jir-ogc

[jirhiker]

Why

This PR addresses the following problem / context:

• Use bullet points here

How

Implementation summary - the following was changed / added / removed:

• Use bullet points here

Notes

Any special considerations, workarounds, or follow-up work to note?

• Use bullet points here

[Copilot]

Pull request overview

This PR updates the Cloud SQL connection configuration to prefer IAM DB authentication by default, and removes unused async-related imports.

Changes:

• Switches CLOUD_SQL_IAM_AUTH default from False to True in both runtime DB engine creation and Alembic migration engine creation.
• Removes unused imports in db/engine.py (asyncio, async_sessionmaker).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
db/engine.py	Removes unused imports and changes Cloud SQL IAM auth default to True for connector-based connections.
alembic/env.py	Changes Cloud SQL IAM auth default to True for URL building and online migration connector connections.

Comments suppressed due to low confidence (1)

alembic/env.py:66

• Defaulting CLOUD_SQL_IAM_AUTH to True changes Alembic’s Cloud SQL URL rendering behavior when the env var is omitted (it will render an IAM-style URL and the online connector path will attempt IAM token auth). Please ensure all migration runners set CLOUD_SQL_IAM_AUTH explicitly, or keep the default False to avoid unexpected failures in password-auth setups.

        password = os.environ.get("CLOUD_SQL_PASSWORD", "")
        database = os.environ.get("CLOUD_SQL_DATABASE", "")
        use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
        # Host is provided by connector, so leave blank.
        if use_iam_auth:
            return f"postgresql+pg8000://{user}@/{database}"
        return f"postgresql+pg8000://{user}:{password}@/{database}"

[Copilot]

The PR description still contains the template placeholders (no concrete Why/How/Notes). Please fill this in so reviewers can confirm the intended behavior change (especially the IAM auth default flip) and any expected deployment/config updates.

[Copilot]

Changing the default for CLOUD_SQL_IAM_AUTH from False to True is a behavior change: if an environment relies on password auth and does not explicitly set CLOUD_SQL_IAM_AUTH, it will now attempt IAM token acquisition (ADC) and may fail at startup. Consider requiring explicit opt-in (no default), or selecting the default based on whether CLOUD_SQL_PASSWORD is set / whether Google credentials are available.

Suggested change

	use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
	if "CLOUD_SQL_IAM_AUTH" in os.environ:
	# Honor explicit configuration of IAM auth.
	use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)
	else:
	# Derive a safe default: prefer password auth when a password is set.
	use_iam_auth = False if password else True

[Copilot]

Same concern here: defaulting CLOUD_SQL_IAM_AUTH to True can silently switch Cloud SQL connections to IAM auth when the env var is omitted, breaking password-auth deployments. Please make this explicit (env var required) or implement a safe default/fallback strategy.

[Copilot]

Same as above in the online migration path: switching CLOUD_SQL_IAM_AUTH default to True can break environments that previously relied on password auth without explicitly setting the flag. Consider requiring explicit configuration or a safer default/fallback.

Suggested change

	use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", True)
	use_iam_auth = get_bool_env("CLOUD_SQL_IAM_AUTH", False)