Firebase Tutorial - DevOps with Google Cloud Build
Google Cloud Build allows developers to easily watch repository changes and start a build process. In this tutorial, I will teach how to utilize Google Cloud Build for deploying Firebase functions.
Prerequisites
- You currently have a Firebase project with Functions you're actively developing against
- Firebase CLI installed on your computer
npm i -g firebase-tools
Goals
- Enable Google Cloud Build, Cloud Key Management
- Create a Symmetric Cryptographic Secret for the Firebase Token
- Configure Repository within Cloud Build and Cloud Build Trigger
- Create Container Image for Firebase Tools
- Build Configuration
- Commit and Watch Build
Step 1 - Enable Google Cloud Build, Cloud Key Management
After logging into Google Cloud Console, navigate from the left navigation hamburger menu and select Google Cloud Build. This will redirect you to a page enable the Google Cloud Build API.
Next, enable the Cloud Key Management Service (KMS) API. The KMS service handles encryption a Firebase Access Token in the next step.
Step 2 - Create a Symmetric Cryptographic Secret for the Firebase Token
Firebase requires an access token in order to deploy from Cloud Build.
Open a terminal and type firebase login:ci
. This opens a web browser window for authentication. Login from the web browser and the command line tool provides and authentication token. Copy the token returned from the login that's outlined in red below.
Should this access token be compromised, revoke the token with the following command firebase logout --token TOKEN
.
Go back to the Cloud Console and open the Cloud Shell. In Cloud Shell, create a KeyRing with the following command replacing the KEY_RING_NAME
.
gcloud kms keyrings create KEY_RING_NAME --location global
Create a key within the KEY_RING_NAME
created using the following command replacing the KEY
name.
glcoud kms keys create KEY --keyring KEY_RING_NAME --location global --purpose "encryption"
In the Security Console, the KEY_RING
includes the KEY
now.
Be mindful of key rotation if you or your organization requires it.
In Cloud Shell, run the command below. FIREBASE_TOKEN
will be the shell variable, and TOKEN
is the login token created above.
export FIREBASE_TOKEN=TOKEN
Next run the following command to encrypt the FIREBASE_TOKEN
to a base64 encoded token. Replace the KEY
and KEY_RING_NAME
.
echo FIREBASE_TOKEN$ | gcloud kms encrypt --plaintext-file=- --ciphertext-file=- --key=KEY --keyring=KEY_RING_NAME --location=global | base64
The encrypted base64 encoded value will be used in the creation of the Cloud Build Trigger.
Step 3 - Configure Repository within Cloud Build and Cloud Build Trigger
Google Cloud Build supports three different repository types, Google's Cloud Source Repository, Bitbucket, and GitHub. Walk through the steps of connecting a repository to Cloud Build.
After the repository connects in the Cloud Build Menu click Triggers. Once the screen appears for all the triggers in this project, click Create Trigger.
Free Your Developers
Nx Monorepo Starter alleviates developers from re-inventing deployments on popular Google Cloud Services, standardizes on libraries, and saves time for scaffolding projects.
Thanks for your interest in Nx GCP Starter. We'll be in touch shortly
Triggers observe changes made to a branch of repository. The ability to filter and ignore changes to certain files can be done specifically or through glob patterns. Filtering can be useful in the case of builds done through a monorepository such as Nrwl's nx.
Define the cloudbuild.yaml file for the project to be built.
Substitution Variables
Two substitution variables will be used in our cloudbuild.yaml template for replacement. Add the following variables and the values described.
- _KEY_RING_NAME - The
KEY_RING_NAME
created in step 2. - _KEY_NAME - The
KEY_NAME
created in step 2
Finally, enable the service accounts needed for the build process to work. In this instance, the Firebase Admin and KMS Secret Manager needs to be enabled. Go to settings of cloud build to enable the service accounts. Other services accounts can be enabled depending on which resources need to be built. This allows an ability to manage these permissions more easily than IAM.
Step 4 - Create Container Image for Firebase Tools
Cloud Build handles each build step through different Docker images. Many different containers exist out of the box, but deploying Firebase Functions or other Firebase services requires Firebase-Tools.
In the Google Cloud Console, click the shell to activate cloud shell. It may take a moment for the instance to show up for first time use.
The following steps can be found here: https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-firebase
- In the shell clone the repository
git clone https://github.com/GoogleCloudPlatform/cloud-builders-community.git
2. Change the directory
cd cloud-builders-community/firebase
3. Add the docker file to Container Registry
gcloud builds submit .
4. You may remove the clone of this repository once the image has been pushed to your Container Registry.
As a note, the Firebase
image installs firebase-tools
, the Firebase CLI.
Step 5 - Cloud Build Configuration
The cloud build configuration file consists of the following steps:
- Install the necessary npm packages.
- Build the project
- Deploy the functions
Copy and paste the cloudbuild.yaml file above into the directory defined when setting up the trigger. The FIREBASE_TOKEN
needs to be replaced with the base64 encoded string created in step 2.*
*Normally, I would suggest to put this as a substitution variable so it doesn't get checked into source code, and it'd be easier to handle different environmental changes from dev, staging, and production. I'll update if I find a better solution.
Step 6 - Commit and Watch Build
The next commit made triggers the build. Watch the build through each step and make sure it deploys to your Firebase environment.
Summary
Google Cloud Build enables developers to deploy code per a branch commit and filter or ignore certain file changes. Cloud Key Management Service encrypted the Firebase token allowing the Build Service to connect to Firebase via a Docker image created with Firebase-Tools CLI installed. Finally, the build configuration file defines the build steps with Key Management Service secrets and substitution variables to remove sensitive information from source code commits.