GoogleFirebaseAppCheckResourcePolicy class final
Factory wrapper for google_firebase_app_check_resource_policy.
App Check enforcement policy for a specific resource of a Google service supported by App Check. Note that this policy will override the service-level configuration.
Required identity:
localName: Terraform local name (the address segment aftergoogle_firebase_app_check_resource_policy.).service_id: the service this policy applies to. Currently supported values:oauth2.googleapis.com(Google Identity for iOS) The provider does not enumerate this set in the v7 schema, so the parameter stays a plainTfArg<String>; apply your own validation in calling code.
target_resource: the fully-qualified name of the resource this policy applies to. The format is service-specific. For iOS OAuth clients://oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}.
Optional:
enforcementMode: AppCheckEnforcementMode.unenforced collects metrics without blocking requests; AppCheckEnforcementMode.enforced blocks unverified requests for the specifictargetResource. The per-resource setting OVERRIDES the service-wideGoogleFirebaseAppCheckServiceConfig.enforcementModefor the same service. Leaving it null is equivalent toOFFin the REST API — no enforcement, no metrics — and deleting the Terraform resource restores the resource toOFF.
Example (enforce App Check on one iOS OAuth client):
final iosOauthEnforcement = GoogleFirebaseAppCheckResourcePolicy(
localName: 'ios_oauth_enforce',
serviceId: TfArg.literal('oauth2.googleapis.com'),
targetResource: TfArg.literal(
'//oauth2.googleapis.com/projects/123456789/oauthClients/abc-def-ghi',
),
enforcementMode: TfArg.literal(AppCheckEnforcementMode.enforced),
);
Configures App Check enforcement for a single, named resource (e.g. one specific iOS OAuth client) within a service. This overrides the broader GoogleFirebaseAppCheckServiceConfig setting for the same service — letting you progressively roll enforcement out per resource instead of flipping the entire service at once.
Caution: enabling AppCheckEnforcementMode.enforced on a production resource will reject requests from clients running app versions that have not yet been updated to integrate App Check. Run with AppCheckEnforcementMode.unenforced first to gather metrics.
No nested blocks aside from the meta-arg timeouts.
Constructors
-
GoogleFirebaseAppCheckResourcePolicy({required String localName, required TfArg<
String> serviceId, required TfArg<String> targetResource, TfArg<AppCheckEnforcementMode> ? enforcementMode, TfArg<String> ? project, LifecycleOptions? lifecycle, List<DependencyTarget> ? dependsOn})
Properties
-
argMap
→ Map<
String, TfArg?> -
Argument-name → TfArg map. Keys are snake_case (Terraform JSON name).
Synth emits these keys directly; the factory is responsible for the
camelCase → snake_case translation at construction time.
finalinherited
-
dependsOn
→ List<
DependencyTarget> ? -
Optional
depends_on = [...]. Each entry is aDependencyTarget— either a wholesale resource (rendered as bare address) or an explicitTfRef(rendered viabareAddress).finalinherited -
etag
→ TfRef<
String> -
Reference to
etag(used for optimistic concurrency on update / delete).no setter - hashCode → int
-
The hash code for this object.
no setterinherited
-
id
→ TfRef<
String> -
Reference to
idattribute (the full resource path).no setter - kind → ResourceKind
-
Always
ResourceKind.resource. Overridden byData.no setterinherited - lifecycle → LifecycleOptions?
-
Optional
lifecycle { ... }block.finalinherited - localName → String
-
User-supplied local name within a Stack.
finalinherited
-
resourcePolicyIdRef
→ TfRef<
String> -
Reference to
resource_policy_id-- the server-generated UID for the policy. Populated after apply.no setter - runtimeType → Type
-
A representation of the runtime type of the object.
no setterinherited
-
sensitiveFields
→ Set<
String> -
Field names that are
@Sensitiveper the IR-derived per-resource constant. Curated factories override with a baked-instatic const Set<String>(file-private in v0.5+).no setter - supportsDeletionProtection → bool
-
Capability flag: true when this resource's underlying Terraform
schema has a
deletion_protectionboolean attribute that the synth-time devMode flow can flip tofalse. Defaults to false; the codegen emitter overrides this totruefor wrappers whose schema includes the attribute.no setterinherited - terraformType → String
-
Terraform resource type, e.g.
google_pubsub_topic.finalinherited - tfAddress → String
-
no setterinherited
-
updateTime
→ TfRef<
String> -
Reference to
update_time-- RFC3339 timestamp of the last server-side mutation.no setter
Methods
-
noSuchMethod(
Invocation invocation) → dynamic -
Invoked when a nonexistent method or property is accessed.
inherited
-
toString(
) → String -
A string representation of this object.
inherited
Operators
-
operator ==(
Object other) → bool -
The equality operator.
inherited