gcp.firebase.AppCheckResourcePolicy

Google Cloud v9.23.0, May 7 26

Viewing docs for Google Cloud v9.23.0
published on Thursday, May 7, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

Viewing docs for Google Cloud v9.23.0
published on Thursday, May 7, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

Example Usage

Firebase App Check Resource Policy Oauth2 Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const firebaseappcheck = new gcp.projects.Service("firebaseappcheck", {
    project: "my-project-name",
    service: "firebaseappcheck.googleapis.com",
});
const _default = new gcp.firebase.AppCheckResourcePolicy("default", {
    project: "my-project-name",
    serviceId: "oauth2.googleapis.com",
    targetResource: "//oauth2.googleapis.com/projects/my-project-name/oauthClients/example-client-id",
    enforcementMode: "UNENFORCED",
}, {
    dependsOn: [firebaseappcheck],
});

import pulumi
import pulumi_gcp as gcp

firebaseappcheck = gcp.projects.Service("firebaseappcheck",
    project="my-project-name",
    service="firebaseappcheck.googleapis.com")
default = gcp.firebase.AppCheckResourcePolicy("default",
    project="my-project-name",
    service_id="oauth2.googleapis.com",
    target_resource="//oauth2.googleapis.com/projects/my-project-name/oauthClients/example-client-id",
    enforcement_mode="UNENFORCED",
    opts = pulumi.ResourceOptions(depends_on=[firebaseappcheck]))

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/firebase"
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/projects"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		firebaseappcheck, err := projects.NewService(ctx, "firebaseappcheck", &projects.ServiceArgs{
			Project: pulumi.String("my-project-name"),
			Service: pulumi.String("firebaseappcheck.googleapis.com"),
		})
		if err != nil {
			return err
		}
		_, err = firebase.NewAppCheckResourcePolicy(ctx, "default", &firebase.AppCheckResourcePolicyArgs{
			Project:         pulumi.String("my-project-name"),
			ServiceId:       pulumi.String("oauth2.googleapis.com"),
			TargetResource:  pulumi.String("//oauth2.googleapis.com/projects/my-project-name/oauthClients/example-client-id"),
			EnforcementMode: pulumi.String("UNENFORCED"),
		}, pulumi.DependsOn([]pulumi.Resource{
			firebaseappcheck,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var firebaseappcheck = new Gcp.Projects.Service("firebaseappcheck", new()
    {
        Project = "my-project-name",
        ServiceName = "firebaseappcheck.googleapis.com",
    });

    var @default = new Gcp.Firebase.AppCheckResourcePolicy("default", new()
    {
        Project = "my-project-name",
        ServiceId = "oauth2.googleapis.com",
        TargetResource = "//oauth2.googleapis.com/projects/my-project-name/oauthClients/example-client-id",
        EnforcementMode = "UNENFORCED",
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            firebaseappcheck,
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.projects.Service;
import com.pulumi.gcp.projects.ServiceArgs;
import com.pulumi.gcp.firebase.AppCheckResourcePolicy;
import com.pulumi.gcp.firebase.AppCheckResourcePolicyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var firebaseappcheck = new Service("firebaseappcheck", ServiceArgs.builder()
            .project("my-project-name")
            .service("firebaseappcheck.googleapis.com")
            .build());

        var default_ = new AppCheckResourcePolicy("default", AppCheckResourcePolicyArgs.builder()
            .project("my-project-name")
            .serviceId("oauth2.googleapis.com")
            .targetResource("//oauth2.googleapis.com/projects/my-project-name/oauthClients/example-client-id")
            .enforcementMode("UNENFORCED")
            .build(), CustomResourceOptions.builder()
                .dependsOn(firebaseappcheck)
                .build());

    }
}

resources:
  firebaseappcheck:
    type: gcp:projects:Service
    properties:
      project: my-project-name
      service: firebaseappcheck.googleapis.com
  default:
    type: gcp:firebase:AppCheckResourcePolicy
    properties:
      project: my-project-name
      serviceId: oauth2.googleapis.com
      targetResource: //oauth2.googleapis.com/projects/my-project-name/oauthClients/example-client-id
      enforcementMode: UNENFORCED
    options:
      dependsOn:
        - ${firebaseappcheck}

Create AppCheckResourcePolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AppCheckResourcePolicy(name: string, args: AppCheckResourcePolicyArgs, opts?: CustomResourceOptions);

@overload
def AppCheckResourcePolicy(resource_name: str,
                           args: AppCheckResourcePolicyArgs,
                           opts: Optional[ResourceOptions] = None)

@overload
def AppCheckResourcePolicy(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           service_id: Optional[str] = None,
                           target_resource: Optional[str] = None,
                           enforcement_mode: Optional[str] = None,
                           project: Optional[str] = None)

func NewAppCheckResourcePolicy(ctx *Context, name string, args AppCheckResourcePolicyArgs, opts ...ResourceOption) (*AppCheckResourcePolicy, error)

public AppCheckResourcePolicy(string name, AppCheckResourcePolicyArgs args, CustomResourceOptions? opts = null)

public AppCheckResourcePolicy(String name, AppCheckResourcePolicyArgs args)
public AppCheckResourcePolicy(String name, AppCheckResourcePolicyArgs args, CustomResourceOptions options)

type: gcp:firebase:AppCheckResourcePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AppCheckResourcePolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AppCheckResourcePolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AppCheckResourcePolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AppCheckResourcePolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AppCheckResourcePolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var appCheckResourcePolicyResource = new Gcp.Firebase.AppCheckResourcePolicy("appCheckResourcePolicyResource", new()
{
    ServiceId = "string",
    TargetResource = "string",
    EnforcementMode = "string",
    Project = "string",
});

example, err := firebase.NewAppCheckResourcePolicy(ctx, "appCheckResourcePolicyResource", &firebase.AppCheckResourcePolicyArgs{
	ServiceId:       pulumi.String("string"),
	TargetResource:  pulumi.String("string"),
	EnforcementMode: pulumi.String("string"),
	Project:         pulumi.String("string"),
})

var appCheckResourcePolicyResource = new AppCheckResourcePolicy("appCheckResourcePolicyResource", AppCheckResourcePolicyArgs.builder()
    .serviceId("string")
    .targetResource("string")
    .enforcementMode("string")
    .project("string")
    .build());

app_check_resource_policy_resource = gcp.firebase.AppCheckResourcePolicy("appCheckResourcePolicyResource",
    service_id="string",
    target_resource="string",
    enforcement_mode="string",
    project="string")

const appCheckResourcePolicyResource = new gcp.firebase.AppCheckResourcePolicy("appCheckResourcePolicyResource", {
    serviceId: "string",
    targetResource: "string",
    enforcementMode: "string",
    project: "string",
});

type: gcp:firebase:AppCheckResourcePolicy
properties:
    enforcementMode: string
    project: string
    serviceId: string
    targetResource: string

AppCheckResourcePolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AppCheckResourcePolicy resource accepts the following input properties:

ServiceId string

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

TargetResource string

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

EnforcementMode string

The App Check enforcement mode for a service supported by App Check. This will override the EnforcementMode setting on the service. Valid values are: (Unset) Firebase App Check is not enforced for the service, nor are App Check metrics collected. Though the service is not protected by App Check in this mode, other applicable protections, such as user authorization, are still enforced. An unconfigured service is in this mode by default. This is equivalent to OFF in the REST API. Deleting the Terraform resource will also switch the enforcement to OFF for this service. UNENFORCED Firebase App Check is not enforced for the service. App Check metrics are collected to help you decide when to turn on enforcement for the service. Though the service is not protected by App Check in this mode, other applicable protections, such as user authorization, are still enforced. ENFORCED Firebase App Check is enforced for the service. The service will reject any request that attempts to access your project's resources if it does not have valid App Check token attached, with some exceptions depending on the service; for example, some services will still allow requests bearing the developer's privileged service account credentials without an App Check token. App Check metrics continue to be collected to help you detect issues with your App Check integration and monitor the composition of your callers. While the service is protected by App Check, other applicable protections, such as user authorization, continue to be enforced at the same time. Use caution when choosing to enforce App Check on a Firebase service. If your users have not updated to an App Check capable version of your app, their apps will no longer be able to use your Firebase services that are enforcing App Check. App Check metrics can help you decide whether to enforce App Check on your Firebase services. If your app has not launched yet, you should enable enforcement immediately, since there are no outdated clients in use. Possible values are: UNENFORCED, ENFORCED.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

ServiceId string

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

TargetResource string

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

EnforcementMode string

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

serviceId String

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

targetResource String

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

enforcementMode String

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

serviceId string

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

targetResource string

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

enforcementMode string

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

service_id str

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

target_resource str

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

enforcement_mode str

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

serviceId String

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

targetResource String

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

enforcementMode String

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the AppCheckResourcePolicy resource produces the following output properties:

Etag string: This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
Id string: The provider-assigned unique ID for this managed resource.
ResourcePolicyId string: The server-generated UID for the Resource Policy.
UpdateTime string: Output only. Timestamp when this resource policy configuration object was most recently updated.

Etag string: This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
Id string: The provider-assigned unique ID for this managed resource.
ResourcePolicyId string: The server-generated UID for the Resource Policy.
UpdateTime string: Output only. Timestamp when this resource policy configuration object was most recently updated.

etag String: This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
id String: The provider-assigned unique ID for this managed resource.
resourcePolicyId String: The server-generated UID for the Resource Policy.
updateTime String: Output only. Timestamp when this resource policy configuration object was most recently updated.

etag string: This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
id string: The provider-assigned unique ID for this managed resource.
resourcePolicyId string: The server-generated UID for the Resource Policy.
updateTime string: Output only. Timestamp when this resource policy configuration object was most recently updated.

etag str: This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
id str: The provider-assigned unique ID for this managed resource.
resource_policy_id str: The server-generated UID for the Resource Policy.
update_time str: Output only. Timestamp when this resource policy configuration object was most recently updated.

etag String: This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
id String: The provider-assigned unique ID for this managed resource.
resourcePolicyId String: The server-generated UID for the Resource Policy.
updateTime String: Output only. Timestamp when this resource policy configuration object was most recently updated.

Look up Existing AppCheckResourcePolicy Resource

Get an existing AppCheckResourcePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AppCheckResourcePolicyState, opts?: CustomResourceOptions): AppCheckResourcePolicy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        enforcement_mode: Optional[str] = None,
        etag: Optional[str] = None,
        project: Optional[str] = None,
        resource_policy_id: Optional[str] = None,
        service_id: Optional[str] = None,
        target_resource: Optional[str] = None,
        update_time: Optional[str] = None) -> AppCheckResourcePolicy

func GetAppCheckResourcePolicy(ctx *Context, name string, id IDInput, state *AppCheckResourcePolicyState, opts ...ResourceOption) (*AppCheckResourcePolicy, error)

public static AppCheckResourcePolicy Get(string name, Input<string> id, AppCheckResourcePolicyState? state, CustomResourceOptions? opts = null)

public static AppCheckResourcePolicy get(String name, Output<String> id, AppCheckResourcePolicyState state, CustomResourceOptions options)

resources:  _:    type: gcp:firebase:AppCheckResourcePolicy    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

EnforcementMode string

Etag string

This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

ResourcePolicyId string

The server-generated UID for the Resource Policy.

ServiceId string

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

TargetResource string

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

UpdateTime string

Output only. Timestamp when this resource policy configuration object was most recently updated.

EnforcementMode string

Etag string

This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

ResourcePolicyId string

The server-generated UID for the Resource Policy.

ServiceId string

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

TargetResource string

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

UpdateTime string

Output only. Timestamp when this resource policy configuration object was most recently updated.

enforcementMode String

etag String

This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

resourcePolicyId String

The server-generated UID for the Resource Policy.

serviceId String

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

targetResource String

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

updateTime String

Output only. Timestamp when this resource policy configuration object was most recently updated.

enforcementMode string

etag string

This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

resourcePolicyId string

The server-generated UID for the Resource Policy.

serviceId string

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

targetResource string

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

updateTime string

Output only. Timestamp when this resource policy configuration object was most recently updated.

enforcement_mode str

etag str

This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

resource_policy_id str

The server-generated UID for the Resource Policy.

service_id str

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

target_resource str

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

update_time str

Output only. Timestamp when this resource policy configuration object was most recently updated.

enforcementMode String

etag String

This checksum is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

resourcePolicyId String

The server-generated UID for the Resource Policy.

serviceId String

The identifier of the service to configure a Resource Policy for. Currently, the following service IDs are supported:

oauth2.googleapis.com (Google Identity for iOS)

targetResource String

Service specific name of the resource object to which this policy applies, in the format:

iOS OAuth clients (Google Identity for iOS): //oauth2.googleapis.com/projects/{project_number}/oauthClients/{oauthClientId}

updateTime String

Output only. Timestamp when this resource policy configuration object was most recently updated.

Import

ResourcePolicy can be imported using any of these accepted formats:

projects/{{project}}/services/{{service_id}}/resourcePolicies/{{resource_policy_id}}
{{project}}/{{service_id}}/{{resource_policy_id}}
{{service_id}}/{{resource_policy_id}}

When using the pulumi import command, ResourcePolicy can be imported using one of the formats above. For example:

$ pulumi import gcp:firebase/appCheckResourcePolicy:AppCheckResourcePolicy default projects/{{project}}/services/{{service_id}}/resourcePolicies/{{resource_policy_id}}
$ pulumi import gcp:firebase/appCheckResourcePolicy:AppCheckResourcePolicy default {{project}}/{{service_id}}/{{resource_policy_id}}
$ pulumi import gcp:firebase/appCheckResourcePolicy:AppCheckResourcePolicy default {{service_id}}/{{resource_policy_id}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Viewing docs for Google Cloud v9.23.0
published on Thursday, May 7, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-gcp

gcp.firebase.AppCheckResourcePolicy

On this page

On this page

Example Usage

Firebase App Check Resource Policy Oauth2 Basic

Create AppCheckResourcePolicy Resource

Constructor syntax

Parameters

Constructor example

AppCheckResourcePolicy Resource Properties

Inputs

Outputs

Look up Existing AppCheckResourcePolicy Resource

Import

Package Details

On this page

On this page