Features

The MongoDB Secure extension supports all the features of Liquibase that are supported in the MongoDB Open Source extension. In addition, MongoDB Secure lets you use Liquibase Secure features including:

• Policy Checks: automatically analyze your changelogs for desired format and behavior to increase deployment success rates and uphold security best practices

• Secrets Management: keep your authentication data secure by integrating with third-party secrets vaults

• Structured Logging: improve your database observability by easily reading Liquibase data in your favorite analytics tool

• Operation Reports: generate reports of operations you perform on your database

• Flow Files: create repeatable, portable, and platform-independent Liquibase workflows to run in any of your CI/CD tools

• Remote file access: centralize file management with AWS S3 to build a reusable repository of Liquibase files you can update and retrieve

• Targeted rollback: avoid collateral damage by specifying which changesets in your changelog to undo

• DATABASECHANGELOGHISTORY table: record a history of all changes made to the database that have been applied and are currently active.

Change Types

You can use many of the standard Liquibase Change Types in MongoDB Secure. MongoDB-specific Change Types include mongo and mongoFile, which allow you to specify native Mongo scripts in XML, YAML, and JSON changelogs. They require the user to configure the native executor, Mongo Shell (mongosh), prior to use.

For a list of unique Change Types in the Liquibase Secure extension for MongoDB, see Liquibase Change Types for MongoDB. In addition to the Secure Change Types, you can use several Change Types from the Liquibase Open Source extension.

Supported parameters

To configure MongoDB-specific behavior, such as OIDC authentication for MongoDB Atlas, you can set the following Liquibase parameters in the CLI, in flow files, in your liquibase.properties file, or as environment variables:

• mongodb-adjust-tracking-tables-on-startup

• mongodb-oidc-authentication-mechanism

• mongodb-oidc-environment

• mongodb-oidc-oidc-application-id-uri

• mongodb-oidc-oidc-client-id

• mongodb-retry-writes

• mongodb-supports-validator

For more information, see Liquibase Parameters for MongoDB.

Supported commands

MongoDB supports the following commands:

• Update commands, except those that generate SQL output. For example: update and update-count are supported.

• Rollback commands, except those that generate SQL output. For example: rollback and rollback-one-changeset are supported.

• Database inspection commands, except diff-changelog and generate-changelog. For example: diff and snapshot are supported.

Note: Since MongoDB doesn't have schema objects, Liquibase will return a placeholder schema object in output and in files, which you can ignore. This is because Liquibase’s highest-level objects (catalog, schema) all map to the database object in MongoDB. It is not indicative of an error or problem in your configuration or with the command.

• Change tracking commands, except those that generate SQL output. For example: changelog-sync, status, and history are supported.

• The connect command is supported in MongoDB Secure 1.4.0+.

• Policy checks commands are supported. For example: checks copy, checks show, and checks run.

• All other commands, unless otherwise specified in the Limitations section.

Supported operations reports

Drift Report-- If you're working in an environment that experiences database drift, Liquibase drift reports can alert you of the drift and show you the changes that need to be addressed.

The Drift report is the only report supported for use with the MongoDB Secure extension.

Supported policy checks

You can use changelog-scoped policy checks in MongoDB Secure. For example:

• Checks that focus on changeset metadata, such as RollbackRequired and ChangesetLabelCheck.

• The generic regex-based check SqlUserDefinedPatternCheck.

Note: These policy checks only work if you have created your own from the regex template. Liquibase uses the java.util.regex engine to match regular expressions.

Changelog-scoped policy checks are supported as long as they are not SQL-specific or relational-specific. The following is a full list of policy checks supported on MongoDB:

• ChangesetCommentCheck

• ChangesetContextCheck

• ChangesetLabelCheck

• RollbackRequired

• RequireChangesetIDisUUID

• SqlUserDefinedPatternCheck

Limitations

• The child MongoDB scripts referenced by the include and includeAll tags must contain the changeset decoration and the following minimum changeset metadata: author:id and runWith:mongosh // liquibase formatted mongodb // changeset authorname:1 runWith:mongosh

• Liquibase preconditions are not supported.

• The modifyChangeSets tag is not supported.

• MongoDB is a NoSQL database, so you cannot use any commands that generate SQL output (such as update-sql and changelog-sync-sql). Learn more: Liquibase Commands

• Liquibase Secure policy checks have limited support. Database-scoped policy checks are not supported because they are database-specific.

• OIDC authentication is supported only for MongoDB Atlas.

• LDAP authentication is supported for MongoDB Server.

• Kerberos authentication is not supported for any MongoDB platform. Learn more about MongoDB authentication here: authentication

Verified database versions

Change history