google-cloud-firestore google-cloud-functions google-cloud-run event-arc

Firestore created document Eventarc audit log methods are inconsistent


I am trying to call a service when a new Firestore document is created. With Cloud Functions v1 this was simple and worked great (https://firebase.google.com/docs/functions/firestore-events). With Cloud Functions v2/Cloud Run being triggered via Eventarc, I'm struggling to get similar or even consistent behavior and feel like I'm missing something.

My expectation is that, to get the same behavior as exists with v1 functions, I would need an audit log to be recorded with a service name of firestore.googleapis.com and a method name of google.firestore.v1.Firestore.CreateDocument (per https://cloud.google.com/eventarc/docs/reference/supported-events#cloud-firestore). I'm getting audit logs written for document creation, but no consistent behavior.

  1. If I create a new document in the GCP or Firebase Console, an audit log record with a service name of firestore.googleapis.com and method name of google.firestore.v1.Firestore.Write is generated.

  2. If I create a new document using the Firestore Client SDK (tested with Android), an audit log record with a service name of firestore.googleapis.com and method name of google.firestore.v1.Firestore.Write is generated.

  3. If I create a new document using the Firestore Admin SDK (tested with both @google-cloud/firestore and firebase-admin for Node and cloud.google.com/go/firestore for Go...all the same behavior), an audit log record with a service name of firestore.googleapis.com and method name of google.firestore.v1.Firestore.Commit is generated.

         // JS implementation...similar implementation for Go
         const {Firestore} = require('@google-cloud/firestore');
         ...
         const db = new Firestore({...});
         const collection = db.collection('users');
         const res = await collection.add({});

  4. If I create a new document using the Firestore REST API, an audit log record with a service name of firestore.googleapis.com and method name of google.firestore.v1.Firestore.CreateDocument is generated.

         curl --request POST \
             'https://firestore.googleapis.com/v1/projects/MY_PROJECT/databases/(default)/documents/users' \
             --header 'Accept: application/json' \
             --header 'Content-Type: application/json' \
             --header 'Authorization: Bearer MY_TOKEN' \
             --data '{"fields":{}}'

My goal is to have a behavior similar to v1 functions where I can reliably respond to document creation.

None of the above are necessarily wrong, but not having consistent behavior is not great. I don't feel like I'm doing something wrong, but clearly am not doing something right either. What is it that I'm missing or should I correct my Eventarc mental model?
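The mismatch listed in the question, as an added example that is not part of the original post: it runs an audit-log trigger filter over one constructed entry per creation path and reports which paths that filter catches. The `origin` labels, the function names and the exact-equality matching of `serviceName` and `methodName` are assumptions made for this example; the method names are the ones the question reports.

```javascript
// Constructed sample entries, one per creation path listed in the question.
// `origin` is a label added for this example; serviceName and methodName are
// the audit-log values the question reports for each path.
const SERVICE = 'firestore.googleapis.com';
const PREFIX = 'google.firestore.v1.Firestore.';

const entry = (origin, method) => ({
  origin,
  protoPayload: { serviceName: SERVICE, methodName: PREFIX + method },
});

const observed = [
  entry('console', 'Write'),
  entry('client-sdk', 'Write'),
  entry('admin-sdk', 'Commit'),
  entry('rest-api', 'CreateDocument'),
];

// Assumption: a trigger filter matches serviceName and methodName by exact
// string equality.
function matches(logEntry, filter) {
  const p = logEntry.protoPayload || {};
  return p.serviceName === filter.serviceName && p.methodName === filter.methodName;
}

// Split the creation paths into those a set of filters catches and those it misses.
function coverage(entries, filters) {
  const result = { matched: [], missed: [] };
  for (const e of entries) {
    const hit = filters.some((f) => matches(e, f));
    (hit ? result.matched : result.missed).push(e.origin);
  }
  return result;
}

// Distinct method names a set of filters would need to catch every observed path.
function methodsNeeded(entries) {
  return [...new Set(entries.map((e) => e.protoPayload.methodName))].sort();
}

// A single filter on CreateDocument, as the supported-events table suggests.
const createOnly = [{ serviceName: SERVICE, methodName: PREFIX + 'CreateDocument' }];
console.log(coverage(observed, createOnly));
console.log(methodsNeeded(observed));
```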


Solution

  • From https://cloud.google.com/functions/docs/calling/cloud-firestore (as recent as Sept 7, 2022):

    Cloud Functions (2nd gen) does not currently support Cloud Firestore triggers.

    From https://cloud.google.com/functions/docs/calling (as recent as Sept 7, 2022):

    Note: Eventarc does not currently support direct events from Firestore, Google Analytics for Firebase, or Firebase Authentication. Use Cloud Functions (1st gen) to use these events.

    If you want the v1 behavior with Eventarc, it's not currently supported. Continue to use v1 functions.