CreateTableMustHaveSystemKeyFile

Last updated: January 30, 2026

CreateTableMustHaveSystemKeyFile is a custom policy check that requires every CREATE TABLE statement to also have a system_key_file. All Regex Custom Policy Checks can only run against the changelog, not against the database.

regex: (?is)(?=.*\b(create)\b)(?=.*\b(table)\b)(?!.*\b(system_key_file)\b).*

This example utilizes Cassandra. You can use this check as it is or customize it further to fit your needs in your NoSQL database.

Before you begin

Scope

Database

changelog

Cassandra

  • Liquibase 4.29.0+

  • Python 3.10.14+

  • Configure a valid Liquibase Pro license key

  • Create a Check Settings file

  • Ensure the Liquibase Checks extension is installed. In Liquibase 4.31.0+, it is already installed in the /liquibase/internal/lib directory, so no action is needed.

  • If the checks JAR is not installed, download liquibase-checks-<version>.jar and put it in the liquibase/lib directory.

    • Maven users only:

      Add this dependency to your pom.xml

      file: <dependency> <groupId>org.liquibase.ext</groupId> <artifactId>liquibase-checks</artifactId> <version>2.0.0</version> </dependency>

  • Java Development Kit 17+ (available for Open JDK and Oracle JDK)

  • Linux, macOS, or Windows operating system

Procedure

These steps describe how to create the Custom Policy Check. It does not exist by default in Liquibase Pro.

1

Run this command in the CLI:

liquibase checks customize --check-name=SqlUserDefinedPatternCheck
2

Give your check a short name for easy identification

Use up to 64 alpha-numeric characters only.

CreateTableMustHavePrimaryKey
3

Set the Severity to return a code of 0-4 when triggered.

These severity codes allow you to determine if the job moves forward or stops when this check triggers. Learn more here: Use Policy Checks in Automation: Severity and Exit Code options: 'INFO'=0, 'MINOR'=1, 'MAJOR'=2, 'CRITICAL'=3, 'BLOCKER'=4

4

Set the SEARCH_STRING to this valid regular expression:

Regular expression search string
(?is)(?=.*\b(create)\b)(?=.*\b(table)\b)(?!.*\b(primary)\b)(?!.*\b(key)\b).*
5

Set the MESSAGE to display when a match for the regular expression <SEARCH_STRING> is found in a Changeset.

Error! CREATE TABLE statement must have a primary key included.

6

Set STRIP_COMMENTS to true if you want to remove the comments from the output.

The regex custom policy check is created successfully.

Sample Passing Script

--changeset amalik:encryption_test CREATE TABLE test.encryption_test (d int PRIMARY KEY) WITH COMPRESSION = {       'class': 'EncryptingLZ4Compressor',        'cipher_algorithm' : 'DESede/CBC/PKCS5Padding',        'secret_key_strength' : 112,       'system_key_file' : 'system_key' };

Sample Failing Scripts

--changeset amalik:encryption_test CREATE TABLE test.encryption_test (d int PRIMARY KEY) WITH COMPRESSION = {       'class': 'EncryptingLZ4Compressor',        'cipher_algorithm' : 'DESede/CBC/PKCS5Padding',        'secret_key_strength' : 112 };

Sample Error Message

CHANGELOG CHECKS ---------------- Checks completed validation of the changelog and found the following issues: Check Name:         Check for specific patterns in sql (CreateTableMustHaveSystemKeyFile) Changeset ID:       encryption_test Changeset Filepath: main/100_ddl/06_CassandraDDL.sql Check Severity:     BLOCKER (Return code: 4) Message:            Error! CREATE TABLE statement must have a TDE Encription enabled using "system_key_file".