App Check DeviceCheck provider

mmv1/products/firebaseappcheck/DeviceCheckConfig.yaml

@@ -0,0 +1,113 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+!ruby/object:Api::Resource
+name: "DeviceCheckConfig"
+base_url: projects/{{project}}/apps/{{app_id}}/deviceCheckConfig
+self_link: projects/{{project}}/apps/{{app_id}}/deviceCheckConfig
+create_url: projects/{{project}}/apps/{{app_id}}/deviceCheckConfig?updateMask=tokenTtl,keyId,privateKey
+create_verb: :PATCH
+update_verb: :PATCH
+update_mask: true
+skip_delete: true
+description: |
+  An app's DeviceCheck configuration object. Note that the Team ID registered with your
+  app is used as part of the validation process. Make sure your `google_firebase_apple_app` has a team_id present.
+references: !ruby/object:Api::Resource::ReferenceLinks
+  guides:
+    "Official Documentation": "https://firebase.google.com/docs/app-check"
+  api: "https://firebase.google.com/docs/reference/appcheck/rest/v1/projects.apps.deviceCheckConfig"
+import_format:
+  [
+    "projects/{{project}}/apps/{{app_id}}/deviceCheckConfig",
+    "{{project}}/{{app_id}}",
+    "{{app_id}}",
+  ]
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: "firebase_app_check_device_check_config_minimal"
+    # Need the time_sleep resource
+    pull_external: true
+    primary_resource_id: "default"
+    vars:
+      bundle_id: "bundle.id.devicecheck"
+      key_id: "Key ID"
+      private_key_path: "path/to/private-key.p8"
+      team_id: "9987654321"
+    test_vars_overrides:
+      # Don't add random suffix
+      private_key_path: '"test-fixtures/private-key.p8"'
+      team_id: '"9987654321"'
+    test_env_vars:
+      project_id: :PROJECT_NAME
+  - !ruby/object:Provider::Terraform::Examples
+    name: "firebase_app_check_device_check_config_full"
+    # Need the time_sleep resource
+    pull_external: true
+    primary_resource_id: "default"
+    vars:
+      bundle_id: "bundle.id.devicecheck"
+      key_id: "Key ID"
+      private_key_path: "path/to/private-key.p8"
+      team_id: "9987654321"
+      token_ttl: "7200s"
+    test_vars_overrides:
+      # Don't add random suffix
+      private_key_path: '"test-fixtures/private-key-2.p8"'
+      team_id: '"9987654321"'
+      token_ttl: '"7200s"'
+    test_env_vars:
+      project_id: :PROJECT_NAME
+parameters:
+  - !ruby/object:Api::Type::String
+    name: app_id
+    description: |
+      The ID of an
+      [Apple App](https://firebase.google.com/docs/reference/firebase-management/rest/v1beta1/projects.iosApps#IosApp.FIELDS.app_id).
+    required: true
+    immutable: true
+    url_param_only: true
+properties:
+  - !ruby/object:Api::Type::String
+    name: name
+    description: |
+      The relative resource name of the DeviceCheck configuration object
+    output: true
+    pattern: projects/{{project}}/apps/{{app_id}}/deviceCheckConfig
+  - !ruby/object:Api::Type::String
+    name: tokenTtl
+    description: |
+      Specifies the duration for which App Check tokens exchanged from DeviceCheck artifacts will be valid.
+      If unset, a default value of 1 hour is assumed. Must be between 30 minutes and 7 days, inclusive.
+
+      A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
+    default_from_api: true
+  - !ruby/object:Api::Type::String
+    name: keyId
+    description: |
+      The key identifier of a private key enabled with DeviceCheck, created in your Apple Developer account.
+    required: true
+  - !ruby/object:Api::Type::String
+    name: privateKey
+    description: |
+      The contents of the private key (.p8) file associated with the key specified by keyId.
+    required: true
+    sensitive: true
+    ignore_read: true
+  - !ruby/object:Api::Type::Boolean
+    name: privateKeySet
+    description: |
+      Whether the privateKey field was previously set. Since App Check will never return the
+      privateKey field, this field is the only way to find out whether it was previously set.
+    output: true

mmv1/templates/terraform/examples/firebase_app_check_device_check_config_full.tf.erb

@@ -0,0 +1,30 @@
+resource "google_firebase_apple_app" "default" {
+  project      = "<%= ctx[:test_env_vars]['project_id'] %>"
+  display_name = "Apple app"
+  bundle_id    = "<%= ctx[:vars]['bundle_id'] %>"
+  team_id      = "<%= ctx[:vars]['team_id'] %>"
+}
+
+# It takes a while for App Check to recognize the new app
+# If your app already exists, you don't have to wait 30 seconds.
+resource "time_sleep" "wait_30s" {
+  depends_on      = [google_firebase_apple_app.default]
+  create_duration = "30s"
+}
+
+resource "google_firebase_app_check_device_check_config" "default" {
+  project     = "<%= ctx[:test_env_vars]['project_id'] %>"
+  app_id      = google_firebase_apple_app.default.app_id
+  token_ttl   = "<%= ctx[:vars]['token_ttl'] %>"
+  key_id      = "<%= ctx[:vars]['key_id'] %>"
+  private_key = file("<%= ctx[:vars]['private_key_path'] %>")
+
+  depends_on = [time_sleep.wait_30s]
+
+  lifecycle {
+    precondition {
+      condition     = google_firebase_apple_app.default.team_id != ""
+      error_message = "Provide a Team ID on the Apple App to use App Check"
+    }
+  }
+}

mmv1/templates/terraform/examples/firebase_app_check_device_check_config_minimal.tf.erb

@@ -0,0 +1,29 @@
+resource "google_firebase_apple_app" "default" {
+  project      = "<%= ctx[:test_env_vars]['project_id'] %>"
+  display_name = "Apple app"
+  bundle_id    = "<%= ctx[:vars]['bundle_id'] %>"
+  team_id      = "<%= ctx[:vars]['team_id'] %>"
+}
+
+# It takes a while for App Check to recognize the new app
+# If your app already exists, you don't have to wait 30 seconds.
+resource "time_sleep" "wait_30s" {
+  depends_on      = [google_firebase_apple_app.default]
+  create_duration = "30s"
+}
+
+resource "google_firebase_app_check_device_check_config" "default" {
+  project     = "<%= ctx[:test_env_vars]['project_id'] %>"
+  app_id      = google_firebase_apple_app.default.app_id
+  key_id      = "<%= ctx[:vars]['key_id'] %>"
+  private_key = file("<%= ctx[:vars]['private_key_path'] %>")
+
+  depends_on = [time_sleep.wait_30s]
+
+  lifecycle {
+    precondition {
+      condition     = google_firebase_apple_app.default.team_id != ""
+      error_message = "Provide a Team ID on the Apple App to use App Check"
+    }
+  }
+}

mmv1/third_party/terraform/services/firebaseappcheck/resource_firebase_app_check_device_check_config_test.go

@@ -0,0 +1,69 @@
+package firebaseappcheck_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+func TestAccFirebaseAppCheckDeviceCheckConfig_firebaseAppCheckDeviceCheckConfigUpdate(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"project_id":       envvar.GetTestProjectFromEnv(),
+		"team_id":          "9987654321",
+		"private_key_path": "test-fixtures/private-key.p8",
+		"token_ttl":        "3600s",
+		"random_suffix":    acctest.RandString(t, 10),
+	}
+
+	contextUpdated := map[string]interface{}{
+		"project_id":       envvar.GetTestProjectFromEnv(),
+		"team_id":          "9987654321",
+		"private_key_path": "test-fixtures/private-key-2.p8",
+		"token_ttl":        "7200s",
+		// Bundle ID needs to be the same between updates but different between tests
+		"random_suffix": context["random_suffix"],
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"random": {},
+			"time":   {},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccFirebaseAppCheckDeviceCheckConfig_firebaseAppCheckDeviceCheckConfigMinimalExample(context),
+			},
+			{
+				ResourceName:            "google_firebase_app_check_device_check_config.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"private_key", "app_id"},
+			},
+			{
+				Config: testAccFirebaseAppCheckDeviceCheckConfig_firebaseAppCheckDeviceCheckConfigFullExample(contextUpdated),
+			},
+			{
+				ResourceName:            "google_firebase_app_check_device_check_config.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"private_key", "app_id"},
+			},
+			{
+				Config: testAccFirebaseAppCheckDeviceCheckConfig_firebaseAppCheckDeviceCheckConfigMinimalExample(contextUpdated),
+			},
+			{
+				ResourceName:            "google_firebase_app_check_device_check_config.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"private_key", "app_id"},
+			},
+		},
+	})
+}

mmv1/third_party/terraform/services/firebaseappcheck/test-fixtures/private-key-2.p8

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+AlsoNotAValidKey
+-----END PRIVATE KEY-----

mmv1/third_party/terraform/services/firebaseappcheck/test-fixtures/private-key.p8

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+NotAValidKey
+-----END PRIVATE KEY-----