Identity Platform configuration for a Cloud project. Identity Platform is an end-to-end authentication system for third-party users to access apps and services.

This entity is created only once during initialization and cannot be deleted; individual Identity Providers may be disabled instead. This resource may only be created in billing-enabled projects.

To get more information about Config, see:
```hcl
resource "google_project" "default" {
  project_id      = "my-project"
  name            = "my-project"
  org_id          = "123456789"
  billing_account = "000000-0000000-0000000-000000"
  labels = {
    firebase = "enabled"
  }
}

resource "google_project_service" "identitytoolkit" {
  project = google_project.default.project_id
  service = "identitytoolkit.googleapis.com"
}

resource "google_identity_platform_config" "default" {
  project                    = google_project.default.project_id
  autodelete_anonymous_users = true

  sign_in {
    allow_duplicate_emails = true

    anonymous {
      enabled = true
    }

    email {
      enabled           = true
      password_required = false
    }

    phone_number {
      enabled = true
      test_phone_numbers = {
        "+11231231234" = "000000"
      }
    }
  }

  sms_region_config {
    allowlist_only {
      allowed_regions = [
        "US",
        "CA",
      ]
    }
  }

  blocking_functions {
    triggers {
      event_type   = "beforeSignIn"
      function_uri = "https://us-east1-my-project.cloudfunctions.net/before-sign-in"
    }
    forward_inbound_credentials {
      refresh_token = true
      access_token  = true
      id_token      = true
    }
  }

  quota {
    sign_up_quota_config {
      quota          = 1000
      start_time     = ""
      quota_duration = "7200s"
    }
  }

  authorized_domains = [
    "localhost",
    "my-project.firebaseapp.com",
    "my-project.web.app",
  ]
}
```
The following arguments are supported:

* `autodelete_anonymous_users` - (Optional) Whether anonymous users will be auto-deleted after a period of 30 days.
* `sign_in` - (Optional) Configuration related to local sign in methods. Structure is documented below.
* `blocking_functions` - (Optional) Configuration related to blocking functions. Structure is documented below.
* `quota` - (Optional) Configuration related to quotas. Structure is documented below.
* `authorized_domains` - (Optional) List of domains authorized for OAuth redirects.
* `sms_region_config` - (Optional) Configures the regions where users are allowed to send verification SMS for the project or tenant. This is based on the calling code of the destination phone number. Structure is documented below.
* `client` - (Optional) Options related to how clients making requests on behalf of a project should be configured. Structure is documented below.
* `mfa` - (Optional) Options related to multi-factor authentication for this project. Structure is documented below.
* `multi_tenant` - (Optional) Configuration related to multi-tenant functionality. Structure is documented below.
* `monitoring` - (Optional) Configuration related to monitoring project activity. Structure is documented below.
* `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
The `sign_in` block supports:

* `email` - (Optional) Configuration options related to authenticating a user by their email address. Structure is documented below.
* `phone_number` - (Optional) Configuration options related to authenticating a user by their phone number. Structure is documented below.
* `anonymous` - (Optional) Configuration options related to authenticating an anonymous user. Structure is documented below.
* `allow_duplicate_emails` - (Optional) Whether to allow more than one account to have the same email.
* `hash_config` - (Output) Output only. Hash config information. Structure is documented below.

The `email` block supports:

* `enabled` - (Required) Whether email auth is enabled for the project or not.
* `password_required` - (Optional) Whether a password is required for email auth or not. If true, both an email and password must be provided to sign in. If false, a user may sign in via either email/password or email link.

The `phone_number` block supports:

* `enabled` - (Required) Whether phone number auth is enabled for the project or not.
* `test_phone_numbers` - (Optional) A map of

The `anonymous` block supports:

* `enabled` - (Required) Whether anonymous user auth is enabled for the project or not.

The `hash_config` block contains:

* `algorithm` - (Output) Different password hash algorithms used in Identity Toolkit.
* `signer_key` - (Output) Signer key in base64.
* `salt_separator` - (Output) Non-printable character to be inserted between the salt and plain text password, in base64.
* `rounds` - (Output) How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms.
* `memory_cost` - (Output) Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for an explanation of the field.
The `blocking_functions` block supports:

* `triggers` - (Required) Map of Trigger to event type. Key should be one of the supported event types: "beforeCreate", "beforeSignIn". Structure is documented below.
* `forward_inbound_credentials` - (Optional) The user credentials to include in the JWT payload that is sent to the registered Blocking Functions. Structure is documented below.

The `triggers` block supports:

* `event_type` - (Required) The identifier for this object. Format specified above.
* `function_uri` - (Required) HTTP URI trigger for the Cloud Function.
* `update_time` - (Output) When the trigger was changed.

The `forward_inbound_credentials` block supports:

* `id_token` - (Optional) Whether to pass the user's OIDC identity provider's ID token.
* `access_token` - (Optional) Whether to pass the user's OAuth identity provider's access token.
* `refresh_token` - (Optional) Whether to pass the user's OAuth identity provider's refresh token.

The `quota` block supports:

* `sign_up_quota_config` - (Optional) Quota for the Signup endpoint, if overwritten. Signup quota is measured in sign ups per project per hour per IP. Structure is documented below.

The `sign_up_quota_config` block supports:

* `quota` - (Optional) A sign up APIs quota that customers can override temporarily.
* `start_time` - (Optional) When this quota will take effect.
* `quota_duration` - (Optional) How long this quota will be active for. It is measured in seconds, e.g. "9.615s".
The `sms_region_config` block supports:

* `allow_by_default` - (Optional) A policy of allowing SMS to every region by default and adding disallowed regions to a disallow list. Structure is documented below.
* `allowlist_only` - (Optional) A policy of only allowing regions by explicitly adding them to an allowlist. Structure is documented below.

The `allow_by_default` block supports:

* `disallowed_regions` - (Optional) Two letter unicode region codes to disallow as defined by https://cldr.unicode.org/. The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json

The `allowlist_only` block supports:

* `allowed_regions` - (Optional) Two letter unicode region codes to allow as defined by https://cldr.unicode.org/. The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json

The `client` block supports:

* `permissions` - (Optional) Configuration related to restricting a user's ability to affect their account. Structure is documented below.
* `api_key` - (Output) API key that can be used when making requests for this project. Note: This property is sensitive and will not be displayed in the plan.
* `firebase_subdomain` - (Output) Firebase subdomain.

The `permissions` block supports:

* `disabled_user_signup` - (Optional) When true, end users cannot sign up for a new account on the associated project through any of our API methods.
* `disabled_user_deletion` - (Optional) When true, end users cannot delete their account on the associated project through any of our API methods.

The `mfa` block supports:

* `state` - (Optional) Whether MultiFactor Authentication has been enabled for this project. Possible values are: `DISABLED`, `ENABLED`, `MANDATORY`.
* `enabled_providers` - (Optional) A list of usable second factors for this project. Each value may be one of: `PHONE_SMS`.
* `provider_configs` - (Optional) A list of usable second factors for this project along with their configurations. This field does not support phone based MFA; for that use the 'enabledProviders' field. Structure is documented below.

The `provider_configs` block supports:

* `state` - (Optional) Whether MultiFactor Authentication has been enabled for this project. Possible values are: `DISABLED`, `ENABLED`, `MANDATORY`.
* `totp_provider_config` - (Optional) TOTP MFA provider config for this project. Structure is documented below.

The `totp_provider_config` block supports:

* `adjacent_intervals` - (Optional) The allowed number of adjacent intervals that will be used for verification to avoid clock skew.

The `multi_tenant` block supports:

* `allow_tenants` - (Optional) Whether this project can have tenants or not.
* `default_tenant_location` - (Optional) The default cloud parent org or folder that the tenant project should be created under. The parent resource name should be in the format of "/", such as "folders/123" or "organizations/456". If the value is not set, the tenant will be created under the same organization or folder as the agent project.
The `monitoring` block supports:

* `request_logging` - (Optional) Configuration for logging requests made to this project to Stackdriver Logging. Structure is documented below.

The `request_logging` block supports:

* `enabled` - (Optional) Whether logging is enabled for this project or not.

In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `projects/{{project}}/config`
* `name` - The name of the Config resource
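As an added example (it is not part of the provider documentation and not a configuration shipped by the provider), the resource below uses the blocks documented in the Argument Reference above with more restrictive settings than the first example: one account per email, a password always required, anonymous sign in off, no fixed test verification codes, blocking functions that receive only the ID token rather than the identity provider's access and refresh tokens, self-service sign up and account deletion disabled, MFA enabled with a TOTP provider, tenants disabled, request logging on, and `localhost` left out of the authorized domains. The project reference `google_project.default`, the Cloud Function URLs and the quota values are assumed placeholders; nothing here is a value the page itself prescribes.

```hcl
# Added example, not from the provider documentation. google_project.default,
# the function URLs and the quota numbers are placeholders to replace.
resource "google_identity_platform_config" "hardened" {
  project = google_project.default.project_id

  # Anonymous users are not allowed below, but if they are ever turned on,
  # stale anonymous accounts are purged after 30 days.
  autodelete_anonymous_users = true

  sign_in {
    # One account per email address.
    allow_duplicate_emails = false

    anonymous {
      enabled = false
    }

    email {
      enabled = true
      # Both email and password are required; email-link-only sign in is off.
      password_required = true
    }

    phone_number {
      enabled = true
      # No test_phone_numbers: fixed verification codes are for non-production
      # projects only.
    }
  }

  sms_region_config {
    allowlist_only {
      allowed_regions = ["US", "CA"]
    }
  }

  blocking_functions {
    triggers {
      event_type   = "beforeCreate"
      function_uri = "https://us-east1-my-project.cloudfunctions.net/before-create" # placeholder
    }
    triggers {
      event_type   = "beforeSignIn"
      function_uri = "https://us-east1-my-project.cloudfunctions.net/before-sign-in" # placeholder
    }
    # The functions only need to identify the user, so only the ID token is
    # forwarded; the provider's access and refresh tokens stay out of the JWT.
    forward_inbound_credentials {
      id_token      = true
      access_token  = false
      refresh_token = false
    }
  }

  quota {
    sign_up_quota_config {
      quota          = 100     # placeholder: sign ups per project per hour per IP
      quota_duration = "3600s" # placeholder
    }
  }

  client {
    permissions {
      # Accounts are provisioned by an administrative flow, not self-service.
      disabled_user_signup   = true
      disabled_user_deletion = true
    }
  }

  mfa {
    state             = "ENABLED"
    enabled_providers = ["PHONE_SMS"]
    provider_configs {
      state = "ENABLED"
      totp_provider_config {
        # One interval of clock skew either side of the current TOTP window.
        adjacent_intervals = 1
      }
    }
  }

  multi_tenant {
    allow_tenants = false
  }

  monitoring {
    request_logging {
      enabled = true
    }
  }

  # localhost is omitted: OAuth redirects back to a developer machine are a
  # non-production concern.
  authorized_domains = [
    "my-project.firebaseapp.com",
    "my-project.web.app",
  ]
}
```

Running `terraform plan` against an existing project shows exactly which of these settings differ from the current Config, which is a convenient way to review drift in the sign-in and MFA policy; remember that `client.api_key` is marked sensitive and will not appear in that plan output.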
This resource provides the following Timeouts configuration options:

* `create` - Default is 20 minutes.
* `update` - Default is 20 minutes.
* `delete` - Default is 20 minutes.

Config can be imported using any of these accepted formats:

* `projects/{{project}}/config`
* `projects/{{project}}`
* `{{project}}`

In Terraform v1.5.0 and later, use an `import` block to import Config using one of the formats above. For example:

```hcl
import {
  id = "projects/{{project}}/config"
  to = google_identity_platform_config.default
}
```

When using the `terraform import` command, Config can be imported using one of the formats above. For example:

```
$ terraform import google_identity_platform_config.default projects/{{project}}/config
$ terraform import google_identity_platform_config.default projects/{{project}}
$ terraform import google_identity_platform_config.default {{project}}
```

This resource supports User Project Overrides.