Attachment refactor

[galvana]

Description Of Changes

Refactors the attachment storage system to use a proper service layer architecture with the Strategy and Factory design patterns. This improves code organization, testability, and maintainability by separating storage concerns from the data model.

Key architectural improvements:

• Introduces a unified StorageProvider abstract base class that defines a consistent interface for all storage backends (S3, GCS, Local)
• Implements the Factory pattern via StorageProviderFactory for clean provider instantiation based on configuration
• Creates a new AttachmentService in the service layer to handle all storage operations, following the project's layered architecture (API routes → Services → Models)
• Removes storage logic from the Attachment model, keeping it focused on data representation only

Code Changes

• Added StorageProvider abstract base class (src/fides/api/service/storage/providers/base.py) defining unified interface for upload, download, delete, presigned URLs, and file operations
• Added S3StorageProvider implementation (src/fides/api/service/storage/providers/s3_provider.py)
• Added GCSStorageProvider implementation (src/fides/api/service/storage/providers/gcs_provider.py)
• Added LocalStorageProvider implementation (src/fides/api/service/storage/providers/local_provider.py)
• Added StorageProviderFactory (src/fides/api/service/storage/providers/factory.py) for creating providers from configuration
• Added AttachmentService (src/fides/service/attachment_service.py) for attachment storage operations with methods for upload, retrieve, delete, and reference management
• Refactored Attachment model to remove embedded storage logic
• Updated external_data_storage.py to use new provider architecture
• Updated polling_attachment_handler.py to use AttachmentService
• Added comprehensive test suite for storage providers including contract tests and characterization tests

Steps to Confirm

1. Verify attachment uploads work correctly for S3, GCS, and local storage configurations
2. Verify attachment downloads return correct presigned URLs
3. Verify attachment deletion removes files from storage and cleans up database records
4. Verify privacy request attachments still work end-to-end
5. Verify manual task attachments still work correctly
6. Run the new storage provider tests: pytest tests/ops/service/storage/providers/
7. Run existing attachment tests: pytest tests/ctl/models/test_attachment.py

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Feb 5, 2026 4:08am
fides-privacy-center	Ignored		Feb 5, 2026 4:08am