Property Resolvers
Published 31 October 2023
Property resolvers allow Flyway to retrieve configuration parameters from other locations at runtime, such as secrets managers and environment variables. This is not to be confused with migration resolvers.
Flyway comes with support for the following resolvers:
- Dapr Secret Store
- Google Cloud Secret Manager
- Vault
- Local Secret
- Environment Variables
- Git
- Redgate Clone
- Azure Active Directory Interactive Resolver
- Local DB Resolver
Using Property Resolvers In TOML Configuration Files
The syntax for this is ${resolver-name.resolver-key}.
For example, to retrieve the value of the password key from Dapr, you would use ${dapr.password}.
Inlining
These may be inlined, e.g.
[environments.default]
url = "jdbc:sqlserver://${vault.db-endpoint};databaseName=${vault.db-name}"
Escaping
The syntax can be escaped inline using $${a.b}.
I.e. please $${do.not} resolve will be read as please ${do.not} resolve and Flyway will not attempt to retrieve a value.
Alternatively, the whole value can be escaped by wrapping it in !{ ... }.
So !{please ${do.not} resolve} will be read as please ${do.not} resolve.
Configuring
Some property resolvers require configuration. This is done within the resolvers namespace within your environment. For example, to configure a HashiCorp Vault instance in a development environment, you would configure it like this:
[environments.development.resolvers.vault]
url = "http://localhost:8200/v1"
token = "abc.1234567890"
engineName = "secret"
engineVersion = "v2"
If configuration of a resolver requires a parameter from another resolver, you must configure the dependent resolver first.
For instance, if the token configuration for Vault comes from a Dapr secret, you must configure Dapr first:
[environments.development.resolvers.dapr]
url = "daprUrl"
[environments.development.resolvers.vault]
url = "http://localhost:8200/v1"
token = "${dapr.vault-token}"
engineName = "secret"
engineVersion = "v2"
Filtering
For security reasons, you may wish to filter the resolver value to avoid arbitrary values being inserted into your configuration.
This can be done with filters. The syntax to add a filter is ${resolver-name.resolver-key:filter}.
The filter can contain one or more of the following, each of which whitelists a certain type of character:
- A - Allows letters (characters in the following Unicode categories: "Uppercase letter (Lu)", "Lowercase letter (Ll)", "Titlecase letter (Lt)", "Modifier letter (Lm)" or "Other letter (Lo)")
- a - Allows ASCII letters
- D - Allows digits (characters in the "Decimal number (Nd)" Unicode category)
- d - Allows ASCII digits
For example, if ${my-resolver.my-value} has a value of @bc-123, then ${my-resolver.my-value:AD} will return bc123 because @ and - are not letters or digits.
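An emulation of the filter semantics described above, added here as an example and not Flyway's own code. The function name apply_filter, the rejection of unlisted filter letters and the sample values are assumptions made for illustration; the category sets come from the list above.

```python
import unicodedata

# Unicode general categories named on the page for each filter letter.
LETTER_CATEGORIES = {"Lu", "Ll", "Lt", "Lm", "Lo"}
DIGIT_CATEGORIES = {"Nd"}

def _is_ascii_letter(ch):
    return ("a" <= ch <= "z") or ("A" <= ch <= "Z")

def _is_ascii_digit(ch):
    return "0" <= ch <= "9"

PREDICATES = {
    "A": lambda ch: unicodedata.category(ch) in LETTER_CATEGORIES,
    "a": _is_ascii_letter,
    "D": lambda ch: unicodedata.category(ch) in DIGIT_CATEGORIES,
    "d": _is_ascii_digit,
}

def apply_filter(value, filter_spec):
    """Keep only characters allowed by at least one letter in filter_spec."""
    unknown = set(filter_spec) - set(PREDICATES)
    if unknown:
        # Assumption: this sketch rejects letters the page does not list.
        raise ValueError(f"unknown filter letter(s): {sorted(unknown)}")
    checks = [PREDICATES[f] for f in filter_spec]
    return "".join(ch for ch in value if any(check(ch) for check in checks))

# Constructed sample values (not taken from a real secret store).
SAMPLES = [
    ("@bc-123", "AD"),                    # the page's own example
    ("prod;databaseName=master", "ad"),   # URL-parameter delimiters are dropped
    ("db\u0661\u0662", "ad"),             # Arabic-Indic digits fail ASCII 'd'
    ("db\u0661\u0662", "aD"),             # ...but pass Unicode 'D'
    ("db.example.internal", "ad"),        # dots are dropped as well
]

if __name__ == "__main__":
    for value, spec in SAMPLES:
        print(f"{value!r}:{spec} -> {apply_filter(value, spec)!r}")
```

Because the filter drops every character outside the allowed classes, a value such as a dotted hostname comes back altered, so filters suit values that consist only of letters and digits. The ASCII-only letters a and d are the narrower choice when the value is inlined into something like a JDBC URL.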