firebase_hosting_custom_domain persistent DNS Records

[TrieBr]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

TL;DR: Fix the API shape for supporting dynamic dns record creation, or add an example demonstrating how to do it in the current form.

firebase_hosting_custom_domain doesn't have a good way to dynamically create DNS records for the SSL challenges or other A/CNAME/TXT records. required_dns_updates is only present when the records need to be created so you can't reliably create DNS records from this field.

It would be nice is required_dns_updates was always populated regardless of if the DNS records have been previously verified or not, or even better: a simple field that is a list of records that should exist for the domain to be verified.

If this is already possible, it would be nice if the "Example Usage" included a section on how to dynamically create dns records based on this block (which I think would be an extremely common use case).

New or Affected Resource(s)

• firebase_hosting_custom_domain

Potential Terraform Configuration

resource "google_firebase_hosting_custom_domain" "default" {
  provider = google-beta
  project  = var.project_id
  site_id    = google_firebase_hosting_site.default.site_id
  custom_domain = var.dns_name
  wait_dns_verification = false
}
locals {
  # flatten ensures that this local value is a flat list of objects, rather
  # than a list of lists of objects.
  required_domain_records = flatten([
    for list_key, dns_updates in google_firebase_hosting_custom_domain.default.required_dns_updates : [
    for desired_key, desired in dns_updates.desired : [
      for record_key, record in desired.records : {
        list_key = list_key
        desired_key  = desired_key
        record_key  = record_key
        domain_name  = record.domain_name
        type  = record.type
        rdata  = record.rdata
      }
    ]
    ]
  ])
  depends_on = [google_firebase_hosting_custom_domain.default]
}

resource "google_dns_record_set" "domains" {
  for_each = local.required_domain_records
  project     = var.project_id
  name = "${each.value.domain_name}."
  type = each.value.type
  ttl  = 300
  managed_zone = var.root_dns_managed_zone_name
  rrdatas = [each.value.rdata]
  depends_on = [google_firebase_hosting_custom_domain.default]
}

The above example illustrates how dns records could be dynamically generated using the output from google_firebase_hosting_custom_domain, but this doesn't work as-is mainly because required_dns_updates can change between runs.

References

• #0000

b/318495539

[melinath]

Note from triage: It sounds like the issue here is that google_firebase_hosting_custom_domain.required_dns_updates.desired only contains items the need to exist (but don't yet exist), which means that once they are created, the field is empty - so iterating over the field to automate domain creation will create them correctly but then try to delete them immediately afterward. Is that accurate?

[BenJackGill]

I am having the same issue. Struggling to figure out how to get the A/CNAME/TXT records that are required for verification.

@TrieBr Did you manage to overcome this issue?

[anuraaga]

I also ran into this issue, it will be great if it's possible to automate DNS verification for Firebase hosting. A couple of ideas for the proposal

• It might be just my inexperience with it, but I couldn't find a way to flatten two complex lists with Terraform CDK (e.g. typescript). Making sure the DNS verification records is a single list may make it easier to use in general, and especially with CDK

• I have a scheme where I delegate the nameservers of a subdomain, e.g. alpha.project.com to a separate GCP managed zone for alpha.project.com. I'm not sure if it's a GCP bug or not, but I'm unable to add a CNAME to such a zone since it is considered "not a subdomain". If it's possible to access the advanced verification records in addition to the quick setup records, it would be nice for this case.