DevOps
Terraform for Android App Backends on Firebase and GCP
Provision Android app backends with Terraform: Firebase Auth, Firestore, FCM push, Cloud Run APIs, and Play Integrity API on Google Cloud.
1 min read
DevOps
Terraform for ChromeOS Fleet Backends and Managed Cloud
Provision cloud infrastructure for ChromeOS fleets with Terraform: Google Workspace, identity, Chrome Enterprise APIs, and PWA backends on GCP.
LLuca Berton1 min read
ChromeOS dominates US K-12 and is meaningful in managed enterprise. Device policy itself stays in Google Admin (you can't fully Terraform Chrome device policy yet), but the cloud services around a fleet — identity, PWA backends, education apps, BigQuery for telemetry — fit Terraform perfectly.
What Terraform Does (and Doesn't)
#| Manageable via Terraform | Managed in Google Admin |
|---|---|
| GCP project, IAM, BigQuery | Chrome device policies |
| PWA / Cloud Run app backends | Auto-update channel |
| Identity Platform OIDC | App allowlists |
| Cloud Storage for assets | Kiosk apps |
PWA Backend on Cloud Run
#resource "google_cloud_run_v2_service" "pwa_api" {
name = "chromeos-pwa-api"
location = "us-central1"
template {
containers {
image = var.api_image
env { name = "ALLOWED_DOMAIN"; value = var.school_domain }
}
}
iam_policy = jsonencode({
bindings = [{
role = "roles/run.invoker"
members = ["domain:${var.school_domain}"]
}]
})
}SSO with Identity Platform
#resource "google_identity_platform_oauth_idp_config" "google" {
project = var.project_id
name = "oidc.google-workspace"
display_name = "Google Workspace"
client_id = var.workspace_oidc_client_id
issuer = "https://accounts.google.com"
enabled = true
}BigQuery for Chrome Reporting Logs Export
#resource "google_bigquery_dataset" "chrome_reporting" {
dataset_id = "chrome_reporting"
location = "US"
default_table_expiration_ms = 1000 * 60 * 60 * 24 * 365 # 1 year
}Configure the BigQuery export of Chrome Enterprise reporting in Google Admin → Devices → Chrome → Reports → Logs export.
Best Practices
#- Don't try to Terraform device policy — the Admin SDK doesn't expose enough of it.
- Pin PWA backends to Workspace domain via Cloud Run IAM
domain:member. - One BigQuery dataset per fleet for Chrome reporting export, with a clear retention policy.
- Use App-Bound Encryption-aware backends for stored creds.
Related
##Terraform#ChromeOS#Chrome Enterprise#GCP#Education
Related articles
DevOps
Terraform for Android Automotive OS: Connected-Car Backends
Provision Android Automotive OS connected-car backends with Terraform: vehicle telemetry, OTA updates, maps APIs, and secure ingestion pipelines.
1 min read
Cloud Computing
Google Cloud Load Balancer with Terraform
Configure Google Cloud HTTP(S) Load Balancer with Terraform — backend services, health checks, CDN, and SSL. Step-by-step guide with code examples and best p...
2 min read
Cloud Computing
Google Cloud Pub Sub Messaging with Terraform
Set up Pub/Sub topics, subscriptions, and dead letter queues with Terraform for reliable event-driven messaging. Step-by-step guide with code examples and be...
2 min read