Add service account setup

Author: rainshen49

mmv1/products/firebaseapphosting/Backend.yaml

@@ -26,35 +26,38 @@ import_format:
   - "projects/{{project}}/locations/{{location}}/backends/{{backend_id}}"
   - "{{project}}/{{location}}/{{backend_id}}"
   - "{{location}}/{{backend_id}}"
+min_version: beta
 examples:
   - name: firebase_app_hosting_backend_basic
     primary_resource_id: example
+    min_version: beta
     vars:
-      location: 'us-central1'
-      backend_id: 'my-backend'
-      app_id: '1:0000000000:web:674cde32020e16fbce9dbd'
-      display_name: 'My Backend'
-      serving_locality: 'GLOBAL_ACCESS'
+      location: "us-central1"
+      backend_id: "my-backend"
+      app_id: "1:0000000000:web:674cde32020e16fbce9dbd"
+      display_name: "My Backend"
+      serving_locality: "GLOBAL_ACCESS"
     test_env_vars:
-      project_id: 'PROJECT_NAME'
+      project_id: "PROJECT_NAME"
     test_vars_overrides:
-      'location': '"us-central1"'
-      'serving_locality': '"GLOBAL_ACCESS"'
-      'app_id': '"1:0000000000:web:674cde32020e16fbce9dbd"'
+      "location": '"us-central1"'
+      "serving_locality": '"GLOBAL_ACCESS"'
+      "app_id": '"1:0000000000:web:674cde32020e16fbce9dbd"'
   - name: firebase_app_hosting_backend_github
     primary_resource_id: example
+    min_version: beta
     vars:
-      location: 'us-central1'
-      backend_id: 'my-backend-gh'
-      app_id: 'firebase:app:id'
-      display_name: 'My Backend'
-      serving_locality: 'GLOBAL_ACCESS'
+      location: "us-central1"
+      backend_id: "my-backend-gh"
+      app_id: "firebase:app:id"
+      display_name: "My Backend"
+      serving_locality: "GLOBAL_ACCESS"
     test_env_vars:
-      project_id: 'PROJECT_NAME'
+      project_id: "PROJECT_NAME"
     test_vars_overrides:
-      'location': '"us-central1"'
-      'serving_locality': '"GLOBAL_ACCESS"'
-    skip_test: true # Can't establish a Github connection in automated tests.
+      "location": '"us-central1"'
+      "serving_locality": '"GLOBAL_ACCESS"'
+    skip_test: true  # Can't establish a Github connection in automated tests.
 autogen_async: true
 async:
   operation:

mmv1/products/firebaseapphosting/product.yaml

@@ -19,6 +19,6 @@ scopes:
 versions:
   - base_url: https://firebaseapphosting.googleapis.com/v1beta/
     name: beta
-  # GA not available yet
-  # - base_url: https://firebaseapphosting.googleapis.com/v1main/
-    # name: ga
+# GA not available yet
+# - base_url: https://firebaseapphosting.googleapis.com/v1main/
+# name: ga

mmv1/templates/terraform/examples/firebase_app_hosting_backend_basic.tf.tmpl

@@ -1,11 +1,57 @@
+# Service account setup only required once per project.
+resource "google_service_account" "service_account" {
+  provider = google-beta
+
+  project = "{{index $.TestEnvVars "project_id"}}"
+
+  # Must be firebase-app-hosting-compute
+  account_id                   = "firebase-app-hosting-compute"
+  display_name                 = "Firebase App Hosting compute service account"
+
+  # Do not throw if already exists
+  create_ignore_already_exists = true
+}
+
+resource "google_project_iam_member" "app_hosting_sa_developerconnect" {
+  provider = google-beta
+
+  project = "{{index $.TestEnvVars "project_id"}}"
+
+  # For reading connected Github repos
+  role   = "roles/developerconnect.readTokenAccessor"
+  member = google_service_account.service_account.member
+}
+
+resource "google_project_iam_member" "app_hosting_sa_adminsdk" {
+  provider = google-beta
+
+  project = "{{index $.TestEnvVars "project_id"}}"
+
+  # For Firebase Admin SDK
+  role   = "roles/firebase.sdkAdminServiceAgent"
+  member = google_service_account.service_account.member
+}
+
+resource "google_project_iam_member" "app_hosting_sa_runner" {
+  provider = google-beta
+
+  project = "{{index $.TestEnvVars "project_id"}}"
+
+  # For App Hosting
+  role   = "roles/firebaseapphosting.computeRunner"
+  member = google_service_account.service_account.member
+}
+
 resource "google_firebase_app_hosting_backend" "example" {
+  provider = google-beta
+
   project          = "{{index $.TestEnvVars "project_id"}}"
   location         = "{{index $.Vars "location"}}"
   backend_id       = "{{index $.Vars "backend_id"}}"
   app_id           = "{{index $.Vars "app_id"}}"
   display_name     = "{{index $.Vars "display_name"}}"
   serving_locality = "{{index $.Vars "serving_locality"}}"
-  service_account  = "firebase-app-hosting-compute@{{index $.TestEnvVars "project_id"}}.iam.gserviceaccount.com"
+  service_account  = google_service_account.service_account.email
   environment      = "prod"
 
   annotations = {

mmv1/templates/terraform/examples/firebase_app_hosting_backend_github.tf.tmpl

@@ -1,4 +1,6 @@
 resource "google_firebase_app_hosting_backend" "example" {
+  provider = google-beta
+
   project          = "{{index $.TestEnvVars "project_id"}}"
   location         = "{{index $.Vars "location"}}"
   backend_id       = "{{index $.Vars "backend_id"}}"
@@ -23,6 +25,8 @@ resource "google_firebase_app_hosting_backend" "example" {
 }
 
 resource "google_developer_connect_connection" "my-connection" {
+  provider = google-beta
+
   project  = "{{index $.TestEnvVars "project_id"}}"
   location = "{{index $.Vars "location"}}"
   connection_id = "tf-test-connection-new"
@@ -33,6 +37,8 @@ resource "google_developer_connect_connection" "my-connection" {
 }
 
 resource "google_developer_connect_git_repository_link" "my-repository" {
+  provider = google-beta
+
   project  = "{{index $.TestEnvVars "project_id"}}"
   location = "{{index $.Vars "location"}}"
 
@@ -48,12 +54,16 @@ output "next_steps" {
 
 # Setup permissions. Only needed once per project
 resource "google_project_service_identity" "devconnect-p4sa" {
+  provider = google-beta
+
   provider = google-beta
   project  = "{{index $.TestEnvVars "project_id"}}"
   service  = "developerconnect.googleapis.com"
 }
 
 resource "google_project_iam_member" "devconnect-secret" {
+  provider = google-beta
+
   project  = "{{index $.TestEnvVars "project_id"}}"
   role     = "roles/secretmanager.admin"
   member   = google_project_service_identity.devconnect-p4sa.member