This tutorial is part of the Bytebase Terraform Provider series:

This tutorial configures workspace-level settings that apply to all projects and environments in your Bytebase instance.

What You’ll Learn

  • Configure workspace profile settings including signup controls and external URL
  • Define risk policies to automatically assess database operations
  • Create multi-step and risk-based approval flows for database changes

Prerequisites

Before starting this tutorial, ensure you have:

Setup

From the previous tutorials, you should have:

  • Bytebase instances and projects configured
  • Service account with Workspace Admin role
  • Your Terraform files ready for additional configurations

Configure General Settings

Step 1 - Workspace Profile Configuration

Terraform resource: bytebase_setting
Sample file: 4-1-workspace-profile.tf

Create 4-1-workspace-profile.tf with the workspace profile settings:

4-1-workspace-profile.tf
# Workspace profile configuration
resource "bytebase_setting" "workspace_profile" {
  name = "settings/WORKSPACE_PROFILE"

  workspace_profile {
    disallow_signup         = true
    domains                 = ["example.com"]
    enforce_identity_domain = false
    external_url            = "https://your-bytebase-url.com"
  }
}

This configuration:

  • Disables public signup for security
  • Restricts users to specific email domains
  • Sets your Bytebase instance’s external URL

Step 2 - Risk Management Policies

Terraform resource: bytebase_risk
Sample file: 4-2-risk.tf

Create 4-2-risk.tf with risk policies to assess the database operations’ risk level:

4-2-risk.tf
# Risk management policies
resource "bytebase_risk" "dml_moderate" {
  title     = "DML Moderate Risk"
  source    = "DML"
  level     = 200
  active    = true
  condition = "environment_id == \"prod\" && affected_rows >= 100"
}

resource "bytebase_risk" "ddl_high" {
  title     = "DDL High Risk"
  source    = "DDL"
  level     = 300
  active    = true
  condition = "environment_id == \"prod\""
}

Risk levels:

  • 100 (LOW)
  • 200 (MODERATE): DML operations in production affecting 100+ rows
  • 300 (HIGH): All DDL operations in production

Step 3 - Approval Flow Settings

Terraform resource: bytebase_setting
Sample file: 4-3-approval-flow.tf

Create 4-3-approval-flow.tf with approval flow configuration that requires multiple approvals for risky operations:

4-3-approval-flow.tf
# Approval flow settings
resource "bytebase_setting" "approval_flow" {
  name = "settings/WORKSPACE_APPROVAL"

  approval_flow {
    rules {
      flow {
        title       = "Project Owner → DBA → Admin"
        description = "Need DBA and workspace admin approval"

        steps { role = "roles/projectOwner" }
        steps { role = "roles/workspaceDBA" }
        steps { role = "roles/workspaceAdmin" }
      }
      conditions {
        source = "DML"
        level  = "MODERATE"
      }
      conditions {
        source = "DDL"
        level  = "HIGH"
      }
    }
  }
}

This creates a three-step approval flow that triggers for:

  • DML operations with MODERATE risk level
  • DDL operations with HIGH risk level
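
How the risk rules from Step 2 and the approval conditions above combine, as an added Python model that is not Bytebase or provider code. Assumptions: the CEL conditions are transcribed by hand as Python lambdas, the highest matching level wins, and the environment id "test" is constructed for the sample.

```python
from dataclasses import dataclass
from typing import Callable, Optional

LEVEL_NAMES = {100: "LOW", 200: "MODERATE", 300: "HIGH"}  # from "Risk levels" in Step 2

@dataclass(frozen=True)
class Operation:
    source: str            # "DDL" or "DML"
    environment_id: str
    affected_rows: int = 0

@dataclass(frozen=True)
class RiskRule:
    title: str
    source: str
    level: int
    active: bool
    condition: Callable[[Operation], bool]  # hand-written stand-in for the CEL string

# The two bytebase_risk resources from 4-2-risk.tf.
RISK_RULES = [
    RiskRule("DML Moderate Risk", "DML", 200, True,
             lambda op: op.environment_id == "prod" and op.affected_rows >= 100),
    RiskRule("DDL High Risk", "DDL", 300, True,
             lambda op: op.environment_id == "prod"),
]

# The single rule from 4-3-approval-flow.tf: (source, level) conditions and ordered steps.
APPROVAL_CONDITIONS = {("DML", "MODERATE"), ("DDL", "HIGH")}
APPROVAL_STEPS = ["roles/projectOwner", "roles/workspaceDBA", "roles/workspaceAdmin"]

def assess(op: Operation) -> Optional[str]:
    """Return the highest matching risk level name, or None if no rule matches.
    Assumption: the highest level among active matching rules wins."""
    levels = [r.level for r in RISK_RULES
              if r.active and r.source == op.source and r.condition(op)]
    return LEVEL_NAMES[max(levels)] if levels else None

def required_approvals(op: Operation) -> list[str]:
    """Approval steps for op; an empty list means this flow is not triggered."""
    level = assess(op)
    return list(APPROVAL_STEPS) if (op.source, level) in APPROVAL_CONDITIONS else []

if __name__ == "__main__":
    for op in [Operation("DDL", "prod"), Operation("DML", "prod", 100),
               Operation("DML", "prod", 99), Operation("DDL", "test")]:
        print(op, assess(op), required_approvals(op))
```

In this model, a DML statement in prod that affects 99 rows, and any DDL outside prod, match no risk rule and therefore reach no approval step; compare that with the coverage you intend before applying.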

Step 4 - Apply Configuration

terraform plan
terraform apply

Step 5 - Verify Configuration

Workspace Profile Settings

  1. Go to Settings > General to verify workspace profile settings.
  2. Log out and try to sign up; signup should be disabled.
  3. Visit the external URL to verify it is set.

Risk Policies

  1. Go to CI/CD > Risk Center to view risk policies.

  2. You should see both “DML Moderate Risk” and “DDL High Risk” policies active.

Approval Flows

  1. Go to CI/CD > Custom Approval to see the approval flow.

  2. Verify the Project Owner → DBA → Admin flow is configured.

Test the Flow

  1. Go to Project Two, click Database > Databases on the left sidebar.

  2. Check hr_prod, click Edit Schema, add a new table t0.

  3. After creating the issue, you should see:

    • Risk level: DDL High
    • Approval flow: Project Owner → DBA → Admin

Key Points

  • Workspace Profile: Controls signup, domain restrictions, and external URL for your entire Bytebase instance
  • Risk Policies: Automatically assess database operations based on conditions like environment and affected rows
  • Approval Flows: Define multi-step approval processes that trigger based on risk levels
  • Integration: Risk policies and approval flows work together to ensure proper governance for database changes

You can configure additional settings such as classification and semantic_types. These will be covered in upcoming tutorials.

Part 4: Manage SQL Review Rules with Terraform