The Terraform configuration in infra/terraform/ provisions all Google Cloud and Firebase resources needed to run the La Previa Restobar backend. It uses the hashicorp/google and hashicorp/google-beta providers (~> 6.0) and requires Terraform >= 1.5.0. Resources are organized across dedicated .tf files for Cloud Run and Artifact Registry, Firebase, IAM, Secrets, and Auth — making each concern independently readable and maintainable.

Prerequisites

Before running any Terraform command, ensure the following tools are installed and authenticated:
  • Terraform >= 1.5.0: Install Terraform
  • Google Cloud SDK (gcloud): Install gcloud
  • An authenticated gcloud account with Owner or Editor permissions on the target project:
gcloud auth application-default login
gcloud config set project laprevia-restobar

Input Variables

All variables are declared in variables.tf (core) and cloud_run.tf (backend-specific). Copy terraform.tfvars.example to terraform.tfvars and fill in your values before running terraform apply.

Core Variables

| Variable | Description | Default |
| --- | --- | --- |
| project_id | Firebase/Google Cloud project ID | "laprevia-restobar" |
| region | Default region for cloud resources | "us-central1" |

Backend / Cloud Run Variables

| Variable | Description | Default |
| --- | --- | --- |
| backend_artifact_registry_repository_id | Artifact Registry repository ID for backend Docker images | "laprevia-backend" |
| backend_artifact_registry_location | Location of the Artifact Registry repository | "us-central1" |
| backend_image_name | Docker image name for the backend | "api-firebase" |
| backend_image_tag | Docker image tag | "latest" |
| backend_cloud_run_service_name | Name of the Cloud Run service | "laprevia-backend" |
| backend_cloud_run_min_instances | Minimum Cloud Run instance count | 0 |
| backend_cloud_run_max_instances | Maximum Cloud Run instance count | 2 |
| backend_cloud_run_cpu | CPU allocated to each container | "1" |
| backend_cloud_run_memory | Memory allocated to each container | "512Mi" |
| backend_cloud_run_allow_public_invoker | Allow unauthenticated public access | true |
| backend_service_account_json_secret_id | Secret Manager secret ID for the Firebase Admin JSON | "laprevia-backend-firebase-service-account-json" |
| backend_service_account_json_secret_version | Secret version to mount at runtime (null to skip) | null |

Set backend_service_account_json_secret_version to "latest" once you have manually uploaded the Firebase service account JSON value into Secret Manager. Leave it as null during initial provisioning to avoid a dependency error on a non-existent secret version.

Resources Provisioned

Artifact Registry

google_artifact_registry_repository.backend creates a Docker image repository in us-central1 named laprevia-backend. The Cloud Build service account is granted roles/artifactregistry.writer and the Cloud Run service agent is granted roles/artifactregistry.reader.

Cloud Run Service

google_cloud_run_v2_service.backend deploys the Express.js backend container with the following configuration:
  • Port: 3000
  • Environment variables injected at runtime:
    • NODE_ENV=production
    • FIREBASE_DATABASE_URL — resolved from the Firebase Realtime Database instance URL output
    • FIREBASE_SERVICE_ACCOUNT_JSON — mounted from Secret Manager when backend_service_account_json_secret_version is not null
  • Scaling: configurable min/max instances via variables (default 0–2)
  • Traffic: 100% routed to the latest revision
resource "google_cloud_run_v2_service" "backend" {
  provider = google-beta

  project  = local.project_id
  name     = var.backend_cloud_run_service_name
  location = var.region

  ingress = "INGRESS_TRAFFIC_ALL"

  template {
    service_account = google_service_account.backend_runtime.email

    scaling {
      min_instance_count = var.backend_cloud_run_min_instances
      max_instance_count = var.backend_cloud_run_max_instances
    }

    containers {
      image = local.backend_container_image

      ports {
        container_port = 3000
      }

      env {
        name  = "NODE_ENV"
        value = "production"
      }

      env {
        name  = "FIREBASE_DATABASE_URL"
        value = google_firebase_database_instance.default.database_url
      }

      resources {
        limits = {
          cpu    = var.backend_cloud_run_cpu
          memory = var.backend_cloud_run_memory
        }
      }
    }
  }

  traffic {
    type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
    percent = 100
  }
}

Public Invoker (Optional)

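google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers when backend_cloud_run_allow_public_invoker = true, which is the default. Combined with ingress = "INGRESS_TRAFFIC_ALL" on the service, this lets anyone on the internet call the backend without authentication. Set the variable to false for production deployments that require authenticated callers.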

Firebase Realtime Database

A Firebase Realtime Database instance is provisioned in the region specified by realtime_database_region. The instance ID defaults to laprevia-restobar-default-rtdb.

Firebase Android Apps

  • google_firebase_android_app.main — the primary Android app (com.laprevia.restobar)
  • google_firebase_android_app.staging — an optional staging app (com.laprevia.restobar.staging), created only when create_staging_android_app = true

Identity Platform / Auth

google_identity_platform_config.default configures Firebase Authentication with:
  • Email/password sign-in enabled (password required)
  • Anonymous sign-in disabled
  • Duplicate emails disallowed
  • Auto-deletion of anonymous users enabled
  • Authorized domains: localhost, laprevia-restobar.firebaseapp.com, laprevia-restobar.web.app

IAM Service Accounts

| Service Account | Account ID | Roles |
| --- | --- | --- |
| Cloud Run runtime | laprevia-backend-run | roles/firebasedatabase.admin |
| Cloud Build deployer | laprevia-backend-build | roles/artifactregistry.writer, roles/run.developer |

The Cloud Build service account is also granted roles/iam.serviceAccountUser on the runtime service account so it can deploy new revisions.

Secret Manager

google_secret_manager_secret.backend creates a secret named laprevia-backend-firebase-service-account-json with automatic replication. Terraform only creates the secret shell — it does not upload any secret value. Upload the Firebase Admin SDK JSON manually after terraform apply:
gcloud secrets versions add laprevia-backend-firebase-service-account-json \
  --data-file=path/to/serviceAccountKey.json
The Cloud Run runtime service account is granted roles/secretmanager.secretAccessor on this secret.

Enabled APIs (Phase 2)

The following Google Cloud APIs are enabled automatically when phase 2 resources are provisioned:
  • artifactregistry.googleapis.com
  • cloudbuild.googleapis.com
  • iam.googleapis.com
  • run.googleapis.com
  • secretmanager.googleapis.com

Outputs

After terraform apply completes, the following values are available via terraform output:

| Output | Description |
| --- | --- |
| backend_cloud_run_url | Public HTTPS URL of the deployed Cloud Run backend service |
| backend_container_image | Full image reference used by Cloud Run (Artifact Registry path) |
| backend_artifact_registry_repository | Name of the Artifact Registry Docker repository |
| project_id | GCP/Firebase project ID managed by this configuration |
| firebase_project_number | Firebase project number |
| android_app_id | Firebase App ID for the main Android app |
| staging_android_app_id | Firebase App ID for the staging Android app (or null) |
| realtime_database_url | Firebase Realtime Database URL injected into Cloud Run |
| realtime_database_instance_name | Full resource name of the Realtime Database instance |

Deployment Steps

1. Copy and populate terraform.tfvars

Copy the example vars file to terraform.tfvars and fill in your project’s values:
cd infra/terraform
cp terraform.tfvars.example terraform.tfvars
At minimum, review and set these values in terraform.tfvars:
project_id   = "laprevia-restobar"
project_name = "La Previa Restobar"

create_project = false   # set true only if creating a brand-new GCP project

region                        = "us-central1"
realtime_database_region      = "us-central1"
realtime_database_instance_id = "laprevia-restobar-default-rtdb"

android_package_name = "com.laprevia.restobar"
android_display_name = "La Previa Restobar Android"

create_staging_android_app   = true
staging_android_package_name = "com.laprevia.restobar.staging"
staging_android_display_name = "La Previa Restobar Android Staging"

authorized_domains = [
  "localhost",
  "laprevia-restobar.firebaseapp.com",
  "laprevia-restobar.web.app"
]

2. Initialize Terraform

Download the required providers and set up the local backend:
terraform init

3. Review the plan

Inspect all resources Terraform will create or modify before applying:
terraform plan
Review the output carefully. No changes are made at this stage.

4. Apply the configuration

Provision all resources. Confirm with yes when prompted:
terraform apply
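
For the plan review in step 3 and the Public Invoker setting described earlier, a pre-apply check over the JSON form of the plan can list the exposure-relevant changes instead of relying on reading the diff. This is an added example, not part of the project's code; the sample plan is constructed from the defaults on this page, and the `[0]` index and the `backend_runtime` resource name in it are assumptions.

```python
import json

# Constructed sample: trimmed `terraform show -json tfplan` output built from the
# resource types and defaults on this page. The [0] index and the
# "backend_runtime" resource name are assumptions, not the project's real addresses.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "google_cloud_run_v2_service.backend",
  "type": "google_cloud_run_v2_service",
  "change": {"actions": ["create"], "after": {"ingress": "INGRESS_TRAFFIC_ALL",
   "template": [{"containers": [{"image":
    "us-central1-docker.pkg.dev/laprevia-restobar/laprevia-backend/api-firebase:latest"}]}]}}},
 {"address": "google_cloud_run_v2_service_iam_member.public_invoker[0]",
  "type": "google_cloud_run_v2_service_iam_member",
  "change": {"actions": ["create"],
   "after": {"role": "roles/run.invoker", "member": "allUsers"}}},
 {"address": "google_secret_manager_secret_iam_member.backend_runtime",
  "type": "google_secret_manager_secret_iam_member",
  "change": {"actions": ["create"], "after": {"role": "roles/secretmanager.secretAccessor",
   "member": "serviceAccount:laprevia-backend-run@laprevia-restobar.iam.gserviceaccount.com"}}}
]}""")

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def audit_plan(plan):
    """Return (address, finding) pairs for resources the plan creates or updates."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # no-op, read and delete-only changes expose nothing new
        after = change.get("after") or {}
        if rc["type"].endswith("_iam_member") and after.get("member") in PUBLIC_MEMBERS:
            findings.append((rc["address"], f"{after.get('role')} granted to {after['member']}"))
        if rc["type"] == "google_cloud_run_v2_service":
            if after.get("ingress") == "INGRESS_TRAFFIC_ALL":
                findings.append((rc["address"], "ingress accepts traffic from all sources"))
            for tmpl in after.get("template") or []:
                for container in tmpl.get("containers") or []:
                    image = container.get("image")  # absent when not known until apply
                    if image and "@sha256:" not in image:
                        findings.append((rc["address"], f"image uses a mutable tag: {image}"))
    return findings

if __name__ == "__main__":
    for address, finding in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

Against a real plan, save it with terraform plan -out=tfplan, export it with terraform show -json tfplan, and pass the parsed JSON to audit_plan.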

Building and Pushing the Docker Image

After Terraform has provisioned the Artifact Registry repository, build the backend Docker image locally from backend/ and push it to the registry. Use the repository path printed in the backend_container_image output.
# Authenticate Docker with Artifact Registry
gcloud auth configure-docker us-central1-docker.pkg.dev

# Build the image from the backend directory
docker build -t us-central1-docker.pkg.dev/laprevia-restobar/laprevia-backend/api-firebase:latest ./backend

# Push the image to Artifact Registry
docker push us-central1-docker.pkg.dev/laprevia-restobar/laprevia-backend/api-firebase:latest
Once the image is pushed, Cloud Run will pull it on the next deployment or when terraform apply updates the service.
To deploy a new backend version without re-running Terraform, push a new image tag to Artifact Registry and then run gcloud run deploy laprevia-backend --image <new-image-ref> --region us-central1. Terraform will reconcile the image reference on the next terraform apply if backend_image_tag is updated in terraform.tfvars.
