Firebase Tutorial - DevOps with Google Cloud Build

Google Cloud Build allows developers to easily watch repository changes and start a build process. In this tutorial, I will teach how to utilize Google Cloud Build for deploying Firebase functions.

Prerequisites

1. You currently have a Firebase project with Functions you're actively developing against
2. Firebase CLI installed on your computer npm i -g firebase-tools

Goals

1. Enable Google Cloud Build, Cloud Key Management
2. Create a Symmetric Cryptographic Secret for the Firebase Token
3. Configure Repository within Cloud Build and Cloud Build Trigger
4. Create Container Image for Firebase Tools
5. Build Configuration
6. Commit and Watch Build

Step 1 - Enable Google Cloud Build, Cloud Key Management

After logging into Google Cloud Console, navigate from the left navigation hamburger menu and select Google Cloud Build. This will redirect you to a page enable the Google Cloud Build API.

Next, enable the Cloud Key Management Service (KMS) API. The KMS service handles encryption a Firebase Access Token in the next step.

Step 2 - Create a Symmetric Cryptographic Secret for the Firebase Token

Firebase requires an access token in order to deploy from Cloud Build.

Open a terminal and type firebase login:ci. This opens a web browser window for authentication. Login from the web browser and the command line tool provides and authentication token. Copy the token returned from the login that's outlined in red below.

Should this access token be compromised, revoke the token with the following command firebase logout --token TOKEN.

Go back to the Cloud Console and open the Cloud Shell. In Cloud Shell, create a KeyRing with the following command replacing the KEY_RING_NAME.

gcloud kms keyrings create KEY_RING_NAME --location global

Create a key within the KEY_RING_NAME created using the following command replacing the KEY name.

glcoud kms keys create KEY --keyring KEY_RING_NAME --location global --purpose "encryption"

In the Security Console, the KEY_RING includes the KEY now.

Be mindful of key rotation if you or your organization requires it.

In Cloud Shell, run the command below. FIREBASE_TOKEN will be the shell variable, and TOKEN is the login token created above.

export FIREBASE_TOKEN=TOKEN

Next run the following command to encrypt the FIREBASE_TOKEN to a base64 encoded token. Replace the KEY and KEY_RING_NAME.

echo FIREBASE_TOKEN$ | gcloud kms encrypt --plaintext-file=- --ciphertext-file=- --key=KEY --keyring=KEY_RING_NAME --location=global | base64

The encrypted base64 encoded value will be used in the creation of the Cloud Build Trigger.

Step 3 - Configure Repository within Cloud Build and Cloud Build Trigger

Google Cloud Build supports three different repository types, Google's Cloud Source Repository, Bitbucket, and GitHub. Walk through the steps of connecting a repository to Cloud Build.

After the repository connects in the Cloud Build Menu click Triggers. Once the screen appears for all the triggers in this project, click Create Trigger.

Triggers observe changes made to a branch of repository. The ability to filter and ignore changes to certain files can be done specifically or through glob patterns. Filtering can be useful in the case of builds done through a monorepository such as Nrwl's nx.

Define the cloudbuild.yaml file for the project to be built.

Substitution Variables

Two substitution variables will be used in our cloudbuild.yaml template for replacement. Add the following variables and the values described.

1. _KEY_RING_NAME - The KEY_RING_NAME created in step 2.
2. _KEY_NAME - The KEY_NAME created in step 2

Finally, enable the service accounts needed for the build process to work. In this instance, the Firebase Admin and KMS Secret Manager needs to be enabled. Go to settings of cloud build to enable the service accounts. Other services accounts can be enabled depending on which resources need to be built. This allows an ability to manage these permissions more easily than IAM.

Step 4 - Create Container Image for Firebase Tools

Cloud Build handles each build step through different Docker images. Many different containers exist out of the box, but deploying Firebase Functions or other Firebase services requires Firebase-Tools.

In the Google Cloud Console, click the shell to activate cloud shell. It may take a moment for the instance to show up for first time use.

The following steps can be found here: https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-firebase

1. In the shell clone the repository

git clone https://github.com/GoogleCloudPlatform/cloud-builders-community.git

2. Change the directory

cd cloud-builders-community/firebase

3. Add the docker file to Container Registry

gcloud builds submit .

4. You may remove the clone of this repository once the image has been pushed to your Container Registry.

As a note, the Firebase image installs firebase-tools, the Firebase CLI.

Step 5 - Cloud Build Configuration

The cloud build configuration file consists of the following steps:

1. Install the necessary npm packages.
2. Build the project
3. Deploy the functions

Copy and paste the cloudbuild.yaml file above into the directory defined when setting up the trigger. The FIREBASE_TOKEN needs to be replaced with the base64 encoded string created in step 2.*

*Normally, I would suggest to put this as a substitution variable so it doesn't get checked into source code, and it'd be easier to handle different environmental changes from dev, staging, and production. I'll update if I find a better solution.

Step 6 - Commit and Watch Build

The next commit made triggers the build. Watch the build through each step and make sure it deploys to your Firebase environment.

Summary

Google Cloud Build enables developers to deploy code per a branch commit and filter or ignore certain file changes. Cloud Key Management Service encrypted the Firebase token allowing the Build Service to connect to Firebase via a Docker image created with Firebase-Tools CLI installed. Finally, the build configuration file defines the build steps with Key Management Service secrets and substitution variables to remove sensitive information from source code commits.