# google-cloud
s
👋 Hello! I'm using gcp:firebaserules:Ruleset with the following YAML config:
```yaml
database-rules-4:
    type: gcp:firebaserules:Ruleset
    properties:
      source:
        files:
          - name: "firestore.rules"
            content: |
              service cloud.firestore {
                match /databases/{database}/documents {
                  match /{document=**} {
                    allow read, write: if false;
                  }
                }
              }
```
However, when I do `pulumi up` I can see that in Firestore the timestamp of my rules seems to have been updated but I'm still seeing `allow read, write: if true;`, instead of `false` which is what I'd like to set it to. Not seeing any errors and manually updating the rules works. Am I missing something in the setup?
Hmm I wonder if it's a Firebase/GCP UI issue... when I manually update a rule in the console I can see the previous rule that was in place and it does match what I set via Pulumi, even though previously it didn't show the right value on the UI. I'll try out actual invocations to the DB to confirm. Very strange!
d
The REST API docs talk about needing to also "release" your rulesets after deploying them. In the console, this is called "publish". Perhaps you need this as well? https://www.pulumi.com/registry/packages/gcp/api-docs/firebaserules/release/
s
Hmm in theory that makes sense but even with that additional resource the rules still aren’t getting published 🤔 I may be missing something. I asked Pulumi AI but it didn’t mention the release resource unless specifically prompted for it.
Alright, after a bunch of trial and error and attempting the setup on a new project I got this to update properly. I think I created and destroyed my infra way too many times with way too many errors for it to have worked on my first GCP project - was getting 400s in the end and couldn't destroy the stack anymore 😅 Here's the final setup I've got for the resources:
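```yaml
  # Both entries sit under the top-level `resources:` key of Pulumi.yaml.
  firestoreRuleset:
    type: gcp:firebaserules:Ruleset
    properties:
      source:
        files:
          - name: "firestore.rules"
            # `if true` grants read and write on every document to any caller.
            content: "service cloud.firestore {match /databases/{database}/documents { match /{document=**} { allow read, write: if true; } } }"
  # The Release publishes the ruleset; without it the rules are uploaded but not enforced.
  firestoreRulesRelease:
    type: gcp:firebaserules:Release
    properties:
      name: "cloud.firestore"
      rulesetName: "projects/pulumitest2-409018/rulesets/${firestoreRuleset.name}"
    options:
      dependsOn:
        - ${firestoreRuleset}
```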
The Terraform docs also helped, especially around understanding what the arguments should be.
Specifically this: "Firestore Rules Releases will always have the name 'cloud.firestore'", which I was messing with and clearly broke somehow.