firebase · blidd-google · May 15, 2025 · May 7, 2025 · May 9, 2025 · May 9, 2025
diff --git a/src/apphosting/backend.ts b/src/apphosting/backend.ts
@@ -14,7 +14,7 @@
   secretManagerOrigin,
 } from "../api";
 import { Backend, BackendOutputOnlyFields, API_VERSION } from "../gcp/apphosting";
-import { addServiceAccountToRoles } from "../gcp/resourceManager";
+import { addServiceAccountToRoles, getIamPolicy } from "../gcp/resourceManager";
 import * as iam from "../gcp/iam";
 import { FirebaseError, getErrStatus, getError } from "../error";
 import { input, confirm, select, checkbox, search, Choice } from "../prompt";
@@ -49,7 +49,7 @@
    // SSL.
    const maybeNodeError = err as { cause: { code: string }; code: string };
    if (
      /HANDSHAKE_FAILURE/.test(maybeNodeError?.cause?.code) ||
      "EPROTO" === maybeNodeError?.code
    ) {
      return false;
@@ -179,6 +179,30 @@
   logSuccess(`Your backend is now deployed at:\n\thttps://${backend.uri}`);
 }
 
+/**
+ * Setup up a new App Hosting backend to deploy from source.
+ */
+export async function doSetupSourceDeploy(
+  projectId: string,
+  backendId: string,
+): Promise<{ backend: Backend; location: string }> {
+  const location = await promptLocation(
+    projectId,
+    "Select a primary region to host your backend:\n",
+  );
+  const webApp = await webApps.getOrCreateWebApp(projectId, null, backendId);
+  if (!webApp) {
+    logWarning(`Firebase web app not set`);
+  }
+  const createBackendSpinner = ora("Creating your new backend...").start();
+  const backend = await createBackend(projectId, location, backendId, null, undefined, webApp?.id);
+  createBackendSpinner.succeed(`Successfully created backend!\n\t${backend.name}\n`);
+  return {
+    backend,
+    location,
+  };
+}
+
 /**
  * Set up a new App Hosting-type Developer Connect GitRepoLink, optionally with a specific connection ID
  */
@@ -218,6 +242,7 @@
 export async function ensureAppHostingComputeServiceAccount(
   projectId: string,
   serviceAccount: string | null,
+  deployFromSource = false,
 ): Promise<void> {
   const sa = serviceAccount || defaultComputeServiceAccountEmail(projectId);
   const name = `projects/${projectId}/serviceAccounts/${sa}`;
@@ -242,13 +267,36 @@
       );
     }
   }
+  // N.B. To deploy from source, the App Hosting Compute Service Account must have
+  // the storage.objectViewer IAM role. For firebase-tools <= 14.3.0, the CLI does
+  // not add the objectViewer role, which means all existing customers will need to
+  // add it before deploying from source.
+  if (deployFromSource) {
+    const policy = await getIamPolicy(projectId);
+    const objectViewerBinding = policy.bindings.find(
+      (binding) => binding.role === "roles/storage.objectViewer",
+    );
+    if (
+      !objectViewerBinding ||
+      !objectViewerBinding.members.includes(
+        `serviceAccount:${defaultComputeServiceAccountEmail(projectId)}`,
+      )
+    ) {
+      await addServiceAccountToRoles(
+        projectId,
+        defaultComputeServiceAccountEmail(projectId),
+        ["roles/storage.objectViewer"],
+        /* skipAccountLookup= */ true,
+      );
+    }
+  }
 }
 
 /**
 * Prompts the user for a backend id and verifies that it doesn't match a pre-existing backend.
 */
 export async function promptNewBackendId(projectId: string, location: string): Promise<string> {
  while (true) {
    const backendId = await input({
      default: "my-web-app",
      message: "Provide a name for your backend [1-30 characters]",
@@ -333,6 +381,7 @@
       "roles/firebaseapphosting.computeRunner",
       "roles/firebase.sdkAdminServiceAgent",
       "roles/developerconnect.readTokenAccessor",
+      "roles/storage.objectViewer",
     ],
     /* skipAccountLookup= */ true,
   );
@@ -546,7 +595,7 @@
    message: locationDisambugationPrompt,
    choices: [...backendsByLocation.keys()],
  });
  return backendsByLocation.get(location)!;
 }

 /**

diff --git a/src/checkValidTargetFilters.ts b/src/checkValidTargetFilters.ts
@@ -30,6 +30,7 @@ const FILTERABLE_TARGETS = new Set([
   "storage",
   "database",
   "dataconnect",
+  "apphosting",
 ]);
 
 /**

diff --git a/src/commands/deploy.ts b/src/commands/deploy.ts
@@ -23,6 +23,7 @@
   "remoteconfig",
   "extensions",
   "dataconnect",
+  "apphosting",
 ];
 export const TARGET_PERMISSIONS: Record<(typeof VALID_DEPLOY_TARGETS)[number], string[]> = {
   database: ["firebasedatabase.instances.update"],
@@ -98,14 +99,14 @@
  )
  .before(requireConfig)
  .before((options) => {
    options.filteredTargets = filterTargets(options, VALID_DEPLOY_TARGETS);
    const permissions = options.filteredTargets.reduce((perms: string[], target: string) => {
      return perms.concat(TARGET_PERMISSIONS[target]);
    }, []);
    return requirePermissions(options, permissions);
  })
  .before((options) => {
    if (options.filteredTargets.includes("functions")) {
      return checkServiceAccountIam(options.project);
    }
  })

diff --git a/src/deploy/apphosting/args.ts b/src/deploy/apphosting/args.ts
@@ -0,0 +1,7 @@
+import { AppHostingSingle } from "../../firebaseConfig";
+
+export interface Context {
+  backendConfigs: Map<string, AppHostingSingle>;
+  backendLocations: Map<string, string>;
+  backendStorageUris: Map<string, string>;
+}
diff --git a/src/deploy/apphosting/deploy.spec.ts b/src/deploy/apphosting/deploy.spec.ts
@@ -0,0 +1,129 @@
+import { expect } from "chai";
+import * as sinon from "sinon";
+import { Config } from "../../config";
+import { FirebaseError } from "../../error";
+import { AppHostingSingle } from "../../firebaseConfig";
+import * as gcs from "../../gcp/storage";
+import { RC } from "../../rc";
+import { Context } from "./args";
+import deploy from "./deploy";
+import * as util from "./util";
+import * as fs from "fs";
+import * as getProjectNumber from "../../getProjectNumber";
+
+const BASE_OPTS = {
+  cwd: "/",
+  configPath: "/",
+  except: "",
+  force: false,
+  nonInteractive: false,
+  interactive: false,
+  debug: false,
+  filteredTargets: [],
+  rc: new RC(),
+  json: false,
+};
+
+function initializeContext(): Context {
+  return {
+    backendConfigs: new Map<string, AppHostingSingle>([
+      [
+        "foo",
+        {
+          backendId: "foo",
+          rootDir: "/",
+          ignore: [],
+        },
+      ],
+    ]),
+    backendLocations: new Map<string, string>([["foo", "us-central1"]]),
+    backendStorageUris: new Map<string, string>(),
+  };
+}
+
+describe("apphosting", () => {
+  let getBucketStub: sinon.SinonStub;
+  let createBucketStub: sinon.SinonStub;
+  let uploadObjectStub: sinon.SinonStub;
+  let createArchiveStub: sinon.SinonStub;
+  let createReadStreamStub: sinon.SinonStub;
+  let getProjectNumberStub: sinon.SinonStub;
+
+  beforeEach(() => {
+    getProjectNumberStub = sinon
+      .stub(getProjectNumber, "getProjectNumber")
+      .throws("Unexpected getProjectNumber call");
+    getBucketStub = sinon.stub(gcs, "getBucket").throws("Unexpected getBucket call");
+    createBucketStub = sinon.stub(gcs, "createBucket").throws("Unexpected createBucket call");
+    uploadObjectStub = sinon.stub(gcs, "uploadObject").throws("Unexpected uploadObject call");
+    createArchiveStub = sinon.stub(util, "createArchive").throws("Unexpected createArchive call");
+    createReadStreamStub = sinon
+      .stub(fs, "createReadStream")
+      .throws("Unexpected createReadStream call");
+  });
+
+  afterEach(() => {
+    sinon.verifyAndRestore();
+  });
+
+  describe("deploy", () => {
+    const opts = {
+      ...BASE_OPTS,
+      projectId: "my-project",
+      only: "apphosting",
+      config: new Config({
+        apphosting: {
+          backendId: "foo",
+          rootDir: "/",
+          ignore: [],
+        },
+      }),
+    };
+
+    it("creates regional GCS bucket if one doesn't exist yet", async () => {
+      const context = initializeContext();
+      getProjectNumberStub.resolves("000000000000");
+      getBucketStub.onFirstCall().rejects(
+        new FirebaseError("error", {
+          original: new FirebaseError("original error", { status: 404 }),
+        }),
+      );
+      createBucketStub.resolves();
+      createArchiveStub.resolves({
+        projectSourcePath: "my-project/",
+        zippedSourcePath: "path/to/foo-1234.zip",
+      });
+      uploadObjectStub.resolves({
+        bucket: "firebaseapphosting-sources-12345678-us-central1",
+        object: "foo-1234",
+      });
+      createReadStreamStub.resolves();
+
+      await deploy(context, opts);
+
+      expect(createBucketStub).to.be.calledOnce;
+    });
+
+    it("correctly creates and sets storage URIs", async () => {
+      const context = initializeContext();
+      getProjectNumberStub.resolves("000000000000");
+      getBucketStub.resolves();
+      createBucketStub.resolves();
+      createArchiveStub.resolves({
+        projectSourcePath: "my-project/",
+        zippedSourcePath: "path/to/foo-1234.zip",
+      });
+      uploadObjectStub.resolves({
+        bucket: "firebaseapphosting-sources-12345678-us-central1",
+        object: "foo-1234",
+      });
+      createReadStreamStub.resolves();
+
+      await deploy(context, opts);
+
+      expect(context.backendStorageUris.get("foo")).to.equal(
+        "gs://firebaseapphosting-sources-000000000000-us-central1/foo-1234.zip",
+      );
+    });
+  });
+});
diff --git a/src/deploy/apphosting/deploy.ts b/src/deploy/apphosting/deploy.ts
@@ -0,0 +1,92 @@
+import * as fs from "fs";
+import * as path from "path";
+import { FirebaseError, getErrStatus } from "../../error";
+import * as gcs from "../../gcp/storage";
+import { getProjectNumber } from "../../getProjectNumber";
+import { Options } from "../../options";
+import { needProjectId } from "../../projectUtils";
+import { logBullet, logWarning } from "../../utils";
+import { Context } from "./args";
+import { createArchive } from "./util";
+
+/**
+ * Zips and uploads App Hosting source code to Google Cloud Storage in preparation for
+ * build and deployment. Creates storage buckets if necessary.
+ */
+export default async function (context: Context, options: Options): Promise<void> {
+  const projectId = needProjectId(options);
+  options.projectNumber = await getProjectNumber(options);
+  if (!context.backendConfigs) {
+    return;
+  }
+
+  // Ensure that a bucket exists in each region that a backend is or will be deployed to
+  for (const loc of context.backendLocations.values()) {
+    const bucketName = `firebaseapphosting-sources-${options.projectNumber}-${loc.toLowerCase()}`;
+    try {
+      await gcs.getBucket(bucketName);
+    } catch (err) {
+      const errStatus = getErrStatus((err as FirebaseError).original);
+      // Unfortunately, requests for a non-existent bucket from the GCS API sometimes return 403 responses as well as 404s.
+      // We must attempt to create a new bucket on both 403s and 404s.
+      if (errStatus === 403 || errStatus === 404) {
+        logBullet(
+          `Creating Cloud Storage bucket in ${loc} to store App Hosting source code uploads at ${bucketName}...`,
+        );
+        try {
+          await gcs.createBucket(projectId, {
+            name: bucketName,
+            location: loc,
+            lifecycle: {
+              rule: [
+                {
+                  action: {
+                    type: "Delete",
+                  },
+                  condition: {
+                    age: 30,
+                  },
+                },
+              ],
+            },
+          });
+        } catch (err) {
+          if (getErrStatus((err as FirebaseError).original) === 403) {
+            logWarning(
+              "Failed to create Cloud Storage bucket because user does not have sufficient permissions. " +
+                "See https://cloud.google.com/storage/docs/access-control/iam-roles for more details on " +
+                "IAM roles that are able to create a Cloud Storage bucket, and ask your project administrator " +
+                "to grant you one of those roles.",
+            );
+            throw (err as FirebaseError).original;
+          }
+        }
+      } else {
+        throw err;
+      }
+    }
+  }
+
+  for (const cfg of context.backendConfigs.values()) {
+    const { projectSourcePath, zippedSourcePath } = await createArchive(cfg, options.projectRoot);
+    const backendLocation = context.backendLocations.get(cfg.backendId);
+    if (!backendLocation) {
+      throw new FirebaseError(
+        `Failed to find location for backend ${cfg.backendId}. Please contact support with the contents of your firebase-debug.log to report your issue.`,
+      );
+    }
+    logBullet(`Uploading source code at ${projectSourcePath}...`);
+    const { bucket, object } = await gcs.uploadObject(
+      {
+        file: zippedSourcePath,
+        stream: fs.createReadStream(zippedSourcePath),
+      },
+      `firebaseapphosting-sources-${options.projectNumber}-${backendLocation.toLowerCase()}`,
+    );
+    logBullet(`Source code uploaded at gs://${bucket}/${object}`);
+    context.backendStorageUris.set(
+      cfg.backendId,
+      `gs://firebaseapphosting-sources-${options.projectNumber}-${backendLocation.toLowerCase()}/${path.basename(zippedSourcePath)}`,
+    );
+  }
+}
diff --git a/src/deploy/apphosting/index.ts b/src/deploy/apphosting/index.ts
@@ -0,0 +1,5 @@
+import prepare from "./prepare";
+import deploy from "./deploy";
+import release from "./release";
+
+export { prepare, deploy, release };