Enable Secret Manager when function includes secrets.

Author: taeold

CHANGELOG.md

@@ -0,0 +1,2 @@
+- Fixed issue where `firebase init firestore` would raise an error due to rules/indexes file path being undefined. (#8518)
+- Fixed issue where Secret Manager API was not automatically enabled for functions using secrets. (#8528)

src/deploy/functions/prepare.spec.ts

@@ -2,6 +2,8 @@ import { expect } from "chai";
 
 import * as backend from "./backend";
 import * as prepare from "./prepare";
+import * as ensureApiEnabled from "../../ensureApiEnabled";
+import * as serviceusage from "../../gcp/serviceusage";
 import { BEFORE_CREATE_EVENT, BEFORE_SIGN_IN_EVENT } from "../../functions/events/v1";
 import * as sinon from "sinon";
 import * as prompt from "../../prompt";
@@ -419,4 +421,96 @@ describe("prepare", () => {
  ).to.be.rejectedWith(FirebaseError);
  });
  });
+
+ describe("ensureAllRequiredAPIsEnabled", () => {
+ let sinonSandbox: sinon.SinonSandbox;
+ let ensureApiStub: sinon.SinonStub;
+ let generateServiceIdentityStub: sinon.SinonStub;
+
+ beforeEach(() => {
+ sinonSandbox = sinon.createSandbox();
+ ensureApiStub = sinonSandbox.stub(ensureApiEnabled, "ensure").resolves();
+ generateServiceIdentityStub = sinonSandbox
+ .stub(serviceusage, "generateServiceIdentity")
+ .resolves();
+ });
+
+ afterEach(() => {
+ sinonSandbox.restore();
+ });
+
+ it("should not enable any APIs for an empty backend", async () => {
+ await prepare.ensureAllRequiredAPIsEnabled("project", backend.empty());
+ expect(ensureApiStub.called).to.be.false;
+ expect(generateServiceIdentityStub.called).to.be.false;
+ });
+
+ it("should enable APIs from backend.requiredAPIs", async () => {
+ const api1 = "testapi1.googleapis.com";
+ const api2 = "testapi2.googleapis.com";
+ const b = backend.empty();
+ b.requiredAPIs = [{ api: api1 }, { api: api2 }];
+
+ await prepare.ensureAllRequiredAPIsEnabled("project", b);
+ expect(ensureApiStub.calledWith("project", api1, "functions", false)).to.be.true;
+ expect(ensureApiStub.calledWith("project", api2, "functions", false)).to.be.true;
+ });
+
+ it("should enable Secret Manager API if secrets are used ", async () => {
+ const e: backend.Endpoint = {
+ id: "hasSecrets",
+ platform: "gcfv1",
+ region: "us-central1",
+ project: "project",
+ entryPoint: "entry",
+ runtime: "nodejs22",
+ httpsTrigger: {},
+ secretEnvironmentVariables: [
+ {
+ key: "SECRET",
+ secret: "secret",
+ projectId: "project",
+ },
+ ],
+ };
+ await prepare.ensureAllRequiredAPIsEnabled("project", backend.of(e));
+ expect(
+ ensureApiStub.calledWith(
+ "project",
+ "https://secretmanager.googleapis.com",
+ "functions",
+ false,
+ ),
+ ).to.be.true;
+ });
+
+ it("should enable GCFv2 APIs and generate required service identities", async () => {
+ const e: backend.Endpoint = {
+ id: "v2",
+ platform: "gcfv2",
+ region: "us-central1",
+ project: "project",
+ entryPoint: "entry",
+ runtime: "nodejs22",
+ httpsTrigger: {},
+ };
+
+ await prepare.ensureAllRequiredAPIsEnabled("project", backend.of(e));
+
+ expect(ensureApiStub.calledWith("project", "https://run.googleapis.com", "functions")).to.be
+ .true;
+ expect(ensureApiStub.calledWith("project", "https://eventarc.googleapis.com", "functions")).to
+ .be.true;
+ expect(ensureApiStub.calledWith("project", "https://pubsub.googleapis.com", "functions")).to
+ .be.true;
+ expect(ensureApiStub.calledWith("project", "https://storage.googleapis.com", "functions")).to
+ .be.true;
+ expect(
+ generateServiceIdentityStub.calledWith("project", "pubsub.googleapis.com", "functions"),
+ ).to.be.true;
+ expect(
+ generateServiceIdentityStub.calledWith("project", "eventarc.googleapis.com", "functions"),
+ ).to.be.true;
+ });
+ });
 });

src/deploy/functions/prepare.ts

@@ -18,6 +18,7 @@ import {
  eventarcOrigin,
  pubsubOrigin,
  storageOrigin,
+ secretManagerOrigin,
 } from "../../api";
 import { Options } from "../../options";
 import {
@@ -205,6 +206,7 @@ export async function prepare(
  `preparing ${clc.bold(sourceDirName)} directory for uploading...`,
  );
  }
+
  if (backend.someEndpoint(wantBackend, (e) => e.platform === "gcfv2")) {
  const packagedSource = await prepareFunctionsUpload(sourceDir, config);
  source.functionsSourceV2 = packagedSource?.pathToSource;
@@ -241,34 +243,9 @@ export async function prepare(
  const wantBackend = backend.merge(...Object.values(wantBackends));
  const haveBackend = backend.merge(...Object.values(haveBackends));
 
+ await ensureAllRequiredAPIsEnabled(projectNumber, wantBackend);
  await warnIfNewGenkitFunctionIsMissingSecrets(wantBackend, haveBackend, options);
 
- // Enable required APIs. This may come implicitly from triggers (e.g. scheduled triggers
- // require cloudscheudler and, in v1, require pub/sub), or can eventually come from
- // explicit dependencies.
- await Promise.all(
- Object.values(wantBackend.requiredAPIs).map(({ api }) => {
- return ensureApiEnabled.ensure(projectId, api, "functions", /* silent=*/ false);
- }),
- );
- if (backend.someEndpoint(wantBackend, (e) => e.platform === "gcfv2")) {
- // Note: Some of these are premium APIs that require billing to be enabled.
- // We'd eventually have to add special error handling for billing APIs, but
- // enableCloudBuild is called above and has this special casing already.
- const V2_APIS = [cloudRunApiOrigin(), eventarcOrigin(), pubsubOrigin(), storageOrigin()];
- const enablements = V2_APIS.map((api) => {
- return ensureApiEnabled.ensure(context.projectId, api, "functions");
- });
- await Promise.all(enablements);
- // Need to manually kick off the p4sa activation of services
- // that we use with IAM roles assignment.
- const services = ["pubsub.googleapis.com", "eventarc.googleapis.com"];
- const generateServiceAccounts = services.map((service) => {
- return generateServiceIdentity(projectNumber, service, "functions");
- });
- await Promise.all(generateServiceAccounts);
- }
-
  // ===Phase 6. Ask for user prompts for things might warrant user attentions.
  // We limit the scope endpoints being deployed.
  const matchingBackend = backend.matchingBackend(wantBackend, (endpoint) => {
@@ -533,3 +510,48 @@ export async function warnIfNewGenkitFunctionIsMissingSecrets(
  }
  }
 }
+
+// Enable required APIs. This may come implicitly from triggers (e.g. scheduled triggers
+// require cloudscheduler and, in v1, require pub/sub), use of features (secrets), or explicit dependencies.
+export async function ensureAllRequiredAPIsEnabled(
+ projectNumber: string,
+ wantBackend: backend.Backend,
+): Promise<void> {
+ await Promise.all(
+ Object.values(wantBackend.requiredAPIs).map(({ api }) => {
+ return ensureApiEnabled.ensure(projectNumber, api, "functions", /* silent=*/ false);
+ }),
+ );
+ if (backend.someEndpoint(wantBackend, (e) => e.platform === "gcfv2")) {
+ // Note: Some of these are premium APIs that require billing to be enabled.
+ // We'd eventually have to add special error handling for billing APIs, but
+ // enableCloudBuild is called above and has this special casing already.
+ const V2_APIS = [cloudRunApiOrigin(), eventarcOrigin(), pubsubOrigin(), storageOrigin()];
+ const enablements = V2_APIS.map((api) => {
+ return ensureApiEnabled.ensure(projectNumber, api, "functions");
+ });
+ await Promise.all(enablements);
+ // Need to manually kick off the p4sa activation of services
+ // that we use with IAM roles assignment.
+ const services = ["pubsub.googleapis.com", "eventarc.googleapis.com"];
+ const generateServiceAccounts = services.map((service) => {
+ return generateServiceIdentity(projectNumber, service, "functions");
+ });
+ await Promise.all(generateServiceAccounts);
+ }
+
+ // If function is making use of secrets, go ahead and enable Secret Manager API.
+ if (
+ backend.someEndpoint(
+ wantBackend,
+ (e) => !!(e.secretEnvironmentVariables && e.secretEnvironmentVariables.length > 0),
+ )
+ ) {
+ await ensureApiEnabled.ensure(
+ projectNumber,
+ secretManagerOrigin(),
+ "functions",
+ /* silent=*/ false,
+ );
+ }
+}