> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytebase.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Manage General Settings with Terraform
This tutorial is part of the **Bytebase Terraform Provider** series:
* Part 1: [Manage Environments with Terraform](/tutorials/manage-environments-with-terraform) - Set up environments with policies
* Part 2: [Manage Databases with Terraform](/tutorials/manage-databases-with-terraform) - Register database instances
* Part 3: [Manage Projects with Terraform](/tutorials/manage-projects-with-terraform) - Organize databases into projects
* Part 4: Manage General Settings with Terraform 👈
* Part 5: [Manage SQL Review Rules with Terraform](/tutorials/manage-sql-review-rules-with-terraform) - Define SQL review policies
* Part 6: [Manage Users and Groups with Terraform](/tutorials/manage-users-and-groups-with-terraform) - Configure users and groups
* Part 7: [Manage Database Access Control with Terraform](/tutorials/manage-database-access-control-with-terraform) - Grant database permissions
* Part 8: [Manage Data Masking with Terraform](/tutorials/manage-data-masking-with-terraform) - Protect sensitive data
This tutorial series uses separate Terraform files for better organization. Files are numbered by tutorial part and sub-step (e.g., [1-1-env-setting.tf](https://github.com/bytebase/terraform-provider-bytebase/blob/main/tutorials/1-1-env-setting.tf), [1-2-env-policy-rollout.tf](https://github.com/bytebase/terraform-provider-bytebase/blob/main/tutorials/1-2-env-policy-rollout.tf) for Part 1, [2-instances.tf](https://github.com/bytebase/terraform-provider-bytebase/blob/main/tutorials/2-instances.tf) for Part 2, etc.). Terraform automatically handles dependencies between files.
This tutorial configures workspace-level settings that apply to all projects and environments in
your Bytebase workspace.
## What You'll Learn
* **Configure** workspace profile settings including signup controls and external URL
* **Create** multi-step, risk-based approval flows for database changes using CEL conditions
## Prerequisites
Before starting this tutorial, ensure you have:
* Completed [Part 3: Manage Projects with Terraform](/tutorials/manage-projects-with-terraform)
* Bytebase running with service account configured
* Your Terraform files from the previous tutorials
## Setup
From the previous tutorials, you should have:
* Bytebase workspaces and projects configured
* Service account with Workspace Admin role
* Your Terraform files ready for additional configurations
## Configure General Settings
### Step 1 - Workspace Profile Configuration
| | |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------------- |
| Terraform resource | [bytebase\_setting](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs/resources/setting) |
| Sample file | [4-1-workspace-profile.tf](https://github.com/bytebase/terraform-provider-bytebase/blob/main/tutorials/4-1-workspace-profile.tf) |
Create `4-1-workspace-profile.tf` with the workspace profile settings:
```hcl 4-1-workspace-profile.tf theme={null}
# Workspace profile configuration
resource "bytebase_setting" "workspace_profile" {
name = "settings/WORKSPACE_PROFILE"
workspace_profile {
disallow_signup = true
domains = ["example.com"]
enforce_identity_domain = false
external_url = "https://example.com"
}
}
```
This configuration:
* Disables public signup for security
* Restricts users to specific email domains
* Sets your Bytebase workspace's external URL
### Step 2 - Approval Flow Settings
| | |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------ |
| Terraform resource | [bytebase\_setting](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs/resources/setting) |
| Sample file | [4-2-approval-flow.tf](https://github.com/bytebase/terraform-provider-bytebase/blob/main/tutorials/4-2-approval-flow.tf) |
Create `4-2-approval-flow.tf` with approval flow configuration that requires multiple approvals for risky operations:
```hcl 4-2-approval-flow.tf theme={null}
# Approval flow settings
resource "bytebase_setting" "approval_flow" {
name = "settings/WORKSPACE_APPROVAL"
approval_flow {
# Rule 1: risky database changes need a three-step approval
rules {
flow {
title = "Project Owner → DBA → Admin"
description = "Need DBA and workspace admin approval"
# The steps of the flow are executed in the order of the roles list.
roles = [
"roles/projectOwner",
"roles/workspaceDBA",
"roles/workspaceAdmin"
]
}
source = "CHANGE_DATABASE"
condition = "request.risk >= 100"
}
# Rule 2: fallback — everything else only needs a DBA
rules {
flow {
title = "Fallback rule"
roles = [
"roles/workspaceDBA"
]
}
condition = "true"
}
}
}
```
**Key Configuration Options:**
* `flow.roles`: Ordered list of roles that must approve the issue, in sequence.
* `source`: The activity source this rule matches — `CHANGE_DATABASE`, `CREATE_DATABASE`, `EXPORT_DATA`, `REQUEST_ROLE`, or `REQUEST_ACCESS`. Omit for a fallback rule.
* `condition`: A CEL expression evaluated against the request. Common variables include `request.risk` (100 = LOW, 200 = MODERATE, 300 = HIGH) and `resource.project_id`. Use `"true"` for a catch-all fallback.
* Rules are evaluated in order; the **first matching rule applies**, so place the most specific rules first and keep a fallback last.
### Step 3 - Apply Configuration
```bash theme={null}
terraform plan
terraform apply
```
### Step 4 - Verify Configuration
#### Workspace Profile Settings
1. Go to **Settings > General** to verify workspace profile settings.
2. Log out and try to signup which should be disabled.
3. Visit the external URL to verify it is set.
#### Approval Flows
1. Go to **CI/CD > Custom Approval** to see the approval flow.
2. Verify the `Project Owner → DBA → Admin` flow is configured for the `CHANGE_DATABASE` source with `request.risk >= 100`, and the `Fallback rule` catches everything else.
Risk levels (returned by `request.risk` in the CEL expression) are configured separately in **CI/CD > Risks** in the UI. Each risk rule maps an activity (DDL/DML/CREATE\_DATABASE/EXPORT/REQUEST\_ROLE) plus a CEL condition to a numeric level (100 LOW / 200 MODERATE / 300 HIGH), which is then evaluated against your approval-flow conditions here.
## Key Points
* **Workspace Profile**: Controls signup, domain restrictions, and external URL for your entire Bytebase workspace
* **Approval Flows**: Define multi-step approval processes. Each rule binds a `source` + CEL `condition` to an ordered list of approver roles; rules are evaluated top-down, first match wins
* **Fallback Rule**: Include a final rule with `condition = "true"` and no `source` so that every issue has a defined approval path
You can configure additional
[settings](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs/resources/setting)
such as classification and semantic\_types. These will be covered in upcoming tutorials.