Improve

Author: iambriccardo

Cargo.lock

@@ -46,7 +46,7 @@ const-oid = { version = "0.9.6", default-features = false }
 constant_time_eq = { version = "0.4.2" }
 fail = { version = "0.5.1", default-features = false }
 futures = { version = "0.3.31", default-features = false }
-gcp-bigquery-client = { git = "https://github.com/iambriccardo/gcp-bigquery-client", default-features = false, rev = "a1cc7895afce36c0c86cd71bab94253fef04f05c" }
+gcp-bigquery-client = { git = "https://github.com/iambriccardo/gcp-bigquery-client", default-features = false, rev = "cfb449afc8eabd6743f7341f5ee13d20531e68d5" }
 iceberg = { version = "0.7.0", default-features = false }
 iceberg-catalog-rest = { version = "0.7.0", default-features = false }
 insta = { version = "1.43.1", default-features = false }
@@ -76,6 +76,7 @@ tikv-jemallocator = { version = "0.6.1", default-features = false, features = ["
 tokio = { version = "1.47.0", default-features = false }
 tokio-postgres = { git = "https://github.com/iambriccardo/rust-postgres", default-features = false, rev = "31acf55c7e5c2244e5bb3a36e7afa2a01bf52c38" }
 tokio-rustls = { version = "0.26.2", default-features = false }
+tonic = { version = "0.14.2", default-features = false }
 tracing = { version = "0.1.41", default-features = false }
 tracing-actix-web = { version = "0.7.19", default-features = false }
 tracing-appender = { version = "0.2.3", default-features = false }

Cargo.toml

@@ -68,8 +68,12 @@ pub static ETL_MIGRATION_OPTIONS: LazyLock<PgConnectionOptions> =
 
 /// Connection options for logical replication streams.
 ///
-/// Disables statement and idle timeouts to allow large COPY operations and long-running
+/// Disables statement, lock, and idle timeouts to allow large COPY operations and long-running
 /// transactions during initial table synchronization and WAL streaming.
+///
+/// Lock timeout is disabled because `CREATE_REPLICATION_SLOT` must wait for all in-progress
+/// write transactions to reach a consistent snapshot point. On heavily-loaded databases this
+/// can take minutes, and a timeout would only cause retries that will also fail.
 pub static ETL_REPLICATION_OPTIONS: LazyLock<PgConnectionOptions> =
     LazyLock::new(|| PgConnectionOptions {
         datestyle: COMMON_DATESTYLE.to_string(),
@@ -78,7 +82,7 @@ pub static ETL_REPLICATION_OPTIONS: LazyLock<PgConnectionOptions> =
         client_encoding: COMMON_CLIENT_ENCODING.to_string(),
         timezone: COMMON_TIMEZONE.to_string(),
         statement_timeout: 0,
-        lock_timeout: 30_000,
+        lock_timeout: 0,
         idle_in_transaction_session_timeout: 0,
         application_name: APP_NAME_REPLICATOR_STREAMING.to_string(),
     });
@@ -398,7 +402,7 @@ mod tests {
 
         assert_eq!(
             options_string,
-            "-c datestyle=ISO -c intervalstyle=postgres -c extra_float_digits=3 -c client_encoding=UTF8 -c timezone=UTC -c statement_timeout=0 -c lock_timeout=30000 -c idle_in_transaction_session_timeout=0 -c application_name=supabase_etl_replicator_streaming"
+            "-c datestyle=ISO -c intervalstyle=postgres -c extra_float_digits=3 -c client_encoding=UTF8 -c timezone=UTC -c statement_timeout=0 -c lock_timeout=0 -c idle_in_transaction_session_timeout=0 -c application_name=supabase_etl_replicator_streaming"
         );
     }
 

etl-config/src/shared/connection.rs

@@ -55,7 +55,7 @@ pub enum DestinationConfig {
 
 impl DestinationConfig {
     /// Default maximum number of concurrent streams for BigQuery destinations.
-    pub const DEFAULT_MAX_CONCURRENT_STREAMS: usize = 8;
+    pub const DEFAULT_MAX_CONCURRENT_STREAMS: usize = 2;
 }
 
 /// Configuration for the iceberg destination with two variants

etl-config/src/shared/destination.rs

@@ -11,6 +11,8 @@ homepage.workspace = true
 bigquery = [
     "dep:gcp-bigquery-client",
     "dep:prost",
+    "dep:rand",
+    "dep:tonic",
     "dep:tracing",
     "dep:tokio",
     "dep:base64",
@@ -48,10 +50,12 @@ iceberg = { workspace = true, optional = true }
 iceberg-catalog-rest = { workspace = true, optional = true }
 parquet = { workspace = true, optional = true, features = ["async", "arrow"] }
 prost = { workspace = true, optional = true }
+rand = { workspace = true, optional = true, features = ["thread_rng"] }
 reqwest = { workspace = true, optional = true, features = ["json"] }
 serde = { workspace = true, optional = true, features = ["derive"] }
 serde_json = { workspace = true, optional = true }
 tokio = { workspace = true, optional = true, features = ["sync"] }
+tonic = { workspace = true, optional = true }
 tracing = { workspace = true, optional = true, default-features = true }
 uuid = { workspace = true, optional = true, features = ["v4"] }
 

etl-destinations/Cargo.toml

@@ -13,6 +13,7 @@ use gcp_bigquery_client::{
 use prost::Message;
 use std::fmt;
 use std::sync::Arc;
+use tonic::Code;
 use tracing::{debug, info};
 
 use crate::bigquery::encoding::BigQueryTableRow;
@@ -410,20 +411,17 @@ impl BigQueryClient {
         }
     }
 
-    /// Streams table batches to BigQuery using the concurrent Storage Write API.
+    /// Appends table batches to BigQuery using the concurrent Storage Write API.
     ///
-    /// Accepts pre-constructed TableBatch objects and processes them concurrently with
-    /// controlled parallelism. This allows streaming to multiple different tables efficiently
-    /// in a single call.
+    /// Accepts pre-constructed TableBatch objects wrapped in Arc and processes them concurrently
+    /// with controlled parallelism. This allows streaming to multiple different tables efficiently
+    /// in a single call. The Arc wrapping enables efficient retry operations without cloning data.
     ///
     /// If ordering is not required, you may split a table's data into multiple batches,
     /// which can be processed concurrently.
     /// If ordering guarantees are needed, all data for a given table must be included
     /// in a single batch.
-    ///
-    /// TODO: we might want to improve the detection of retriable errors by having a special error
-    ///  type that we return for this.
-    pub async fn stream_table_batches_concurrent<I>(
+    pub async fn append_table_batches<I>(
         &self,
         table_batches: I,
         max_concurrent_streams: usize,
@@ -538,6 +536,15 @@ impl BigQueryClient {
         Ok(ResultSet::new_from_query_response(query_response))
     }
 
+    /// Releases all connections currently held in the connection pool.
+    ///
+    /// Removes all idle connections, forcing new requests to create fresh connections.
+    /// This is useful after DDL operations (e.g., ALTER TABLE) when BigQuery's Storage
+    /// Write API may have stale schema information cached in existing connections.
+    pub fn release_all_connections(&self) {
+        self.client.storage().release_all_connections();
+    }
+
     /// Sanitizes a BigQuery identifier for safe backtick quoting.
     ///
     /// Rejects empty identifiers and identifiers containing control characters. Internal backticks
@@ -873,19 +880,123 @@ fn bq_error_to_etl_error(err: BQError) -> EtlError {
             (ErrorKind::InvalidData, "BigQuery invalid metadata value")
         }
         BQError::TonicStatusError(status) => {
-            // Since we do not have access to the `Code` type from `tonic`, we just match on the description
-            // statically.
-            if status.code().description()
-                == "The caller does not have permission to execute the specified operation"
-            {
-                (ErrorKind::PermissionDenied, "BigQuery permission denied")
-            } else if is_retryable_streaming_message(status.message()) {
-                (
+            // First check for schema mismatch patterns in the message, as these can occur
+            // with various gRPC codes after DDL operations.
+            if is_retryable_streaming_message(status.message()) {
+                return etl_error!(
                     ErrorKind::DestinationSchemaMismatch,
                     "BigQuery schema mismatch",
-                )
-            } else {
-                (ErrorKind::DestinationError, "BigQuery gRPC status error")
+                    err.to_string()
+                );
+            }
+
+            match status.code() {
+                // Code::Unavailable (14) - "The service is currently unavailable."
+                // This is the primary retryable code per Google AIP-194. It indicates transient
+                // conditions like network hiccups or intentional throttling. BigQuery returns this
+                // with messages like "Task is overloaded (cpu-protection)" or "(memory-protection)"
+                // when the service is temporarily overwhelmed. Safe to retry with exponential backoff.
+                Code::Unavailable => (ErrorKind::DestinationThrottled, "BigQuery unavailable"),
+
+                // Code::ResourceExhausted (8) - "Some resource has been exhausted."
+                // Per Google AIP-194: "This code may be a signal that quota is exhausted. Retries
+                // therefore may not be expected to work for several hours; meanwhile the retries
+                // may have billing implications." We do NOT retry this to avoid wasting resources
+                // on quota exhaustion that won't recover quickly.
+                Code::ResourceExhausted => {
+                    (ErrorKind::DestinationError, "BigQuery resource exhausted")
+                }
+
+                // Code::PermissionDenied (7) - "The caller does not have permission."
+                // Authorization failure. The request will never succeed without configuration
+                // changes (e.g., granting IAM permissions). Never retry.
+                Code::PermissionDenied => {
+                    (ErrorKind::DestinationError, "BigQuery permission denied")
+                }
+
+                // Code::Unauthenticated (16) - "Missing or invalid authentication credentials."
+                // Authentication failure. Requires credential refresh or configuration fix.
+                // Never retry automatically.
+                Code::Unauthenticated => (
+                    ErrorKind::DestinationError,
+                    "BigQuery authentication failed",
+                ),
+
+                // Code::InvalidArgument (3) - "Client specified an invalid argument."
+                // Malformed request or invalid data. This is a client bug that won't be fixed
+                // by retrying. Never retry.
+                Code::InvalidArgument => (ErrorKind::DestinationError, "BigQuery invalid argument"),
+
+                // Code::NotFound (5) - "Some requested entity was not found."
+                // The resource (table, dataset, stream) doesn't exist. Requires creating the
+                // resource first. Never retry.
+                Code::NotFound => (
+                    ErrorKind::DestinationTableMissing,
+                    "BigQuery entity not found",
+                ),
+
+                // Code::AlreadyExists (6) - "The entity already exists."
+                // Conflict during creation. For streaming with offsets, this may indicate the
+                // row was already written (safe to ignore). Never retry.
+                Code::AlreadyExists => (
+                    ErrorKind::DestinationTableAlreadyExists,
+                    "BigQuery entity already exists",
+                ),
+
+                // Code::FailedPrecondition (9) - "System is not in required state."
+                // The operation can't proceed due to system state (e.g., non-empty table for
+                // certain operations). Requires explicit state change before retrying.
+                // Per gRPC spec: "Use FAILED_PRECONDITION if the client should not retry until
+                // the system state has been explicitly fixed." Never retry automatically.
+                Code::FailedPrecondition => {
+                    (ErrorKind::DestinationError, "BigQuery precondition failed")
+                }
+
+                // Code::OutOfRange (11) - "Operation attempted past the valid range."
+                // For streaming, this typically means the specified offset is beyond the current
+                // end of the stream, indicating a previous write failed. Requires application-level
+                // recovery (retry from last successful write). Never retry at this level.
+                Code::OutOfRange => (ErrorKind::DestinationError, "BigQuery offset out of range"),
+
+                // Code::Aborted (10) - "The operation was aborted."
+                // Typically due to concurrency issues (sequencer check failure, transaction abort).
+                // Per gRPC spec: "Use ABORTED if the client should retry at a higher level."
+                // This means retry the entire transaction, not just this request. We don't retry
+                // here; the caller should handle transaction-level retry if needed.
+                Code::Aborted => (ErrorKind::DestinationError, "BigQuery operation aborted"),
+
+                // Code::Internal (13) - "Internal server error."
+                // Per Google AIP-194: "This error must be surfaced to the application immediately;
+                // it usually means a bug should be filed against the system." While BigQuery docs
+                // suggest these can be retried, AIP-194 recommends surfacing them. The underlying
+                // client library may already retry these internally before surfacing to us.
+                Code::Internal => (ErrorKind::DestinationError, "BigQuery internal error"),
+
+                // Code::DeadlineExceeded (4) - "Deadline expired before operation could complete."
+                // Per Google AIP-194: "An application can set a deadline, which must be honored."
+                // Retrying could violate the application's timeout expectations. The caller should
+                // decide whether to retry with a new deadline.
+                Code::DeadlineExceeded => {
+                    (ErrorKind::DestinationError, "BigQuery deadline exceeded")
+                }
+
+                // Code::Cancelled (1) - "The operation was cancelled."
+                // Typically client-initiated cancellation. Never retry.
+                Code::Cancelled => (ErrorKind::DestinationError, "BigQuery operation cancelled"),
+
+                // Code::Unimplemented (12) - "Operation not implemented or supported."
+                // The requested operation is not available. Never retry.
+                Code::Unimplemented => (
+                    ErrorKind::DestinationError,
+                    "BigQuery operation not supported",
+                ),
+
+                // Code::DataLoss (15) - "Unrecoverable data loss or corruption."
+                // Severe error indicating data corruption. Never retry.
+                Code::DataLoss => (ErrorKind::DestinationError, "BigQuery data loss"),
+
+                // Catch-all for unexpected codes.
+                _ => (ErrorKind::DestinationError, "BigQuery gRPC error"),
             }
         }