As of June 2020, you can enable the Firestore key-value database with Terraform. Two things are somewhat confusing:
- You need to create an App Engine app to enable the Firestore database
- You need to use Datastore IAM roles.
This is what you need to do:
Use the Google Beta Provider
Start by using the google-beta provider (it might be in main by the time you read this).
provider "google-beta" {
  project = var.project_id
  version = "~> 3.0"
}
Create an App Engine App
In order to use Firestore, you first need to create an App Engine app. As I understand, there is work underway to remove this limitation, but this is how it is right now. Here’s what you need to know:
- You can only enable App Engine once per project.
- The region (location_id) choice is permanent per project and cannot be undone.
- You will not be charged for enabling App Engine if you don’t use it.
variable "location_id" {
  type        = string
  description = "The default App Engine region. For instance 'europe-west'"
}
# Use firestore
resource "google_app_engine_application" "app" {
  provider      = google-beta
  location_id   = var.location_id
  database_type = "CLOUD_FIRESTORE"
}
Using Firestore From Your Application
Enable the Firestore API so that your applications can connect using the Firestore client libraries.
resource "google_project_service" "firestore" {
  service                    = "firestore.googleapis.com"
  disable_dependent_services = true
}
If you are not using the default service accounts (or you have disabled their default grants), you will need to grant the Datastore User role to your service account. Yes, that’s Datastore, not Firestore.
resource "google_project_iam_member" "firestore_user" {
  role   = "roles/datastore.user"
  member = "serviceAccount:[YOUR SERVICE ACCOUNT]"
}
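If you would rather not paste a service account address into the placeholder, you can create a dedicated service account in the same configuration and grant it only the Datastore User role. This is an added example, not part of the original configuration; the resource names `firestore_app` and `firestore_app_user` and the account id `firestore-app` are assumptions.

```hcl
# Added example: resource names and the account id are assumptions.
# Omit this variable if your configuration already declares project_id.
variable "project_id" {
  type        = string
  description = "The project that hosts the Firestore database"
}

# A dedicated identity for the application, so it does not depend on the
# default service accounts and their default grants.
resource "google_service_account" "firestore_app" {
  # Set explicitly: only the google-beta provider above carries a project.
  project      = var.project_id
  account_id   = "firestore-app"
  display_name = "Application access to Firestore"
}

# google_project_iam_member is additive (non-authoritative): it adds this one
# member to the role and leaves the role's other members untouched.
resource "google_project_iam_member" "firestore_app_user" {
  project = var.project_id
  role    = "roles/datastore.user"
  member  = "serviceAccount:${google_service_account.firestore_app.email}"
}

# The address to configure in the workload that talks to Firestore.
output "firestore_app_service_account" {
  value = google_service_account.firestore_app.email
}
```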