GoogleFirebaseAppCheckResourcePolicy class final

Factory wrapper for google_firebase_app_check_resource_policy.

App Check enforcement policy for a specific resource of a Google service supported by App Check. Note that this policy will override the service-level configuration.

Required identity:

  • localName: Terraform local name (the address segment after google_firebase_app_check_resource_policy.).
  • service_id: the service this policy applies to. Currently supported values:
    • oauth2.googleapis.com (Google Identity for iOS) The provider does not enumerate this set in the v7 schema, so the parameter stays a plain TfArg<String>; apply your own validation in calling code.
  • target_resource: the fully-qualified name of the resource this policy applies to. The format is service-specific. For iOS OAuth clients: //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}.

Optional:

  • enforcementMode: AppCheckEnforcementMode.unenforced collects metrics without blocking requests; AppCheckEnforcementMode.enforced blocks unverified requests for the specific targetResource. The per-resource setting OVERRIDES the service-wide GoogleFirebaseAppCheckServiceConfig.enforcementMode for the same service. Leaving it null is equivalent to OFF in the REST API — no enforcement, no metrics — and deleting the Terraform resource restores the resource to OFF.

Example (enforce App Check on one iOS OAuth client):

final iosOauthEnforcement = GoogleFirebaseAppCheckResourcePolicy(
  localName: 'ios_oauth_enforce',
  serviceId: TfArg.literal('oauth2.googleapis.com'),
  targetResource: TfArg.literal(
    '//oauth2.googleapis.com/projects/123456789/oauthClients/abc-def-ghi',
  ),
  enforcementMode: TfArg.literal(AppCheckEnforcementMode.enforced),
);

Configures App Check enforcement for a single, named resource (e.g. one specific iOS OAuth client) within a service. This overrides the broader GoogleFirebaseAppCheckServiceConfig setting for the same service — letting you progressively roll enforcement out per resource instead of flipping the entire service at once.

Caution: enabling AppCheckEnforcementMode.enforced on a production resource will reject requests from clients running app versions that have not yet been updated to integrate App Check. Run with AppCheckEnforcementMode.unenforced first to gather metrics.

No nested blocks aside from the meta-arg timeouts.

Constructors

GoogleFirebaseAppCheckResourcePolicy({required String localName, required TfArg<String> serviceId, required TfArg<String> targetResource, TfArg<AppCheckEnforcementMode>? enforcementMode, TfArg<String>? project, LifecycleOptions? lifecycle, List<DependencyTarget>? dependsOn})

Properties

argMap Map<String, TfArg?>
Argument-name → TfArg map. Keys are snake_case (Terraform JSON name). Synth emits these keys directly; the factory is responsible for the camelCase → snake_case translation at construction time.
finalinherited
dependsOn List<DependencyTarget>?
Optional depends_on = [...]. Each entry is a DependencyTarget — either a wholesale resource (rendered as bare address) or an explicit TfRef (rendered via bareAddress).
finalinherited
etag → TfRef<String>
Reference to etag (used for optimistic concurrency on update / delete).
no setter
hashCode int
The hash code for this object.
no setterinherited
id → TfRef<String>
Reference to id attribute (the full resource path).
no setter
kind → ResourceKind
Always ResourceKind.resource. Overridden by Data.
no setterinherited
lifecycle → LifecycleOptions?
Optional lifecycle { ... } block.
finalinherited
localName String
User-supplied local name within a Stack.
finalinherited
resourcePolicyIdRef → TfRef<String>
Reference to resource_policy_id -- the server-generated UID for the policy. Populated after apply.
no setter
runtimeType Type
A representation of the runtime type of the object.
no setterinherited
sensitiveFields Set<String>
Field names that are @Sensitive per the IR-derived per-resource constant. Curated factories override with a baked-in static const Set<String> (file-private in v0.5+).
no setter
supportsDeletionProtection bool
Capability flag: true when this resource's underlying Terraform schema has a deletion_protection boolean attribute that the synth-time devMode flow can flip to false. Defaults to false; the codegen emitter overrides this to true for wrappers whose schema includes the attribute.
no setterinherited
terraformType String
Terraform resource type, e.g. google_pubsub_topic.
finalinherited
tfAddress String
no setterinherited
updateTime → TfRef<String>
Reference to update_time -- RFC3339 timestamp of the last server-side mutation.
no setter

Methods

noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
inherited
toString() String
A string representation of this object.
inherited

Operators

operator ==(Object other) bool
The equality operator.
inherited

Constants

tfType → const String