Support env vars for local/zip deploys

src/apphosting/backend.ts

@@ -13,6 +13,7 @@
   iamOrigin,
   secretManagerOrigin,
 } from "../api";
+import { logger } from "../logger";
 import { Backend, BackendOutputOnlyFields, API_VERSION } from "../gcp/apphosting";
 import { addServiceAccountToRoles } from "../gcp/resourceManager";
 import * as iam from "../gcp/iam";
@@ -52,7 +53,7 @@
     // SSL.
     const maybeNodeError = err as { cause: { code: string }; code: string };
     if (
       /HANDSHAKE_FAILURE/.test(maybeNodeError?.cause?.code) ||
       "EPROTO" === maybeNodeError?.code
     ) {
       return false;
@@ -294,6 +295,32 @@
   await githubConnections.linkGitHubRepository(projectId, location, connectionId);
 }
 
+/**
+ * Ensures that the App Hosting service agent has the necessary permissions to
+ * manage resources in the project.
+ */
+export async function ensureAppHostingServiceAgentRoles(
+  projectId: string,
+  projectNumber: string,
+): Promise<void> {
+  const p4saEmail = apphosting.serviceAgentEmail(projectNumber);
+  try {
+    await addServiceAccountToRoles(
+      projectId,
+      p4saEmail,
+      ["roles/storage.objectViewer"],
+      /* skipAccountLookup= */ true,
+    );
+  } catch (err: unknown) {
+    logger.debug(`Failed to grant storage.objectViewer to ${p4saEmail}: ${err}`);
+    // We don't want to fail the entire prepare step if this fails, as it might
+    // be due to insufficient permissions to grant roles.
+    logWarning(
+      `Unable to verify App Hosting service agent permissions for ${p4saEmail}. If you encounter a PERMISSION_DENIED error during rollout, please ensure the service agent has the "Storage Object Viewer" role.`,
+    );
+  }
+}
+
 /**
  * Ensures the service account is present the user has permissions to use it by
  * checking the `iam.serviceAccounts.actAs` permission. If the permissions
@@ -337,7 +364,7 @@
  * Prompts the user for a backend id and verifies that it doesn't match a pre-existing backend.
  */
 export async function promptNewBackendId(projectId: string, location: string): Promise<string> {
   while (true) {
     const backendId = await input({
       default: "my-web-app",
       message: "Provide a name for your backend [1-30 characters]",
@@ -650,7 +677,7 @@
     message: locationDisambugationPrompt,
     choices: [...backendsByLocation.keys()],
   });
   return backendsByLocation.get(location)!;
 }
 
 /**

src/apphosting/config.spec.ts

@@ -473,6 +473,27 @@
     });
   });
 
+  describe("splitEnvVars", () => {
+    it("should stringify numeric values", () => {
+      const env: AppHostingYamlConfig["env"] = {
+        STR: { value: "string" },
+        NUM: { value: 12345 as any },
+        BUILD_AND_RUNTIME_NUM: { value: 67890 as any, availability: ["BUILD", "RUNTIME"] },
+      };
+
+      const { build, runtime } = config.splitEnvVars(env);
+
+      expect(build["BUILD_AND_RUNTIME_NUM"].value).to.equal("67890");
+      expect(runtime).to.deep.include({ variable: "STR", value: "string" });
+      expect(runtime).to.deep.include({ variable: "NUM", value: "12345" });
+      expect(runtime).to.deep.include({
+        variable: "BUILD_AND_RUNTIME_NUM",
+        value: "67890",
+        availability: ["BUILD", "RUNTIME"],
+      });
+    });
+  });
+
   describe("getAppHostingConfiguration", () => {
     let loadAppHostingYamlStub: sinon.SinonStub;
     let listAppHostingFilesInPathStub: sinon.SinonStub;

src/apphosting/config.ts

@@ -1,4 +1,4 @@
-import { join, dirname } from "path";
+import { join, dirname, basename } from "path";
 import { writeFileSync } from "fs";
 import * as yaml from "yaml";
 import * as clc from "colorette";
@@ -11,7 +11,6 @@
 import { logger } from "../logger";
 import * as csm from "../gcp/secretManager";
 import { FirebaseError, getError } from "../error";
-import { basename } from "path";
 
 // Common config across all environments
 export const APPHOSTING_BASE_YAML_FILE = "apphosting.yaml";
@@ -62,7 +61,7 @@
 export function discoverBackendRoot(cwd: string): string | null {
   let dir = cwd;
 
   while (true) {
     const files = fs.listFiles(dir);
     if (files.some((file) => APPHOSTING_YAML_FILE_REGEX.test(file))) {
       return dir;
@@ -101,7 +100,7 @@
   let raw: string;
   try {
     raw = fs.readFile(yamlPath);
   } catch (err: any) {
     if (err.code !== "ENOENT") {
       throw new FirebaseError(`Unexpected error trying to load ${yamlPath}`, {
         original: getError(err),
@@ -393,3 +392,27 @@
 export function suggestedTestKeyName(variable: string): string {
   return "test-" + variable.replace(/_/g, "-").toLowerCase();
 }
+
+/**
+ * Split a set of environment variables into build and runtime variables.
+ */
+export function splitEnvVars(env: EnvMap): { build: EnvMap; runtime: Env[] } {
+  const build: EnvMap = {};
+  const runtime: Env[] = [];
+
+  for (const [key, val] of Object.entries(env)) {
+    const envVal = { ...val };
+    if (envVal.value !== undefined) {
+      envVal.value = String(envVal.value);
+    }
+
+    if (val.availability?.includes("BUILD")) {
+      build[key] = envVal;
+    }
+    if (val.availability?.includes("RUNTIME") || !val.availability) {
+      runtime.push({ variable: key, ...envVal });
+    }
+  }
+
+  return { build, runtime };
+}

src/apphosting/localbuilds.ts

@@ -1,5 +1,7 @@
+import * as path from "path";
 import { BuildConfig, Env } from "../gcp/apphosting";
 import { localBuild as localAppHostingBuild } from "@apphosting/build";
+import { EnvMap } from "./yaml";
 
 /**
  * Triggers a local build of your App Hosting codebase.
@@ -17,31 +19,72 @@ import { localBuild as localAppHostingBuild } from "@apphosting/build";
 export async function localBuild(
   projectRoot: string,
   framework: string,
+  env: EnvMap = {},
 ): Promise<{
   outputFiles: string[];
   annotations: Record<string, string>;
   buildConfig: BuildConfig;
 }> {
-  const apphostingBuildOutput = await localAppHostingBuild(projectRoot, framework);
+  // We need to inject the environment variables into the process.env
+  // because the build adapter uses them to build the app.
+  // We'll restore the original process.env after the build is done.
+  const originalEnv = { ...process.env };
+  const projectNodeModules = path.join(projectRoot, "node_modules");
+  const newNodePath = process.env.NODE_PATH
+    ? `${process.env.NODE_PATH}${path.delimiter}${projectNodeModules}`
+    : projectNodeModules;
+
+  const addedEnv = toProcessEnv(env);
+  for (const [key, value] of Object.entries(addedEnv)) {
+    process.env[key] = value;
+  }
+  const originalNodePath = process.env.NODE_PATH;
+  process.env.NODE_PATH = newNodePath;
+
+  let apphostingBuildOutput;
+  try {
+    apphostingBuildOutput = await localAppHostingBuild(projectRoot, framework);
+  } finally {
+    for (const key in process.env) {
+      if (!(key in originalEnv)) {
+        delete process.env[key];
+      }
+    }
+    for (const [key, value] of Object.entries(originalEnv)) {
+      process.env[key] = value;
+    }
+    if (originalNodePath !== undefined) {
+      process.env.NODE_PATH = originalNodePath;
+    } else {
+      delete process.env.NODE_PATH;
+    }
+  }
 
   const annotations: Record<string, string> = Object.fromEntries(
     Object.entries(apphostingBuildOutput.metadata).map(([key, value]) => [key, String(value)]),
   );
 
-  const env: Env[] | undefined = apphostingBuildOutput.runConfig.environmentVariables?.map(
-    ({ variable, value, availability }) => ({
-      variable,
-      value,
-      availability,
-    }),
-  );
+  const discoveredEnv: Env[] | undefined =
+    apphostingBuildOutput.runConfig.environmentVariables?.map(
+      ({ variable, value, availability }) => ({
+        variable,
+        value,
+        availability,
+      }),
+    );
 
   return {
     outputFiles: apphostingBuildOutput.outputFiles?.serverApp.include ?? [],
     annotations,
     buildConfig: {
       runCommand: apphostingBuildOutput.runConfig.runCommand,
-      env: env ?? [],
+      env: discoveredEnv ?? [],
     },
   };
 }
+
+function toProcessEnv(env: EnvMap): NodeJS.ProcessEnv {
+  return Object.fromEntries(
+    Object.entries(env).map(([key, value]) => [key, value.value || ""]),
+  ) as NodeJS.ProcessEnv;
+}

src/apphosting/utils.ts

@@ -1,6 +1,6 @@
 import { FirebaseError } from "../error";
-import { APPHOSTING_BASE_YAML_FILE, APPHOSTING_YAML_FILE_REGEX } from "./config";
 import { WebConfig } from "../fetchWebSetup";
+import { APPHOSTING_BASE_YAML_FILE, APPHOSTING_YAML_FILE_REGEX } from "./config";
 import * as prompt from "../prompt";
 
 /**

src/deploy/apphosting/prepare.spec.ts

@@ -11,6 +11,7 @@ import { Context } from "./args";
 import { FirebaseError } from "../../error";
 import prepare, { getBackendConfigs } from "./prepare";
 import * as localbuilds from "../../apphosting/localbuilds";
+import * as managementApps from "../../management/apps";
 import * as experiments from "../../experiments";
 import * as getProjectNumber from "../../getProjectNumber";
 import * as resourceManager from "../../gcp/resourceManager";
@@ -68,13 +69,15 @@ describe("apphosting", () => {
       .stub(apphosting, "listBackends")
       .throws("Unexpected listBackends call");
     sinon.stub(backend, "ensureAppHostingComputeServiceAccount").resolves();
+    sinon.stub(backend, "ensureAppHostingServiceAgentRoles").resolves();
+    sinon.stub(getProjectNumber, "getProjectNumber").resolves("123456789");
     sinon.stub(apiEnabled, "ensure").resolves();
     getGitRepositoryLinkStub = sinon
       .stub(devconnect, "getGitRepositoryLink")
       .throws("Unexpected getGitRepositoryLink call");
     assertEnabledStub = sinon.stub(experiments, "assertEnabled").returns();
     sinon.stub(experiments, "isEnabled").returns(true);
-    sinon.stub(getProjectNumber, "getProjectNumber").resolves("123456789");
+
     addServiceAccountToRolesStub = sinon
       .stub(resourceManager, "addServiceAccountToRoles")
       .resolves();
@@ -143,6 +146,71 @@ describe("apphosting", () => {
       );
     });
 
+    it("injects Firebase configuration when appId is present", async () => {
+      const optsWithLocalBuild = {
+        ...opts,
+        config: new Config({
+          apphosting: {
+            backendId: "foo",
+            rootDir: "/",
+            ignore: [],
+            localBuild: true,
+          },
+        }),
+      };
+      const context = initializeContext();
+
+      const webAppConfig = {
+        projectId: "my-project",
+        appId: "my-app-id",
+        apiKey: "my-api-key",
+        authDomain: "my-project.firebaseapp.com",
+        databaseURL: "https://my-project.firebaseio.com",
+        storageBucket: "my-project.appspot.com",
+        messagingSenderId: "123456",
+        measurementId: "G-123456",
+      };
+
+      sinon.stub(managementApps, "getAppConfig").resolves(webAppConfig);
+      const localBuildStub = sinon.stub(localbuilds, "localBuild").resolves({
+        outputFiles: ["./next/standalone"],
+        buildConfig: { runCommand: "npm run build", env: [] },
+        annotations: {},
+      });
+
+      listBackendsStub.onFirstCall().resolves({
+        backends: [
+          {
+            name: "projects/my-project/locations/us-central1/backends/foo",
+            appId: "my-app-id",
+          },
+        ],
+      });
+
+      await prepare(context, optsWithLocalBuild);
+
+      expect(localBuildStub).to.be.calledWithMatch(
+        sinon.match.any,
+        "nextjs",
+        sinon.match({
+          FIREBASE_WEBAPP_CONFIG: { value: JSON.stringify(webAppConfig) },
+          FIREBASE_CONFIG: {
+            value: JSON.stringify({
+              databaseURL: webAppConfig.databaseURL,
+              storageBucket: webAppConfig.storageBucket,
+              projectId: webAppConfig.projectId,
+            }),
+          },
+        }),
+      );
+      expect(addServiceAccountToRolesStub).to.have.been.calledWith(
+        "my-project",
+        apphosting.serviceAgentEmail("123456789"),
+        ["roles/storage.objectViewer"],
+        true,
+      );
+    });
+
     it("should fail if localBuild is specified but experiment is disabled", async () => {
       const optsWithLocalBuild = {
         ...opts,