firebase · blidd-google · May 15, 2025 · May 7, 2025 · May 9, 2025 · May 9, 2025
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -132,6 +132,7 @@
     "gaxios": "^6.7.0",
     "glob": "^10.4.1",
     "google-auth-library": "^9.11.0",
+    "ignore": "^7.0.4",
     "js-yaml": "^3.14.1",
     "jsonwebtoken": "^9.0.0",
     "leven": "^3.1.0",

diff --git a/src/apphosting/backend.ts b/src/apphosting/backend.ts
@@ -14,7 +14,7 @@
   secretManagerOrigin,
 } from "../api";
 import { Backend, BackendOutputOnlyFields, API_VERSION } from "../gcp/apphosting";
-import { addServiceAccountToRoles } from "../gcp/resourceManager";
+import { addServiceAccountToRoles, getIamPolicy } from "../gcp/resourceManager";
 import * as iam from "../gcp/iam";
 import { FirebaseError, getErrStatus, getError } from "../error";
 import { input, confirm, select, checkbox, search, Choice } from "../prompt";
@@ -49,7 +49,7 @@
    // SSL.
    const maybeNodeError = err as { cause: { code: string }; code: string };
    if (
      /HANDSHAKE_FAILURE/.test(maybeNodeError?.cause?.code) ||
      "EPROTO" === maybeNodeError?.code
    ) {
      return false;
@@ -172,6 +172,30 @@
   logSuccess(`Your backend is now deployed at:\n\thttps://${backend.uri}`);
 }
 
+/**
+ * Setup up a new App Hosting backend to deploy from source.
+ */
+export async function doSetupSourceDeploy(
+  projectId: string,
+  backendId: string,
+): Promise<{ backend: Backend; location: string }> {
+  const location = await promptLocation(
+    projectId,
+    "Select a primary region to host your backend:\n",
+  );
+  const webApp = await webApps.getOrCreateWebApp(projectId, null, backendId);
+  if (!webApp) {
+    logWarning(`Firebase web app not set`);
+  }
+  const createBackendSpinner = ora("Creating your new backend...").start();
+  const backend = await createBackend(projectId, location, backendId, null, undefined, webApp?.id);
+  createBackendSpinner.succeed(`Successfully created backend!\n\t${backend.name}\n`);
+  return {
+    backend,
+    location,
+  };
+}
+
 /**
  * Check that all GCP APIs required for App Hosting are enabled.
  */
@@ -225,6 +249,7 @@
 export async function ensureAppHostingComputeServiceAccount(
   projectId: string,
   serviceAccount: string | null,
+  deployFromSource = false,
 ): Promise<void> {
   const sa = serviceAccount || defaultComputeServiceAccountEmail(projectId);
   const name = `projects/${projectId}/serviceAccounts/${sa}`;
@@ -249,13 +274,36 @@
       );
     }
   }
+  // N.B. To deploy from source, the App Hosting Compute Service Account must have
+  // the storage.objectViewer IAM role. For firebase-tools <= 14.3.0, the CLI does
+  // not add the objectViewer role, which means all existing customers will need to
+  // add it before deploying from source.
+  if (deployFromSource) {
+    const policy = await getIamPolicy(projectId);
+    const objectViewerBinding = policy.bindings.find(
+      (binding) => binding.role === "roles/storage.objectViewer",
+    );
+    if (
+      !objectViewerBinding ||
+      !objectViewerBinding.members.includes(
+        `serviceAccount:${defaultComputeServiceAccountEmail(projectId)}`,
+      )
+    ) {
+      await addServiceAccountToRoles(
+        projectId,
+        defaultComputeServiceAccountEmail(projectId),
+        ["roles/storage.objectViewer"],
+        /* skipAccountLookup= */ true,
+      );
+    }
+  }
 }
 
 /**
 * Prompts the user for a backend id and verifies that it doesn't match a pre-existing backend.
 */
 export async function promptNewBackendId(projectId: string, location: string): Promise<string> {
  while (true) {
    const backendId = await input({
      default: "my-web-app",
      message: "Provide a name for your backend [1-30 characters]",
@@ -340,6 +388,7 @@
       "roles/firebaseapphosting.computeRunner",
       "roles/firebase.sdkAdminServiceAgent",
       "roles/developerconnect.readTokenAccessor",
+      "roles/storage.objectViewer",
     ],
     /* skipAccountLookup= */ true,
   );
@@ -553,7 +602,7 @@
    message: locationDisambugationPrompt,
    choices: [...backendsByLocation.keys()],
  });
  return backendsByLocation.get(location)!;
 }

 /**

diff --git a/src/checkValidTargetFilters.ts b/src/checkValidTargetFilters.ts
@@ -30,6 +30,7 @@ const FILTERABLE_TARGETS = new Set([
   "storage",
   "database",
   "dataconnect",
+  "apphosting",
 ]);
 
 /**

diff --git a/src/commands/deploy.ts b/src/commands/deploy.ts
@@ -23,6 +23,7 @@
   "remoteconfig",
   "extensions",
   "dataconnect",
+  "apphosting",
 ];
 export const TARGET_PERMISSIONS: Record<(typeof VALID_DEPLOY_TARGETS)[number], string[]> = {
   database: ["firebasedatabase.instances.update"],
@@ -98,14 +99,14 @@
  )
  .before(requireConfig)
  .before((options) => {
    options.filteredTargets = filterTargets(options, VALID_DEPLOY_TARGETS);
    const permissions = options.filteredTargets.reduce((perms: string[], target: string) => {
      return perms.concat(TARGET_PERMISSIONS[target]);
    }, []);
    return requirePermissions(options, permissions);
  })
  .before((options) => {
    if (options.filteredTargets.includes("functions")) {
      return checkServiceAccountIam(options.project);
    }
  })

diff --git a/src/deploy/apphosting/args.ts b/src/deploy/apphosting/args.ts
@@ -0,0 +1,7 @@
+import { AppHostingSingle } from "../../firebaseConfig";
+
+export interface Context {
+  backendConfigs: Map<string, AppHostingSingle>;
+  backendLocations: Map<string, string>;
+  backendStorageUris: Map<string, string>;
+}