Google Cloud Build allows developers to easily watch repository changes and start a build process. In this tutorial, I will teach how to utilize Google Cloud Build for deploying Firebase functions.
- You currently have a Firebase project with Functions you're actively developing against
- Firebase CLI installed on your computer
npm i -g firebase-tools
- Enable Google Cloud Build, Cloud Key Management
- Create a Symmetric Cryptographic Secret for the Firebase Token
- Configure Repository within Cloud Build and Cloud Build Trigger
- Create Container Image for Firebase Tools
- Build Configuration
- Commit and Watch Build
Step 1 - Enable Google Cloud Build, Cloud Key Management
Next, enable the Cloud Key Management Service (KMS) API. KMS handles encryption of the Firebase access token in the next step.
Step 2 - Create a Symmetric Cryptographic Secret for the Firebase Token
Firebase requires an access token in order to deploy from Cloud Build.
Open a terminal and type firebase login:ci. This opens a web browser window for authentication. Log in from the web browser, and the command line tool provides an authentication token. Copy the token returned from the login that's outlined in red below.
Should this access token be compromised, revoke the token with the following command
firebase logout --token TOKEN.
Go back to the Cloud Console and open the Cloud Shell. In Cloud Shell, create a KeyRing with the following command replacing the
gcloud kms keyrings create KEY_RING_NAME --location global
Create a key within the
KEY_RING_NAME created using the following command replacing the
gcloud kms keys create KEY --keyring KEY_RING_NAME --location global --purpose "encryption"
In the Security Console, the
KEY_RING includes the
Be mindful of key rotation if you or your organization requires it.
In Cloud Shell, run the command below.
FIREBASE_TOKEN will be the shell variable, and TOKEN is the login token created above.
Next run the following command to encrypt the
FIREBASE_TOKEN to a base64 encoded token. Replace the
echo -n "$FIREBASE_TOKEN" | gcloud kms encrypt --plaintext-file=- --ciphertext-file=- --key=KEY --keyring=KEY_RING_NAME --location=global | base64
The encrypted base64 encoded value will be used in the creation of the Cloud Build Trigger.
Step 3 - Configure Repository within Cloud Build and Cloud Build Trigger
After the repository connects in the Cloud Build Menu click Triggers. Once the screen appears for all the triggers in this project, click Create Trigger.
Triggers observe changes made to a branch of a repository. Changes to certain files can be filtered or ignored, either by naming the files specifically or through glob patterns. Filtering can be useful for builds done in a monorepository such as Nrwl's nx.
Define the cloudbuild.yaml file for the project to be built.
Two substitution variables will be used in our cloudbuild.yaml template for replacement. Add the following variables and the values described.
- _KEY_RING_NAME - The KEY_RING_NAME created in step 2.
- _KEY_NAME - The KEY_NAME created in step 2.
Finally, enable the service accounts needed for the build process to work. In this instance, the Firebase Admin and KMS Secret Manager need to be enabled. Go to the settings of Cloud Build to enable the service accounts. Other service accounts can be enabled depending on which resources need to be built. This makes these permissions easier to manage than through IAM.
Step 4 - Create Container Image for Firebase Tools
Cloud Build handles each build step through different Docker images. Many different containers exist out of the box, but deploying Firebase Functions or other Firebase services requires Firebase-Tools.
In the Google Cloud Console, click the shell to activate cloud shell. It may take a moment for the instance to show up for first time use.
The following steps can be found here: https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-firebase
1. In the shell, clone the repository
git clone https://github.com/GoogleCloudPlatform/cloud-builders-community.git
2. Change the directory
3. Add the docker file to Container Registry
gcloud builds submit .
4. You may remove the clone of this repository once the image has been pushed to your Container Registry.
As a note, the Firebase image installs firebase-tools, the Firebase CLI.
Step 5 - Cloud Build Configuration
The cloud build configuration file consists of the following steps:
- Install the necessary npm packages.
- Build the project
- Deploy the functions
Copy and paste the cloudbuild.yaml file above into the directory defined when setting up the trigger. The FIREBASE_TOKEN needs to be replaced with the base64 encoded string created in step 2.*
*Normally, I would suggest to put this as a substitution variable so it doesn't get checked into source code, and it'd be easier to handle different environmental changes from dev, staging, and production. I'll update if I find a better solution.
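A build configuration with the three steps listed in this section and the KMS-encrypted token from step 2, written here as an added example and not the author's original file. It assumes the functions live in a functions directory with an npm build script, that the image from step 4 was pushed as gcr.io/$PROJECT_ID/firebase, and that the two trigger substitutions are expanded in kmsKeyName; ENCRYPTED_BASE64_TOKEN is a placeholder.

```yaml
# cloudbuild.yaml (added example; directory and script names are assumptions)
steps:
  # 1. Install the necessary npm packages.
  - name: 'gcr.io/cloud-builders/npm'
    dir: 'functions'              # assumed location of the functions package.json
    args: ['install']

  # 2. Build the project (assumes a "build" script in package.json).
  - name: 'gcr.io/cloud-builders/npm'
    dir: 'functions'
    args: ['run', 'build']

  # 3. Deploy the functions with the image built in step 4.
  #    The token is never written in args, so it stays out of the
  #    step definition; Cloud Build decrypts it at run time and exposes
  #    it to this step only, as the FIREBASE_TOKEN environment variable
  #    that the Firebase CLI reads.
  - name: 'gcr.io/$PROJECT_ID/firebase'
    args: ['deploy', '--only', 'functions', '--project', '$PROJECT_ID']
    secretEnv: ['FIREBASE_TOKEN']

secrets:
  # _KEY_RING_NAME and _KEY_NAME are the substitution variables
  # defined on the trigger in step 3.
  - kmsKeyName: 'projects/$PROJECT_ID/locations/global/keyRings/${_KEY_RING_NAME}/cryptoKeys/${_KEY_NAME}'
    secretEnv:
      # Placeholder: paste the base64 ciphertext produced in step 2.
      # Only the KMS ciphertext belongs here, never the plaintext token.
      FIREBASE_TOKEN: 'ENCRYPTED_BASE64_TOKEN'
```

The build service account must be able to decrypt with this key, which is what enabling the KMS service account in the Cloud Build settings in step 3 provides.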
Step 6 - Commit and Watch Build
The next commit made triggers the build. Watch the build through each step and make sure it deploys to your Firebase environment.
Google Cloud Build enables developers to deploy code per a branch commit and filter or ignore certain file changes. Cloud Key Management Service encrypted the Firebase token allowing the Build Service to connect to Firebase via a Docker image created with Firebase-Tools CLI installed. Finally, the build configuration file defines the build steps with Key Management Service secrets and substitution variables to remove sensitive information from source code commits.