How to include Liquibase into or Continuous Deployment in Azure?

Question

How to include Liquibase into or Continuous Deployment in Azure?

Staffan Hedström 25

Hello!

Summary: How to add use liquibase and managed identities in continuous deployment?

We are using Azure to host multiple APIs that communicate with a Postgresql database that is running in a Postgres Flexible server in azure.

For local development we have been using Liquibase to handle database migrations and there it is a simple matter running a container to handle the execution of the liquibase scripts.

How would you recommend to set this up in azure?

I would prefer using Managed Identities as far as possible (that is how the APIs have access to eachother and the database).

I've containerized the liquibase scripts so that I have a container that is ready to run the migrations, but using a Container App, Function App (with container) hasn't worked since neither of them work with managed identities. I've experimented with entrypoints similar to this

#!/bin/bash
# Obtain token for Azure SQL Database
TOKEN=$(az account get-access-token --resource https://database.windows.net/ --query accessToken -o tsv)
# Export token as environment variable (or directly pass it to the Liquibase command)
export LIQUIBASE_COMMAND_PASSWORD=$TOKEN
# Run Liquibase with the token
liquibase update

But here the problem is that the container is not logged in to azure, and the "az login" command demands browser interaction.

In essence what I would like to acheive is this.

I commit migration changes to my github repo
That builds a container for the migrations and pushes it to my acr repo
Some resource in azure detects that this container got updated and runs, which executes the database migrations

1 and 2 I have no problems setting up. For for some reason 3 is giving me headache.

I really want to run the migrations from within azure and not something like github because we want to keep our database secure on restricted networks we have in azure.

Please help.

Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator

2023-12-07T16:24:32.1033333+00:00
To set up continuous deployment for database migrations using Liquibase and Managed Identities in Azure, consider the following approach:

Azure DevOps Pipeline: Use Azure DevOps Pipelines to automate the process. When you commit migration changes to your GitHub repo, it can trigger a pipeline in Azure DevOps.

Container Build and Push: The pipeline builds the Liquibase container and pushes it to your Azure Container Registry (ACR).

Azure Kubernetes Service (AKS) or Azure Container Instances (ACI): Deploy the container to AKS or ACI. These services can use Managed Identities to securely connect to your database.

Run Migrations: The container executes the Liquibase scripts to update the database.

Managed Identity Authentication: For the container to authenticate using Managed Identity, configure AKS or ACI with a Managed Identity that has appropriate permissions to access the Postgresql database.

Automation and Security: Ensure your pipeline is secure and only allows authorized changes. Consider using network security features in Azure to restrict access to your database.

This setup allows you to automate the migration process within Azure's secure environment, leveraging Managed Identities for secure access without the need for interactive login.
kobulloc-MSFT 26,801 Reputation points Microsoft Employee Moderator

2023-12-11T17:31:07.34+00:00

Liquibase has an Azure DevOps workflow in their documentation for Preparing for Database Automation with Liquibase:

https://www.liquibase.com/blog/preparing-database-automation-liquibase

Azure DevOps would be the place to start for an Azure CICD solution:

https://developercommunity.visualstudio.com/spaces/21/index.html
Staffan Hedström 25 Reputation points

2024-01-04T15:30:52.86+00:00
While I am not using Azure DevOps pipelines am am basically doing of steps 1-3. But through this process

Commit migration changes to my github repo

A github action bundles the liquibase changelogs into a docker image that is pushed to an Azure Container Registry

Once push to the registry, I send a command to initiate a Container App Job

The Container App Job has been setup with managed identities to be allowed to connect to a Flexible Posgres Server.

The Container App Job pulls the latest images and runs it.

This seems like a nice setup for me. BUT! There is still issues with Postgresql, Managed Identities and the Container App Job.

As mentioned above, I could not get the token to use as a password, nor can I use the jbdc connection string that is recommended here
Migrate an application to use passwordless connections with Azure Database for PostgreSQL - Java on Azure | Microsoft Learn

Since liquibase cannot load addon that is used:

AzurePostgresqlAuthenticationPlugin.

Thoughts?

1 answer

Your answer

Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator

2023-12-07T16:24:32.1033333+00:00

To set up continuous deployment for database migrations using Liquibase and Managed Identities in Azure, consider the following approach:

Azure DevOps Pipeline: Use Azure DevOps Pipelines to automate the process. When you commit migration changes to your GitHub repo, it can trigger a pipeline in Azure DevOps.

Container Build and Push: The pipeline builds the Liquibase container and pushes it to your Azure Container Registry (ACR).

Azure Kubernetes Service (AKS) or Azure Container Instances (ACI): Deploy the container to AKS or ACI. These services can use Managed Identities to securely connect to your database.

Run Migrations: The container executes the Liquibase scripts to update the database.

Managed Identity Authentication: For the container to authenticate using Managed Identity, configure AKS or ACI with a Managed Identity that has appropriate permissions to access the Postgresql database.

Automation and Security: Ensure your pipeline is secure and only allows authorized changes. Consider using network security features in Azure to restrict access to your database.

This setup allows you to automate the migration process within Azure's secure environment, leveraging Managed Identities for secure access without the need for interactive login.
kobulloc-MSFT 26,801 Reputation points Microsoft Employee Moderator

2023-12-11T17:31:07.34+00:00

Liquibase has an Azure DevOps workflow in their documentation for Preparing for Database Automation with Liquibase:

https://www.liquibase.com/blog/preparing-database-automation-liquibase

Azure DevOps would be the place to start for an Azure CICD solution:

https://developercommunity.visualstudio.com/spaces/21/index.html
Staffan Hedström 25 Reputation points

2024-01-04T15:30:52.86+00:00

While I am not using Azure DevOps pipelines am am basically doing of steps 1-3. But through this process

Commit migration changes to my github repo

A github action bundles the liquibase changelogs into a docker image that is pushed to an Azure Container Registry

Once push to the registry, I send a command to initiate a Container App Job

The Container App Job has been setup with managed identities to be allowed to connect to a Flexible Posgres Server.

The Container App Job pulls the latest images and runs it.

This seems like a nice setup for me. BUT! There is still issues with Postgresql, Managed Identities and the Container App Job.

As mentioned above, I could not get the token to use as a password, nor can I use the jbdc connection string that is recommended here
Migrate an application to use passwordless connections with Azure Database for PostgreSQL - Java on Azure | Microsoft Learn

Since liquibase cannot load addon that is used:

AzurePostgresqlAuthenticationPlugin.

Thoughts?

Answer 1

I found a solution. It is so simple when you know it.

Make sure the Dockerfile has Azure CLI
In the entrypoint/cmd for the Dockerfile reference a bash script
In the bash script use Azure CLI to sign in and receive an access token
Use the access token to sign in.

I got stuck at 3 before because I was unaware of the --identity option. And for this to work in any container app (job), you will need to use the workaround of export APPSETTING_WEBSITE_SITE_NAME=DUMMY for az login --identity to work properly. Why? See this issue https://github.com/Azure/azure-cli/issues/22677

Example bash script.

#!/bin/bash
# Workaround to get az login --identity to use the correct url for authentication
export APPSETTING_WEBSITE_SITE_NAME=DUMMY

# Get access token and username
az login --identity
token=$(az account get-access-token --resource https://database.windows.net/ --query accessToken -o tsv)
username=$(az ad signed-in-user show --query userPrincipalName --output tsv)

# Example Setup your jbdc url
jdbc=jdbc:postgresql://[server]:5432/[database]

# Run liquibase with token
liquibase update --username $username --password $token --url $jdbc

Share via

How to include Liquibase into or Continuous Deployment in Azure?

1 answer

Your answer