Skip to content

fix: logging API roles#1244

Merged
davidgamez merged 6 commits intomainfrom
fix/logging_api_roles
Jun 5, 2025
Merged

fix: logging API roles#1244
davidgamez merged 6 commits intomainfrom
fix/logging_api_roles

Conversation

@davidgamez
Copy link
Copy Markdown
Member

@davidgamez davidgamez commented Jun 5, 2025

Summary:

This pull request refactors logging across the codebase to improve maintainability and introduces infrastructure changes to enhance Google Cloud resource configurations. The most significant changes include replacing the custom Logger utility with a standardized get_logger function, improving error handling and logging messages, and updating Terraform configurations for better role management and traffic egress settings.

Logging Refactor:

  • Replaced the custom Logger utility with the get_logger function across multiple files (feeds_api_impl.py, validation_report_impl.py, load_dataset_on_create.py, populate_db.py, populate_db_test_data.py). This simplifies the logging setup and ensures consistency. [1] [2] [3] [4] [5]
  • Removed the Logger class from logging_utils.py, as it is no longer in use.

Improved Error Handling and Logging:

  • Enhanced error handling in GoogleCloudLogFilter to prevent recursive logging calls and added debug-level messages in global_logging_setup for better visibility during initialization. [1] [2] [3] [4]
  • Updated error messages in request_context.py to use logging.error instead of print or logging.warning, ensuring proper log level usage. [1] [2]

Infrastructure Updates:

  • Added new service account roles in main.tf for Cloud Logging, Cloud Trace, Cloud Monitoring, and Serverless VPC Access. This ensures the service account has the necessary permissions.
  • Modified the VPC connector egress setting from PRIVATE_RANGES_ONLY to ALL_TRAFFIC in main.tf, allowing broader traffic routing.
  • Introduced IAM bindings for service account roles in main.tf to dynamically assign roles based on the environment.

Expected behavior:

Proper roles are added to the GCP environments, and the logs are sent to GCP.

Testing tips:

Provide tips, procedures and sample files on how to test the feature.
Testers are invited to follow the tips AND to try anything they deem relevant outside the bounds of the testing tips.

Please make sure these boxes are checked before submitting your pull request - thanks!

  • Run the unit tests with ./scripts/api-tests.sh to make sure you didn't break anything
  • Add or update any needed documentation to the repo
  • Format the title like "feat: [new feature short description]". Title must follow the Conventional Commit Specification(https://www.conventionalcommits.org/en/v1.0.0/).
  • Linked all relevant issues
  • Include screenshot(s) showing how this pull request works and fixes the issue(s)

google-labs-jules bot and others added 5 commits June 4, 2025 01:20
@google-labs-jules
Fix: Ensure user_id logging by enabling JWT validation and enhancing …
53aab7f 
…logs

This commit addresses an issue where your user_id was not being logged consistently across environments.

The primary cause identified was the Cloud Run service's inability to fetch Google's public JWT keys due to a restrictive VPC egress setting (`PRIVATE_RANGES_ONLY`). This prevented the fallback JWT decoding mechanism (used when IAP headers are not the primary source) from successfully validating tokens and extracting user_id.

Changes:
- Modified `infra/feed-api/main.tf` to set the Cloud Run service's `template.vpc_access.egress` to `ALL_TRAFFIC`. This allows the service to connect to external Google APIs required for fetching JWT public keys.
- Enhanced error logging in `api/src/middleware/request_context.py`:
    - Added specific error logs in `resolve_google_public_keys` for failures during fetching or processing of Google's public keys.
    - Upgraded a warning to an error in `decode_jwt` for JWT decoding exceptions and added a log for when public keys are unavailable.

These changes ensure that if JWT-based authentication is used (either as primary or fallback), it can function correctly. Further investigation may be needed to confirm if IAP headers from the load balancer are being correctly propagated to the Cloud Run service, as this is the preferred method for obtaining user identity.
@davidgamez
fix lint
73ec1ac
@davidgamez
testing logs
90ede69
@davidgamez
add missing roles
3d11978
@davidgamez
clean-up logger
853e6be
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented Jun 5, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@davidgamez davidgamez marked this pull request as ready for review June 5, 2025 19:08
Alessandro100
Alessandro100 approved these changes Jun 5, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@Alessandro100 Alessandro100 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@davidgamez davidgamez merged commit 372476e into main Jun 5, 2025
8 of 9 checks passed
@davidgamez davidgamez deleted the fix/logging_api_roles branch June 5, 2025 22:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Alessandro100 Alessandro100 Alessandro100 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@davidgamez @CLAassistant @Alessandro100