Deploy Rules, Indexes and Functions to multiple projects


John Rodkey

Mar 4, 2021, 5:50:38 AM
to Firebase Google Group
Looking for some solutions to deploy rules, indexes, and functions to dynamically generated projects.

Currently, we are using Terraform to create our GCP resources, including Firebase Project and Firestore as the DB.  We have attempted to use Cloud Build in each project and reference our Source Repo code, but it does not seem possible.

We deploy the same rules, indexes and functions to each project to offer our white label solution per the best practices of the docs. Would love some direction on finalizing this last piece of the puzzle. 

Sam Stern

Mar 4, 2021, 6:43:01 AM
to Firebase Google Group
Hey John,

Can you explain a little more what the difficulty has been? Honestly, what you have already achieved (Terraform project setup via Cloud Build) sounds harder than deploying rules and indexes, so I'm a bit surprised that you're stuck on that.

My general approach for this would be to use the Firebase CLI in Cloud Build, which seems like what you've already done. All you have to do is authorize the Cloud Build default service account to have the appropriate Firebase IAM roles.

- Sam

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/0eddbe7d-04ac-48d1-9f47-f69735a8a445n%40googlegroups.com.

John Rodkey

Mar 4, 2021, 10:17:39 AM
to fireba...@googlegroups.com
Sure, happy to provide additional context. We currently have a central project repository in the GCP Source Repo which we would like Cloud Build to use for deployments of Firebase functions, Firestore rules and indexes; this includes updates and bug fixes too. The issue we are running into is our Cloud Build being able to access our central project Source Repo, or perhaps we are just overlooking something simple :(.


Sam Stern

Mar 4, 2021, 10:20:59 AM
to Firebase Google Group
Hi John,

It's possible to authorize a service account to more than one project. So you want to take the service account which you're using in Cloud Build and give it the right IAM roles on each customer project.  Then you have one "super service account" which can make rules/indexes changes on any of your projects.

- Sam

John Rodkey

Mar 4, 2021, 10:26:29 AM
to fireba...@googlegroups.com
Would it be better to create a Cloud Build in each project using Terraform and add the customer project service account to the Central Project? We currently keep our project configs in Firestore in the Central Project - so I guess we could do the Cloud Build from there and just query the Firestore to retrieve the project ids and loop through them to deploy... which would you prefer/recommend?


Sam Stern

Mar 4, 2021, 10:31:48 AM
to Firebase Google Group
I think you want to add your central service account to all the customer projects. You still do all the Cloud Build stuff in the central project, but there's only one service account in use to do all of the deploys. 

- Sam
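
A least-privilege check for the shared deploy account discussed in this thread, as an added example that is not from any of the posters: it reads each customer project's IAM policy (the JSON shape printed by `gcloud projects get-iam-policy --format=json`) and reports where the central service account is missing a deploy role or holds a broad one. The project IDs, the account name and the expected-role set are assumptions.

```python
import json

# Assumption: roles the central deploy account needs for rules, indexes and
# functions; adjust to what your Firebase CLI deploy actually requires.
EXPECTED_ROLES = {
    "roles/firebaserules.admin",
    "roles/datastore.indexAdmin",
    "roles/cloudfunctions.developer",
    "roles/iam.serviceAccountUser",
}
# Broad roles that turn a deploy identity into an admin of every tenant.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/firebase.admin"}


def roles_for(policy: dict, member: str) -> set:
    """Collect every role bound to `member` in one project's IAM policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policies: dict, member: str) -> dict:
    """Return per-project findings: missing, broad and unexpected roles."""
    findings = {}
    for project_id, policy in sorted(policies.items()):
        granted = roles_for(policy, member)
        result = {
            "missing": sorted(EXPECTED_ROLES - granted),
            "broad": sorted(granted & BROAD_ROLES),
            "unexpected": sorted(granted - EXPECTED_ROLES - BROAD_ROLES),
        }
        if any(result.values()):
            findings[project_id] = result
    return findings


# Constructed sample data: hypothetical project IDs and service account.
DEPLOYER = "serviceAccount:deployer@central-project.iam.gserviceaccount.com"
SAMPLE = {
    "customer-a": {"bindings": [{"role": r, "members": [DEPLOYER]} for r in sorted(EXPECTED_ROLES)]},
    "customer-b": {"bindings": [
        {"role": "roles/editor", "members": [DEPLOYER, "user:dev@example.com"]},
        {"role": "roles/firebaserules.admin", "members": [DEPLOYER]},
    ]},
    "customer-c": {"bindings": [{"role": "roles/viewer", "members": ["user:dev@example.com"]}]},
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, DEPLOYER), indent=2))
```

Projects that pass the check are omitted from the result, so an empty dictionary means every customer project grants the deploy account exactly the expected roles.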

John Rodkey

Mar 4, 2021, 10:37:29 AM
to fireba...@googlegroups.com
Perfect. We already add a master service account to the customer projects; we will add the IAM permission to the master service account to ensure it can do what needs to be done. Will report back if we find any issues with this 😄


John Rodkey

Mar 4, 2021, 10:44:59 AM
to fireba...@googlegroups.com
For anybody interested... this looks like the doc needed to make it all work: https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts

John Rodkey

Mar 5, 2021, 10:33:46 AM
to fireba...@googlegroups.com
So this does appear to be a blocker; any additional recommendations? I guess we can add the Google Cloud Build service account that is created on project creation to our central account.

Sam Stern

Mar 5, 2021, 10:35:29 AM
to Firebase Google Group
Hmmm, now we're getting outside of my levels of IAM expertise, but is it possible you could use service account impersonation? Maybe have the Cloud Build service account impersonate the central one?

- Sam

John Rodkey

Mar 5, 2021, 11:07:14 AM
to fireba...@googlegroups.com
Will try it out and see what happens
