Flyway

Property Resolvers

Property resolvers allow Flyway to retrieve configuration parameters from other locations at runtime, such as secrets managers and environment variables. This is not to be confused with migration resolvers.

Flyway comes with support for the following resolvers:

Using Property Resolvers In TOML Configuration Files

The syntax for this is ${resolver-name.resolver-key}.

For example, to retrieve the value of the password key from Dapr, you would use ${dapr.password}.

Inlining

These may be inlined, e.g.

[environments.default]
url = "jdbc:sqlserver://${vault.db-endpoint};databaseName=${vault.db-name}"

Escaping

The syntax can be escaped inline using $${a.b}. For example, please $${do.not} resolve will be read as please ${do.not} resolve, and Flyway will not attempt to retrieve a value.

Alternatively, the whole value can be escaped by wrapping it in !{ ... }. So !{please ${do.not} resolve} will be read as please ${do.not} resolve.

Configuring

Some property resolvers require configuration. This is done within the resolvers namespace of your environment. For example, to configure a HashiCorp Vault instance in a development environment, you would configure it like this:

[environments.development.resolvers.vault]
url = "http://localhost:8200/v1"
token = "abc.1234567890"
engineName = "secret"
engineVersion = "v2"

If configuration of a resolver requires a parameter from another resolver, you must configure the dependent resolver first. For instance, if the token configuration for Vault comes from a Dapr secret, you must configure Dapr first:

[environments.development.resolvers.dapr]
url = "daprUrl"

[environments.development.resolvers.vault]
url = "http://localhost:8200/v1"
token = "${dapr.vault-token}"
engineName = "secret"
engineVersion = "v2"

Filtering

For security reasons, you may wish to filter the resolver value to avoid arbitrary values being inserted into your configuration. This can be done with filters. The syntax to add a filter is ${resolver-name.resolver-key:filter}.

The filter can contain one or more of the following, each of which whitelists a certain type of character:

  • A - Allows letters (characters in the following Unicode categories: "Uppercase letter (Lu)", "Lowercase letter (Ll)", "Titlecase letter (Lt)", "Modifier letter (Lm)" or "Other letter (Lo)")
  • a - Allows ASCII letters
  • D - Allows Digits (characters in the "Decimal number (Nd)" Unicode category)
  • d - Allows ASCII digits

For example, if ${my-resolver.my-value} has a value of @bc-123, then ${my-resolver.my-value:AD} will return bc123 because @ and - are not letters or digits.
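
As an added illustration (not Flyway's own code), the Python model below applies the four filter classes and the ${...} / $${...} syntax described on this page, showing that A and D accept non-ASCII letters and digits that a and d drop. The names apply_filter, resolve and SECRETS are assumptions standing in for a real resolver, and the sample values are constructed.

```python
import re
import unicodedata

LETTERS = {"Lu", "Ll", "Lt", "Lm", "Lo"}  # Unicode letter categories for "A"

# One predicate per filter character, following the four classes listed above.
CLASSES = {
    "A": lambda c: unicodedata.category(c) in LETTERS,
    "a": lambda c: c.isascii() and c.isalpha(),
    "D": lambda c: unicodedata.category(c) == "Nd",
    "d": lambda c: c in "0123456789",
}

# ${resolver-name.resolver-key} with an optional :filter suffix.
# Group 1 captures the extra "$" of the escaped form $${...}.
REFERENCE = re.compile(r"(\$?)\$\{([\w-]+)\.([\w-]+)(?::(\w+))?\}")

# Constructed sample values (assumption: stands in for a secrets manager).
SECRETS = {("vault", "db-name"): "orders;extra=1"}


def apply_filter(value, spec):
    """Keep only the characters allowed by at least one class in spec."""
    unknown = set(spec) - set(CLASSES)
    if unknown:
        raise ValueError(f"unknown filter class(es): {sorted(unknown)}")
    allowed = [CLASSES[f] for f in spec]
    return "".join(c for c in value if any(ok(c) for ok in allowed))


def resolve(text, secrets):
    """Substitute each reference in text, honouring $${...} and :filter."""
    def substitute(m):
        if m.group(1):               # escaped: emit the literal ${...}
            return m.group(0)[1:]
        value = secrets[(m.group(2), m.group(3))]
        return apply_filter(value, m.group(4)) if m.group(4) else value
    return REFERENCE.sub(substitute, text)


if __name__ == "__main__":
    print(resolve("databaseName=${vault.db-name}", SECRETS))     # unfiltered
    print(resolve("databaseName=${vault.db-name:ad}", SECRETS))  # filtered
    print(apply_filter("p\u0430ssword", "A"), apply_filter("p\u0430ssword", "a"))
```

In this model, filtering removes disallowed characters rather than rejecting the value, so a value that legitimately contains separators (for example db.example.internal) loses its dots under :ad.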

