https://pulumi.com logo
#google-cloud
Title
# google-cloud
s

stocky-finland-45016

12/23/2023, 11:11 AM
👋 Hello! I'm using gcp:firebaserules:Ruleset with the following YAML config:
Copy code
database-rules-4:
    type: gcp:firebaserules:Ruleset
    properties:
      source:
        files:
          - name: "firestore.rules"
            content: |
              service cloud.firestore {
                match /databases/{database}/documents { 
                  match /{document=**} { 
                    allow read, write: if false; 
                  }
                }
              }
However, when I do
pulumi up
I can see that in Firestore the timestamp of my rules seems to have been updated but I'm still seeing
allow read, write: if true;
, instead of
false
which is what I'd like to set it to. Not seeing any errors and manually updating the rules works. Am I missing something in the setup?
Hmm I wonder if it's a Firebase/GCP UI issue... when I manually update a rule in the console I can see the previous rule that was in place and it does match what I set via Pulumi, even though previously it didn't show the right value on the UI. I'll try out actual invocations to the DB to confirm. Very strange!
d

dry-keyboard-94795

12/23/2023, 11:51 AM
The rest api docs talk about needing to also "release" your rulesets after deploying them. In the console, this is called "publish". Perhaps you need this as well? https://www.pulumi.com/registry/packages/gcp/api-docs/firebaserules/release/
s

stocky-finland-45016

12/23/2023, 3:05 PM
Hmm in theory that makes sense but even with that additional resource the rules still aren’t getting published 🤔 I may be missing something. I asked pulimi AI but it didn’t mention the release resource unless specifically prompted for it.
Alright, after a bunch of trial and error and attempting the setup on a new project I got this to update properly. I think I created and destroyed my infra way too many times with way too many errors for it to have worked on my first GCP project - was getting 400s in the end and couldn't destroy the stack anymore 😅 Here's the final setup I've got for the resources:
Copy code
firestoreRuleset:
    type: gcp:firebaserules:Ruleset
    properties:
      source:
        files:
          - name: "firestore.rules"
            content: "service cloud.firestore {match /databases/{database}/documents { match /{document=**} { allow read, write: if true; } } }"
  firestoreRulesRelease:
    type: gcp:firebaserules:Release
    properties:
      name: "cloud.firestore"
      rulesetName: "projects/pulumitest2-409018/rulesets/${firestoreRuleset.name}"
    options:
      dependsOn:
        - ${firestoreRuleset}
The Terraform docs also helped, especially around understanding what the arguments should be.
Specifically this
Firestore Rules Releases will always have the name 'cloud.firestore'
which I was messing with and clearly broke somehow