In [None]:
# Optional: install DuckDB if missing
# !pip install -q duckdb

import duckdb
print(f"DuckDB version: {duckdb.__version__}")

## ðŸ“¦ InstalaÃ§Ã£o de DependÃªncias

# Capitulo 08 Secrets Extensions

Notebook gerado automaticamente a partir do cÃ³digo fonte python.


## Visao geral

Extensions podem usar secrets para autenticar em cloud storage, bancos e HTTP. Este notebook divide cada provider em blocos pequenos e evita chamadas externas para manter a execucao leve.

In [None]:
import duckdb
import pandas as pd


def fresh_con():
    con = duckdb.connect(database=":memory:")
    # Keep installs explicit to avoid surprise downloads
    con.execute("SET autoinstall_known_extensions = false")
    con.execute("SET autoload_known_extensions = false")
    return con


def try_load_extension(con: duckdb.DuckDBPyConnection, name: str) -> bool:
    """Install and load an extension if available; return True on success."""
    try:
        con.install_extension(name)
        con.load_extension(name)
        return True
    except Exception as exc:
        print(f"Warning: could not install/load {name}: {exc}")
        return False


def extension_status(names):
    con = fresh_con()
    try:
        df = con.execute(
            """
            SELECT extension_name, installed, loaded
            FROM duckdb_extensions()
            WHERE extension_name IN ($names)
            ORDER BY extension_name
            """,
            {"names": names},
        ).df()
        return df
    except Exception as exc:
        print(f"Note: duckdb_extensions() not available in this build ({exc})")
        return None
    finally:
        con.close()


def print_queries(title: str, queries: list[str]):
    print(f"\n{title}\n{'-' * len(title)}")
    for idx, query in enumerate(queries, 1):
        print(f"\n{idx}.\n{query}")

## Status de extensions

Consulta rapida para ver quais extensions principais estao instaladas e carregadas.

In [None]:
core_extensions = ["httpfs", "azure", "mysql_scanner", "postgres_scanner", "iceberg"]
status = extension_status(core_extensions)
if status is not None:
    status

## Setup rapido de extension + secret

Funcao util para instalar/carregar uma extension e registrar um secret basico. Usa apenas placeholders para manter o exemplo offline.

In [None]:
def setup_extension_with_secret(extension_name: str, secret_sql: str):
    con = fresh_con()
    print(f"\nSetup for {extension_name}")
    if not try_load_extension(con, extension_name):
        con.close()
        return
    con.execute(secret_sql)
    secrets_df = con.execute("SELECT name, type, scope FROM duckdb_secrets() ORDER BY name").df()
    display(secrets_df)
    con.close()


s3_config = """
CREATE OR REPLACE SECRET demo_s3 (
    TYPE s3,
    KEY_ID 'key_id',
    SECRET 'secret',
    SCOPE 's3://demo-bucket/'
)
"""

setup_extension_with_secret("httpfs", s3_config)
print("Ordem recomendada: INSTALL -> LOAD -> CREATE SECRET -> consultar dados")

## httpfs com S3

Cria dois secrets com scopes diferentes e mostra qual secret seria escolhido para uma URL de exemplo usando `which_secret`.

In [None]:
con = fresh_con()
if try_load_extension(con, "httpfs"):
    con.execute(
        """
        CREATE OR REPLACE SECRET s3_main (
            TYPE s3,
            KEY_ID 'key_main',
            SECRET 'secret_main',
            REGION 'us-east-1',
            SCOPE 's3://main-bucket/'
        )
        """
    )
    con.execute(
        """
        CREATE OR REPLACE SECRET s3_analytics (
            TYPE s3,
            KEY_ID 'key_analytics',
            SECRET 'secret_analytics',
            REGION 'us-west-2',
            SCOPE 's3://analytics-bucket/'
        )
        """
    )

    url = "s3://analytics-bucket/data/2024/report.parquet"
    try:
        chosen = con.execute("SELECT * FROM which_secret(?, 's3')", [url]).df()
        secrets_df = con.execute(
            "SELECT name, type, scope FROM duckdb_secrets() WHERE type = 's3' ORDER BY name"
        ).df()
        display(secrets_df)
        print(f"which_secret for {url}")
        display(chosen)
    except Exception as exc:
        print(f"which_secret unavailable: {exc}")

    s3_queries = [
        """
        -- Leitura de Parquet
        SELECT *
        FROM 's3://main-bucket/data/sales/2024/01/data.parquet'
        WHERE amount > 1000
        LIMIT 10
        """,
        """
        -- Escrita de Parquet
        COPY (
            SELECT date_trunc('month', order_date) AS month, SUM(amount) AS total
            FROM orders
            GROUP BY 1
        ) TO 's3://analytics-bucket/reports/monthly_summary.parquet'
        (FORMAT PARQUET, COMPRESSION 'snappy')
        """,
        """
        -- Leitura com glob
        SELECT *
        FROM read_parquet('s3://main-bucket/data/sales/2024/*/*.parquet')
        """,
    ]
    print_queries("Padroes de query S3", s3_queries)
else:
    print("httpfs nao disponivel nesta instalacao")
con.close()

## httpfs com GCS

Duas formas comuns: service account e credential chain (Application Default Credentials).

In [None]:
con = fresh_con()
if try_load_extension(con, "httpfs"):
    con.execute(
        """
        CREATE OR REPLACE SECRET gcs_service_account (
            TYPE gcs,
            KEY_ID 'service-account@project.iam.gserviceaccount.com',
            SECRET '/path/to/service-account-key.json',
            SCOPE 'gs://my-gcs-bucket/'
        )
        """
    )
    con.execute(
        """
        CREATE OR REPLACE SECRET gcs_adc (
            TYPE gcs,
            PROVIDER credential_chain,
            SCOPE 'gs://another-bucket/'
        )
        """
    )
    gcs_df = con.execute(
        "SELECT name, type, scope FROM duckdb_secrets() WHERE type = 'gcs' ORDER BY name"
    ).df()
    display(gcs_df)
    gcs_queries = [
        """
        SELECT * FROM 'gs://my-gcs-bucket/data.parquet'
        """,
        """
        COPY (SELECT * FROM my_table) TO 'gs://my-gcs-bucket/export/data.parquet'
        """,
        """
        SELECT * FROM read_parquet('gs://my-gcs-bucket/year=2024/month=*/*.parquet')
        """,
    ]
    print_queries("Padroes de query GCS", gcs_queries)
else:
    print("httpfs nao disponivel nesta instalacao")
con.close()

## httpfs para HTTP APIs

Exemplos de bearer token, basic auth e headers customizados.

In [None]:
con = fresh_con()
if try_load_extension(con, "httpfs"):
    con.execute(
        """
        CREATE OR REPLACE SECRET api_bearer (
            TYPE http,
            BEARER_TOKEN 'token_value',
            SCOPE 'https://api.example.com/'
        )
        """
    )
    con.execute(
        """
        CREATE OR REPLACE SECRET api_basic (
            TYPE http,
            USERNAME 'api_user',
            PASSWORD 'api_password',
            SCOPE 'https://internal-api.company.com/'
        )
        """
    )
    con.execute(
        """
        CREATE OR REPLACE SECRET api_custom (
            TYPE http,
            HEADERS MAP {
                'Authorization': 'Bearer token123',
                'X-API-Key': 'my_api_key',
                'User-Agent': 'DuckDB/1.0'
            },
            SCOPE 'https://custom-api.example.com/'
        )
        """
    )
    http_df = con.execute(
        "SELECT name, type, scope FROM duckdb_secrets() WHERE type = 'http' ORDER BY name"
    ).df()
    display(http_df)
    http_queries = [
        """
        SELECT * FROM read_json('https://api.example.com/data/users.json')
        """,
        """
        SELECT * FROM read_csv('https://internal-api.company.com/reports/daily.csv')
        """,
        """
        SELECT * FROM 'https://custom-api.example.com/datasets/large.parquet'
        """,
    ]
    print_queries("Padroes de query HTTP", http_queries)
else:
    print("httpfs nao disponivel nesta instalacao")
con.close()

## httpfs com Cloudflare R2

R2 segue o mesmo padrao do S3 com `ACCOUNT_ID` adicional.

In [None]:
con = fresh_con()
if try_load_extension(con, "httpfs"):
    con.execute(
        """
        CREATE OR REPLACE SECRET r2_storage (
            TYPE r2,
            KEY_ID 'r2_access_key_id',
            SECRET 'r2_secret_access_key',
            ACCOUNT_ID 'cloudflare_account_id',
            SCOPE 'r2://my-r2-bucket/'
        )
        """
    )
    r2_df = con.execute(
        "SELECT name, type, scope FROM duckdb_secrets() WHERE type = 'r2' ORDER BY name"
    ).df()
    display(r2_df)
    r2_queries = [
        """
        SELECT * FROM 'r2://my-r2-bucket/data/events.parquet' WHERE event_date >= '2024-01-01'
        """,
        """
        COPY (SELECT * FROM processed_data) TO 'r2://my-r2-bucket/exports/processed.parquet'
        (FORMAT PARQUET, COMPRESSION 'zstd')
        """,
        """
        SELECT * FROM read_parquet('r2://my-r2-bucket/events/year=*/month=*/*.parquet')
        """,
    ]
    print_queries("Padroes de query R2", r2_queries)
else:
    print("httpfs nao disponivel nesta instalacao")
con.close()

## azure extension

Exemplos com connection string, managed identity e service principal. Uso ficticio para manter o bloco offline.

In [None]:
con = fresh_con()
if try_load_extension(con, "azure"):
    con.execute(
        """
        CREATE OR REPLACE SECRET azure_conn (
            TYPE azure,
            CONNECTION_STRING 'DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=key;EndpointSuffix=core.windows.net',
            SCOPE 'azure://production-container/'
        )
        """
    )
    con.execute(
        """
        CREATE OR REPLACE SECRET azure_mi (
            TYPE azure,
            PROVIDER managed_identity,
            ACCOUNT_NAME 'myaccount',
            SCOPE 'azure://analytics-container/'
        )
        """
    )
    con.execute(
        """
        CREATE OR REPLACE SECRET azure_sp (
            TYPE azure,
            PROVIDER service_principal,
            TENANT_ID '00000000-0000-0000-0000-000000000000',
            CLIENT_ID '11111111-1111-1111-1111-111111111111',
            CLIENT_SECRET 'client_secret',
            ACCOUNT_NAME 'myaccount',
            SCOPE 'azure://backup-container/'
        )
        """
    )
    azure_df = con.execute(
        "SELECT name, type, scope FROM duckdb_secrets() WHERE type = 'azure' ORDER BY name"
    ).df()
    display(azure_df)
    azure_queries = [
        """
        SELECT * FROM 'azure://production-container/data/sales.parquet'
        """,
        """
        COPY (SELECT * FROM analytics) TO 'azure://analytics-container/reports/summary.parquet'
        """,
        """
        SELECT * FROM 'azure://adls-container/bronze/events/2024/01/*.parquet'
        """,
    ]
    print_queries("Padroes de query Azure", azure_queries)
else:
    print("azure extension nao disponivel nesta instalacao")
con.close()

## Azure Data Lake Gen2

Exemplo com service principal e scopes para uma arquitetura tipo medallion.

In [None]:
con = fresh_con()
if try_load_extension(con, "azure"):
    con.execute(
        """
        CREATE OR REPLACE SECRET adls_gen2 (
            TYPE azure,
            PROVIDER service_principal,
            TENANT_ID 'tenant-id',
            CLIENT_ID 'client-id',
            CLIENT_SECRET 'client-secret',
            ACCOUNT_NAME 'adlsgen2account',
            SCOPE 'azure://datalake/'
        )
        """
    )
    adls_df = con.execute(
        "SELECT name, type, scope FROM duckdb_secrets() WHERE name = 'adls_gen2'"
    ).df()
    display(adls_df)
    medallion_queries = [
        """
        -- Bronze layer
        SELECT * FROM 'azure://datalake/bronze/source_system/YYYY/MM/DD/*.parquet'
        """,
        """
        -- Silver layer
        CREATE TABLE silver.customers AS
        SELECT customer_id, clean_name(name) AS name, validated_email(email) AS email
        FROM 'azure://datalake/silver/customers/*.parquet'
        """,
        """
        -- Gold layer
        CREATE TABLE gold.customer_metrics AS
        SELECT date_trunc('month', order_date) AS month, customer_id,
               COUNT(*) AS order_count, SUM(amount) AS total_spent
        FROM 'azure://datalake/gold/orders/*.parquet'
        GROUP BY 1, 2
        """,
    ]
    print_queries("Padroes ADLS Gen2", medallion_queries)
else:
    print("azure extension nao disponivel nesta instalacao")
con.close()

## mysql_scanner

Configure secrets e ATTACH para MySQL. Mantemos apenas scripts para evitar conexoes reais.

```sql
-- Secret para MySQL
CREATE SECRET mysql_prod (
    TYPE mysql,
    HOST 'mysql.example.com',
    PORT 3306,
    DATABASE 'production',
    USER 'readonly_user',
    PASSWORD 'secure_password',
    SSL_MODE 'REQUIRED'
);

-- ATTACH
ATTACH 'mysql:production' AS mysql_prod (
    TYPE mysql,
    SECRET mysql_prod
);
```

Consultas tipicas:
```sql
SELECT * FROM mysql_prod.orders WHERE order_date >= '2024-01-01' LIMIT 100;
SELECT m.customer_id, m.customer_name, l.score
FROM mysql_prod.customers m
JOIN local_customer_scores l ON m.customer_id = l.customer_id;
```


### Padroes ETL com MySQL

```sql
-- Setup
INSTALL mysql_scanner;
LOAD mysql_scanner;
CREATE SECRET mysql_source (
    TYPE mysql,
    HOST 'mysql.example.com',
    DATABASE 'source_db',
    USER 'etl_user',
    PASSWORD 'etl_password'
);
ATTACH 'mysql:source_db' AS mysql_src (TYPE mysql, SECRET mysql_source);

-- Incremental load
COPY (
    SELECT *
    FROM mysql_src.transactions
    WHERE updated_at >= (
        SELECT COALESCE(MAX(updated_at), '1970-01-01'::TIMESTAMP)
        FROM 'data/transactions/*.parquet'
    )
) TO 'data/transactions/incremental.parquet' (FORMAT PARQUET, PARTITION_BY (year, month));
```

```sql
-- Unificar multiplos MySQL
ATTACH 'mysql:db1' AS mysql_db1 (TYPE mysql, SECRET mysql_secret1);
ATTACH 'mysql:db2' AS mysql_db2 (TYPE mysql, SECRET mysql_secret2);
ATTACH 'mysql:db3' AS mysql_db3 (TYPE mysql, SECRET mysql_secret3);

CREATE VIEW unified_customers AS
SELECT 'db1' AS source, * FROM mysql_db1.customers
UNION ALL
SELECT 'db2' AS source, * FROM mysql_db2.customers
UNION ALL
SELECT 'db3' AS source, * FROM mysql_db3.customers;
```


## postgres_scanner

Scripts de secret e ATTACH para PostgreSQL (mantidos como texto para evitar conexao real).

```sql
CREATE SECRET postgres_prod (
    TYPE postgres,
    HOST 'postgres.example.com',
    PORT 5432,
    DATABASE 'production',
    USER 'readonly_user',
    PASSWORD 'secure_password',
    SSLMODE 'verify-full',
    SSLROOTCERT '/path/to/root.crt'
);

CREATE SECRET postgres_analytics (
    TYPE postgres,
    CONNECTION_STRING 'postgresql://analyst:pass@analytics.example.com:5432/analytics?sslmode=require'
);

ATTACH 'postgres:production' AS pg_prod (TYPE postgres, SECRET postgres_prod);
ATTACH 'postgres:analytics' AS pg_analytics (TYPE postgres, SECRET postgres_analytics);
```

Consultas tipicas:
```sql
SELECT * FROM pg_prod.orders WHERE order_date >= CURRENT_DATE - INTERVAL '7 days';
SELECT p.product_id, p.name, s.stock_level
FROM pg_prod.products p
JOIN local_stock_data s ON p.product_id = s.product_id;
```


### Padroes com PostgreSQL

```sql
-- Incremental sync
CREATE TABLE IF NOT EXISTS sync_metadata (
    table_name VARCHAR,
    last_sync_timestamp TIMESTAMP
);

CREATE TABLE updated_records AS
SELECT *
FROM pg_prod.events
WHERE updated_at > (
    SELECT COALESCE(MAX(last_sync_timestamp), '1970-01-01'::TIMESTAMP)
    FROM sync_metadata
    WHERE table_name = 'events'
);

INSERT INTO sync_metadata VALUES ('events', CURRENT_TIMESTAMP);
```

```sql
-- Customer 360
CREATE VIEW customer_360 AS
SELECT
    c.customer_id,
    c.name,
    c.email,
    c.segment,
    o.order_count,
    o.total_spent,
    o.last_order_date,
    s.support_tickets,
    s.satisfaction_score
FROM pg_prod.customers c
LEFT JOIN (
    SELECT customer_id, COUNT(*) AS order_count, SUM(amount) AS total_spent,
           MAX(order_date) AS last_order_date
    FROM pg_prod.orders
    GROUP BY customer_id
) o ON c.customer_id = o.customer_id
LEFT JOIN (
    SELECT customer_id, COUNT(*) AS support_tickets, AVG(satisfaction) AS satisfaction_score
    FROM pg_prod.support_interactions
    GROUP BY customer_id
) s ON c.customer_id = s.customer_id;
```

```sql
-- Cross database ETL
ATTACH 'mysql:orders_db' AS mysql_orders (TYPE mysql, SECRET mysql_secret);
ATTACH 'postgres:customers_db' AS pg_customers (TYPE postgres, SECRET pg_secret);

COPY (
    SELECT o.order_id, o.order_date, o.amount,
           c.customer_name, c.customer_segment, c.customer_region
    FROM mysql_orders.orders o
    JOIN pg_customers.customers c ON o.customer_id = c.customer_id
    WHERE o.order_date >= '2024-01-01'
) TO 'analytics/enriched_orders.parquet' (FORMAT PARQUET, COMPRESSION 'zstd');
```


## Auto-loading de extensions

Habilita para reduzir boilerplate em ambientes de desenvolvimento.

```sql
SET autoinstall_known_extensions = true;
SET autoload_known_extensions = true;

CREATE SECRET my_s3 (
    TYPE s3,
    KEY_ID 'key',
    SECRET 'secret'
);

-- httpfs sera instalado/carregado automaticamente ao acessar s3://
SELECT * FROM 's3://bucket/file.parquet';
```

Em producao prefira INSTALL/LOAD explicito para ter controle.

## Exercicios sugeridos

1) Instalar e carregar httpfs e azure, criar secrets para S3, GCS e Azure, testar leitura se voce tiver credenciais.
2) Instalar mysql_scanner e postgres_scanner, criar secrets e escrever uma consulta que una dados de ambos e exporte para Parquet.
3) Criar uma funcao `setup_complete` que valide extension, secret e uma consulta simples com tratamento de erro.
4) ETL: ler de PostgreSQL com secret, transformar no DuckDB e gravar em S3 com secret, adicionando carga incremental.