A comprehensive solution for automating Google Cloud SQL PostgreSQL database management and IAM user permissions across multiple databases in an organization.
This application provides a complete REST API for managing PostgreSQL databases, schemas, roles, and IAM users. Below you'll find screenshots demonstrating the key features:
- Health Monitoring: Real-time service and database health checks
- Schema Management: Create and manage database schemas with proper ownership
- Role Management: Initialize, assign, and revoke PostgreSQL roles
- IAM Integration: Seamless Google Cloud IAM user management
- Database Operations: List schemas, tables, and perform health checks
Scroll down to see detailed screenshots for each feature!
This project contains comprehensive documentation for the Cloud SQL PostgreSQL Manager, a modular FastAPI service for managing PostgreSQL databases, schemas, roles, and IAM user permissions in Google Cloud SQL.
- md/ARCHITECTURE_OVERVIEW.md - High-level system architecture and design principles
- md/SERVICES.md - Detailed documentation of all services and their responsibilities
- md/COMPONENTS.md - Component system documentation and reusable business logic
- md/PLUGINS.md - Plugin system documentation for extensible role management
- md/API.md - Complete API endpoint documentation with examples
- md/test_endpoints.json - Test endpoints and sample requests
- md/ROLE_TESTING.md - Comprehensive guide for testing standard roles and permissions
- md/QUICK_TEST_GUIDE.md - Quick 5-minute testing guide for role validation
- md/role_test_scripts.sql - Automated SQL test scripts
- md/DEPLOYMENT.md - Comprehensive deployment guide for various environments
1. Start with md/ARCHITECTURE_OVERVIEW.md to understand the system design and components.
2. Read md/SERVICES.md to understand each service's responsibilities and interactions.
3. Check md/API.md for endpoint documentation and examples.
4. Follow md/DEPLOYMENT.md for deployment instructions.
The system follows a modular microservices architecture with clear separation of concerns:
```
┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐
│   API Layer     │  │  Service Layer  │  │ Component Layer │
│                 │  │                 │  │                 │
│ • Health Router │  │ • ConnectionMgr │  │ • Validation    │
│• Database Router│  │ • SchemaMgr     │  │ • ErrorHandler  │
│ • Schema Router │  │ • RoleMgr       │  │ • ServiceOps    │
│ • Role Router   │  │ • UserMgr       │  │ • DatabaseOps   │
└─────────────────┘  └─────────────────┘  └─────────────────┘
```
- Schema Operations: Create, list, and manage database schemas
- Table Management: List tables with metadata and statistics
- Health Monitoring: Comprehensive database health checks
- Connection Pooling: High-performance connection management
- Plugin System: Extensible role definitions with versioning
- Permission Levels: `readonly`, `readwrite`, `admin` with granular control
- IAM Integration: Seamless Google Cloud IAM user management
- Role Registry: Firestore-based role tracking and history
- Input Validation: Comprehensive request validation
- IAM Validation: Service account and permission verification
- SQL Injection Protection: Parameterized queries and sanitization
- Error Handling: Secure error responses without information leakage
| Service | Purpose | Key Features |
|---|---|---|
| ConnectionManager | Database connection pooling | High-performance, automatic recovery |
| SchemaManager | Schema and table operations | Creation, listing, ownership management |
| RoleManager | Role initialization and management | Plugin system, versioning, Firestore integration |
| UserManager | IAM user operations | Validation, normalization, permission checks |
| RolePermissionManager | Role assignments | User-role mapping, permission management |
| HealthManager | System monitoring | Health checks, performance metrics |
The system includes an extensible plugin architecture for role management:
- StandardRolePlugin: Built-in role definitions
- CustomRolePlugin: Custom role implementations
- PluginRegistry: Plugin management and loading
- Version Control: Role versioning and updates
- `GET /health` - Service health check
- `POST /database/schemas` - List database schemas
- `POST /database/tables` - List schema tables
- `POST /database/health` - Database health check
- `POST /schemas/create` - Create database schema
- `POST /roles/initialize` - Initialize roles
- `POST /roles/assign` - Assign role to user
- `POST /roles/revoke` - Revoke role from user
- `POST /roles/list` - List available roles
- `POST /database/postgres-inheritance/grant` - Grant IAM user to postgres
- `POST /database/postgres-inheritance/revoke` - Revoke IAM user from postgres
Run locally:

```bash
cd postgres-manager
uvicorn app.main:app --reload --host 0.0.0.0 --port 8080
```

Build and run with Docker:

```bash
cd postgres-manager
docker build -t cloudsql-postgres-manager .
docker run -p 8080:8080 cloudsql-postgres-manager
```

Deploy to Cloud Run:

```bash
gcloud run deploy cloudsql-postgres-manager \
  --image gcr.io/PROJECT_ID/cloudsql-postgres-manager \
  --platform managed \
  --region europe-west1
```

For comprehensive testing documentation, see:
- tests/README.md - Complete test suite documentation
For comprehensive role testing, see the testing documentation:
- md/ROLE_TESTING.md - Complete testing guide
- md/QUICK_TEST_GUIDE.md - Quick testing guide
- md/role_test_scripts.sql - Automated test scripts
- Service Health: `GET /health`
- Database Health: `POST /database/health`
- Request processing time
- Database connection metrics
- Error rates by endpoint
- Role operation success rates
Structured JSON logging with correlation IDs and performance metrics.
- Google Cloud IAM integration
- Service account validation
- Permission verification
- Secret Manager for credentials
- Parameterized queries
- Input validation and sanitization
- Sanitized error messages
- No sensitive data in logs
- Structured error responses
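The input validation and sanitized SQL described above, written out as an added example for this README (not the project's own service code): schema names are checked against an identifier allowlist, IAM principals are normalized to Cloud SQL database user names, and every identifier is double-quoted before being placed in a GRANT statement. The mapping of the three permission levels to concrete privileges, and the `.gserviceaccount.com` truncation for service accounts, are assumptions of this example, not something the README specifies.

```python
import re

# Allowlist for unquoted-style PostgreSQL identifiers (max 63 chars).
IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")
# Loose shape check for an IAM principal: local-part@domain.tld
PRINCIPAL_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")
SA_SUFFIX = ".gserviceaccount.com"

# Assumed mapping of the README's permission levels to table privileges.
LEVEL_PRIVS = {
    "readonly": "SELECT",
    "readwrite": "SELECT, INSERT, UPDATE, DELETE",
    "admin": "ALL PRIVILEGES",
}

def quote_ident(name: str) -> str:
    """Double-quote a PostgreSQL identifier, doubling any embedded quote."""
    return '"' + name.replace('"', '""') + '"'

def is_valid_schema_name(name: str) -> bool:
    """True only for names matching the identifier allowlist."""
    return IDENT_RE.fullmatch(name) is not None

def iam_db_username(principal: str) -> str:
    """Map an IAM principal to its Cloud SQL IAM database user name.
    Assumption: service accounts drop the '.gserviceaccount.com' suffix,
    user accounts keep the full (lower-cased) e-mail address."""
    p = principal.strip().lower()
    if not PRINCIPAL_RE.fullmatch(p):
        raise ValueError(f"invalid IAM principal: {principal!r}")
    return p[:-len(SA_SUFFIX)] if p.endswith(SA_SUFFIX) else p

def build_grant_statements(level: str, schema: str, principal: str) -> list[str]:
    """Return the GRANT statements for one (level, schema, principal) assignment,
    rejecting anything that fails validation before any SQL is built."""
    if level not in LEVEL_PRIVS:
        raise ValueError(f"unknown permission level: {level!r}")
    if not is_valid_schema_name(schema):
        raise ValueError(f"invalid schema name: {schema!r}")
    s = quote_ident(schema)
    r = quote_ident(iam_db_username(principal))
    privs = LEVEL_PRIVS[level]
    schema_priv = "ALL PRIVILEGES" if level == "admin" else "USAGE"
    return [
        f"GRANT {schema_priv} ON SCHEMA {s} TO {r};",
        f"GRANT {privs} ON ALL TABLES IN SCHEMA {s} TO {r};",
        f"ALTER DEFAULT PRIVILEGES IN SCHEMA {s} GRANT {privs} ON TABLES TO {r};",
    ]
```

Identifiers cannot be bound as query parameters in PostgreSQL, so the allowlist plus quoting is what stands in for parameterization when the schema or role name itself is user-supplied.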
- High-performance connection management
- Configurable pool sizes
- Automatic connection recovery
- Modular design for independent scaling
- Plugin-based extensibility
- Component reusability
```
cloudsql-postgres-manager/
├── postgres-manager/          # FastAPI application
│   ├── app/
│   │   ├── main.py            # Main application code
│   │   ├── models.py          # Pydantic models
│   │   ├── services/          # Business logic
│   │   ├── components/        # Reusable components
│   │   ├── routers/           # API endpoints
│   │   ├── plugins/           # Plugin system
│   │   └── utils/             # Utilities
│   ├── requirements.txt       # Python dependencies
│   └── Dockerfile             # Container configuration
├── md/                        # Documentation
│   ├── README.md              # This file
│   ├── API.md                 # API documentation
│   ├── SERVICES.md            # Service documentation
│   ├── ROLE_TESTING.md        # Role testing guide
│   └── ...                    # Other documentation
└── README.md                  # This file
```
- Read the architecture documentation
- Understand the service responsibilities
- Follow the component patterns
- Add comprehensive tests
- Update documentation
- Documentation: md/ directory
- API Docs: http://localhost:8080/docs
- Issues: GitHub Issues
This documentation is maintained alongside the codebase. When making changes:
- Update relevant documentation files
- Ensure examples are current
- Test all code examples
- Update version numbers
- Review for accuracy and completeness
For questions or suggestions about the documentation, please open an issue or submit a pull request.