Skip to content

feat: migrate doc-api to Cloud SQL IAM auth#273

Open
panish16 wants to merge 11 commits into
bcgov:mainfrom
panish16:feat/doc-api-iam-auth
Open

feat: migrate doc-api to Cloud SQL IAM auth#273
panish16 wants to merge 11 commits into
bcgov:mainfrom
panish16:feat/doc-api-iam-auth

Conversation

@panish16
Copy link
Copy Markdown
Contributor

@panish16 panish16 commented Jun 4, 2026
edited
Loading

Summary

Migrates doc-api to Cloud SQL IAM auth, matching the pattern established in `person-search` (PR #9) and `legal-api`.

Changes:

  • `config.py`: When `CLOUDSQL_INSTANCE_CONNECTION_NAME` is set, uses `DBConfig` from `sbc-connect-common/cloud-sql-connector` (IAM auth, `pool_pre_ping`, `pool_recycle`, `pool_use_lifo`). Falls back to Unix socket or TCP — no behaviour change without the env var. Adds pool size tuning via `DATABASE_MIN/MAX_POOL_SIZE` etc. Adds `MigrationConfig` for migration jobs.
  • `migrations/env.py`: Adds `DATABASE_OWNER_ROLE` support — `SET ROLE` before running migrations so DDL is executed under the owner role, ensuring correct table ownership when the IAM service account runs Alembic.
  • `init.py`: `setup_pg8000_close_event_listener` conditional on IAM auth being active.

Why: `doc-api-prod` (`c4hnrd-prod`) is actively hitting `pg8000.exceptions.InterfaceError` on connection pool teardown (scale-to-zero noise) AND on live requests via stale pooled connections. IAM auth via the Cloud SQL Python Connector adds `pool_pre_ping=True` which prevents stale connection reuse at the pool level, not just suppresses the error noise.

Reference: person-search PR #9

GCP infra required

  • Cloud SQL instance: enable IAM database authentication
  • Cloud Run service account: grant `roles/cloudsql.instanceUser` on the Cloud SQL instance
  • Cloud SQL: create IAM database user matching the Cloud Run service account email
  • Cloud Run (`doc-api-dev`): set the new env vars above

Test plan

  • CI passes (linting, unit tests, Docker build)
  • Deploy to `c4hnrd-dev` with `CLOUDSQL_INSTANCE_CONNECTION_NAME` set — app starts and connects
  • Run migrations via `flask db upgrade` — verify tables owned by correct role (`DATABASE_OWNER_ROLE`)
  • No `InterfaceError` in Cloud Run logs at overnight scale-to-zero
  • `Suppressed pg8000 InterfaceError on connection close during teardown.` appears in DEBUG logs
  • Key API endpoints respond correctly after scale-up from zero

panish16 added 11 commits May 26, 2026 16:42
@panish16
fix: add pg8000 graceful shutdown on Cloud Run scale-down
0fd1583 
Calls setup_pg8000_close_event_listener(engine) after db init in notify-api
and notify-delivery so pg8000 InterfaceError is suppressed instead of logged
as an error when SQLAlchemy closes pooled connections during teardown.

Resolves #33564
@panish16
fix: add pg8000 graceful shutdown on Cloud Run scale-down
fb59c2a
@panish16
fix: remove duplicate setup_pg8000_close_event_listener call in notif…
81b2624 
…y-delivery
@panish16
test: add coverage tests for pg8000 graceful shutdown in doc-api
978e29b 
Covers all branches of _setup_pg8000_graceful_shutdown:
non-pg8000 early return, listener registration, normal close,
InterfaceError suppression, re-raise of other errors,
and ImportError fallback. Also renames _InterfaceError to
_interface_error to satisfy naming linter rules.
@panish16
fix: remove duplicate setup_pg8000_close_event_listener call in notif…
368d5f5 
…y-api
@panish16
fix: use setup_pg8000_close_event_listener from cloud-sql-connector i…
9f60267 
…n doc-api

Replace local _setup_pg8000_graceful_shutdown copy with the shared
setup_pg8000_close_event_listener from sbc-connect-common/cloud-sql-connector
(main branch, v0.2.3). Matches the approach used by notify-api,
notify-delivery, and the lear queue services.
@panish16
fix: align python version constraint with lock file (>=3.12,<3.14)
a6d71b2
@panish16
fix: upgrade Poetry to 2.1.1 in Dockerfile to resolve dulwich git ins…
ff8c640 
…tall issue
@panish16
feat: migrate doc-api to Cloud SQL IAM auth via cloud-sql-connector
afa9a63
@panish16
feat: add DATABASE_OWNER_ROLE to migrations env.py and align pool con…
bc1ff09 
…fig with person-search pattern
@panish16
feat: add update_db.sh, update .env.sample and vaults.gcp.env for IAM…
d450f9d 
… auth
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@panish16