DEV Community: Hasan Naqvi The latest articles on DEV Community by Hasan Naqvi (@hasanhaider). https://dev.to/hasanhaider https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F528017%2Fd3e76210-27a8-457b-afed-438aa860523c.png DEV Community: Hasan Naqvi https://dev.to/hasanhaider en Airflow Version Upgrade for Enterprises: A Practical Blueprint for AWS, Snowflake, dbt, and Fintech Data Platforms Hasan Naqvi Sun, 10 May 2026 09:22:55 +0000 https://dev.to/hasanhaider/airflow-version-upgrade-for-enterprises-a-practical-blueprint-for-aws-snowflake-dbt-and-fintech-10d3 https://dev.to/hasanhaider/airflow-version-upgrade-for-enterprises-a-practical-blueprint-for-aws-snowflake-dbt-and-fintech-10d3 <h1> Airflow Version Upgrade for Enterprises: A Practical Blueprint for AWS, Snowflake, dbt, and Fintech Data Platforms </h1> <p><strong>SEO title:</strong> Airflow Version Upgrade for Enterprises: Secure, Tested, Production-Ready<br> <strong>Meta description:</strong> Airflow version upgrade for enterprises requires dependency control, metadata database migration, DAG validation, and safe rollout across AWS, Snowflake, dbt, and fintech platforms.</p> <p>Enterprise Airflow upgrades are rarely just a <code>pip install --upgrade</code> exercise. In regulated fintech environments, an <strong>Airflow version upgrade</strong> touches orchestration reliability, auditability, IAM boundaries, data lineage, SLAs, dbt jobs, Snowflake cost controls, and incident response. Apache Airflow’s own documentation notes that newer versions can include metadata database migrations and that <code>airflow db migrate</code> must be run during upgrades; Airflow 3 is also a major release with breaking changes, so enterprises need a controlled engineering process rather than an ad hoc deployment. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/upgrading.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>)</p> <h2> 1. Build an Enterprise Upgrade Strategy Before Touching Production </h2> <p>A good enterprise upgrade starts with an inventory: Airflow core version, Python version, providers, custom plugins, DAG import behavior, executor type, metadata database engine, secrets backend, and deployment model.</p> <p>For a fintech platform running Airflow on AWS, the upgrade scope usually includes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Area</th> <th>Upgrade Risk</th> <th>Enterprise Control</th> </tr> </thead> <tbody> <tr> <td>Airflow metadata DB</td> <td>High</td> <td>Snapshot, migration dry run, rollback plan</td> </tr> <tr> <td>Providers</td> <td>High</td> <td>Pin versions and test hooks/operators</td> </tr> <tr> <td>DAG code</td> <td>High</td> <td>Static validation and import tests</td> </tr> <tr> <td>Snowflake connections</td> <td>Medium</td> <td>Validate auth, warehouses, roles</td> </tr> <tr> <td>dbt orchestration</td> <td>Medium</td> <td>Test commands, profiles, artifacts</td> </tr> <tr> <td>IAM/secrets</td> <td>High</td> <td>Validate AWS Secrets Manager, KMS, IRSA</td> </tr> <tr> <td>Observability</td> <td>Medium</td> <td>Update alerts, metrics, dashboards</td> </tr> </tbody> </table></div> <p>Apache Airflow recommends using constraints when installing from PyPI because constraints files are fixed for a released Airflow version to help produce consistent installs. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>) On Amazon MWAA, AWS notes that environments keep using the specified Airflow image version until upgraded, and for Airflow v2.7.2 and later MWAA requires a constraints statement in <code>requirements.txt</code> or applies one for compatibility. (<a href="https://docs.aws.amazon.com/mwaa/latest/userguide/airflow-versions.html?utm_source=chatgpt.com" rel="noopener noreferrer">AWS Documentation</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Example: inspect the current enterprise Airflow runtime</span> airflow version python <span class="nt">--version</span> airflow providers list <span class="c"># Export installed dependencies for comparison</span> pip freeze | <span class="nb">sort</span> <span class="o">&gt;</span> airflow-current-freeze.txt <span class="c"># Capture DAG inventory</span> airflow dags list <span class="nt">--output</span> json <span class="o">&gt;</span> airflow-current-dags.json <span class="c"># Capture current configuration, excluding secrets before sharing</span> airflow config list <span class="o">&gt;</span> airflow-current-config.txt </code></pre> </div> <p><strong>Enterprise recommendation:</strong> treat the Airflow upgrade as a platform migration with a formal change record, not a library bump.</p> <h2> 2. Pin Airflow, Providers, and Python Dependencies Reproducibly </h2> <p>Dependency drift is one of the most common causes of failed Airflow upgrades. Providers evolve independently from Airflow core, and enterprise DAGs often rely on AWS, Snowflake, Kubernetes, Slack, dbt, OpenLineage, or custom internal packages.</p> <p>A hardened upgrade should use:</p> <ul> <li>A target Airflow version.</li> <li>A supported Python version.</li> <li>A constraints file.</li> <li>Explicit provider versions.</li> <li>A separate constraints lock for internal packages.</li> <li>A reproducible container build.</li> </ul> <p>For Airflow 3.0.0, Apache’s migration guide states that Python 3.9, 3.10, 3.11, and 3.12 are supported, and it also recommends being on Airflow 2.7 or later before moving from Airflow 2.x to Airflow 3. (<a href="https://airflow.apache.org/docs/apache-airflow/3.0.1/installation/upgrading_to_airflow3.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Dockerfile example for self-managed Airflow on ECS/EKS</span> <span class="k">FROM</span><span class="s"> apache/airflow:3.2.1-python3.11</span> <span class="k">ARG</span><span class="s"> AIRFLOW_VERSION=3.2.1</span> <span class="k">ARG</span><span class="s"> PYTHON_VERSION=3.11</span> <span class="k">USER</span><span class="s"> root</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> git <span class="se">\ </span> build-essential <span class="se">\ </span> <span class="o">&amp;&amp;</span> apt-get clean <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="k">USER</span><span class="s"> airflow</span> <span class="k">COPY</span><span class="s"> requirements.txt /requirements.txt</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="se">\ </span> <span class="nt">--constraint</span> <span class="s2">"https://raw.githubusercontent.com/apache/airflow/constraints-</span><span class="k">${</span><span class="nv">AIRFLOW_VERSION</span><span class="k">}</span><span class="s2">/constraints-</span><span class="k">${</span><span class="nv">PYTHON_VERSION</span><span class="k">}</span><span class="s2">.txt"</span> <span class="se">\ </span> <span class="nt">-r</span> /requirements.txt </code></pre> </div> <p>Example <code>requirements.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apache-airflow-providers-amazon apache-airflow-providers-snowflake apache-airflow-providers-slack apache-airflow-providers-cncf-kubernetes dbt-core==1.8.9 dbt-snowflake==1.8.4 openlineage-airflow great-expectations </code></pre> </div> <p>For Amazon MWAA, the dependency pattern is different because AWS manages the base image. AWS documents that MWAA builds images bundling Airflow releases with common binaries and Python libraries, so enterprises should validate requirements against the MWAA-supported Airflow version rather than assuming parity with a self-managed container. (<a href="https://docs.aws.amazon.com/mwaa/latest/userguide/airflow-versions.html?utm_source=chatgpt.com" rel="noopener noreferrer">AWS Documentation</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># MWAA requirements.txt example --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-2.10.3/constraints-3.11.txt" apache-airflow-providers-snowflake apache-airflow-providers-amazon dbt-core==1.8.9 dbt-snowflake==1.8.4 </code></pre> </div> <h2> 3. Validate DAG Compatibility Before the Upgrade Window </h2> <p>Enterprise DAG validation should happen in CI before a platform image reaches staging. The goal is to catch import errors, deprecated APIs, provider incompatibilities, slow DAG parsing, direct metadata DB access, and business-critical workflow regressions.</p> <p>Airflow 3 contains breaking changes, and the official Airflow 3 upgrade guide specifically calls out architectural changes and migration preparation from Airflow 2.x. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/upgrading_to_airflow3.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>) Astronomer’s Airflow 2-to-3 guidance also emphasizes testing updated DAGs locally before upgrading production. (<a href="https://www.astronomer.io/docs/learn/airflow-upgrade-2-3?utm_source=chatgpt.com" rel="noopener noreferrer">astronomer.io</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># tests/test_dag_imports.py </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">pytest</span> <span class="kn">from</span> <span class="n">airflow.models</span> <span class="kn">import</span> <span class="n">DagBag</span> <span class="n">DAGS_FOLDER</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">AIRFLOW__CORE__DAGS_FOLDER</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">dags</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@pytest.fixture</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">session</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">dag_bag</span><span class="p">():</span> <span class="k">return</span> <span class="nc">DagBag</span><span class="p">(</span><span class="n">dag_folder</span><span class="o">=</span><span class="n">DAGS_FOLDER</span><span class="p">,</span> <span class="n">include_examples</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="k">def</span> <span class="nf">test_no_dag_import_errors</span><span class="p">(</span><span class="n">dag_bag</span><span class="p">):</span> <span class="k">assert</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">import_errors</span> <span class="o">==</span> <span class="p">{},</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">import_errors</span> <span class="k">def</span> <span class="nf">test_dags_have_owners</span><span class="p">(</span><span class="n">dag_bag</span><span class="p">):</span> <span class="k">for</span> <span class="n">dag_id</span><span class="p">,</span> <span class="n">dag</span> <span class="ow">in</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">dags</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">assert</span> <span class="n">dag</span><span class="p">.</span><span class="n">owner</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">dag_id</span><span class="si">}</span><span class="s"> has no owner</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_dags_have_tags</span><span class="p">(</span><span class="n">dag_bag</span><span class="p">):</span> <span class="k">for</span> <span class="n">dag_id</span><span class="p">,</span> <span class="n">dag</span> <span class="ow">in</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">dags</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">assert</span> <span class="n">dag</span><span class="p">.</span><span class="n">tags</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">dag_id</span><span class="si">}</span><span class="s"> has no tags</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_no_paused_critical_dags</span><span class="p">(</span><span class="n">dag_bag</span><span class="p">):</span> <span class="n">critical_prefixes</span> <span class="o">=</span> <span class="p">(</span><span class="sh">"</span><span class="s">payments_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ledger_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">risk_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">reconciliation_</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">dag_id</span> <span class="ow">in</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">dags</span><span class="p">:</span> <span class="k">if</span> <span class="n">dag_id</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="n">critical_prefixes</span><span class="p">):</span> <span class="k">assert</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">dags</span><span class="p">[</span><span class="n">dag_id</span><span class="p">].</span><span class="n">schedule</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> </code></pre> </div> <p>Add a CI job that runs against the target Airflow image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/airflow-upgrade-validation.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">airflow-upgrade-validation</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dags/**"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">plugins/**"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">requirements.txt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">Dockerfile"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">validate-airflow</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build target Airflow image</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t enterprise-airflow-upgrade:test .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run DAG import tests</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker run --rm \</span> <span class="s">-e AIRFLOW__CORE__LOAD_EXAMPLES=False \</span> <span class="s">enterprise-airflow-upgrade:test \</span> <span class="s">bash -c "pip install pytest &amp;&amp; pytest tests/test_dag_imports.py -q"</span> </code></pre> </div> <p>For fintech workloads, also add regression tests for DAGs that move money, produce ledger entries, generate regulatory reports, or trigger customer-facing notifications.</p> <h2> 4. Run Metadata Database Migration as a Controlled Operation </h2> <p>The metadata database is the heart of Airflow state: DAG runs, task instances, rendered templates, variables, connections, pools, serialized DAGs, and scheduler metadata. Apache Airflow states that newer versions can contain database migrations and that <code>airflow db migrate</code> should be run to apply schema changes. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/upgrading.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>) Airflow’s database setup documentation also says Airflow components should not be running while the database migration executes, and notes that <code>airflow db upgrade</code> was deprecated in favor of <code>airflow db migrate</code> before Airflow 2.7. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/setting-up-the-database.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nb">echo</span> <span class="s2">"Stopping Airflow services..."</span> kubectl scale deployment airflow-scheduler <span class="nt">--replicas</span><span class="o">=</span>0 <span class="nt">-n</span> airflow kubectl scale deployment airflow-webserver <span class="nt">--replicas</span><span class="o">=</span>0 <span class="nt">-n</span> airflow kubectl scale deployment airflow-worker <span class="nt">--replicas</span><span class="o">=</span>0 <span class="nt">-n</span> airflow <span class="o">||</span> <span class="nb">true echo</span> <span class="s2">"Running metadata DB migration..."</span> kubectl run airflow-db-migrate <span class="se">\</span> <span class="nt">--rm</span> <span class="nt">-i</span> <span class="nt">--restart</span><span class="o">=</span>Never <span class="se">\</span> <span class="nt">--namespace</span> airflow <span class="se">\</span> <span class="nt">--image</span> registry.example.com/data-platform/airflow:3.2.1 <span class="se">\</span> <span class="nt">--</span> bash <span class="nt">-c</span> <span class="s2">"airflow db check &amp;&amp; airflow db migrate"</span> <span class="nb">echo</span> <span class="s2">"Restarting Airflow services..."</span> kubectl scale deployment airflow-scheduler <span class="nt">--replicas</span><span class="o">=</span>2 <span class="nt">-n</span> airflow kubectl scale deployment airflow-webserver <span class="nt">--replicas</span><span class="o">=</span>2 <span class="nt">-n</span> airflow kubectl scale deployment airflow-worker <span class="nt">--replicas</span><span class="o">=</span>6 <span class="nt">-n</span> airflow <span class="o">||</span> <span class="nb">true</span> </code></pre> </div> <p>For RDS-backed metadata databases, a safer enterprise sequence is:</p> <ol> <li>Take an automated RDS snapshot.</li> <li>Restore the snapshot to a staging database.</li> <li>Run <code>airflow db migrate</code> against staging.</li> <li>Run DAG import and scheduler smoke tests.</li> <li>Run the production migration during a change window.</li> <li>Keep the old image available for rollback planning.</li> </ol> <p>For Amazon MWAA and managed Airflow platforms, the procedure may be provider-specific. AWS documents supported MWAA versions and upgrade considerations, while Google Cloud Composer states that Airflow 2 to Airflow 3 requires side-by-side migration rather than in-place upgrade for its managed Airflow service. (<a href="https://docs.aws.amazon.com/mwaa/latest/userguide/airflow-versions.html?utm_source=chatgpt.com" rel="noopener noreferrer">AWS Documentation</a>)</p> <h2> 5. Architecture Decision: Blue/Green Upgrade Instead of In-Place Upgrade </h2> <p><strong>Decision:</strong> We <strong>decided</strong> to use a blue/green Airflow upgrade for enterprise production environments.</p> <p>We <strong>chose</strong> to deploy a parallel target Airflow environment, validate DAGs, mirror connections and variables, replay non-destructive DAGs, and then cut over scheduler ownership <strong>instead of</strong> upgrading the running environment in place.</p> <p><strong>Trade-off:</strong> blue/green costs more in infrastructure and operational coordination, but it materially reduces outage risk and gives the enterprise a fast fallback path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>flowchart LR A[Git DAG Repository] --&gt; B[CI Validation] B --&gt; C[Blue Airflow Current Version] B --&gt; D[Green Airflow Target Version] C --&gt; E[(Current Metadata DB)] D --&gt; F[(Cloned Metadata DB)] C --&gt; G[Snowflake Prod] D --&gt; H[Snowflake Staging / Prod Read-Only] D --&gt; I[Smoke Tests] I --&gt; J{Cutover Approved?} J --&gt;|Yes| K[Route Schedulers and Web UI to Green] J --&gt;|No| L[Keep Blue Active] </code></pre> </div> <p>In a self-managed AWS architecture, this can be implemented using EKS namespaces, separate Helm releases, independent metadata databases, and shared read-only access to DAG code during validation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Example Helm-based blue/green deployment</span> helm upgrade <span class="nt">--install</span> airflow-green apache-airflow/airflow <span class="se">\</span> <span class="nt">--namespace</span> airflow-green <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--values</span> values-green.yaml <span class="se">\</span> <span class="nt">--set</span> images.airflow.repository<span class="o">=</span>registry.example.com/data-platform/airflow <span class="se">\</span> <span class="nt">--set</span> images.airflow.tag<span class="o">=</span>3.2.1 <span class="se">\</span> <span class="nt">--set</span> dags.gitSync.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> dags.gitSync.repo<span class="o">=</span>git@github.com:example/enterprise-dags.git <span class="se">\</span> <span class="nt">--set</span> dags.gitSync.branch<span class="o">=</span>airflow-upgrade </code></pre> </div> <p>Example cutover guardrail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Snowflake: confirm no duplicate production writes during cutover</span> <span class="k">select</span> <span class="n">dag_id</span><span class="p">,</span> <span class="n">task_id</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">as</span> <span class="n">write_events</span><span class="p">,</span> <span class="k">min</span><span class="p">(</span><span class="n">event_ts</span><span class="p">)</span> <span class="k">as</span> <span class="n">first_event_ts</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="n">event_ts</span><span class="p">)</span> <span class="k">as</span> <span class="n">last_event_ts</span> <span class="k">from</span> <span class="n">platform_audit</span><span class="p">.</span><span class="n">airflow_write_events</span> <span class="k">where</span> <span class="n">event_ts</span> <span class="o">&gt;=</span> <span class="n">dateadd</span><span class="p">(</span><span class="n">hour</span><span class="p">,</span> <span class="o">-</span><span class="mi">2</span><span class="p">,</span> <span class="k">current_timestamp</span><span class="p">())</span> <span class="k">and</span> <span class="n">environment</span> <span class="k">in</span> <span class="p">(</span><span class="s1">'airflow-blue'</span><span class="p">,</span> <span class="s1">'airflow-green'</span><span class="p">)</span> <span class="k">group</span> <span class="k">by</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="k">having</span> <span class="k">count</span><span class="p">(</span><span class="k">distinct</span> <span class="n">environment</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">;</span> </code></pre> </div> <p>Blue/green is especially valuable for fintech platforms where duplicate task execution can produce customer-impacting side effects. The safest design is to make DAGs idempotent and to prevent green from writing to production until cutover is approved.</p> <h2> 6. Upgrade dbt and Snowflake Workloads With Cost and Lineage Controls </h2> <p>Airflow upgrades often expose hidden assumptions in dbt and Snowflake workflows: environment variables, profiles paths, warehouse names, OAuth integrations, private keys, masking policies, and task retry semantics.</p> <p>A typical enterprise pattern is to run dbt inside an isolated KubernetesPodOperator, ECS task, or containerized Python virtualenv rather than installing every analytics dependency into the Airflow scheduler image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># dags/dbt_snowflake_upgrade_smoke_test.py </span><span class="kn">from</span> <span class="n">__future__</span> <span class="kn">import</span> <span class="n">annotations</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">airflow</span> <span class="kn">import</span> <span class="n">DAG</span> <span class="kn">from</span> <span class="n">airflow.providers.cncf.kubernetes.operators.pod</span> <span class="kn">import</span> <span class="n">KubernetesPodOperator</span> <span class="k">with</span> <span class="nc">DAG</span><span class="p">(</span> <span class="n">dag_id</span><span class="o">=</span><span class="sh">"</span><span class="s">dbt_snowflake_upgrade_smoke_test</span><span class="sh">"</span><span class="p">,</span> <span class="n">start_date</span><span class="o">=</span><span class="nf">datetime</span><span class="p">(</span><span class="mi">2025</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="n">schedule</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">catchup</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">upgrade</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">dbt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">snowflake</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">smoke-test</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">as</span> <span class="n">dag</span><span class="p">:</span> <span class="n">dbt_debug</span> <span class="o">=</span> <span class="nc">KubernetesPodOperator</span><span class="p">(</span> <span class="n">task_id</span><span class="o">=</span><span class="sh">"</span><span class="s">dbt_debug</span><span class="sh">"</span><span class="p">,</span> <span class="n">namespace</span><span class="o">=</span><span class="sh">"</span><span class="s">data-platform</span><span class="sh">"</span><span class="p">,</span> <span class="n">image</span><span class="o">=</span><span class="sh">"</span><span class="s">registry.example.com/analytics/dbt-snowflake:1.8.9</span><span class="sh">"</span><span class="p">,</span> <span class="n">cmds</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">bash</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-lc</span><span class="sh">"</span><span class="p">],</span> <span class="n">arguments</span><span class="o">=</span><span class="p">[</span> <span class="sh">"""</span><span class="s"> set -euo pipefail dbt --version dbt debug --profiles-dir /opt/dbt/profiles </span><span class="sh">"""</span> <span class="p">],</span> <span class="n">env_vars</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">DBT_TARGET</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">staging</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">SNOWFLAKE_WAREHOUSE</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">AIRFLOW_UPGRADE_WH</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="n">get_logs</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">is_delete_operator_pod</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">dbt_compile</span> <span class="o">=</span> <span class="nc">KubernetesPodOperator</span><span class="p">(</span> <span class="n">task_id</span><span class="o">=</span><span class="sh">"</span><span class="s">dbt_compile</span><span class="sh">"</span><span class="p">,</span> <span class="n">namespace</span><span class="o">=</span><span class="sh">"</span><span class="s">data-platform</span><span class="sh">"</span><span class="p">,</span> <span class="n">image</span><span class="o">=</span><span class="sh">"</span><span class="s">registry.example.com/analytics/dbt-snowflake:1.8.9</span><span class="sh">"</span><span class="p">,</span> <span class="n">cmds</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">bash</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-lc</span><span class="sh">"</span><span class="p">],</span> <span class="n">arguments</span><span class="o">=</span><span class="p">[</span> <span class="sh">"""</span><span class="s"> set -euo pipefail dbt deps dbt compile --target staging --profiles-dir /opt/dbt/profiles </span><span class="sh">"""</span> <span class="p">],</span> <span class="n">get_logs</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">is_delete_operator_pod</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">dbt_debug</span> <span class="o">&gt;&gt;</span> <span class="n">dbt_compile</span> </code></pre> </div> <p>For Snowflake, apply explicit controls during the upgrade:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Snowflake warehouse for upgrade validation</span> <span class="k">create</span> <span class="n">warehouse</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="n">AIRFLOW_UPGRADE_WH</span> <span class="n">warehouse_size</span> <span class="o">=</span> <span class="s1">'XSMALL'</span> <span class="n">auto_suspend</span> <span class="o">=</span> <span class="mi">60</span> <span class="n">auto_resume</span> <span class="o">=</span> <span class="k">true</span> <span class="n">initially_suspended</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="c1">-- Dedicated role for upgrade smoke tests</span> <span class="k">create</span> <span class="k">role</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> <span class="k">grant</span> <span class="k">usage</span> <span class="k">on</span> <span class="n">warehouse</span> <span class="n">AIRFLOW_UPGRADE_WH</span> <span class="k">to</span> <span class="k">role</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> <span class="k">grant</span> <span class="k">usage</span> <span class="k">on</span> <span class="k">database</span> <span class="n">ANALYTICS_DEV</span> <span class="k">to</span> <span class="k">role</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> <span class="k">grant</span> <span class="k">usage</span> <span class="k">on</span> <span class="k">all</span> <span class="n">schemas</span> <span class="k">in</span> <span class="k">database</span> <span class="n">ANALYTICS_DEV</span> <span class="k">to</span> <span class="k">role</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> <span class="k">grant</span> <span class="k">select</span> <span class="k">on</span> <span class="k">all</span> <span class="n">tables</span> <span class="k">in</span> <span class="k">database</span> <span class="n">ANALYTICS_DEV</span> <span class="k">to</span> <span class="k">role</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> </code></pre> </div> <p>This keeps the upgrade test path observable, cost-limited, and isolated from production finance reporting.</p> <h2> 7. Post-Upgrade Observability and Rollback Readiness </h2> <p>After the upgrade, validate platform health using operational metrics and business metrics. Do not rely only on a green webserver.</p> <p>Minimum checks:</p> <ul> <li>Scheduler heartbeat is healthy.</li> <li>DAG parse time is within baseline.</li> <li>Critical DAGs are scheduled.</li> <li>Worker queues are draining.</li> <li>Metadata DB connections are stable.</li> <li>Snowflake query volume is expected.</li> <li>dbt artifacts are generated.</li> <li>SLA or deadline alerts still fire.</li> <li>Secrets backend resolution works.</li> <li>Audit logs are complete. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># dags/platform_upgrade_canary.py </span><span class="kn">from</span> <span class="n">__future__</span> <span class="kn">import</span> <span class="n">annotations</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">airflow.decorators</span> <span class="kn">import</span> <span class="n">dag</span><span class="p">,</span> <span class="n">task</span> <span class="kn">from</span> <span class="n">airflow.providers.snowflake.hooks.snowflake</span> <span class="kn">import</span> <span class="n">SnowflakeHook</span> <span class="nd">@dag</span><span class="p">(</span> <span class="n">dag_id</span><span class="o">=</span><span class="sh">"</span><span class="s">platform_upgrade_canary</span><span class="sh">"</span><span class="p">,</span> <span class="n">start_date</span><span class="o">=</span><span class="nf">datetime</span><span class="p">(</span><span class="mi">2025</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="n">schedule</span><span class="o">=</span><span class="sh">"</span><span class="s">*/15 * * * *</span><span class="sh">"</span><span class="p">,</span> <span class="n">catchup</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">platform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">upgrade</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">platform_upgrade_canary</span><span class="p">():</span> <span class="nd">@task</span> <span class="k">def</span> <span class="nf">check_snowflake_connection</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">hook</span> <span class="o">=</span> <span class="nc">SnowflakeHook</span><span class="p">(</span><span class="n">snowflake_conn_id</span><span class="o">=</span><span class="sh">"</span><span class="s">snowflake_platform</span><span class="sh">"</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">hook</span><span class="p">.</span><span class="nf">get_first</span><span class="p">(</span><span class="sh">"</span><span class="s">select current_version(), current_role(), current_warehouse()</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Snowflake OK: </span><span class="si">{</span><span class="n">result</span><span class="si">}</span><span class="sh">"</span> <span class="nd">@task</span> <span class="k">def</span> <span class="nf">check_airflow_runtime</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="kn">import</span> <span class="n">airflow</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Airflow runtime OK: </span><span class="si">{</span><span class="n">airflow</span><span class="p">.</span><span class="n">__version__</span><span class="si">}</span><span class="sh">"</span> <span class="nf">check_airflow_runtime</span><span class="p">()</span> <span class="o">&gt;&gt;</span> <span class="nf">check_snowflake_connection</span><span class="p">()</span> <span class="nf">platform_upgrade_canary</span><span class="p">()</span> </code></pre> </div> <p>A rollback plan should be written before the change window. For database migrations, rollback is not always a simple downgrade; the safest strategy is to keep a database snapshot, old image, old DAG branch, and frozen dependency set available. Airflow’s migration reference documents the migrations executed by <code>airflow db migrate</code>, which is useful for reviewing the schema impact before production execution. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/migrations-ref.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>)</p> <h2> Conclusion </h2> <p>An <strong>Airflow version upgrade for enterprises</strong> should be engineered like a production platform migration: version pinning, reproducible builds, DAG compatibility testing, metadata database migration, blue/green rollout, Snowflake/dbt smoke tests, and post-upgrade observability.</p> <p>The most important principle is control. Control the dependencies. Control the metadata database migration. Control task side effects. Control cutover. Control rollback. Enterprises that follow this model can upgrade Airflow with lower operational risk while improving security, scheduler performance, provider compatibility, and long-term maintainability.</p> automation aws dataengineering devops Airflow Version Upgrade for Enterprises: A Practical Blueprint for AWS, Snowflake, dbt, and Fintech Data Platforms Hasan Naqvi Sun, 10 May 2026 09:14:44 +0000 https://dev.to/hasanhaider/airflow-version-upgrade-for-enterprises-a-practical-blueprint-for-aws-snowflake-dbt-and-fintech-5390 https://dev.to/hasanhaider/airflow-version-upgrade-for-enterprises-a-practical-blueprint-for-aws-snowflake-dbt-and-fintech-5390 <h1> Airflow Version Upgrade for Enterprises: A Practical Blueprint for AWS, Snowflake, dbt, and Fintech Data Platforms </h1> <p><strong>SEO title:</strong> Airflow Version Upgrade for Enterprises: Secure, Tested, Production-Ready<br> <strong>Meta description:</strong> Airflow version upgrade for enterprises requires dependency control, metadata database migration, DAG validation, and safe rollout across AWS, Snowflake, dbt, and fintech platforms.</p> <p>Enterprise Airflow upgrades are rarely just a <code>pip install --upgrade</code> exercise. In regulated fintech environments, an <strong>Airflow version upgrade</strong> touches orchestration reliability, auditability, IAM boundaries, data lineage, SLAs, dbt jobs, Snowflake cost controls, and incident response. Apache Airflow’s own documentation notes that newer versions can include metadata database migrations and that <code>airflow db migrate</code> must be run during upgrades; Airflow 3 is also a major release with breaking changes, so enterprises need a controlled engineering process rather than an ad hoc deployment. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/upgrading.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>)</p> <h2> 1. Build an Enterprise Upgrade Strategy Before Touching Production </h2> <p>A good enterprise upgrade starts with an inventory: Airflow core version, Python version, providers, custom plugins, DAG import behavior, executor type, metadata database engine, secrets backend, and deployment model.</p> <p>For a fintech platform running Airflow on AWS, the upgrade scope usually includes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Area</th> <th>Upgrade Risk</th> <th>Enterprise Control</th> </tr> </thead> <tbody> <tr> <td>Airflow metadata DB</td> <td>High</td> <td>Snapshot, migration dry run, rollback plan</td> </tr> <tr> <td>Providers</td> <td>High</td> <td>Pin versions and test hooks/operators</td> </tr> <tr> <td>DAG code</td> <td>High</td> <td>Static validation and import tests</td> </tr> <tr> <td>Snowflake connections</td> <td>Medium</td> <td>Validate auth, warehouses, roles</td> </tr> <tr> <td>dbt orchestration</td> <td>Medium</td> <td>Test commands, profiles, artifacts</td> </tr> <tr> <td>IAM/secrets</td> <td>High</td> <td>Validate AWS Secrets Manager, KMS, IRSA</td> </tr> <tr> <td>Observability</td> <td>Medium</td> <td>Update alerts, metrics, dashboards</td> </tr> </tbody> </table></div> <p>Apache Airflow recommends using constraints when installing from PyPI because constraints files are fixed for a released Airflow version to help produce consistent installs. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>) On Amazon MWAA, AWS notes that environments keep using the specified Airflow image version until upgraded, and for Airflow v2.7.2 and later MWAA requires a constraints statement in <code>requirements.txt</code> or applies one for compatibility. (<a href="https://docs.aws.amazon.com/mwaa/latest/userguide/airflow-versions.html?utm_source=chatgpt.com" rel="noopener noreferrer">AWS Documentation</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Example: inspect the current enterprise Airflow runtime</span> airflow version python <span class="nt">--version</span> airflow providers list <span class="c"># Export installed dependencies for comparison</span> pip freeze | <span class="nb">sort</span> <span class="o">&gt;</span> airflow-current-freeze.txt <span class="c"># Capture DAG inventory</span> airflow dags list <span class="nt">--output</span> json <span class="o">&gt;</span> airflow-current-dags.json <span class="c"># Capture current configuration, excluding secrets before sharing</span> airflow config list <span class="o">&gt;</span> airflow-current-config.txt </code></pre> </div> <p><strong>Enterprise recommendation:</strong> treat the Airflow upgrade as a platform migration with a formal change record, not a library bump.</p> <h2> 2. Pin Airflow, Providers, and Python Dependencies Reproducibly </h2> <p>Dependency drift is one of the most common causes of failed Airflow upgrades. Providers evolve independently from Airflow core, and enterprise DAGs often rely on AWS, Snowflake, Kubernetes, Slack, dbt, OpenLineage, or custom internal packages.</p> <p>A hardened upgrade should use:</p> <ul> <li>A target Airflow version.</li> <li>A supported Python version.</li> <li>A constraints file.</li> <li>Explicit provider versions.</li> <li>A separate constraints lock for internal packages.</li> <li>A reproducible container build.</li> </ul> <p>For Airflow 3.0.0, Apache’s migration guide states that Python 3.9, 3.10, 3.11, and 3.12 are supported, and it also recommends being on Airflow 2.7 or later before moving from Airflow 2.x to Airflow 3. (<a href="https://airflow.apache.org/docs/apache-airflow/3.0.1/installation/upgrading_to_airflow3.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Dockerfile example for self-managed Airflow on ECS/EKS</span> <span class="k">FROM</span><span class="s"> apache/airflow:3.2.1-python3.11</span> <span class="k">ARG</span><span class="s"> AIRFLOW_VERSION=3.2.1</span> <span class="k">ARG</span><span class="s"> PYTHON_VERSION=3.11</span> <span class="k">USER</span><span class="s"> root</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> git <span class="se">\ </span> build-essential <span class="se">\ </span> <span class="o">&amp;&amp;</span> apt-get clean <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="k">USER</span><span class="s"> airflow</span> <span class="k">COPY</span><span class="s"> requirements.txt /requirements.txt</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="se">\ </span> <span class="nt">--constraint</span> <span class="s2">"https://raw.githubusercontent.com/apache/airflow/constraints-</span><span class="k">${</span><span class="nv">AIRFLOW_VERSION</span><span class="k">}</span><span class="s2">/constraints-</span><span class="k">${</span><span class="nv">PYTHON_VERSION</span><span class="k">}</span><span class="s2">.txt"</span> <span class="se">\ </span> <span class="nt">-r</span> /requirements.txt </code></pre> </div> <p>Example <code>requirements.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apache-airflow-providers-amazon apache-airflow-providers-snowflake apache-airflow-providers-slack apache-airflow-providers-cncf-kubernetes dbt-core==1.8.9 dbt-snowflake==1.8.4 openlineage-airflow great-expectations </code></pre> </div> <p>For Amazon MWAA, the dependency pattern is different because AWS manages the base image. AWS documents that MWAA builds images bundling Airflow releases with common binaries and Python libraries, so enterprises should validate requirements against the MWAA-supported Airflow version rather than assuming parity with a self-managed container. (<a href="https://docs.aws.amazon.com/mwaa/latest/userguide/airflow-versions.html?utm_source=chatgpt.com" rel="noopener noreferrer">AWS Documentation</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># MWAA requirements.txt example --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-2.10.3/constraints-3.11.txt" apache-airflow-providers-snowflake apache-airflow-providers-amazon dbt-core==1.8.9 dbt-snowflake==1.8.4 </code></pre> </div> <h2> 3. Validate DAG Compatibility Before the Upgrade Window </h2> <p>Enterprise DAG validation should happen in CI before a platform image reaches staging. The goal is to catch import errors, deprecated APIs, provider incompatibilities, slow DAG parsing, direct metadata DB access, and business-critical workflow regressions.</p> <p>Airflow 3 contains breaking changes, and the official Airflow 3 upgrade guide specifically calls out architectural changes and migration preparation from Airflow 2.x. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/upgrading_to_airflow3.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>) Astronomer’s Airflow 2-to-3 guidance also emphasizes testing updated DAGs locally before upgrading production. (<a href="https://www.astronomer.io/docs/learn/airflow-upgrade-2-3?utm_source=chatgpt.com" rel="noopener noreferrer">astronomer.io</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># tests/test_dag_imports.py </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">pytest</span> <span class="kn">from</span> <span class="n">airflow.models</span> <span class="kn">import</span> <span class="n">DagBag</span> <span class="n">DAGS_FOLDER</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">AIRFLOW__CORE__DAGS_FOLDER</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">dags</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@pytest.fixture</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">session</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">dag_bag</span><span class="p">():</span> <span class="k">return</span> <span class="nc">DagBag</span><span class="p">(</span><span class="n">dag_folder</span><span class="o">=</span><span class="n">DAGS_FOLDER</span><span class="p">,</span> <span class="n">include_examples</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="k">def</span> <span class="nf">test_no_dag_import_errors</span><span class="p">(</span><span class="n">dag_bag</span><span class="p">):</span> <span class="k">assert</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">import_errors</span> <span class="o">==</span> <span class="p">{},</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">import_errors</span> <span class="k">def</span> <span class="nf">test_dags_have_owners</span><span class="p">(</span><span class="n">dag_bag</span><span class="p">):</span> <span class="k">for</span> <span class="n">dag_id</span><span class="p">,</span> <span class="n">dag</span> <span class="ow">in</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">dags</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">assert</span> <span class="n">dag</span><span class="p">.</span><span class="n">owner</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">dag_id</span><span class="si">}</span><span class="s"> has no owner</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_dags_have_tags</span><span class="p">(</span><span class="n">dag_bag</span><span class="p">):</span> <span class="k">for</span> <span class="n">dag_id</span><span class="p">,</span> <span class="n">dag</span> <span class="ow">in</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">dags</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">assert</span> <span class="n">dag</span><span class="p">.</span><span class="n">tags</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">dag_id</span><span class="si">}</span><span class="s"> has no tags</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_no_paused_critical_dags</span><span class="p">(</span><span class="n">dag_bag</span><span class="p">):</span> <span class="n">critical_prefixes</span> <span class="o">=</span> <span class="p">(</span><span class="sh">"</span><span class="s">payments_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ledger_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">risk_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">reconciliation_</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">dag_id</span> <span class="ow">in</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">dags</span><span class="p">:</span> <span class="k">if</span> <span class="n">dag_id</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="n">critical_prefixes</span><span class="p">):</span> <span class="k">assert</span> <span class="n">dag_bag</span><span class="p">.</span><span class="n">dags</span><span class="p">[</span><span class="n">dag_id</span><span class="p">].</span><span class="n">schedule</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> </code></pre> </div> <p>Add a CI job that runs against the target Airflow image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/airflow-upgrade-validation.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">airflow-upgrade-validation</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dags/**"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">plugins/**"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">requirements.txt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">Dockerfile"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">validate-airflow</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build target Airflow image</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t enterprise-airflow-upgrade:test .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run DAG import tests</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker run --rm \</span> <span class="s">-e AIRFLOW__CORE__LOAD_EXAMPLES=False \</span> <span class="s">enterprise-airflow-upgrade:test \</span> <span class="s">bash -c "pip install pytest &amp;&amp; pytest tests/test_dag_imports.py -q"</span> </code></pre> </div> <p>For fintech workloads, also add regression tests for DAGs that move money, produce ledger entries, generate regulatory reports, or trigger customer-facing notifications.</p> <h2> 4. Run Metadata Database Migration as a Controlled Operation </h2> <p>The metadata database is the heart of Airflow state: DAG runs, task instances, rendered templates, variables, connections, pools, serialized DAGs, and scheduler metadata. Apache Airflow states that newer versions can contain database migrations and that <code>airflow db migrate</code> should be run to apply schema changes. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/upgrading.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>) Airflow’s database setup documentation also says Airflow components should not be running while the database migration executes, and notes that <code>airflow db upgrade</code> was deprecated in favor of <code>airflow db migrate</code> before Airflow 2.7. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/installation/setting-up-the-database.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nb">echo</span> <span class="s2">"Stopping Airflow services..."</span> kubectl scale deployment airflow-scheduler <span class="nt">--replicas</span><span class="o">=</span>0 <span class="nt">-n</span> airflow kubectl scale deployment airflow-webserver <span class="nt">--replicas</span><span class="o">=</span>0 <span class="nt">-n</span> airflow kubectl scale deployment airflow-worker <span class="nt">--replicas</span><span class="o">=</span>0 <span class="nt">-n</span> airflow <span class="o">||</span> <span class="nb">true echo</span> <span class="s2">"Running metadata DB migration..."</span> kubectl run airflow-db-migrate <span class="se">\</span> <span class="nt">--rm</span> <span class="nt">-i</span> <span class="nt">--restart</span><span class="o">=</span>Never <span class="se">\</span> <span class="nt">--namespace</span> airflow <span class="se">\</span> <span class="nt">--image</span> registry.example.com/data-platform/airflow:3.2.1 <span class="se">\</span> <span class="nt">--</span> bash <span class="nt">-c</span> <span class="s2">"airflow db check &amp;&amp; airflow db migrate"</span> <span class="nb">echo</span> <span class="s2">"Restarting Airflow services..."</span> kubectl scale deployment airflow-scheduler <span class="nt">--replicas</span><span class="o">=</span>2 <span class="nt">-n</span> airflow kubectl scale deployment airflow-webserver <span class="nt">--replicas</span><span class="o">=</span>2 <span class="nt">-n</span> airflow kubectl scale deployment airflow-worker <span class="nt">--replicas</span><span class="o">=</span>6 <span class="nt">-n</span> airflow <span class="o">||</span> <span class="nb">true</span> </code></pre> </div> <p>For RDS-backed metadata databases, a safer enterprise sequence is:</p> <ol> <li>Take an automated RDS snapshot.</li> <li>Restore the snapshot to a staging database.</li> <li>Run <code>airflow db migrate</code> against staging.</li> <li>Run DAG import and scheduler smoke tests.</li> <li>Run the production migration during a change window.</li> <li>Keep the old image available for rollback planning.</li> </ol> <p>For Amazon MWAA and managed Airflow platforms, the procedure may be provider-specific. AWS documents supported MWAA versions and upgrade considerations, while Google Cloud Composer states that Airflow 2 to Airflow 3 requires side-by-side migration rather than in-place upgrade for its managed Airflow service. (<a href="https://docs.aws.amazon.com/mwaa/latest/userguide/airflow-versions.html?utm_source=chatgpt.com" rel="noopener noreferrer">AWS Documentation</a>)</p> <h2> 5. Architecture Decision: Blue/Green Upgrade Instead of In-Place Upgrade </h2> <p><strong>Decision:</strong> We <strong>decided</strong> to use a blue/green Airflow upgrade for enterprise production environments.</p> <p>We <strong>chose</strong> to deploy a parallel target Airflow environment, validate DAGs, mirror connections and variables, replay non-destructive DAGs, and then cut over scheduler ownership <strong>instead of</strong> upgrading the running environment in place.</p> <p><strong>Trade-off:</strong> blue/green costs more in infrastructure and operational coordination, but it materially reduces outage risk and gives the enterprise a fast fallback path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>flowchart LR A[Git DAG Repository] --&gt; B[CI Validation] B --&gt; C[Blue Airflow Current Version] B --&gt; D[Green Airflow Target Version] C --&gt; E[(Current Metadata DB)] D --&gt; F[(Cloned Metadata DB)] C --&gt; G[Snowflake Prod] D --&gt; H[Snowflake Staging / Prod Read-Only] D --&gt; I[Smoke Tests] I --&gt; J{Cutover Approved?} J --&gt;|Yes| K[Route Schedulers and Web UI to Green] J --&gt;|No| L[Keep Blue Active] </code></pre> </div> <p>In a self-managed AWS architecture, this can be implemented using EKS namespaces, separate Helm releases, independent metadata databases, and shared read-only access to DAG code during validation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Example Helm-based blue/green deployment</span> helm upgrade <span class="nt">--install</span> airflow-green apache-airflow/airflow <span class="se">\</span> <span class="nt">--namespace</span> airflow-green <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--values</span> values-green.yaml <span class="se">\</span> <span class="nt">--set</span> images.airflow.repository<span class="o">=</span>registry.example.com/data-platform/airflow <span class="se">\</span> <span class="nt">--set</span> images.airflow.tag<span class="o">=</span>3.2.1 <span class="se">\</span> <span class="nt">--set</span> dags.gitSync.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> dags.gitSync.repo<span class="o">=</span>git@github.com:example/enterprise-dags.git <span class="se">\</span> <span class="nt">--set</span> dags.gitSync.branch<span class="o">=</span>airflow-upgrade </code></pre> </div> <p>Example cutover guardrail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Snowflake: confirm no duplicate production writes during cutover</span> <span class="k">select</span> <span class="n">dag_id</span><span class="p">,</span> <span class="n">task_id</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">as</span> <span class="n">write_events</span><span class="p">,</span> <span class="k">min</span><span class="p">(</span><span class="n">event_ts</span><span class="p">)</span> <span class="k">as</span> <span class="n">first_event_ts</span><span class="p">,</span> <span class="k">max</span><span class="p">(</span><span class="n">event_ts</span><span class="p">)</span> <span class="k">as</span> <span class="n">last_event_ts</span> <span class="k">from</span> <span class="n">platform_audit</span><span class="p">.</span><span class="n">airflow_write_events</span> <span class="k">where</span> <span class="n">event_ts</span> <span class="o">&gt;=</span> <span class="n">dateadd</span><span class="p">(</span><span class="n">hour</span><span class="p">,</span> <span class="o">-</span><span class="mi">2</span><span class="p">,</span> <span class="k">current_timestamp</span><span class="p">())</span> <span class="k">and</span> <span class="n">environment</span> <span class="k">in</span> <span class="p">(</span><span class="s1">'airflow-blue'</span><span class="p">,</span> <span class="s1">'airflow-green'</span><span class="p">)</span> <span class="k">group</span> <span class="k">by</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span> <span class="k">having</span> <span class="k">count</span><span class="p">(</span><span class="k">distinct</span> <span class="n">environment</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">;</span> </code></pre> </div> <p>Blue/green is especially valuable for fintech platforms where duplicate task execution can produce customer-impacting side effects. The safest design is to make DAGs idempotent and to prevent green from writing to production until cutover is approved.</p> <h2> 6. Upgrade dbt and Snowflake Workloads With Cost and Lineage Controls </h2> <p>Airflow upgrades often expose hidden assumptions in dbt and Snowflake workflows: environment variables, profiles paths, warehouse names, OAuth integrations, private keys, masking policies, and task retry semantics.</p> <p>A typical enterprise pattern is to run dbt inside an isolated KubernetesPodOperator, ECS task, or containerized Python virtualenv rather than installing every analytics dependency into the Airflow scheduler image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># dags/dbt_snowflake_upgrade_smoke_test.py </span><span class="kn">from</span> <span class="n">__future__</span> <span class="kn">import</span> <span class="n">annotations</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">airflow</span> <span class="kn">import</span> <span class="n">DAG</span> <span class="kn">from</span> <span class="n">airflow.providers.cncf.kubernetes.operators.pod</span> <span class="kn">import</span> <span class="n">KubernetesPodOperator</span> <span class="k">with</span> <span class="nc">DAG</span><span class="p">(</span> <span class="n">dag_id</span><span class="o">=</span><span class="sh">"</span><span class="s">dbt_snowflake_upgrade_smoke_test</span><span class="sh">"</span><span class="p">,</span> <span class="n">start_date</span><span class="o">=</span><span class="nf">datetime</span><span class="p">(</span><span class="mi">2025</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="n">schedule</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">catchup</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">upgrade</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">dbt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">snowflake</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">smoke-test</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">as</span> <span class="n">dag</span><span class="p">:</span> <span class="n">dbt_debug</span> <span class="o">=</span> <span class="nc">KubernetesPodOperator</span><span class="p">(</span> <span class="n">task_id</span><span class="o">=</span><span class="sh">"</span><span class="s">dbt_debug</span><span class="sh">"</span><span class="p">,</span> <span class="n">namespace</span><span class="o">=</span><span class="sh">"</span><span class="s">data-platform</span><span class="sh">"</span><span class="p">,</span> <span class="n">image</span><span class="o">=</span><span class="sh">"</span><span class="s">registry.example.com/analytics/dbt-snowflake:1.8.9</span><span class="sh">"</span><span class="p">,</span> <span class="n">cmds</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">bash</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-lc</span><span class="sh">"</span><span class="p">],</span> <span class="n">arguments</span><span class="o">=</span><span class="p">[</span> <span class="sh">"""</span><span class="s"> set -euo pipefail dbt --version dbt debug --profiles-dir /opt/dbt/profiles </span><span class="sh">"""</span> <span class="p">],</span> <span class="n">env_vars</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">DBT_TARGET</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">staging</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">SNOWFLAKE_WAREHOUSE</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">AIRFLOW_UPGRADE_WH</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="n">get_logs</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">is_delete_operator_pod</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">dbt_compile</span> <span class="o">=</span> <span class="nc">KubernetesPodOperator</span><span class="p">(</span> <span class="n">task_id</span><span class="o">=</span><span class="sh">"</span><span class="s">dbt_compile</span><span class="sh">"</span><span class="p">,</span> <span class="n">namespace</span><span class="o">=</span><span class="sh">"</span><span class="s">data-platform</span><span class="sh">"</span><span class="p">,</span> <span class="n">image</span><span class="o">=</span><span class="sh">"</span><span class="s">registry.example.com/analytics/dbt-snowflake:1.8.9</span><span class="sh">"</span><span class="p">,</span> <span class="n">cmds</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">bash</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-lc</span><span class="sh">"</span><span class="p">],</span> <span class="n">arguments</span><span class="o">=</span><span class="p">[</span> <span class="sh">"""</span><span class="s"> set -euo pipefail dbt deps dbt compile --target staging --profiles-dir /opt/dbt/profiles </span><span class="sh">"""</span> <span class="p">],</span> <span class="n">get_logs</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">is_delete_operator_pod</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">dbt_debug</span> <span class="o">&gt;&gt;</span> <span class="n">dbt_compile</span> </code></pre> </div> <p>For Snowflake, apply explicit controls during the upgrade:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Snowflake warehouse for upgrade validation</span> <span class="k">create</span> <span class="n">warehouse</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="n">AIRFLOW_UPGRADE_WH</span> <span class="n">warehouse_size</span> <span class="o">=</span> <span class="s1">'XSMALL'</span> <span class="n">auto_suspend</span> <span class="o">=</span> <span class="mi">60</span> <span class="n">auto_resume</span> <span class="o">=</span> <span class="k">true</span> <span class="n">initially_suspended</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> <span class="c1">-- Dedicated role for upgrade smoke tests</span> <span class="k">create</span> <span class="k">role</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> <span class="k">grant</span> <span class="k">usage</span> <span class="k">on</span> <span class="n">warehouse</span> <span class="n">AIRFLOW_UPGRADE_WH</span> <span class="k">to</span> <span class="k">role</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> <span class="k">grant</span> <span class="k">usage</span> <span class="k">on</span> <span class="k">database</span> <span class="n">ANALYTICS_DEV</span> <span class="k">to</span> <span class="k">role</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> <span class="k">grant</span> <span class="k">usage</span> <span class="k">on</span> <span class="k">all</span> <span class="n">schemas</span> <span class="k">in</span> <span class="k">database</span> <span class="n">ANALYTICS_DEV</span> <span class="k">to</span> <span class="k">role</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> <span class="k">grant</span> <span class="k">select</span> <span class="k">on</span> <span class="k">all</span> <span class="n">tables</span> <span class="k">in</span> <span class="k">database</span> <span class="n">ANALYTICS_DEV</span> <span class="k">to</span> <span class="k">role</span> <span class="n">AIRFLOW_UPGRADE_ROLE</span><span class="p">;</span> </code></pre> </div> <p>This keeps the upgrade test path observable, cost-limited, and isolated from production finance reporting.</p> <h2> 7. Post-Upgrade Observability and Rollback Readiness </h2> <p>After the upgrade, validate platform health using operational metrics and business metrics. Do not rely only on a green webserver.</p> <p>Minimum checks:</p> <ul> <li>Scheduler heartbeat is healthy.</li> <li>DAG parse time is within baseline.</li> <li>Critical DAGs are scheduled.</li> <li>Worker queues are draining.</li> <li>Metadata DB connections are stable.</li> <li>Snowflake query volume is expected.</li> <li>dbt artifacts are generated.</li> <li>SLA or deadline alerts still fire.</li> <li>Secrets backend resolution works.</li> <li>Audit logs are complete. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># dags/platform_upgrade_canary.py </span><span class="kn">from</span> <span class="n">__future__</span> <span class="kn">import</span> <span class="n">annotations</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">airflow.decorators</span> <span class="kn">import</span> <span class="n">dag</span><span class="p">,</span> <span class="n">task</span> <span class="kn">from</span> <span class="n">airflow.providers.snowflake.hooks.snowflake</span> <span class="kn">import</span> <span class="n">SnowflakeHook</span> <span class="nd">@dag</span><span class="p">(</span> <span class="n">dag_id</span><span class="o">=</span><span class="sh">"</span><span class="s">platform_upgrade_canary</span><span class="sh">"</span><span class="p">,</span> <span class="n">start_date</span><span class="o">=</span><span class="nf">datetime</span><span class="p">(</span><span class="mi">2025</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="n">schedule</span><span class="o">=</span><span class="sh">"</span><span class="s">*/15 * * * *</span><span class="sh">"</span><span class="p">,</span> <span class="n">catchup</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">platform</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">upgrade</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">platform_upgrade_canary</span><span class="p">():</span> <span class="nd">@task</span> <span class="k">def</span> <span class="nf">check_snowflake_connection</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">hook</span> <span class="o">=</span> <span class="nc">SnowflakeHook</span><span class="p">(</span><span class="n">snowflake_conn_id</span><span class="o">=</span><span class="sh">"</span><span class="s">snowflake_platform</span><span class="sh">"</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">hook</span><span class="p">.</span><span class="nf">get_first</span><span class="p">(</span><span class="sh">"</span><span class="s">select current_version(), current_role(), current_warehouse()</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Snowflake OK: </span><span class="si">{</span><span class="n">result</span><span class="si">}</span><span class="sh">"</span> <span class="nd">@task</span> <span class="k">def</span> <span class="nf">check_airflow_runtime</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="kn">import</span> <span class="n">airflow</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Airflow runtime OK: </span><span class="si">{</span><span class="n">airflow</span><span class="p">.</span><span class="n">__version__</span><span class="si">}</span><span class="sh">"</span> <span class="nf">check_airflow_runtime</span><span class="p">()</span> <span class="o">&gt;&gt;</span> <span class="nf">check_snowflake_connection</span><span class="p">()</span> <span class="nf">platform_upgrade_canary</span><span class="p">()</span> </code></pre> </div> <p>A rollback plan should be written before the change window. For database migrations, rollback is not always a simple downgrade; the safest strategy is to keep a database snapshot, old image, old DAG branch, and frozen dependency set available. Airflow’s migration reference documents the migrations executed by <code>airflow db migrate</code>, which is useful for reviewing the schema impact before production execution. (<a href="https://airflow.apache.org/docs/apache-airflow/stable/migrations-ref.html?utm_source=chatgpt.com" rel="noopener noreferrer">Apache Airflow</a>)</p> <h2> Conclusion </h2> <p>An <strong>Airflow version upgrade for enterprises</strong> should be engineered like a production platform migration: version pinning, reproducible builds, DAG compatibility testing, metadata database migration, blue/green rollout, Snowflake/dbt smoke tests, and post-upgrade observability.</p> <p>The most important principle is control. Control the dependencies. Control the metadata database migration. Control task side effects. Control cutover. Control rollback. Enterprises that follow this model can upgrade Airflow with lower operational risk while improving security, scheduler performance, provider compatibility, and long-term maintainability.</p> aws dataengineering devops infrastructure TAP E2E Verify — Snowflake RBAC Automation Pipeline Hasan Naqvi Sat, 09 May 2026 03:16:50 +0000 https://dev.to/hasanhaider/tap-e2e-verify-snowflake-rbac-automation-pipeline-23j0 https://dev.to/hasanhaider/tap-e2e-verify-snowflake-rbac-automation-pipeline-23j0 <p>Artifact type: blog_post</p> <h1> TAP E2E Verify — Snowflake RBAC Automation Pipeline </h1> <p>This post explores how to automate role-based access control in Snowflake using Python and the Snowflake Python connector. We opted for a declarative approach over imperative scripts due to its ease of auditing and reviewing.</p> <h2> Architecture Overview </h2> <p>We selected a layered architecture rather than a monolithic script, allowing for better modularity and maintainability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">create_role</span><span class="p">(</span><span class="n">conn</span><span class="p">:</span> <span class="nb">object</span><span class="p">,</span> <span class="n">role_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Create a new Snowflake role with the given name.</span><span class="sh">"""</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">().</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">CREATE ROLE IF NOT EXISTS </span><span class="si">{</span><span class="n">role_name</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Implementation Details </h2> <p>The core challenge was handling role hierarchies. We decided to use a topological sort algorithm because it naturally handles dependency ordering and allows for efficient role creation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="k">def</span> <span class="nf">topological_sort</span><span class="p">(</span><span class="n">graph</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Perform a topological sort on the given graph.</span><span class="sh">"""</span> <span class="n">in_degree</span> <span class="o">=</span> <span class="p">{</span><span class="n">node</span><span class="p">:</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">node</span> <span class="ow">in</span> <span class="n">graph</span><span class="p">}</span> <span class="c1"># Calculate in-degrees for all nodes </span> <span class="k">for</span> <span class="n">node</span> <span class="ow">in</span> <span class="n">graph</span><span class="p">:</span> <span class="k">for</span> <span class="n">neighbour</span> <span class="ow">in</span> <span class="n">graph</span><span class="p">[</span><span class="n">node</span><span class="p">]:</span> <span class="n">in_degree</span><span class="p">[</span><span class="n">neighbour</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">1</span> <span class="c1"># Initialize a queue with nodes having an in-degree of 0 </span> <span class="n">queue</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">(</span><span class="n">n</span> <span class="k">for</span> <span class="n">n</span><span class="p">,</span> <span class="n">d</span> <span class="ow">in</span> <span class="n">in_degree</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">d</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="c1"># Initialize the result list </span> <span class="n">result</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">while</span> <span class="n">queue</span><span class="p">:</span> <span class="n">node</span> <span class="o">=</span> <span class="n">queue</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="n">result</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">node</span><span class="p">)</span> <span class="c1"># Decrease in-degrees for neighbouring nodes </span> <span class="k">for</span> <span class="n">neighbour</span> <span class="ow">in</span> <span class="n">graph</span><span class="p">[</span><span class="n">node</span><span class="p">]:</span> <span class="n">in_degree</span><span class="p">[</span><span class="n">neighbour</span><span class="p">]</span> <span class="o">-=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">in_degree</span><span class="p">[</span><span class="n">neighbour</span><span class="p">]</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="n">queue</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">neighbour</span><span class="p">)</span> <span class="k">return</span> <span class="n">result</span> </code></pre> </div> <h2> Testing Strategy </h2> <p>We chose pytest over unittest due to its fixture system and parametrize support, which provide a more efficient testing framework for our use case. The trade-off is a slightly steeper learning curve for new team members.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pytest</span> <span class="nd">@pytest.mark.parametrize</span><span class="p">(</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">analyst</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">engineer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">test_create_role</span><span class="p">(</span><span class="n">role</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Verify that the create role function returns the expected result.</span><span class="sh">"""</span> <span class="k">assert</span> <span class="n">role</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">analyst</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">engineer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <h2> Conclusion </h2> <p>We developed a robust RBAC automation pipeline that reduces manual effort and improves auditability. By opting for a declarative approach over imperative scripts, we made it easier to review changes in pull requests, enhancing overall code quality and maintainability.</p> automation database python security