TerraformPilot

Terraform for Android App Backends on Firebase and GCP

Provision Android app backends with Terraform: Firebase Auth, Firestore, FCM push, Cloud Run APIs, and Play Integrity API on Google Cloud.

Luca Berton · 1 min read

Android apps usually pair with Firebase / Google Cloud. The google and google-beta Terraform providers cover Firebase Auth, Firestore, FCM, Cloud Run, and the Play Integrity API — so your entire mobile backend can live in code.

Quick Pattern (TL;DR)

provider "google-beta" {
  project = var.project_id
  region  = "us-central1"
}
 
resource "google_firebase_project" "default" {
  provider = google-beta
  project  = var.project_id
}
 
resource "google_firebase_android_app" "android" {
  provider     = google-beta
  project      = var.project_id
  display_name = "Acme Android"
  package_name = "com.acme.app"
  sha1_hashes  = [var.release_sha1]
}

Firestore + Auth

resource "google_firestore_database" "default" {
  project     = var.project_id
  name        = "(default)"
  location_id = "nam5"
  type        = "FIRESTORE_NATIVE"
}
 
resource "google_identity_platform_config" "auth" {
  project = var.project_id
  sign_in {
    # HCL has no ';' separator: a block with several arguments must span multiple lines.
    email {
      enabled           = true
      password_required = true
    }
    phone_number { enabled = true }
    anonymous { enabled = false }
  }
}

FCM Push (HTTP v1)

resource "google_project_service" "fcm" {
  project = var.project_id
  service = "fcm.googleapis.com"
}
 
resource "google_service_account" "fcm_sender" {
  account_id   = "fcm-sender"
  display_name = "FCM HTTP v1 sender"
}
 
resource "google_project_iam_member" "fcm" {
  project = var.project_id
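  # Sending through FCM HTTP v1 needs cloudmessaging.messages.create,
  # which the read-only viewer role does not grant.
  role    = "roles/firebasecloudmessaging.admin"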
  member  = "serviceAccount:${google_service_account.fcm_sender.email}"
}

API on Cloud Run

resource "google_cloud_run_v2_service" "api" {
  name     = "android-api"
  location = "us-central1"
 
  template {
    containers {
      image = var.api_image
      env {
        name  = "FIRESTORE_PROJECT"
        value = var.project_id
      }
    }
    scaling {
      min_instance_count = 1
      max_instance_count = 50
    }
  }
}

Best Practices

  • Use App Check + Play Integrity to gate Firestore reads/writes.
  • Region-pin Firestore (nam5 or eur3) for compliance.
  • One service account per concern (FCM sender, Firestore admin, signed-URL issuer).
  • Use Firebase Remote Config for feature flags and Terraform-managed config rollouts.
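
Added example (not from the original article): one way to express the first practice in Terraform, registering Play Integrity as the App Check provider for the Android app and switching on enforcement for Firestore. It reuses google_firebase_android_app.android and var.project_id from the snippets above; the resource labels and the app_check_enforce variable are assumptions.

```hcl
# Added example. Resource labels and var.app_check_enforce are assumptions,
# not names used by the article.
variable "app_check_enforce" {
  description = "false = monitor only (UNENFORCED); true = reject Firestore requests without a valid App Check token"
  type        = bool
  default     = false
}

# APIs used by App Check and Play Integrity.
resource "google_project_service" "app_check" {
  for_each = toset([
    "firebaseappcheck.googleapis.com",
    "playintegrity.googleapis.com",
  ])
  project            = var.project_id
  service            = each.value
  disable_on_destroy = false
}

# Register Play Integrity as the attestation provider for the Android app.
# App Check with Play Integrity also needs the app's SHA-256 signing
# fingerprint registered on the Firebase Android app (sha256_hashes).
resource "google_firebase_app_check_play_integrity_config" "android" {
  provider  = google-beta
  project   = var.project_id
  app_id    = google_firebase_android_app.android.app_id
  token_ttl = "3600s" # shorter TTL narrows the replay window for a captured token

  depends_on = [google_project_service.app_check]
}

# Weak setting: UNENFORCED only records metrics; unattested clients still reach Firestore.
# Corrected setting: ENFORCED rejects requests that carry no valid App Check token.
resource "google_firebase_app_check_service_config" "firestore" {
  provider         = google-beta
  project          = var.project_id
  service_id       = "firestore.googleapis.com"
  enforcement_mode = var.app_check_enforce ? "ENFORCED" : "UNENFORCED"

  depends_on = [google_project_service.app_check]
}
```

Apply with the default first, confirm in the App Check metrics that release builds send valid tokens, then set app_check_enforce = true. App Check complements Firestore security rules and does not replace them.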