Skip to content

feat(gcp): support arbitrary Cloud SQL database flags on gcp-cloudsql-postgres#357

Open
Cre-eD wants to merge 5 commits into
mainfrom
feat/cloudsql-database-flags
Open

feat(gcp): support arbitrary Cloud SQL database flags on gcp-cloudsql-postgres#357
Cre-eD wants to merge 5 commits into
mainfrom
feat/cloudsql-database-flags

Conversation

@Cre-eD

@Cre-eD Cre-eD commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

What

Adds a generic databaseFlags map to the gcp-cloudsql-postgres resource config:

postgres:
  type: gcp-cloudsql-postgres
  config:
    maxConnections: 200
    databaseFlags:
      cloudsql.iam_authentication: "on"

Why

max_connections (via maxConnections) was the only database flag the resource could manage. Features gated on instance flags — IAM database authentication in particular (required for Cloud SQL Auth Proxy --auto-iam-authn / passwordless Workload Identity DB access) — could not be enabled through IaC and forced an out-of-band gcloud sql instances patch, which the provisioner would then silently revert on the next refresh+update cycle.

How

  • configuredDatabaseFlags merges the legacy MaxConnections field with the new map; an explicit max_connections entry in databaseFlags wins.
  • Flags render sorted by name — map iteration order would otherwise produce phantom diffs on every update.
  • The adoption path (adopt_postgres.go) preserves unmanaged existing instance flags and overrides only configured ones, generalizing the previous max_connections-only override logic.
  • Unit tests cover config parsing, merge precedence, and deterministic ordering.

Compatibility

Existing configs are unaffected: maxConnections behaves exactly as before; databaseFlags is optional and omitted from serialization when empty.

…-postgres

Adds a generic databaseFlags map to the resource config, e.g.:

    postgres:
      type: gcp-cloudsql-postgres
      config:
        maxConnections: 200
        databaseFlags:
          cloudsql.iam_authentication: "on"

Previously max_connections (via maxConnections) was the only flag the
resource could manage, so features gated on instance flags — IAM
database authentication in particular — could not be enabled through
IaC. Flags merge with maxConnections (an explicit max_connections
entry in databaseFlags wins) and render sorted by name so the
resulting array is deterministic across updates. The adoption path
preserves unmanaged existing flags and overrides only the configured
ones, generalizing the previous max_connections-only override.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Semgrep Scan Results

Repository: api | Commit: 5b5a8e9

Check Status Details
⚠️ Semgrep Warning 1 warning(s), 5 total

Scanned at 2026-07-02 18:40 UTC

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Security Scan Results

Repository: api | Commit: 5b5a8e9

Check Status Details
✅ Secret Scan Pass No secrets detected
✅ Dependencies (Trivy) Pass 0 total (no critical/high)
✅ Dependencies (Grype) Pass 0 total (no critical/high)
📦 SBOM Generated 523 components (CycloneDX)

Scanned at 2026-07-02 18:51 UTC

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

📊 Statement coverage

Measured on the documented included set (see docs/TESTING.md → Coverage scope). Observe-only — no regression gate is enforced yet.

Scope This PR main baseline Δ
Included set (Gold-tier denominator) 90.3% 90.3% +0.0 pp
Full set (whole repo, transparency) 28.0% 27.9% +0.1 pp

Baseline: main @ 6eacb7c

@blacksmith-sh

This comment has been minimized.

Cre-eD added 4 commits July 2, 2026 17:59
Placeholder resolution rebuilds maps via reflect.MakeMap, so an absent
databaseFlags arrives as an empty (non-nil) map after resolution.
Encode that in the resolved fixtures rather than changing resolution
behavior, which other code may rely on.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Review findings:
- The adoption path listed settings.databaseFlags in IgnoreChanges, so
  the configured-flag override logic was dead code and the override log
  line lied. Keep ignoring the path only while no flags are configured.
- Merge existing + configured flags through one map so the rendered
  array is fully sorted; a mixed existing-order/sorted-tail array would
  churn on every update. Extracted as mergeDatabaseFlags with a unit
  test (preserve unmanaged, override configured, sort all).
- Log only overridden flag names — values could carry substituted
  secrets.
- Regenerate docs/schemas (schema-gen): picks up databaseFlags plus
  fields added since the last regeneration (backup config,
  availabilityType, aws storageEncrypted, etc.).

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
…Flags

Follow-up review pass:
- Gate the adoption-path IgnoreChanges exemption on the NEW DatabaseFlags
  field instead of the merged flag set: legacy adopted stacks carrying
  only maxConnections keep their historical no-op instead of suddenly
  applying a restart-requiring static flag on the next deploy. Flag
  application on adopted instances is now an explicit opt-in, with a
  Warn covering the restart risk and the import-must-match caveat.
- Extract adoptIgnoreChanges + sortedFlagNames helpers; unit-test both
  ignore-list branches; split flag tests per helper.
- Lock in yaml.v3 scalar coercion with an unquoted-int databaseFlags
  test case (users write flag values bare).
- Mark MaxConnections deprecated in favor of databaseFlags.
- Document databaseFlags in supported-resources.md, including the
  removal-semantics asymmetry between provisioned and adopted instances.
- Comment the {}-not-nil resolution artifact at the fixture site.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
The deprecation marker trips staticcheck on the shim's own read of the
field — the one legitimate internal consumer.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants