Applies to
- Liquibase Pro
- Policy Checks
Summary
Liquibase Policy Checks is a Liquibase Pro feature which enables developers to adhere to code standards to ensure compliance and data security.
In this document we will discuss how to run Liquibase Policy Checks as part of a continuous integration (CI) pipeline.
Policy Checks Workflow
Liquibase Policy Checks should be implemented close to the developer experience in order to provide fast feedback about whether database code passes or fails these checks. The following workflow shows a suggested use of Policy Checks as part of a developer pull request. A developer opens a new pull request, which triggers Liquibase Policy Checks to run as part of a continuous integration (CI) pipeline. If the Policy Checks pass, the results are made available to the pull request reviewer. If the Policy Checks fail, the developer is notified about the failure and can fix their code before review.
Running Policy Checks from pipeline code can be done by directly invoking Liquibase command line interface (CLI).
<pipeline code>
...
export LIQUIBASE_COMMAND_CHANGELOG_FILE=changelog.xml
export LIQUIBASE_COMMAND_URL=<database connection string>
export LIQUIBASE_COMMAND_USERNAME=<username>
export LIQUIBASE_COMMAND_PASSWORD=<password>
...
...
...
liquibase checks run --changeset-filter=pending
...
<pipeline code>
Also note that running Policy Checks requires one or more checks-settings configuration files to be configured ahead of time and saved in a repository.
Another approach is to use Liquibase Flow Files in your CI pipeline to organize multiple Liquibase operations, such as running multiple Policy Checks configurations and updating the dev database. Here is a sample Flow File (named "checks.flowfile.yaml"):
stages:
  DDL Checks:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: { checks-settings-file: "automation/ddl.checks-settings.conf", changelog-file: "changelog.xml" }
  Data Checks:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: { checks-settings-file: "automation/data.checks-settings.conf", changelog-file: "changelog.xml" }
This flow file can be invoked from a CI pipeline using the Liquibase command line interface (CLI):
<pipeline code>
...
liquibase flow --flow-file=automation/checks.flowfile.yaml
...
<pipeline code>
Best Practice
The pipeline code running Liquibase Policy Checks should be implemented outside of the application repository, for example in a pipeline template repository or in a common automation repository. This prevents developers from editing Policy Checks configurations, such as disabling checks or changing severity codes, in the same pull request that the checks are meant to evaluate.
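As an added example (not part of the Liquibase documentation), the following POSIX shell step shows how a template repository can wrap the CLI invocation above: it takes the database credentials from CI secret variables (assumed names DB_URL, DB_USERNAME, DB_PASSWORD), refuses to run if any secret or the checks-settings file is missing, passes the credentials to Liquibase only through LIQUIBASE_COMMAND_* environment variables so they never appear on the command line, and returns the exit code of `checks run` so a failing check fails the pull request. LIQUIBASE_CMD is an assumed override used only to substitute a stub for the real binary.

```shell
#!/bin/sh
# Constructed CI step for running Liquibase Policy Checks from a pipeline
# template repository. Assumes DB_URL, DB_USERNAME and DB_PASSWORD are
# injected as CI secrets and that the checks-settings file lives in the
# automation repository, outside the application repository.

# Fail if a required variable is unset or empty; never print its value.
require_var() {
  eval "val=\${$1:-}"
  [ -n "$val" ] || { echo "error: $1 is not set" >&2; return 1; }
}

# Preflight: every secret is present and the checks-settings file exists.
preflight_checks() {
  require_var DB_URL && require_var DB_USERNAME && require_var DB_PASSWORD || return 1
  [ -f "$1" ] || { echo "error: checks-settings file '$1' not found" >&2; return 1; }
}

# Run Policy Checks on pending changesets only. Returns the Liquibase exit
# code, so a failing check fails the CI job and therefore the pull request.
#   $1 = checks-settings file (from the automation repo)
#   $2 = changelog file (from the application repo)
run_policy_checks() {
  settings_file=$1
  changelog_file=$2
  preflight_checks "$settings_file" || return 1
  # Credentials go in LIQUIBASE_COMMAND_* variables for this one command,
  # not on the command line, so they are not visible in `ps` or the CI log.
  LIQUIBASE_COMMAND_URL=$DB_URL \
  LIQUIBASE_COMMAND_USERNAME=$DB_USERNAME \
  LIQUIBASE_COMMAND_PASSWORD=$DB_PASSWORD \
  LIQUIBASE_COMMAND_CHANGELOG_FILE=$changelog_file \
  "${LIQUIBASE_CMD:-liquibase}" checks run \
      --checks-settings-file="$settings_file" \
      --changeset-filter=pending
}
```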
Consideration for Liquibase Running in Spring Boot Application
For Spring Boot applications, Policy Checks are NOT run as part of Spring Boot, Maven or Gradle commands, since the Policy Checks implementation requires a continuous integration (CI) pipeline that is triggered by opening a pull request. Instead, run Policy Checks from pipeline code by directly invoking the Liquibase command line interface (CLI) or by using a flow file.
One caveat to this approach is that you must specify a changelog file, which in the Spring Boot framework may be nested deep in the directory structure. The following is an example of pipeline code using the Liquibase command:
<pipeline code>
...
export LIQUIBASE_COMMAND_CHANGELOG_FILE=src/main/resources/db/changelog/db.changelog.yaml
export LIQUIBASE_COMMAND_URL=<database connection string>
export LIQUIBASE_COMMAND_USERNAME=<username>
export LIQUIBASE_COMMAND_PASSWORD=<password>
...
...
...
liquibase checks run --changeset-filter=pending
...
<pipeline code>
Another example of specifying a changelog file in the Spring Boot framework, using a Liquibase flow file:
stages:
  DDL Checks:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: { checks-settings-file: "automation/ddl.checks-settings.conf", changelog-file: "src/main/resources/db/changelog/db.changelog-master.yaml" }
  Data Checks:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: { checks-settings-file: "automation/data.checks-settings.conf", changelog-file: "src/main/resources/db/changelog/db.changelog-master.yaml" }