@causa/workspace-google 0.4.0 → 0.5.0

package/dist/services/cloud-run-pubsub-trigger.js

@@ -0,0 +1,177 @@
+import { EventTopicTriggerCreationError } from '@causa/workspace-core';
+import { Subscription } from '@google-cloud/pubsub';
+import { randomBytes } from 'crypto';
+import { CloudRunService } from './cloud-run.js';
+import { IamService } from './iam.js';
+import { PubSubService } from './pubsub.js';
+/**
+ * A service that manages (creates) Pub/Sub triggers pointing to Cloud Run services.
+ * This is used for backfilling operations. The reason it is a service is to persist temporary service accounts and IAM
+ * grants, such that they can be reused within the same backfilling operation.
+ */
+export class CloudRunPubSubTriggerService {
+    /**
+     * The service managing Cloud Run resources.
+     */
+    cloudRunService;
+    /**
+     * The service managing Pub/Sub resources.
+     */
+    pubSubService;
+    /**
+     * The service managing IAM permissions.
+     */
+    iamService;
+    /**
+     * A set of IAM bindings that have already been created.
+     * This is used to avoid creating the same bindings multiple times within a single backfill operation.
+     * An IAM binding allows the service account used by Pub/Sub for a single backfill operation to invoke a Cloud Run
+     * service. The format of strings in this set is the one used to reference bindings during deletion as well, i.e.
+     * `projects/<projectId>/locations/<location>/services/<name>/invokerBindings/<serviceAccountEmail>`.
+     */
+    invokerBindingIds = new Set();
+    /**
+     * A map of backfill IDs to promises resolving to the service account email used by Pub/Sub to invoke Cloud Run
+     * services for the backfill.
+     */
+    backfillInvokerServiceAccounts = {};
+    /**
+     * The logger used by this service.
+     */
+    logger;
+    /**
+     * The ID of the GCP project in which resources should be created.
+     */
+    projectId;
+    constructor(context) {
+        this.cloudRunService = context.service(CloudRunService);
+        this.pubSubService = context.service(PubSubService);
+        this.iamService = context.service(IamService);
+        this.logger = context.logger;
+        this.projectId = context
+            .asConfiguration()
+            .getOrThrow('google.project');
+    }
+    /**
+     * Creates a service account that should be used by Pub/Sub to invoke Cloud Run services for a given backfill
+     * operation.
+     *
+     * @param backfillId The ID of the backfilling operation.
+     * @returns The service account email that should be used by Pub/Sub when pushing messages to Cloud Run services,
+     *   along with the corresponding resource ID that should be deleted as part of the backfill cleaning.
+     */
+    async createBackfillInvokerServiceAccount(backfillId) {
+        const serviceAccountId = `backfill-pubsub-${backfillId}`;
+        const bindings = await this.pubSubService.getPushServiceAccountBindings();
+        this.logger.info(`🛂 Creating Pub/Sub backfilling service account '${serviceAccountId}'.`);
+        const serviceAccount = await this.iamService.createServiceAccount(this.projectId, serviceAccountId, { bindings });
+        return {
+            serviceAccountEmail: serviceAccount.email ?? '',
+            resourceId: serviceAccount.name ?? null,
+        };
+    }
+    /**
+     * Gets or creates a service account that should be used by Pub/Sub to invoke Cloud Run services for a given backfill
+     * operation.
+     *
+     * @param backfillId The ID of the backfilling operation.
+     * @returns The service account email that should be used by Pub/Sub when pushing messages to Cloud Run services.
+     *   If `resourceId` is not `null`, it should be added to the list of resources to delete as part of the backfill
+     *   cleaning.
+     */
+    async getBackfillInvokerServiceAccount(backfillId) {
+        const existingServiceAccountPromise = this.backfillInvokerServiceAccounts[backfillId];
+        if (existingServiceAccountPromise) {
+            return {
+                serviceAccountEmail: await existingServiceAccountPromise,
+                resourceId: null,
+            };
+        }
+        const creationPromise = this.createBackfillInvokerServiceAccount(backfillId);
+        this.backfillInvokerServiceAccounts[backfillId] = creationPromise.then((result) => result.serviceAccountEmail);
+        return await creationPromise;
+    }
+    /**
+     * Grants the invoker role to a service account for a given Cloud Run service.
+     * This is used to allow Pub/Sub to invoke the Cloud Run service.
+     * If a resource ID string is returned, it should be added to the list of resources to delete as part of the backfill
+     * cleaning.
+     *
+     * @param serviceId The ID of the Cloud Run service.
+     * @param pubSubServiceAccount The service account email for which the invoker role should be granted.
+     * @returns The resource ID of the IAM binding that was created, or `null` if the binding already existed.
+     */
+    async grantPubSubInvokerRole(serviceId, pubSubServiceAccount) {
+        const invokerBindingId = `${serviceId}/invokerBindings/${pubSubServiceAccount}`;
+        if (this.invokerBindingIds.has(invokerBindingId)) {
+            return null;
+        }
+        this.invokerBindingIds.add(invokerBindingId);
+        this.logger.info(`🛂 Granting invoker IAM role to backfilling service account '${pubSubServiceAccount}' for Cloud Run service '${serviceId}'.`);
+        await this.cloudRunService.addInvokerBinding(serviceId, pubSubServiceAccount);
+        return invokerBindingId;
+    }
+    /**
+     * Creates a Pub/Sub subscription that will push messages to a Cloud Run service.
+     *
+     * @param backfillId The ID of the backfilling operation.
+     * @param topicId The ID of the Pub/Sub topic to subscribe to.
+     * @param serviceId The ID of the Cloud Run service to invoke.
+     * @param path The HTTP endpoint of the Cloud Run service to invoke.
+     * @param serviceAccountEmail The service account email that should be used by Pub/Sub when pushing messages to the
+     *   Cloud Run service.
+     * @returns The ID of the Pub/Sub subscription that was created. It should be added to the list of resources to delete
+     *   as part of the backfill cleaning.
+     */
+    async createSubscription(backfillId, topicId, serviceId, path, serviceAccountEmail) {
+        const serviceUri = await this.cloudRunService.getServiceUri(serviceId);
+        const pushEndpoint = `${serviceUri}${path}`;
+        const subscriptionId = Subscription.formatName_(this.projectId, `backfill-${backfillId}-${randomBytes(3).toString('hex')}`);
+        this.logger.info(`📫 Creating Pub/Sub subscription '${subscriptionId}' for Cloud Run service '${serviceId}'.`);
+        await this.pubSubService.pubSub.createSubscription(topicId, subscriptionId, {
+            pushConfig: { pushEndpoint, oidcToken: { serviceAccountEmail } },
+            expirationPolicy: {},
+            ackDeadlineSeconds: 60 * 10,
+            retryPolicy: {
+                minimumBackoff: { seconds: 1, nanos: 0 },
+                maximumBackoff: { seconds: 60, nanos: 0 },
+            },
+        });
+        return subscriptionId;
+    }
+    /**
+     * Creates a Pub/Sub trigger (push subscription) pointing to a Cloud Run service.
+     * This requires several resources, such as:
+     * - A service account that should be used by Pub/Sub to invoke Cloud Run services for the backfill.
+     * - An IAM binding allowing the service account to invoke the Cloud Run service.
+     * - A Pub/Sub subscription that will push messages to the Cloud Run service.
+     * The IDs of these resources are returned, and should be deleted as part of the backfill cleaning.
+     *
+     * @param backfillId The ID of the backfilling operation.
+     * @param topicId The ID of the Pub/Sub topic to subscribe to.
+     * @param serviceId The ID of the Cloud Run service to invoke.
+     * @param path The HTTP endpoint of the Cloud Run service to invoke.
+     * @returns The IDs of the resources that were created. They should be added to the list of resources to delete as
+     *   part of the backfill cleaning.
+     */
+    async create(backfillId, topicId, serviceId, path) {
+        const resourceIds = [];
+        try {
+            const pubSubInvokerServiceAccount = await this.getBackfillInvokerServiceAccount(backfillId);
+            if (pubSubInvokerServiceAccount.resourceId) {
+                resourceIds.push(pubSubInvokerServiceAccount.resourceId);
+            }
+            const { serviceAccountEmail } = pubSubInvokerServiceAccount;
+            const iamResourceId = await this.grantPubSubInvokerRole(serviceId, serviceAccountEmail);
+            if (iamResourceId) {
+                resourceIds.push(iamResourceId);
+            }
+            const subscriptionId = await this.createSubscription(backfillId, topicId, serviceId, path, serviceAccountEmail);
+            resourceIds.push(subscriptionId);
+            return resourceIds;
+        }
+        catch (error) {
+            throw new EventTopicTriggerCreationError(error, resourceIds);
+        }
+    }
+}

package/dist/services/cloud-run.d.ts

@@ -0,0 +1,35 @@
+import { ServicesClient } from '@google-cloud/run';
+/**
+ * A service to manage Cloud Run services.
+ */
+export declare class CloudRunService {
+    /**
+     * The Cloud Run client.
+     */
+    readonly servicesClient: ServicesClient;
+    constructor();
+    /**
+     * Retrieves the URI at which a Cloud Run service is available and can be requested.
+     *
+     * @param serviceId The ID of the Cloud Run service.
+     *   This should be in the format `projects/<projectId>/locations/<location>/services/<name>`.
+     * @returns The URI at which the service is available.
+     */
+    getServiceUri(serviceId: string): Promise<string>;
+    /**
+     * Allows a service account to call a Cloud Run service by editing the IAM policy bindings.
+     *
+     * @param serviceId The ID of the Cloud Run service.
+     *   This should be in the format `projects/<projectId>/locations/<location>/services/<name>`.
+     * @param serviceAccountEmail The email of the service account that should be allowed to call the service.
+     */
+    addInvokerBinding(serviceId: string, serviceAccountEmail: string): Promise<void>;
+    /**
+     * Removes a service account from the list of allowed invokers of a Cloud Run service.
+     *
+     * @param serviceId The ID of the Cloud Run service.
+     *   This should be in the format `projects/<projectId>/locations/<location>/services/<name>`.
+     * @param serviceAccountEmail The email of the service account that should be removed from the allowed invokers.
+     */
+    removeInvokerBinding(serviceId: string, serviceAccountEmail: string): Promise<void>;
+}

package/dist/services/cloud-run.js

@@ -0,0 +1,72 @@
+import { ServicesClient } from '@google-cloud/run';
+/**
+ * The role used to allow a service account to call a Cloud Run service.
+ */
+const INVOKER_ROLE = 'roles/run.invoker';
+/**
+ * A service to manage Cloud Run services.
+ */
+export class CloudRunService {
+    /**
+     * The Cloud Run client.
+     */
+    servicesClient;
+    constructor() {
+        this.servicesClient = new ServicesClient();
+    }
+    /**
+     * Retrieves the URI at which a Cloud Run service is available and can be requested.
+     *
+     * @param serviceId The ID of the Cloud Run service.
+     *   This should be in the format `projects/<projectId>/locations/<location>/services/<name>`.
+     * @returns The URI at which the service is available.
+     */
+    async getServiceUri(serviceId) {
+        const [service] = await this.servicesClient.getService({ name: serviceId });
+        return service.uri ?? '';
+    }
+    /**
+     * Allows a service account to call a Cloud Run service by editing the IAM policy bindings.
+     *
+     * @param serviceId The ID of the Cloud Run service.
+     *   This should be in the format `projects/<projectId>/locations/<location>/services/<name>`.
+     * @param serviceAccountEmail The email of the service account that should be allowed to call the service.
+     */
+    async addInvokerBinding(serviceId, serviceAccountEmail) {
+        const [policy] = await this.servicesClient.getIamPolicy({
+            resource: serviceId,
+        });
+        const members = [`serviceAccount:${serviceAccountEmail}`];
+        const binding = { role: INVOKER_ROLE, members };
+        policy.bindings = [...(policy.bindings ?? []), binding];
+        await this.servicesClient.setIamPolicy({
+            resource: serviceId,
+            policy,
+        });
+    }
+    /**
+     * Removes a service account from the list of allowed invokers of a Cloud Run service.
+     *
+     * @param serviceId The ID of the Cloud Run service.
+     *   This should be in the format `projects/<projectId>/locations/<location>/services/<name>`.
+     * @param serviceAccountEmail The email of the service account that should be removed from the allowed invokers.
+     */
+    async removeInvokerBinding(serviceId, serviceAccountEmail) {
+        const [policy] = await this.servicesClient.getIamPolicy({
+            resource: serviceId,
+        });
+        policy.bindings = (policy.bindings ?? []).flatMap((binding) => {
+            if (binding.role !== INVOKER_ROLE || binding.condition) {
+                return binding;
+            }
+            // `includes` ensures that deleted service accounts (in the form of `deleted:serviceAccount:...`) are also removed
+            // from the list.
+            binding.members = binding.members?.filter((member) => !member.includes(`serviceAccount:${serviceAccountEmail}`));
+            return binding.members?.length ? binding : [];
+        });
+        await this.servicesClient.setIamPolicy({
+            resource: serviceId,
+            policy,
+        });
+    }
+}

package/dist/services/iam.d.ts

@@ -0,0 +1,43 @@
+import { WorkspaceContext } from '@causa/workspace';
+import { iam_v1 } from 'googleapis';
+/**
+ * A service for interacting with the IAM API.
+ */
+export declare class IamService {
+    /**
+     * The underlying {@link GoogleApisService} used to get the IAM client.
+     */
+    private readonly googleApisService;
+    /**
+     * A promise that resolves to the singleton IAM client.
+     */
+    private iam;
+    constructor(context: WorkspaceContext);
+    /**
+     * Gets or creates the singleton IAM client.
+     *
+     * @returns The singleton IAM client.
+     */
+    private getIam;
+    /**
+     * Creates a service account, optionally setting the IAM policy bindings for it.
+     *
+     * @param projectId The ID of the project in which to create the service account.
+     * @param accountId The ID of the service account to create.
+     * @param options Additional options when creating the account.
+     * @returns The created service account.
+     */
+    createServiceAccount(projectId: string, accountId: string, options?: {
+        /**
+         * The IAM policy bindings to set for the service account after its creation.
+         */
+        bindings?: iam_v1.Schema$Binding[];
+    }): Promise<iam_v1.Schema$ServiceAccount>;
+    /**
+     * Deletes a service account.
+     *
+     * @param name The full resource name of the service account to delete, in the format
+     *   `projects/<projectId>/serviceAccounts/<accountId>`.
+     */
+    deleteServiceAccount(name: string): Promise<void>;
+}

package/dist/services/iam.js

@@ -0,0 +1,65 @@
+import { GoogleApisService } from './google-apis.js';
+/**
+ * A service for interacting with the IAM API.
+ */
+export class IamService {
+    /**
+     * The underlying {@link GoogleApisService} used to get the IAM client.
+     */
+    googleApisService;
+    /**
+     * A promise that resolves to the singleton IAM client.
+     */
+    iam;
+    constructor(context) {
+        this.googleApisService = context.service(GoogleApisService);
+    }
+    /**
+     * Gets or creates the singleton IAM client.
+     *
+     * @returns The singleton IAM client.
+     */
+    async getIam() {
+        if (!this.iam) {
+            this.iam = this.googleApisService.getClient('iam', 'v1', {});
+        }
+        return await this.iam;
+    }
+    /**
+     * Creates a service account, optionally setting the IAM policy bindings for it.
+     *
+     * @param projectId The ID of the project in which to create the service account.
+     * @param accountId The ID of the service account to create.
+     * @param options Additional options when creating the account.
+     * @returns The created service account.
+     */
+    async createServiceAccount(projectId, accountId, options = {}) {
+        const iam = await this.getIam();
+        const { data: serviceAccount } = await iam.projects.serviceAccounts.create({
+            name: `projects/${projectId}`,
+            requestBody: { accountId },
+        });
+        if (options.bindings) {
+            const resource = serviceAccount.name ?? '';
+            const { data: policy } = await iam.projects.serviceAccounts.getIamPolicy({
+                resource,
+            });
+            policy.bindings = [...(policy.bindings ?? []), ...options.bindings];
+            await iam.projects.serviceAccounts.setIamPolicy({
+                resource,
+                requestBody: { policy },
+            });
+        }
+        return serviceAccount;
+    }
+    /**
+     * Deletes a service account.
+     *
+     * @param name The full resource name of the service account to delete, in the format
+     *   `projects/<projectId>/serviceAccounts/<accountId>`.
+     */
+    async deleteServiceAccount(name) {
+        const iam = await this.getIam();
+        await iam.projects.serviceAccounts.delete({ name });
+    }
+}

package/dist/services/index.d.ts

@@ -1,8 +1,14 @@
+export { BigQueryService } from './bigquery.js';
+export { CloudRunPubSubTriggerService } from './cloud-run-pubsub-trigger.js';
+export { CloudRunService } from './cloud-run.js';
 export * from './firebase-app.errors.js';
 export { FirebaseAppService, FirebaseAppType } from './firebase-app.js';
 export { FirebaseEmulatorService } from './firebase-emulator.js';
 export { GcloudEmulatorService } from './gcloud-emulator.js';
 export { GoogleApisService } from './google-apis.js';
+export { IamService } from './iam.js';
+export { PubSubService } from './pubsub.js';
+export { ResourceManagerService } from './resource-manager.js';
 export { GoogleSecretManagerService } from './secret-manager.js';
 export * from './storage.errors.js';
 export { CloudStorageService } from './storage.js';

package/dist/services/index.js

@@ -1,8 +1,14 @@
+export { BigQueryService } from './bigquery.js';
+export { CloudRunPubSubTriggerService } from './cloud-run-pubsub-trigger.js';
+export { CloudRunService } from './cloud-run.js';
 export * from './firebase-app.errors.js';
 export { FirebaseAppService } from './firebase-app.js';
 export { FirebaseEmulatorService } from './firebase-emulator.js';
 export { GcloudEmulatorService } from './gcloud-emulator.js';
 export { GoogleApisService } from './google-apis.js';
+export { IamService } from './iam.js';
+export { PubSubService } from './pubsub.js';
+export { ResourceManagerService } from './resource-manager.js';
 export { GoogleSecretManagerService } from './secret-manager.js';
 export * from './storage.errors.js';
 export { CloudStorageService } from './storage.js';

package/dist/services/pubsub.d.ts

@@ -0,0 +1,41 @@
+import { WorkspaceContext } from '@causa/workspace';
+import { PubSub } from '@google-cloud/pubsub';
+import { iam_v1 } from 'googleapis';
+/**
+ * A service for managing Pub/Sub resources
+ */
+export declare class PubSubService {
+    /**
+     * The Pub/Sub client.
+     */
+    readonly pubSub: PubSub;
+    /**
+     * The resource manager service used to get the project number.
+     */
+    private readonly resourceManagerService;
+    /**
+     * The ID of the GCP project in which to create Pub/Sub resources.
+     */
+    readonly projectId: string;
+    constructor(context: WorkspaceContext);
+    /**
+     * The cached promise that resolves to the GCP service account used by Pub/Sub.
+     */
+    private gcpServiceAccountPromise;
+    /**
+     * Constructs the email of the GCP-owned service account used by Pub/Sub.
+     * This can be used to grant roles to the service account, e.g. for push subscriptions.
+     *
+     * @returns The email of the GCP service account used by Pub/Sub.
+     */
+    getGcpServiceAccount(): Promise<string>;
+    /**
+     * Constructs the IAM policy bindings that should be added to a service account meant to be used by push
+     * subscriptions.
+     * Those bindings allow the GCP-owned Pub/Sub service account to authenticate as the service account when pushing
+     * messages.
+     *
+     * @returns The bindings.
+     */
+    getPushServiceAccountBindings(): Promise<iam_v1.Schema$Binding[]>;
+}

package/dist/services/pubsub.js

@@ -0,0 +1,62 @@
+import { PubSub } from '@google-cloud/pubsub';
+import { ResourceManagerService } from './resource-manager.js';
+/**
+ * A service for managing Pub/Sub resources
+ */
+export class PubSubService {
+    /**
+     * The Pub/Sub client.
+     */
+    pubSub;
+    /**
+     * The resource manager service used to get the project number.
+     */
+    resourceManagerService;
+    /**
+     * The ID of the GCP project in which to create Pub/Sub resources.
+     */
+    projectId;
+    constructor(context) {
+        this.pubSub = new PubSub();
+        this.resourceManagerService = context.service(ResourceManagerService);
+        this.projectId = context
+            .asConfiguration()
+            .getOrThrow('google.project');
+    }
+    /**
+     * The cached promise that resolves to the GCP service account used by Pub/Sub.
+     */
+    gcpServiceAccountPromise;
+    /**
+     * Constructs the email of the GCP-owned service account used by Pub/Sub.
+     * This can be used to grant roles to the service account, e.g. for push subscriptions.
+     *
+     * @returns The email of the GCP service account used by Pub/Sub.
+     */
+    async getGcpServiceAccount() {
+        if (!this.gcpServiceAccountPromise) {
+            this.gcpServiceAccountPromise = (async () => {
+                const projectNumber = await this.resourceManagerService.getProjectNumber(this.projectId);
+                return `service-${projectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com`;
+            })();
+        }
+        return await this.gcpServiceAccountPromise;
+    }
+    /**
+     * Constructs the IAM policy bindings that should be added to a service account meant to be used by push
+     * subscriptions.
+     * Those bindings allow the GCP-owned Pub/Sub service account to authenticate as the service account when pushing
+     * messages.
+     *
+     * @returns The bindings.
+     */
+    async getPushServiceAccountBindings() {
+        const pubSubGcpServiceAccount = await this.getGcpServiceAccount();
+        return [
+            {
+                role: 'roles/iam.serviceAccountTokenCreator',
+                members: [`serviceAccount:${pubSubGcpServiceAccount}`],
+            },
+        ];
+    }
+}

package/dist/services/resource-manager.d.ts

@@ -0,0 +1,18 @@
+import { ProjectsClient } from '@google-cloud/resource-manager';
+/**
+ * A service for interacting with the GCP Resource Manager API, handling organizations, folders, and projects.
+ */
+export declare class ResourceManagerService {
+    /**
+     * The client used to manage GCP projects.
+     */
+    readonly projectsClient: ProjectsClient;
+    constructor();
+    /**
+     * Retrieves the project number for a given GCP project ID.
+     *
+     * @param projectId The ID of the GCP project.
+     * @returns The number of the GCP project.
+     */
+    getProjectNumber(projectId: string): Promise<string>;
+}

package/dist/services/resource-manager.js

@@ -0,0 +1,35 @@
+import { ProjectsClient } from '@google-cloud/resource-manager';
+/**
+ * A service for interacting with the GCP Resource Manager API, handling organizations, folders, and projects.
+ */
+export class ResourceManagerService {
+    /**
+     * The client used to manage GCP projects.
+     */
+    projectsClient;
+    constructor() {
+        this.projectsClient = new ProjectsClient();
+    }
+    /**
+     * Retrieves the project number for a given GCP project ID.
+     *
+     * @param projectId The ID of the GCP project.
+     * @returns The number of the GCP project.
+     */
+    async getProjectNumber(projectId) {
+        const [projects] = await this.projectsClient.searchProjects({
+            query: `projectId:${projectId}`,
+            pageSize: 1,
+        });
+        if (projects.length < 1) {
+            throw new Error(`Could not find GCP project '${projectId}'.`);
+        }
+        const [project] = projects;
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        const [projectsConst, projectNumber] = project.name?.split('/') ?? [];
+        if (!projectNumber) {
+            throw new Error(`Failed to parse invalid project name '${project.name}'.`);
+        }
+        return projectNumber;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@causa/workspace-google",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "The Causa workspace module providing many functionalities related to GCP and its services.",
   "repository": "github:causa-io/workspace-module-google",
   "license": "ISC",
@@ -31,34 +31,38 @@
   "dependencies": {
     "@causa/cli": ">= 0.4.0 < 1.0.0",
     "@causa/workspace": ">= 0.12.0 < 1.0.0",
-    "@causa/workspace-core": ">= 0.8.0 < 1.0.0",
+    "@causa/workspace-core": ">= 0.14.1 < 1.0.0",
     "@google-cloud/apikeys": "^0.2.2",
+    "@google-cloud/bigquery": "^7.1.1",
     "@google-cloud/iam-credentials": "^2.0.4",
-    "@google-cloud/pubsub": "^3.7.3",
+    "@google-cloud/pubsub": "^4.0.0",
+    "@google-cloud/resource-manager": "^4.3.0",
+    "@google-cloud/run": "^0.6.0",
     "@google-cloud/secret-manager": "^4.2.2",
     "@google-cloud/service-usage": "^2.2.2",
-    "@google-cloud/spanner": "^6.14.0",
-    "@google-cloud/storage": "^6.12.0",
-    "@grpc/grpc-js": "^1.8.20",
+    "@google-cloud/spanner": "^6.15.0",
+    "@google-cloud/storage": "^7.0.0",
+    "@grpc/grpc-js": "~1.8.21",
     "class-validator": "^0.14.0",
     "firebase": "^10.1.0",
     "firebase-admin": "^11.10.1",
     "globby": "^13.2.2",
     "googleapis": "^123.0.0",
+    "pino": "^8.15.0",
     "uuid": "^9.0.0"
   },
   "devDependencies": {
     "@tsconfig/node18": "^18.2.0",
     "@types/jest": "^29.5.3",
-    "@types/node": "^18.17.1",
+    "@types/node": "^18.17.2",
     "@types/uuid": "^9.0.2",
-    "@typescript-eslint/eslint-plugin": "^6.2.0",
+    "@typescript-eslint/eslint-plugin": "^6.2.1",
     "copyfiles": "^2.4.1",
-    "eslint": "^8.45.0",
-    "eslint-config-prettier": "^8.8.0",
+    "eslint": "^8.46.0",
+    "eslint-config-prettier": "^8.10.0",
     "eslint-plugin-prettier": "^5.0.0",
-    "jest": "^29.6.1",
-    "jest-extended": "^4.0.0",
+    "jest": "^29.6.2",
+    "jest-extended": "^4.0.1",
     "rimraf": "^5.0.1",
     "ts-jest": "^29.1.1",
     "ts-node": "^10.9.1",