Support Firebase App Check #17095

Open
rainshen49 opened this issue Jan 24, 2024 · 0 comments
rainshen49 (Contributor) commented Jan 24, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Support Firebase App Check in Terraform. App Check helps to protect your API resources from abuse by preventing unauthorized clients from accessing your backend resources. To use App Check, one should

  1. Register their apps with an attestation provider <-- applicable to Terraform
  2. Specify which backend APIs to protect <-- applicable to Terraform
  3. Update their client side code to use App Check <-- not applicable to Terraform

New or Affected Resource(s)

Each attestation provider should have a dedicated Terraform resource. I'm planning to start with

  • google_firebase_app_check_play_integrity_config for Android Play Integrity
  • google_firebase_app_check_device_check_config for Apple Device Check
  • google_firebase_app_check_app_attest_config for Apple App Attest
  • google_firebase_app_check_recaptcha_enterprise for Web reCAPTCHA Enterprise
  • google_firebase_app_check_recaptcha_v3 for Web reCAPTCHA v3
  • google_firebase_app_check_debug_token for debug tokens

For protected APIs, there will be a dedicated Terraform resource

Potential Terraform Configuration

To use the App Attest provider and Firestore as an example

resource "google_firebase_apple_app" "default" {
  project      = "%{project_id}"
  display_name = "App Attest App"
  bundle_id    = "app.attest.app"
  team_id      = "%{team_id}"
}

resource "google_firebase_app_check_app_attest_config" "default" {
  project = "%{project_id}"
  app_id  = google_firebase_apple_app.default.app_id
}

resource "google_firebase_app_check_service_config" "firestore" {
  project          = "%{project_id}"
  service_id       = "firestore.googleapis.com"
  enforcement_mode = "ENFORCED"
}

resource "random_uuid" "debug_token" {}

resource "google_firebase_app_check_debug_token" "default" {
  project      = "%{project_id}"
  app_id       = google_firebase_apple_app.default.app_id
  display_name = "My debug token"
  token        = random_uuid.debug_token.result
}

References

b/322602158

github-actions bot added the forward/review and service/firebase labels Jan 24, 2024
ScottSuarez removed the forward/review label Jan 27, 2024
rileykarson added this to the Goals milestone Jan 29, 2024