Firestore Security - allow only known fields

You can separate your rules to include different create and update (as well as delete) logic:

// allows for creation with name and phone fields
allow create: if request.resource.data.size() == 2
              && request.resource.data.hasAll(['name', 'phone'])
              && request.resource.data.name is string
              && request.resource.data.phone is string;
// allows a single update adding the address field
// OR (||) in additional constraints
allow update: if request.resource.data.size() == resource.data.size() + 1
              && !('address' in resource.data)
              && request.resource.data.address is string;

You're looking for both the size() and hasOnly() methods.

allow write: if request.resource.data.size() == 3 
             && request.resource.data.keys().hasOnly(['name', 'phone', 'address'])

Using size() allows you to ensure an exact number of fields. Combining that with hasOnly() allows to you lock it to those specific fields.

You can read more in the Cloud Firestore Rules reference docs.

To add on to Mike McDonald's answer, to check for particular keys, the form is now:

request.resource.data.keys().hasAll

instead of

request.resource.data.hasAll

Full example:

// allows for creation with name and phone fields
allow create: if request.resource.data.size() == 2
              && request.resource.data.keys().hasAll(['name', 'phone'])
              && request.resource.data.name is string
              && request.resource.data.phone is string;
// allows a single update adding the address field
// OR (||) in additional constraints
allow update: if request.resource.data.size() == resource.data.size() + 1
              && !('address' in resource.data)
              && request.resource.data.address is string;

More information here: https://firebase.google.com/docs/reference/rules/rules.Map