This tutorial is part of the Bytebase Terraform Provider series:

What You’ll Learn

  • Create users and service accounts for team members
  • Organize users into groups for easier management
  • Understand the difference between users and service accounts
  • Prepare for setting up permissions in the next tutorial

Prerequisites

Before starting this tutorial, ensure you have:

Setup

From the previous tutorials, you should have:

  • Bytebase instances and projects configured
  • Workspace settings and approval flows set up
  • Service account with Workspace Admin role

Understanding User Management in Bytebase

Bytebase adopts an Identity and Access Management (IAM) system with:

  • Users: Individual accounts for team members
  • Service Accounts: Automated accounts for API/Terraform access
  • Groups: Collections of users for easier permission management

Configure Users and Groups

Step 1 - Create Users and Service Accounts

Terraform resource: bytebase_user
Sample file: 6-1-users.tf

Create 6-1-users.tf to define your team structure:

6-1-users.tf
# Workspace administrators
resource "bytebase_user" "workspace_admin" {
  email = "admin@example.com"
  title = "Workspace Admin"
  type  = "USER"
}

# Service account for automation
resource "bytebase_user" "tf_service_account" {
  email = "tf@service.bytebase.com"
  title = "Terraform Service Account"
  type  = "SERVICE_ACCOUNT"  # SERVICE_ACCOUNT type for API access
}

# Database administrators
resource "bytebase_user" "workspace_dba1" {
  email = "dba@example.com"
  title = "Database Administrator 1"
  type  = "USER"
}

resource "bytebase_user" "workspace_dba2" {
  email = "dba2@example.com"
  title = "Database Administrator 2"
  type  = "USER"
}

# Development team members
resource "bytebase_user" "dev1" {
  email = "dev1@example.com"
  title = "Developer 1"
  type  = "USER"
}

resource "bytebase_user" "dev2" {
  email = "dev2@example.com"
  title = "Developer 2"
  type  = "USER"
}

resource "bytebase_user" "dev3" {
  email = "dev3@example.com"
  title = "Developer 3"
  type  = "USER"
}

# QA team members
resource "bytebase_user" "qa1" {
  email = "qa1@example.com"
  title = "QA Tester 1"
  type  = "USER"
}

resource "bytebase_user" "qa2" {
  email = "qa2@example.com"
  title = "QA Tester 2"
  type  = "USER"
}

Step 2 - Apply User Configuration

terraform plan
terraform apply

Step 3 - Create Groups

Groups simplify permission management by allowing you to assign roles to multiple users at once.

Each group has an owner who can manage group membership. Regular members inherit permissions assigned to the group.

Terraform resource: bytebase_group
Sample file: 6-2-groups.tf

Add the following groups to your 6-2-groups.tf file:

6-2-groups.tf
# Create groups
resource "bytebase_group" "developers" {
  email       = "developers@example.com"
  title       = "Developer Team"
  description = "Group for all developers"

  members {
    member = "users/${bytebase_user.dev1.email}"
    role   = "OWNER"
  }

  members {
    member = "users/${bytebase_user.dev2.email}"
    role   = "MEMBER"
  }

  members {
    member = "users/${bytebase_user.dev3.email}"
    role   = "MEMBER"
  }
}

resource "bytebase_group" "qa" {
  email       = "qa@example.com"
  title       = "QA Team"
  description = "Group for all QA testers"

  members {
    member = "users/${bytebase_user.qa1.email}"
    role   = "OWNER"
  }

  members {
    member = "users/${bytebase_user.qa2.email}"
    role   = "MEMBER"
  }
}

Step 4 - Apply Complete Configuration

terraform plan
terraform apply

Step 5 - Verify in Bytebase

  1. Go to IAM & Admin > Users & Groups to see all users:


  2. Click the Groups tab to verify groups:

    • Developer Team: 3 members (dev1 as owner, dev2 and dev3 as members)
    • QA Team: 2 members (qa1 as owner, qa2 as member)


Key Points

  • User Types: Regular users (USER) for team members, service accounts (SERVICE_ACCOUNT) for API/automation
  • Group Roles: Each group has owners (manage membership) and members (inherit permissions)
  • Organization: Groups simplify permission management - assign roles to groups instead of individual users
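A pre-apply review for the plans produced in Steps 2 and 4, as an added example that is not part of the original tutorial or of the Bytebase provider: it reads the JSON from `terraform plan -out=plan.out` followed by `terraform show -json plan.out` and lists the identity changes worth a second look (service accounts, group owners, groups with no owner, members not managed as a bytebase_user). It assumes each resource's "after" object mirrors the HCL attributes shown above; the finding labels and the sample plan are constructed for illustration.

```python
import json

# Constructed sample of `terraform show -json plan.out` output, trimmed to the
# fields used here. Assumption: "after" mirrors the HCL attributes on this page.
def _rc(rtype, name, actions, after):
    return {"type": rtype, "name": name,
            "change": {"actions": actions, "after": after}}

SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("bytebase_user", "tf_service_account", ["create"],
        {"email": "tf@service.bytebase.com", "type": "SERVICE_ACCOUNT"}),
    _rc("bytebase_user", "qa1", ["no-op"],
        {"email": "qa1@example.com", "type": "USER"}),
    _rc("bytebase_group", "qa", ["create"],
        {"email": "qa@example.com", "members": [
            {"member": "users/qa1@example.com", "role": "OWNER"},
            {"member": "users/temp@example.com", "role": "MEMBER"}]}),
    _rc("bytebase_group", "ops", ["create"],
        {"email": "ops@example.com", "members": [
            {"member": "users/qa1@example.com", "role": "MEMBER"}]}),
]})

def audit_identity_plan(plan_json):
    """Return (finding, subject) pairs a reviewer should confirm before apply."""
    changes = json.loads(plan_json).get("resource_changes", [])
    live = [c for c in changes if c["change"]["actions"] != ["delete"]]
    users = [c["change"]["after"] for c in live if c["type"] == "bytebase_user"]
    managed = {"users/" + u["email"] for u in users}
    findings = []
    for c in live:
        after, actions = c["change"]["after"], c["change"]["actions"]
        if actions == ["no-op"]:
            continue  # unchanged resources need no review
        if c["type"] == "bytebase_user" and after.get("type") == "SERVICE_ACCOUNT":
            findings.append(("service-account-change", after["email"]))
        if c["type"] == "bytebase_group":
            members = after.get("members") or []
            owners = [m["member"] for m in members if m["role"] == "OWNER"]
            findings += [("owner-grant", f"{after['email']}: {o}") for o in owners]
            if not owners:
                findings.append(("group-without-owner", after["email"]))
            findings += [("unmanaged-member", f"{after['email']}: {m['member']}")
                         for m in members if m["member"] not in managed]
    return findings

if __name__ == "__main__":
    for kind, subject in audit_identity_plan(SAMPLE_PLAN):
        print(f"{kind:24} {subject}")
```

Run it against the saved plan file and apply that same file with `terraform apply plan.out`, so the reviewed changes are the ones that get applied.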

Part 7: Manage Database Access Control with Terraform