233 lines
5.3 KiB
HCL
233 lines
5.3 KiB
HCL
terraform {
|
|
required_providers {
|
|
google-beta = {
|
|
source = "hashicorp/google-beta"
|
|
version = "~> 6.0"
|
|
}
|
|
}
|
|
}
|
|
|
|
provider "google" {
|
|
project = var.gcp_project_id
|
|
region = var.gcp_region
|
|
}
|
|
|
|
|
|
# Firebase Project Setup
|
|
resource "google_firebase_project" "default" {
|
|
provider = google-beta
|
|
project = var.gcp_project_id
|
|
}
|
|
|
|
# Firebase Web App
|
|
resource "google_firebase_web_app" "rothbard_portal" {
|
|
provider = google-beta
|
|
project = google_firebase_project.default.project
|
|
display_name = "Rothbard Client Portal"
|
|
|
|
app_url = "https://${var.domain_name}"
|
|
|
|
# Handle OAuth redirect
|
|
oauth_config {
|
|
client_id = var.oauth_client_id
|
|
client_secret = var.oauth_client_secret
|
|
}
|
|
}
|
|
|
|
# Firestore Database
|
|
resource "google_firestore_database" "default" {
|
|
provider = google-beta
|
|
project = var.gcp_project_id
|
|
name = "(default)"
|
|
location_id = var.firestore_location
|
|
type = "FIRESTORE_NATIVE"
|
|
|
|
delete_protection_state = "DISABLED"
|
|
}
|
|
|
|
# Firebase Authentication - Complete Configuration
|
|
resource "google_identitytoolkit_config" "default" {
|
|
provider = google-beta
|
|
project = var.gcp_project_id
|
|
|
|
sign_in_options {
|
|
email {
|
|
enabled = true
|
|
password_required = true
|
|
}
|
|
|
|
# Disable other providers for security
|
|
phone {
|
|
enabled = false
|
|
}
|
|
|
|
google {
|
|
enabled = var.enable_google_signin
|
|
}
|
|
|
|
facebook {
|
|
enabled = false
|
|
}
|
|
|
|
apple {
|
|
enabled = false
|
|
}
|
|
}
|
|
|
|
# Email configuration
|
|
email {
|
|
reset_password_template {
|
|
from_email_address = var.auth_from_email
|
|
from_display_name = var.auth_from_name
|
|
reply_to = var.auth_reply_to
|
|
subject = "Reset your Rothbard Law Group password"
|
|
html = file("${path.module}/templates/reset_password.html")
|
|
text = file("${path.module}/templates/reset_password.txt")
|
|
}
|
|
|
|
email_verification_template {
|
|
from_email_address = var.auth_from_email
|
|
from_display_name = var.auth_from_name
|
|
reply_to = var.auth_reply_to
|
|
subject = "Verify your Rothbard Law Group account"
|
|
html = file("${path.module}/templates/email_verification.html")
|
|
text = file("${path.module}/templates/email_verification.txt")
|
|
}
|
|
}
|
|
|
|
# Security settings
|
|
sign_in {
|
|
allow_duplicate_emails = false
|
|
}
|
|
|
|
# Multi-factor authentication (disabled for simplicity)
|
|
multi_factor_auth {
|
|
enabled = false
|
|
}
|
|
|
|
# Anonymous user access (disabled)
|
|
anonymous {
|
|
enabled = false
|
|
}
|
|
}
|
|
|
|
# Service Account for the Flask App
|
|
resource "google_service_account" "flask_app" {
|
|
account_id = "rothbard-flask-app"
|
|
display_name = "Rothbard Flask App Service Account"
|
|
}
|
|
|
|
# IAM permissions for the Flask App
|
|
resource "google_project_iam_member" "firestore_access" {
|
|
project = var.gcp_project_id
|
|
role = "roles/datastore.user"
|
|
member = "serviceAccount:${google_service_account.flask_app.email}"
|
|
}
|
|
|
|
resource "google_project_iam_member" "firebase_admin" {
|
|
project = var.gcp_project_id
|
|
role = "roles/firebase.admin"
|
|
member = "serviceAccount:${google_service_account.flask_app.email}"
|
|
}
|
|
|
|
# Firestore Security Rules
|
|
resource "google_firestore_security_policy" "default" {
|
|
project = var.gcp_project_id
|
|
policy = {
|
|
rules = [
|
|
{
|
|
description = "Allow users to read/write their own profile"
|
|
match = {
|
|
collection = "users"
|
|
document = "{userId}"
|
|
}
|
|
allow = [
|
|
{
|
|
resource = "read"
|
|
condition = {
|
|
name = "request.auth.uid == userId"
|
|
}
|
|
},
|
|
{
|
|
resource = "write"
|
|
condition = {
|
|
name = "request.auth.uid == userId"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
description = "Only authenticated users can access the database"
|
|
match = {
|
|
collection = "{collection=**}"
|
|
}
|
|
allow = [
|
|
{
|
|
resource = "read"
|
|
condition = {
|
|
name = "request.auth != null"
|
|
}
|
|
},
|
|
{
|
|
resource = "write"
|
|
condition = {
|
|
name = "request.auth != null"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
|
|
# Firebase Hosting (optional - for static assets)
|
|
resource "google_firebase_hosting_site" "default" {
|
|
provider = google-beta
|
|
project = var.gcp_project_id
|
|
site_id = "rothbard-portal"
|
|
|
|
# Default configuration for hosting
|
|
config {
|
|
public_root_dir = "public"
|
|
headers = [
|
|
{
|
|
headers = ["Cache-Control: public, max-age=31536000"]
|
|
glob = "**/*.@(jpg|jpeg|gif|png|svg|webp)"
|
|
},
|
|
{
|
|
headers = ["Cache-Control: public, max-age=86400"]
|
|
glob = "**/*.@(css|js)"
|
|
}
|
|
]
|
|
redirects = [
|
|
{
|
|
status_code = 302
|
|
path = "/login"
|
|
location = "/login.html"
|
|
}
|
|
]
|
|
rewrites = [
|
|
{
|
|
glob = "**"
|
|
path = "/index.html"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
|
|
# Output important values
|
|
output "firebase_web_app_id" {
|
|
description = "Firebase Web App ID"
|
|
value = google_firebase_web_app.rothbard_portal.app_id
|
|
}
|
|
|
|
output "firebase_project_id" {
|
|
description = "Firebase Project ID"
|
|
value = google_firebase_project.default.project
|
|
}
|
|
|
|
output "service_account_email" {
|
|
description = "Service account email for Flask app"
|
|
value = google_service_account.flask_app.email
|
|
}
|