Using Liquibase MongoDB Pro with MongoDB Atlas

MongoDB Atlas is a fully managed cloud database service provided by MongoDB, Inc. It allows users to deploy, manage, and scale MongoDB databases without the need to handle the underlying infrastructure.

Verified database versions

• 7
• 6
• 5

For more information on Liquibase Pro and MongoDB version requirements, see Verified database versions.

Prerequisites

Learn more about each step at the links below.

1. Create a MongDB Atlas Account
2. Deploy a Free Cluster
3. Add Your Connection IP Address to Your IP Access List

Configure MongoDB

1. Configure User Roles for MongoDB before continuing.
2. Download and Install mongosh if it is not already installed on your machine.

Note: mongosh is mandatory to use MongoDB with Liquibase Pro and it must be accessible to Liquibase. We recommend that mongosh is in the system PATH environment variable. If it is not, that location of mongosh must be manually specified in the liquibase.mongosh.conf file.

3. Download Java 11. The MongoDB Pro extension requires it.

Tip: Java 11 may already be present on your machine if you used the installer to install Liquibase. We recommend installing Liquibase with Java 11 with the installer asset available on GitHub.

Install drivers

CLI users

To use Liquibase and MongoDB Atlas, you must download the JAR file that contains the Liquibase MongoDB Pro extension and the JDBC drivers.

To use the Liquibase CLI, place your JAR file(s) in the liquibase/lib directory.

Maven users

To use Liquibase with Maven, you must instead include the driver JAR(s) as a dependency in your pom.xml file. Using this information, Maven automatically downloads the driver JAR from Maven Central when you build your project.

<dependency>
    <groupId>org.liquibase.ext</groupId>
    <artifactId>liquibase-commercial-mongodb</artifactId>
    <version>1.5.0</version>
</dependency>

Configure connection

1. Ensure your MongoDB database is configured. See Install MongoDB for more information.

2. Ensure your Liquibase Pro license key is specified. For example, in a liquibase.properties file (defaults file):

   licenseKey: zQl8kNZjZgSp9LvqWQFAtGwiHrpg97UyAfQrNSiJQBCDH8FQPdDzANUpIe4Bj3CZA2IXgDBaoYZFvMw0E/s4JcECB3/A6jO+...

3. Choose an authentication method. This guide includes SCRAM (username/password), X.509 Certificate, AWS IAM, and OIDC.

• SCRAM example
• X.509 certificate example
• AWS IAM example
• OIDC example

Users may prefer the SCRAM method because of simplicity and increased security. The server stores passwords in a iterated hash format. This makes offline attacks harder, and decreases the impact of database breaches.

MongoDB Atlas configuration

1. Create a Database User for Your Cluster
2. Add or change Database User role to Atlas admin (Security > Database Access > Edit > Database User Privileges > Built-in Role)

Note: Learn more about database users and built in roles here: Modify Database Users and Built In Roles.

Liquibase configuration

Once MongoDB Atlas is configured, you must then configure Liquibase.

1. Add the liquibase.command.url property to the properties file, environment variables, or command line options in the following format:

liquibase.command.url: mongodb+srv://cluster0.abcd123.mongodb.net/lbcat

2. Add the liquibase.command.username and liquibase.command.password properties to the same configuration file, environment variables, or command line. These are the same credentials entered in Step 1 above titled: Create a Database User for Your Cluster

This authorization mechanism allows system administrators to configure certificates for users within their organization. It also does not require you to memorize a password.

MongoDB Atlas configuration

1. Add Database Users for X.509 Certificates
2. Add or change Database User role to Atlas admin (Security > Database Access > Edit > Database User Privileges > Built-in Role)

Note: Learn more about database users and built in roles here: Modify Database Users and Built In Roles.

Java configuration

Java Truststore is a Java mechanism that stores Certificates. It is used only by Java applications. The below command creates the CA.p12 Truststore file that contains the certificate which was pulled from MongoDB Atlas above in Step 4.

1. Create the Truststore file by running the following in the CLI:

openssl pkcs12 -export -in X509-cert-137983036943191321.pem -name mongoAtlas -caname CA -out CA.p12 -passout pass:qwerty123

The CA.p12 Truststore file that contains the certificate can now be used by Liquibase to connect to MongoDB Atlas.

Liquibase configuration

Once MongoDB Atlas and Java are configured, you must then configure Liquibase.

Note: Your connection to MongoDB Atlas must be TLS and SSL encrypted.

1. Add the liquibase.command.url property to the properties file, environment variables, or command line options in the following format:

liquibase.command.url: mongodb+srv://cluster0.xtsabc123.mongodb.net/lbcat?authSource=%24external&authMechanism=MONGODB-X509&&tlsCertificateKeyFile=X509-cert-137983036943191321.pem

2. Add the following to the environment variables before running Liquibase commands:

JAVA_OPTS="-Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=CA.p12 -Djavax.net.ssl.keyStorePassword=qwerty123"

AWS lets you configure credentials using IAM (Identity and Access Management) roles, which can offer better security and simplify your credential management process.

MongoDB Atlas configuration

Follow the steps in the MongoDB documentation Set Up Authentication with AWS IAM:

1. Set Up Authentication with AWS IAM Roles
2. Grant Database Access to AWS IAM Roles
3. Connect to Atlas Cluster Using AWS IAM

Liquibase configuration

1. Ensure your Liquibase Pro license key is specified. For example, in a liquibase.properties file (defaults file):

   licenseKey: zQl8kNZjZgSp9LvqWQFAtGwiHrpg97UyAfQrNSiJQBCDH8FQPdDzANUpIe4Bj3CZA2IXgDBaoYZFvMw0E/s4JcECB3/A6jO+...

2. Configure your properties file, environment variables, or command line options in the following format:

liquibase.command.url=mongodb+srv://<atlas-host-name>/test?authSource=%24external&authMechanism=MONGODB-AWS
liquibase.command.username=<AWS_ACCESS_KEY_ID> # optional
liquibase.command.password=<AWS_SECRET_ACCESS_KEY> # optional

OIDC is a type of federated authentication that provides a secure, scalable, and user-friendly identity solution with Single Sign-On (SSO) capabilities and seamless integration across diverse applications.

In the Liquibase Pro MongoDB extension version 1.5.0 and later, you can authenticate using OIDC through Microsoft Entra ID (formerly called Azure Active Directory) in an Azure environment. For more information, see MongoDB: Enterprise Authentication Mechanisms.

Prerequisites

• A running MongoDB Atlas cluster (version 7 or newer)
• An active Azure subscription with administrative access
• Java Development Kit (JDK) 8 or later installed
• MongoDB Java driver version 5.2.0 or later, which includes OIDC support

Microsoft Azure configuration

1. Register your application in Azure Entra ID from the Azure portal. For more information, see Quickstart: Register an application with the Microsoft identity platform.
2. Retrieve your application ID URI so that you can provide it to Liquibase later in this tutorial. For more information, see Quickstart: Configure an application to expose a web API.
3. Configure a user-managed or system-managed identity. Retrieve the Object (principal) ID so that you can provide it to MongoDB Atlas later in this tutorial. For more information, see Configure managed identities on Azure virtual machines (VMs).
4. (Optional) If you have a user-managed identity, retrieve your Client ID so that you can provide it to Liquibase later in this tutorial. This is the unique identifier of your user-assigned managed identity (it is different than your overall application ID). For more information, see Manage user-assigned managed identities.

MongoDB Atlas configuration

1. Enable Workforce Identity Provider for your organization. Follow the steps in § Configure Workforce Identity Federation Authentication.
2. Register your Azure identity by adding it to a new database user in MongoDB Atlas. Follow the steps in § Add a Database User using Workforce Authentication. While you configure the database user, ensure that:
   • For "Select Identity Provider," select "Liquibase OIDC config for Applications."
   • For "User Identifier," specify the Object ID you retrieved earlier (not the application ID).

Liquibase configuration

1. Ensure your Liquibase Pro license key is specified. For example, in a liquibase.properties file (defaults file):

   licenseKey: zQl8kNZjZgSp9LvqWQFAtGwiHrpg97UyAfQrNSiJQBCDH8FQPdDzANUpIe4Bj3CZA2IXgDBaoYZFvMw0E/s4JcECB3/A6jO+...

2. Configure your properties file, environment variables, or command line options in the following format:

url=mongodb+srv://dat-18611.cn9br.mongodb.net/demo
liquibase.mongodb.oidc.authenticationMechanism=MONGODB-OIDC
liquibase.mongodb.oidc.environment=azure
liquibase.mongodb.oidc.oidcApplicationIDURI=api://8d719796-c744-4352-aab9-47a52c363907
liquibase.mongodb.oidc.oidcClientID=<optional-user-assigned-client-id>

For more information about MongoDB Atlas OIDC parameters, see Liquibase Parameters for MongoDB.

Warning: In the MongoDB extension version 1.5.0, Liquibase MongoDB Atlas OIDC authentication is not compatible with the mongosh native executor. If you want to use OIDC authentication in this version, you must use a YAML, JSON, or XML changelog. You cannot use the mongo and mongoFile Change Types since they require mongosh. When you copy the following examples into your changelog, ensure that you remove runWith from each changeset.

Test connection

1. Create a text file called changelog (.js, .yaml, .json, or .xml) in your project directory and add a changeset.

You can write Liquibase changelogs in the MongoDB Pro extension in three ways:

• Native MongoDB Shell (mongosh) scripts in MongoDB Query Language (MQL): let developers use Liquibase without modifying existing MQL scripts, which may be JavaScript (.js) files.
• Formatted Mongo changelogs (MongoDB Pro 1.3.0+): add Liquibase changeset metadata to your MQL scripts to use features like rollback, contexts, labels, and the include and includeAll tags. These must be saved as .js files.
• YAML, JSON, and XML modeled changelogs: specify changes for Liquibase to deploy without the need for MQL scripts. However, you can still deploy MQL scripts in YAML, JSON, and XML changelogs by using the mongo and mongoFile Change Types. Using these Change Types requires you to specify mongosh as the value of the runWith attribute for all mongo and mongoFile changesets.
• Raw mongosh example
• Formatted mongosh example
• YAML example
• JSON example
• XML example

Raw mongosh example

The MongoDB Pro extension lets you use MongoDB's native language of MongoDB Query Language (MQL), which you may be storing in JavaScript files, in Liquibase changesets and Change Types. This is possible because MongoDB Shell (mongosh) is compatible with Liquibase Pro. For more information, see MongoDB: Write Scripts. Example syntax:

db.createCollection('customers');

Formatted mongosh example

With the Liquibase MongoDB Pro extension 1.3.0+, you can use a formatted Mongo changelog for MongoDB Pro, similar to a formatted SQL changelog. This lets you use mongosh scripts written in MongoDB Query Language (MQL) directly in Liquibase while also having access to all Liquibase features.

All Liquibase formatted Mongo changelogs must use the file extension .JS or .js (JavaScript). They must also begin with a changelog header: // liquibase formatted mongodb. Your changesets must each specify runWith:mongosh. For example:

// liquibase formatted mongodb

// changeset your.name:1 labels:example-label context:example-context runWith:mongosh
// comment: example comment

db.createCollection('customers');

// rollback db = db.person.drop()

YAML example

databaseChangeLog:
  - changeSet:
      id: 1
      author: your.name
      runWith: mongosh
      changes:
        - mongo:
            mongo: "db.createCollection('person')"
            dbms: mongodb
        - rollback:
            mongo:
              mongo: "db.person.drop()"

  - changeSet:
      id: 2
      author: your.name
      runWith: mongosh
      changes:
        - mongoFile:
            path: "scriptFile.txt"
            dbms: mongodb
            relativeToChangelogFile: "true"
        - rollback:
            mongo:
              mongo: "db.company.drop()"

JSON example

{
  "databaseChangeLog": [
    {
      "changeSet": {
        "id": "1",
        "author": "your.name",
        "runWith": "mongosh",
        "changes": [
          {
            "mongo": {
              "dbms": "mongodb",
              "mongo": "db.createCollection('person')"
            }
          }
        ],
        "rollback": [
          {
            "mongo": {
              "mongo": "db.person.drop()"
            }
          }
        ]
      }
    },
    {
      "changeSet": {
        "id": "2",
        "author": "your.name",
        "runWith": "mongosh",
        "changes": [
          {
            "mongoFile": {
              "dbms": "mongodb",
              "path": "scriptFile.txt",
              "relativeToChangelogFile": true
            }
          }
        ],
        "rollback": [
          {
            "mongo": {
              "mongo": "db.company.drop()"
            }
          }
        ]
      }
    }
  ]
}

XML example

The Liquibase MongoDB Pro extension uses a unique mongodb-pro XML namespace and XSD files in the changelog header. However, the ext prefix used with other extensions is backwards-compatible:

<databaseChangeLog
    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:mongodb-pro="http://www.liquibase.org/xml/ns/pro-mongodb"
    xmlns:mongodb="http://www.liquibase.org/xml/ns/mongodb"
    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd
    http://www.liquibase.org/xml/ns/pro-mongodb http://www.liquibase.org/xml/ns/pro-mongodb/liquibase-pro-mongodb-latest.xsd
    http://www.liquibase.org/xml/ns/mongodb http://www.liquibase.org/xml/ns/mongodb/liquibase-mongodb-latest.xsd">

    <changeSet id="1" author="your.name" runWith="mongosh">
        <mongodb-pro:mongo dbms="mongodb">
            db.createCollection('person')
        </mongodb-pro:mongo>

        <rollback>
            <mongodb-pro:mongo>
                db.person.drop()
            </mongodb-pro:mongo>
        </rollback>
    </changeSet>

    <changeSet id="2" author="your.name" runWith="mongosh">
        <mongodb-pro:mongoFile dbms="mongodb" path="scriptFile.txt" relativeToChangelogFile="true"/>

        <rollback>
            <mongodb-pro:mongo>
                db.company.drop()
            </mongodb-pro:mongo>
        </rollback>
    </changeSet>

</databaseChangeLog>

Tip: The preceding examples show only the mongo and mongoFile Change Types for Liquibase Pro. For a list of all Liquibase Pro and Liquibase Open Source Change Types for MongoDB, including Change Types that you can without the mongosh native executor, see Liquibase Change Types for MongoDB.

2. Navigate to your project folder in the CLI and run the Liquibase status command to see whether the connection is successful:

Note: You can specify arguments in the CLI or keep them in the Liquibase properties file.

If your connection is successful, you'll see a message like this:

4 changesets have not been applied to <your_connection_url>
Liquibase command 'status' was executed successfully. 

3. Then execute these changes to your database with the update command:

liquibase update --changelog-file=<changelog.xml>

If your update is successful, Liquibase runs each changeset and displays a summary message ending with:

Liquibase: Update has been successful.
Liquibase command 'update' was executed successfully.

4. From a database UI tool, ensure that your database contains the myCollection object you added along with the DATABASECHANGELOG collection and DATABASECHANGELOGLOCK collection.

Tip: You can use MongoDB Compass to easily view collections in your database. For example, run the commands use myDatabase and db.myCollection.find().

Now you're ready to start making deployments with Liquibase!

Related links

• Using Liquibase MongoDB Pro with MongoDB Platforms