foundry db
Standalone Liquibase operations with automatic SSH tunnels and credential resolution — no service startup required. Each subcommand runs against every database in foundry.json (or a filtered subset).
Subcommands
| Subcommand | Liquibase op | Description |
|---|---|---|
migrate | update | Run pending migrations |
status | status | Show the pending changeset count |
changelog-sync | changelog-sync | Mark all pending changesets as executed (prompts first) |
changelog-sync-sql | changelog-sync-sql | Preview the changelog-sync SQL without executing |
execute-sql | execute-sql | Run arbitrary SQL (requires --filter + a SQL argument) |
Options
| Flag | Description |
|---|---|
--filter | Comma-separated database names to target. Required (single db) for execute-sql. |
Credentials & tunnels
Credentials are resolved from AWS Secrets Manager via the database's credentials.secretId, then passed to Liquibase through environment variables (avoiding shell-escaping issues). If the secret lookup fails, it falls back to the database's liquibase.properties. If an sshTunnel is configured for the database (in .foundry/config.yml or the manifest service entry), the tunnel is opened automatically and the JDBC URL is rewritten to localhost.
Requires the Liquibase CLI on PATH. Supported engines: MariaDB, MySQL, PostgreSQL.Examples
foundry db migrate # update all databases
foundry db migrate --filter api # one database
foundry db status # pending changeset count
foundry db execute-sql --filter api "SELECT COUNT(*) FROM DATABASECHANGELOG"