google_firebase_storage_bucket" "default-bucket" {
  provider  = google-beta
  project   = google_project.storage.project_id
  bucket_id = google_app_engine_application.default.default_bucket
}

# Creates a ruleset of Cloud Storage Security Rules from a local file.
resource "google_firebaserules_ruleset" "storage" {
  provider = google-beta
  project  = google_project.storage.project_id
  source {
    files {
      # Write security rules in a local file named "storage.rules".
      # Learn more: https://firebase.google.com/docs/storage/security/get-started
      name    = "storage.rules"
      content = file("storage.rules")
    }
  }

  # Wait for the default Storage bucket to be provisioned before creating this ruleset.
  depends_on = [
    google_firebase_project.storage,
  ]
}

# Releases the ruleset to the default Storage bucket.
resource "google_firebaserules_release" "default-bucket" {
  provider     = google-beta
  name         = "firebase.storage/${google_app_engine_application.default.default_bucket}"
  ruleset_name = "projects/${google_project.storage.project_id}/rulesets/${google_firebaserules_ruleset.storage.name}"
  project      = google_project.storage.project_id
}

# Uploads a new file to the default Storage bucket.
# Don't use real end-user or production data in this file.
resource "google_storage_bucket_object" "cat-picture" {
  provider = google-beta
  name     = "cat.png"
  source   = "path/to/cat.png"
  bucket   = google_app_engine_application.default.default_bucket
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "storage" {
  provider     = google-beta
  project      = google_project.storage.project_id
  display_name = "My Android app"
  package_name = "android.package.name"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.storage,
  ]
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "storage" {
  provider     = google-beta
  project      = google_project.storage.project_id
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.storage,
  ]
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "storage" {
  provider     = google-beta
  project      = google_project.storage.project_id
  display_name = "My Web app"

  # The other App types (Android and Apple) use "DELETE" by default.
  # Web apps don't use "DELETE" by default due to backward-compatibility.
  deletion_policy = "DELETE"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.storage,
  ]
}

这是应包含在名为 storage.rules 的本地文件中的 Cloud Storage 安全规则的规则集。

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

预配多个 Cloud Storage 存储桶

此配置会创建一个新的 Google Cloud 项目，将该项目与一个 Cloud Billing 帐号关联（若有多个存储桶，则必须采用 Blaze 定价方案），为项目启用所需的 Firebase 服务，预配多个 Cloud Storage 存储桶（包括项目的默认 Cloud Storage 存储桶），并在项目中注册三种不同的应用类型。

此外，还会为 Cloud Storage 存储桶预配 Firebase 安全规则，并向默认的 Cloud Storage 存储桶上传文件。

# Creates a new Google Cloud project.
resource "google_project" "storage-multi" {
  provider  = google-beta.no_user_project_override
  folder_id = "folder-id-for-new-project"
  name            = "Project Display Name"
  project_id      = "project-id-for-new-project"

  # Associates the project with a Cloud Billing account
  # (required for multiple Cloud Storage buckets).
  billing_account = "000000-000000-000000"

  # Required for the project to display in a list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "storage-multi" {
  provider = google-beta.no_user_project_override
  project  = google_project.storage-multi.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebaserules.googleapis.com",
    "firebasestorage.googleapis.com",
    "storage.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "storage-multi" {
  provider = google-beta
  project  = google_project.storage-multi.project_id
}

# Provisions the default Cloud Storage bucket for the project via Google App Engine.
resource "google_app_engine_application" "default-multi" {
  provider = google-beta
  project  = google_project.storage-multi.project_id
  # See available locations: https://firebase.google.com/docs/projects/locations#default-cloud-location
  # This will set the location for the default Storage bucket and the App Engine App.
  location_id = "name-of-region-for-default-bucket"

  # If you use Firestore, uncomment this to make sure Firestore is provisioned first.
  # depends_on = [
  # google_firestore_database.firestore
  # ]
}

# Provisions an additional Cloud Storage bucket.
# Additional Cloud Storage buckets are not provisioned via App Engine.
resource "google_storage_bucket" "bucket-multi" {
  provider = google-beta
  project  = google_project.storage-multi.project_id
  name     = "name-of-additional-storage-bucket"
  # See available locations: https://cloud.google.com/storage/docs/locations#available-locations
  # This location does not need to be the same as the default Storage bucket.
  location = "name-of-region-for-additional-bucket"
}

# Makes the default Storage bucket accessible for Firebase SDKs, authentication, and Firebase Security Rules.
resource "google_firebase_storage_bucket" "default-bucket-multi" {
  provider  = google-beta
  project   = google_project.storage-multi.project_id
  bucket_id = google_app_engine_application.default-multi.default_bucket
}

# Makes the additional Storage bucket accessible for Firebase SDKs, authentication, and Firebase Security Rules.
resource "google_firebase_storage_bucket" "bucket-multi" {
  provider  = google-beta
  project   = google_project.storage-multi.project_id
  bucket_id = google_storage_bucket.bucket-multi.name
}

# Creates a ruleset of Firebase Security Rules from a local file.
resource "google_firebaserules_ruleset" "storage-multi" {
  provider = google-beta
  project  = google_project.storage-multi.project_id
  source {
    files {
      # Write security rules in a local file named "storage.rules"
      # Learn more: https://firebase.google.com/docs/storage/security/get-started
      name    = "storage.rules"
      content = file("storage.rules")
    }
  }

  # Wait for the Storage buckets to be provisioned before creating this ruleset.
  depends_on = [
    google_firebase_project.storage-multi,
  ]
}

# Releases the ruleset to the default Storage bucket.
resource "google_firebaserules_release" "default-bucket-multi" {
  provider     = google-beta
  name         = "firebase.storage/${google_app_engine_application.default-multi.default_bucket}"
  ruleset_name = "projects/${google_project.storage-multi.project_id}/rulesets/${google_firebaserules_ruleset.storage-multi.name}"
  project      = google_project.storage-multi.project_id
}

# Releases the ruleset to the additional Storage bucket.
resource "google_firebaserules_release" "bucket-multi" {
  provider     = google-beta
  name         = "firebase.storage/${google_storage_bucket.bucket-multi.name}"
  ruleset_name = "projects/${google_project.storage-multi.project_id}/rulesets/${google_firebaserules_ruleset.storage-multi.name}"
  project      = google_project.storage-multi.project_id
}

# Uploads a new file to the default Storage bucket.
# Do not use real end-user or production data in this file.
resource "google_storage_bucket_object" "cat-picture-multi" {
  provider = google-beta
  name     = "cat.png"
  source   = "path/to/cat.png"
  bucket   = google_app_engine_application.default-multi.default_bucket
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "storage-multi" {
  provider     = google-beta
  project      = google_project.storage-multi.project_id
  display_name = "My Android app"
  package_name = "android.package.name"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.storage-multi,
  ]
}

# Creates a Firebase Apple-platforms App in the new project created above.
resource "google_firebase_apple_app" "storage-multi" {
  provider     = google-beta
  project      = google_project.storage-multi.project_id
  display_name = "My Apple app"
  bundle_id    = "apple.app.12345"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.storage-multi,
  ]
}

# Creates a Firebase Web App in the new project created above.
resource "google_firebase_web_app" "storage-multi" {
  provider     = google-beta
  project      = google_project.storage-multi.project_id
  display_name = "My Web app"

  # The other App types (Android and Apple) use "DELETE" by default.
  # Web apps don't use "DELETE" by default due to backward-compatibility.
  deletion_policy = "DELETE"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.storage-multi,
  ]
}

这是应包含在名为 storage.rules 的本地文件中的 Cloud Storage 安全规则的规则集。

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

预配 Cloud Firestore 实例和默认的 Cloud Storage 存储桶

此配置会创建一个新的 Google Cloud 项目，为项目启用所需的 Firebase 服务，预配 Cloud Firestore 实例，然后预配默认的 Cloud Storage 存储桶。

此外，还会为 Cloud Firestore 实例和默认的 Cloud Storage 存储桶预配 Firebase 安全规则。

# Creates a new Google Cloud project.
resource "google_project" "fs" {  # fs = Firestore + Storage
  provider   = google-beta.no_user_project_override
  folder_id  = "folder-id-for-new-project"
  name       = "Project Display Name"
  project_id = "project-id-for-new-project"

  # Required for the project to display in a list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "fs" {
  provider = google-beta.no_user_project_override
  project  = google_project.fs.project_id
  for_each = toset([
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebaserules.googleapis.com",
    "firebasestorage.googleapis.com",
    "storage.googleapis.com",
    "firestore.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "fs" {
  provider = google-beta
  project  = google_project.fs.project_id

}

#### Set up Firestore before default Cloud Storage bucket ####

# Provisions the Firestore database instance.
resource "google_firestore_database" "firestore-fs" {
  provider         = google-beta
  project          = google_project.fs.project_id
  name             = "(default)"
  # See available locations: https://firebase.google.com/docs/projects/locations#default-cloud-location
  location_id      = "name-of-region"
  # "FIRESTORE_NATIVE" is required to use Firestore with Firebase SDKs, authentication, and Firebase Security Rules.
  type             = "FIRESTORE_NATIVE"
  concurrency_mode = "OPTIMISTIC"

  # Wait for Firebase to be enabled in the Google Cloud project before initializing Firestore.
  depends_on = [
    google_firebase_project.fs,
  ]
}

# Creates a ruleset of Firestore Security Rules from a local file.
resource "google_firebaserules_ruleset" "firestore-fs" {
  provider = google-beta
  project  = google_project.fs.project_id
  source {
    files {
      # Write security rules in a local file named "firestore.rules".
      # Learn more: https://firebase.google.com/docs/firestore/security/get-started
      name = "firestore.rules"
      content = file("firestore.rules")
    }
  }

  # Wait for Firestore to be provisioned before creating this ruleset.
  depends_on = [
    google_firestore_database.firestore-fs
  ]
}

# Releases the ruleset for the Firestore instance.
resource "google_firebaserules_release" "firestore-fs" {
  provider     = google-beta
  name         = "cloud.firestore" # must be cloud.firestore
  ruleset_name = google_firebaserules_ruleset.firestore-fs.name
  project      = google_project.fs.project_id

  # Wait for Firestore to be provisioned before releasing the ruleset.
  depends_on = [
    google_firestore_database.firestore-fs,
  ]
}

#### Set up default Cloud Storage default bucket after Firestore ####

# Provisions the default Cloud Storage bucket for the project via Google App Engine.
resource "google_app_engine_application" "default-bucket-fs" {
  provider    = google-beta
  project     = google_project.fs.project_id
  # See available locations: https://firebase.google.com/docs/projects/locations#default-cloud-location
  # This will set the location for the default Storage bucket and the App Engine App.
  location_id = "name-of-region"  # Must be in the same location as Firestore (above)

  # Wait for Firestore to be provisioned first.
  # Otherwise, the Firestore instance will be provisioned in Datastore mode (unusable by Firebase).
  depends_on = [
    google_firestore_database.firestore-fs,
  ]
}

# Makes the default Storage bucket accessible for Firebase SDKs, authentication, and Firebase Security Rules.
resource "google_firebase_storage_bucket" "default-bucket-fs" {
  provider  = google-beta
  project   = google_project.fs.project_id
  bucket_id = google_app_engine_application.default-bucket-fs.default_bucket
}

# Creates a ruleset of Cloud Storage Security Rules from a local file.
resource "google_firebaserules_ruleset" "default-bucket-fs" {
  provider = google-beta
  project  = google_project.fs.project_id
  source {
    files {
      # Write security rules in a local file named "storage.rules".
      # Learn more: https://firebase.google.com/docs/storage/security/get-started
      name    = "storage.rules"
      content = file("storage.rules")
    }
  }

  # Wait for the Cloud Storage bucket to be provisioned before creating this ruleset.
  depends_on = [
    google_firebase_project.fs,
  ]
}

# Releases the ruleset to the default Storage bucket.
resource "google_firebaserules_release" "default-bucket-fs" {
  provider     = google-beta
  name         = "firebase.storage/${google_app_engine_application.default-bucket-fs.default_bucket}"
  ruleset_name = "projects/${google_project.fs.project_id}/rulesets/${google_firebaserules_ruleset.default-bucket-fs.name}"
  project      = google_project.fs.project_id
}

这是应包含在名为 firestore.rules 的本地文件中的 Cloud Firestore 安全规则的规则集。

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    allow read: if request.auth != null;
    allow create: if request.auth != null;
    allow update: if request.auth != null;
  }
}

这是应包含在名为 storage.rules 的本地文件中的 Cloud Storage 安全规则的规则集。

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

您想要详细了解所有与项目相关的不同属性（如 project 和 user_project_override）

本指南在涉及“项目”时会用到下面的 Terraform 属性。

resource 块中的 project

建议：尽可能在每个 resource 块中添加 project 属性

如果添加了 project 属性，Terraform 将在 resource 块中的指定项目内创建指定基础架构。本指南相关内容及示例配置文件都是采用这种做法。

请参阅 Terraform 官方文档中有关 project 的内容。

provider 块中的 user_project_override

若要预配大多数资源，则应使用 user_project_override = true，这意味着系统会检查您的 Firebase 项目的配额。不过，若要将新项目设置为能够接受配额检查，您需要首先使用 user_project_override = false。

请参阅 Terraform 官方文档中有关 user_project_override 的内容。

您收到以下错误：generic::permission_denied: Firebase Tos Not Accepted。

请确保您用于运行 gcloud CLI 命令的用户帐号已接受 Firebase 服务条款 (Firebase ToS)。

• 您可以使用已登录该用户帐号的浏览器尝试在 Firebase 控制台中查看一个现有 Firebase 项目，以进行确认。如果您可以查看现有 Firebase 项目，则表明该用户帐号已接受 Firebase 服务条款 (TOS)。

• 如果您无法查看任何现有 Firebase 项目，则表明该用户帐号可能尚未接受 Firebase 服务条款 (TOS)。若要解决此问题，您可以通过 Firebase 控制台创建一个新的 Firebase 项目，并在项目创建过程中接受 Firebase 服务条款 (TOS)。您可以在完成此操作后立即通过控制台中的“项目设置”删除此项目。

您在运行 terraform apply 后收到以下错误：generic::permission_denied: IAM authority does not have the permission。

请等待几分钟，然后再次尝试运行 terraform apply。

资源创建失败，但当您再次运行 terraform apply，却显示 ALREADY_EXISTS。

这可能是由于各种系统中的传播延迟造成的。您可以运行 terraform import，将资源导入 Terraform 状态，以尝试解决此问题。然后，尝试再次运行 terraform apply。

如需了解如何导入每种资源，请参阅其相应 Terraform 文档的“导入”部分（如 Cloud Firestore 的“导入”文档）。

您在使用 Cloud Firestore 时收到以下错误：Error creating Index: googleapi: Error 409;...Concurrent access -- try again

如该错误所示，Terraform 可能在尝试同时预配多个索引并/或创建同一个文档，从而遇到并发错误。尝试再次运行 terraform apply。

您收到以下错误："you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes"。

此错误表示 Terraform 不知道要检查哪个项目的配额。如需进行问题排查，请在 resource 块中检查以下内容：

• 确保为 project 属性指定了值。
• 确保为提供方设置了 user_project_override = true（无别名），在 Firebase 示例中该提供方为 google-beta。

您在创建新的 Google Cloud 项目时收到错误，表示为该新项目指定的项目 ID 已存在。

项目 ID 已存在的可能原因如下：

• 与该 ID 关联的项目属于他人。

  • 解决方法：选择其他项目 ID。

• 与该 ID 关联的项目最近被删除（处于软删除状态）。

  • 解决方法：如果您确定与该 ID 关联的项目属于您，则可以使用 projects.getREST API 检查该项目的状态。

• 与该 ID 关联的项目正确地存在于当前用户下。错误的可能原因是先前的 terraform apply 被中断。

  • 解决方法：依次运行以下命令：
    terraform import google_project.default PROJECT_ID 和
    terraform import google_firebase_project.default PROJECT_ID

您在尝试依次预配 Cloud Firestore 和 Cloud Storage（通过 google_app_engine_application）时收到以下错误：Error: Error creating App Engine application: googleapi: Error 409: Cannot create Firestore database resource <resource-name> since it already exists at location <location-id>, alreadyExists。

App Engine 应用需要使用 Cloud Firestore 实例，但每个项目只能有一个 Cloud Firestore 实例。因此，正如该错误消息所提示，当您已经在一个位置预配了项目的 Cloud Firestore 实例，如果您继而又尝试在另一个位置预配 Cloud Firestore 实例，则 App Engine 会出错。App Engine 会认为您在尝试“重新预配”现有的 Cloud Firestore 实例。

如需解决此错误，请为 Cloud Firestore 和 App Engine 应用使用相同的位置。如果您需要使用与 Cloud Firestore 位于不同位置的 Cloud Storage 存储桶，则可以预配额外的存储桶来满足此要求（请参阅创建多个 Cloud Storage 存储桶的示例配置）。

您在尝试依次预配 Cloud Storage（通过 google_app_engine_application）和 Cloud Firestore 时收到以下错误：Error: Error creating Database: googleapi: Error 409: Database already exists. Please use another database_id。

如果您通过 google_app_engine_application 预配项目的默认 Cloud Storage 存储桶，而彼时项目还没有 Cloud Firestore 实例，则 google_app_engine_application 会自动预配项目的 Cloud Firestore 实例。

因此，如果您项目的 Cloud Firestore 实例已预配完毕，而您继而又尝试明确预配 Cloud Firestore 实例，则 google_firestore_database 会出错。

一旦项目的 Cloud Firestore 实例已预配完毕，您便无法“重新预配”或更改其位置。为避免出现此错误，请从配置文件中移除 google_firestore_database 资源块。但请注意，我们建议您先预配 Cloud Firestore，然后再预配项目的默认 Cloud Storage 存储桶（请参阅下文了解原因）。