Add google_firebase_ios_app resource with apns_auth_key arg

[mleonhard]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

I wish to automate configuring Firebase Cloud Messaging for iOS apps. This has several purposes:

• eliminate error-prone manual steps
• reduce manual handling of credentials
• bring FCM config under our software development process (code reviews, continuous integration, continuous deployment)

New or Affected Resource(s)

• google_firebase_ios_app resource
  • google_firebase_project_id
  • bundle_id
  • app_store_id
  • team_id
  • apns_auth_key
  • apns_auth_key_id
  • google_service_info_plist attribute

Potential Terraform Configuration

resource "google_project" "default" {
  provider = google-beta

  project_id = "app-staging"
  name       = "app-staging"
  org_id     = "123456789"
}

resource "google_firebase_project" "default" {
  provider = google-beta
  project  = google_project.default.project_id
}

resource "google_firebase_ios_app" "default" {
  google_firebase_project_id = google_firebase_project.default.id
  bundle_id = "com.example.app.staging"
  app_store_id = "987654321"
  team_id = "ABC1234567"
  apns_auth_key = var.APNS_AUTH_KEY
  apns_auth_key_id = "DEF987654321"
}
output "google_service_info_plist" {
  value = google_firebase_ios_app.default.google_service_info_plist
}

References

• Add Support for Firebase #2973
• Add google_firebase_android_app resource #8293
• Add google_fcm_server_key resource #8294

EDIT 2021-04-02: Added apns_auth_key_id.

b/277382111

[slevenick]

Hey @mleonhard

I'm unable to find any REST APIs for configuring this resource on Firebase. Are you aware of such APIs? For example here is a link to the documentation for the REST API for Firebase databases: https://firebase.google.com/docs/reference/rest/database/database-management/rest/v1beta/projects.locations.instances

Without a REST API we will be unable to implement this resource in Terraform.

[keisari-ch]

Hi @slevenick , is this what you are requesting ?
https://firebase.google.com/docs/projects/api/reference/rest/v1beta1/projects.iosApps
https://firebase.google.com/docs/projects/api/reference/rest/v1beta1/projects.androidApps

[slevenick]

Yep that looks reasonable. I must have been looking in a different part of firebase.

[mleonhard]

The key feature is the ability to set the APNS auth key. Currently setting the key requires manual steps. Manual steps are error-prone, insecure, waste time learning and performing the operation, bypass deployment review and approval processes, and bypass auditing systems.

Do you think you can support setting the APNS auth key?

[slevenick]

How do you currently set the APNS auth key? When you say manual what do you mean by that?

I don't see the APNS auth key present in that REST API that you linked. If it doesn't exist there it would not work in the Terraform resource, as we call the REST API directly in most cases

[mleonhard]

I set the APNS auth key with these steps:

1. Open my separate "prod" web browser instance
2. Navigate to https://console.firebase.google.com/.
3. Click on the (hopefully) correct project.
4. Click on the unlabeled gear icon in the lefthand menu, next to "Project Overview".
5. A menu pops up. Click on "Project Settings".
6. Click on "Cloud Messaging".
7. Under "APNs Authentication Key", click "Upload".
8. Click "Browse" and select the (hopefully) correct key file.
9. Copy the key ID into the "Key ID" field. I include the key id in the filename. The filename appears on the screen.
10. Copy the team ID from my Apple Developer Account page into the "Team ID" field.
11. Click "Upload".

The key file is 257 bytes of ASCII text. It's a PEM file.

APNS authentication requires the key and key ID. I just added apns_auth_key_id to the resource and example above.

I don't see the APNS auth key present in that REST API that you linked. If it doesn't exist there it would not work in the Terraform resource, as we call the REST API directly in most cases

How about asking the appropriate team to add the APNS auth key fields to the API?

[slevenick]

I set the APNS auth key with these steps:

1. Open my separate "prod" web browser instance
2. Navigate to https://console.firebase.google.com/.
3. Click on the (hopefully) correct project.
4. Click on the unlabeled gear icon in the lefthand menu, next to "Project Overview".
5. A menu pops up. Click on "Project Settings".
6. Click on "Cloud Messaging".
7. Under "APNs Authentication Key", click "Upload".
8. Click "Browse" and select the (hopefully) correct key file.
9. Copy the key ID into the "Key ID" field. I include the key id in the filename. The filename appears on the screen.
10. Copy the team ID from my Apple Developer Account page into the "Team ID" field.
11. Click "Upload".

The key file is 257 bytes of ASCII text. It's a PEM file.

APNS authentication requires the key and key ID. I just added apns_auth_key_id to the resource and example above.

I don't see the APNS auth key present in that REST API that you linked. If it doesn't exist there it would not work in the Terraform resource, as we call the REST API directly in most cases

How about asking the appropriate team to add the APNS auth key fields to the API?

Hmmmm, yeah it doesn't seem like we can support this at the moment.

You can file an issue against the appropriate team here: https://cloud.google.com/support/docs/issue-trackers

[mleonhard]

@slevenick Thanks for your quick reply.

I'm reluctant to add a Buganizer ticket. Most Google teams simply ignore them forever or close them after 1 year with no action. I do not represent an organization with $1M+ annual spend on Google Cloud, so there's little chance of the business folks pushing my ticket forward. Google product managers are the only other folks inside Google that focus on users and they have very little influence. So it's pretty much up to the whims of the Google Cloud API engineers to pick my ticket to work on. Adding a field to an existing API is unlikely to get anybody promoted. The team that made the API left it incomplete so I think that they are not people who take pride in their work or focus on user needs. So I predict my ticket will sit forever with no action, like the other tickets I filed.

The tickets I filed when I worked at Google had about the same success. (My ldap was leonhard). Only the one I filed with Legal got action, after the photos hosting team ignored my ticket about broken photo URL expiration checks.

I filed one about Nexus phones lying to users saying "your phone is up-to-date" when actually Google stopped releasing security updates. Nexus managers ignored it for a year or so until I assigned it to their director. Then it was assigned to another manager who ignored it for another year. Then a designer decided to include it as part of another project. They ended up not fixing the issue, just replacing the false message with weasel words that mislead non-technical (most) users: "your phone has the latest available software". Their behavior demonstrates brazen callousness toward poor people who buy a Nexus phone because they trust Google to make one that doesn't get malware, only to get malware 3 years later when it stops getting security updates. :(

Buganizer is the pointy end of Google's dysfunctional internal incentive structure. Buganizer is Google's most user-hostile process. I would like to avoid it if possible.

Would you be willing to file the ticket?

[tdemaio]

Just checking and found that there still doesn't appear to be an API for configuring this value. Console GUI appears to be the way that it is configured. I didn't see a way to submit from the link provided. I'd suggest requesting API enhancements here: https://firebase.google.com/support/troubleshooter/report/features

[Mcee24]

4 years later, and we still don't have:

• An API to set the APNS Auth Key ?
• A Terraform configuration for APNS Auth Key fields...

How sad it is