
Conversation


@rosalyntan rosalyntan commented Dec 11, 2025

Description

This adds support to the Firebase Functions CLI to deploy onGraphRequest functions. The deployed function will by default be IAM restricted to the Firebase Data Connect P4SA, with any explicitly specified invokers also granted access.

In addition, if schemaFilePath is specified in the onGraphRequest options, the CLI will pull in the schema GQL source files at schemaFilePath and bundle them with the functions deploy payload.

Scenarios Tested

Sample Commands
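The IAM rule stated in the description above (the deployed service is always invokable by the Firebase Data Connect service agent, and any explicitly listed invokers are granted on top of that) as an added TypeScript example. This is not firebase-tools code: the service-agent email format, the invoker option encoding ("public" meaning allUsers, anything else a service account email) and all function names are assumptions chosen for illustration. The point it makes concrete is that the P4SA grant must survive a redeploy that omits or nulls the invoker option.

```typescript
// Added example, not firebase-tools code. Models the onGraphRequest IAM rule:
// the Cloud Run service is always invokable by the Data Connect service agent
// (P4SA), plus whatever invokers the developer lists explicitly.

type Invoker = string[] | null | undefined;

interface IamBinding {
  role: string;
  members: string[];
}

const RUN_INVOKER_ROLE = "roles/run.invoker";

// ASSUMED email format of the Data Connect service agent. The real CLI resolves
// the account per environment (autopush, staging, production) and project.
function dataConnectServiceAgent(projectNumber: string): string {
  return (
    "serviceAccount:service-" +
    projectNumber +
    "@gcp-sa-firebasedataconnect.iam.gserviceaccount.com"
  );
}

// Translate the developer's invoker option into IAM members. ASSUMED encoding:
// "public" means allUsers, anything else is a service account email.
// undefined (option omitted) and null both mean "no extra invokers".
function explicitInvokerMembers(invoker: Invoker): string[] {
  if (!invoker) {
    return [];
  }
  return invoker.map((inv) =>
    inv === "public" ? "allUsers" : "serviceAccount:" + inv,
  );
}

function unique(members: string[]): string[] {
  return members.filter((m, i) => members.indexOf(m) === i);
}

// Compute the bindings to write back. The P4SA is added unconditionally, so a
// redeploy that drops or nulls `invoker` cannot lock Data Connect out. Explicit
// invokers that are no longer listed are removed, because the option is treated
// as the full desired set for the run.invoker role; other roles are untouched.
function mergeInvokerBinding(
  existing: IamBinding[],
  invoker: Invoker,
  serviceAgent: string,
): IamBinding[] {
  const desired = unique([serviceAgent, ...explicitInvokerMembers(invoker)]).sort();
  const untouched = existing.filter((b) => b.role !== RUN_INVOKER_ROLE);
  return [...untouched, { role: RUN_INVOKER_ROLE, members: desired }];
}

// Guard to run before writing the policy: refuse if the service agent would
// lose invoker access.
function serviceAgentRetained(bindings: IamBinding[], serviceAgent: string): boolean {
  const invokerBinding = bindings.filter((b) => b.role === RUN_INVOKER_ROLE)[0];
  return (
    invokerBinding !== undefined &&
    invokerBinding.members.indexOf(serviceAgent) !== -1
  );
}

// Worked scenario on constructed data: a previous deploy left a stale public
// grant, and the developer redeploys with `invoker: null`.
const P4SA = dataConnectServiceAgent("123456789012");
const previousPolicy: IamBinding[] = [
  { role: RUN_INVOKER_ROLE, members: ["allUsers"] },
  { role: "roles/run.viewer", members: ["user:dev@example.com"] },
];
const redeployedPolicy = mergeInvokerBinding(previousPolicy, null, P4SA);
if (!serviceAgentRetained(redeployedPolicy, P4SA)) {
  throw new Error("Data Connect service agent would lose invoker access");
}
```

The `null` case is the one questioned later in this thread: here it collapses to "no extra invokers" and the stale `allUsers` grant is dropped, while the service agent stays in the binding.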

@gemini-code-assist

Summary of Changes

Hello @rosalyntan, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Firebase Functions CLI to properly support the deployment of onGraphRequest functions by integrating the necessary IAM permissions for the Firebase Data Connect service. It introduces mechanisms to identify the correct Data Connect service account for different environments and ensures that this service account is granted the cloudrun.invoker role, which is essential for Data Connect to interact with Cloud Run functions.

Highlights

  • Data Connect IAM Bindings: Introduced new logic to determine and apply necessary IAM bindings for the Firebase Data Connect service agent, specifically granting the cloudrun.invoker role to enable interaction with Cloud Run functions.
  • Environment-Specific Service Accounts: Implemented dynamic determination of the Data Connect service account based on the deployment environment (autopush, staging, or production) to ensure correct permissions are applied.
  • Deployment Flow Integration: Updated the dataconnectService configuration to utilize the new obtainDataConnectBindings function, integrating these essential IAM permissions directly into the functions deployment process.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds support for deploying onGraphRequest functions by introducing the necessary IAM bindings for Firebase Data Connect. The changes include adding logic to obtain the Data Connect service agent and grant it the Cloud Run Invoker role. My review includes suggestions to improve code clarity and maintainability, such as refactoring to avoid magic strings and using async functions appropriately.

@rosalyntan rosalyntan marked this pull request as ready for review December 19, 2025 17:26
@rosalyntan rosalyntan requested review from joehan and taeold December 19, 2025 17:30
} else if (isDataConnectGraphqlTriggered(endpoint)) {
const dataConnectGraphqlTrigger: backend.DataConnectGraphqlTrigger = {};
if (endpoint.dataConnectGraphqlTrigger.invoker === null) {
dataConnectGraphqlTrigger.invoker = null;
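Review bot: this branch passes an explicit `invoker === null` straight through to the backend trigger, and null is the value the deploy path reads as "private"; make sure the Data Connect service agent binding is merged back in after this point rather than the run.invoker binding being replaced wholesale, otherwise a developer who sets invoker to null loses the P4SA access the description says is always granted. A regression test that deploys with `invoker: null` and asserts the service agent is still present in the run.invoker binding would pin this down.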
Contributor

this would end up clearing the invoker setting to "private", including getting rid of access for FDC P4SA 🤔 wondering if that's what we want

Member Author

I think this is addressed with my changes in fabricator.ts -- what is a test case that would trigger this? I've verified that removing the invoker from the options when redeploying does not remove access for the FDC P4SA.

@taeold taeold left a comment

changelog entry?

const httpsFunctions = backend.allEndpoints(results).filter(backend.isHttpsTriggered);
const httpsFunctions = backend
.allEndpoints(results)
.filter(backend.isHttpsTriggered || backend.isDataConnectGraphqlTriggered);
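Review bot: `backend.isHttpsTriggered || backend.isDataConnectGraphqlTriggered` in the `.filter(...)` call does not combine the two predicates; `||` between two function references evaluates to the first function (a function is truthy), so the filter is still just `backend.isHttpsTriggered` and Data Connect endpoints never reach the URL-printing code. Pass a lambda that calls both: `.filter((e) => backend.isHttpsTriggered(e) || backend.isDataConnectGraphqlTriggered(e))`, and add a unit test with one endpoint of each trigger type so the regression is caught.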
Contributor

I don't think it's useful to print trigger url for FDC urls, esp. since it's not meant to be a public function.

Member Author

We need the URL printed so developers can copy-paste it into their dataconnect.yaml files. However, I realized that this logic wasn't actually working, so updated with a fix. In addition, it seems like only the non-deterministic run.app URL gets returned from the backend, so I manually construct the deterministic URL here (it's a little hacky).

@rosalyntan rosalyntan merged commit 4650e97 into main Jan 3, 2026
47 checks passed
@rosalyntan rosalyntan deleted the rosalyntan.resolver branch January 3, 2026 02:33