Enabling Firestore from Terraform

As of June 2020, you can enable the Firestore key-value database with Terraform. Two things are somewhat confusing:

  • You need to create an App Engine app to enable the Firestore database
  • You need to use Datastore IAM roles.

This is what you need to do:

Use the Google Beta Provider

Start by using the google-beta provider (the resources below might have moved into the main google provider by the time you read this).

provider "google-beta" {
  project = var.project_id
  version = "~> 3.0"
}

Create an App Engine App

In order to use Firestore, you first need to create an App Engine app. As I understand, there is work underway to remove this limitation, but this is how it is right now. Here’s what you need to know:

  • You can only enable App Engine once per project.
  • The region (location_id) choice is permanent per project and cannot be undone.
  • You will not be charged for enabling App Engine if you don’t use it.

variable "location_id" {
  type        = string
  description = "The default App Engine region. For instance 'europe-west'"
}

# Create the App Engine app and select Firestore as the project's database
resource "google_app_engine_application" "app" {
  provider      = google-beta
  location_id   = var.location_id
  database_type = "CLOUD_FIRESTORE"
}

Using Firestore From Your Application

Enable the Firestore API so that your applications can connect using the Firestore client libraries.

resource "google_project_service" "firestore" {
  service                    = "firestore.googleapis.com"
  disable_dependent_services = true
}

If your application does not run under a default service account (or you have disabled the default grants), you will need to grant it the Datastore User role. Yes, that’s Datastore, not Firestore.

resource "google_project_iam_member" "firestore_user" {
  role   = "roles/datastore.user"
  member = "serviceAccount:[YOUR SERVICE ACCOUNT]"
}
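Putting the pieces together, here is an added, complete example that is not from the original post: it declares the `project_id` variable the provider block references, creates a dedicated service account for the workload (the `firestore-app` name is an assumption) instead of granting the role to a default account, and orders the App Engine app after the API is enabled. The `disable_on_destroy` argument is a real `google_project_service` setting that keeps the API on if the resource is ever removed from the configuration.

```hcl
provider "google-beta" {
  project = var.project_id
  version = "~> 3.0"
}

variable "project_id" {
  type = string
}

variable "location_id" {
  type        = string
  description = "The default App Engine region, e.g. 'europe-west'"
}

# Assumed: a dedicated service account for the workload that uses Firestore,
# so the Datastore role is not handed to a default, broadly used account.
resource "google_service_account" "firestore_app" {
  provider     = google-beta
  account_id   = "firestore-app"
  display_name = "Workload that reads and writes Firestore"
}

resource "google_project_service" "firestore" {
  provider                   = google-beta
  service                    = "firestore.googleapis.com"
  disable_dependent_services = true
  # Leave the API enabled if this resource is removed; other workloads may use it.
  disable_on_destroy = false
}

resource "google_app_engine_application" "app" {
  provider      = google-beta
  location_id   = var.location_id
  database_type = "CLOUD_FIRESTORE"
  # Make sure the API is on before the database is created.
  depends_on = [google_project_service.firestore]
}

# roles/datastore.user grants read/write on the database without admin rights;
# use roles/datastore.viewer instead for a workload that only reads.
resource "google_project_iam_member" "firestore_user" {
  provider = google-beta
  role     = "roles/datastore.user"
  member   = "serviceAccount:${google_service_account.firestore_app.email}"
}
```

Run `terraform init` and `terraform plan` with `project_id` and `location_id` set; the plan should show the service account, the API enablement, the App Engine app and the single IAM member, nothing at the project-owner level.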