chore: support more environment policy (#124)

ecmadao · web-flow · commit 619e80dd5c18 · 2025-07-10T19:00:00.000+08:00
* chore: support more environment policy

* fix: lint
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.8.0
+3.8.1
diff --git a/docs/data-sources/policy.md b/docs/data-sources/policy.md
@@ -17,13 +17,16 @@ The policy data source.
 
 ### Required
 
+- `parent` (String) The policy parent name for the policy, support projects/{resource id}, environments/{resource id}, instances/{resource id}, or instances/{resource id}/databases/{database name}
 - `type` (String) The policy type.
 
 ### Optional
 
+- `data_source_query_policy` (Block List, Max: 1) Restrict querying admin data sources (see [below for nested schema](#nestedblock--data_source_query_policy))
+- `disable_copy_data_policy` (Block List, Max: 1) Restrict data copying in SQL Editor (Admins/DBAs allowed) (see [below for nested schema](#nestedblock--disable_copy_data_policy))
 - `global_masking_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--global_masking_policy))
 - `masking_exception_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--masking_exception_policy))
-- `parent` (String) The policy parent name for the policy, support projects/{resource id}, environments/{resource id}, instances/{resource id}, or instances/{resource id}/databases/{database name}
+- `rollout_policy` (Block List, Max: 1) Control issue rollout. Learn more: https://docs.bytebase.com/administration/environment-policy/rollout-policy (see [below for nested schema](#nestedblock--rollout_policy))
 
 ### Read-Only
 
@@ -32,6 +35,24 @@ The policy data source.
 - `inherit_from_parent` (Boolean) Decide if the policy should inherit from the parent.
 - `name` (String) The policy full name
 
+<a id="nestedblock--data_source_query_policy"></a>
+### Nested Schema for `data_source_query_policy`
+
+Optional:
+
+- `disallow_ddl` (Boolean) Disallow running DDL statements in the SQL editor.
+- `disallow_dml` (Boolean) Disallow running DML statements in the SQL editor.
+- `restriction` (String) RESTRICTION_UNSPECIFIED means no restriction; FALLBACK will allows to query admin data sources when there is no read-only data source; DISALLOW will always disallow to query admin data sources.
+
+
+<a id="nestedblock--disable_copy_data_policy"></a>
+### Nested Schema for `disable_copy_data_policy`
+
+Required:
+
+- `enable` (Boolean) Restrict data copying
+
+
 <a id="nestedblock--global_masking_policy"></a>
 ### Nested Schema for `global_masking_policy`
 
@@ -74,3 +95,13 @@ Optional:
 - `table` (String)
 
 
+
+<a id="nestedblock--rollout_policy"></a>
+### Nested Schema for `rollout_policy`
+
+Optional:
+
+- `automatic` (Boolean) If all check pass, the change will be rolled out and executed automatically.
+- `roles` (Set of String) If any roles are specified, Bytebase requires users with those roles to manually roll out the change.
+
+
diff --git a/docs/data-sources/setting.md b/docs/data-sources/setting.md
@@ -22,7 +22,7 @@ The setting data source.
 ### Optional
 
 - `classification` (Block List, Max: 1) Classification for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--classification))
-- `semantic_types` (Block Set) Semantic types for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--semantic_types))
+- `semantic_types` (Block List) Semantic types for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--semantic_types))
 - `workspace_profile` (Block List, Max: 1) (see [below for nested schema](#nestedblock--workspace_profile))
 
 ### Read-Only
@@ -38,7 +38,7 @@ Required:
 
 - `classifications` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--classification--classifications))
 - `id` (String) The classification unique uuid.
-- `levels` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--classification--levels))
+- `levels` (Block List, Min: 1) (see [below for nested schema](#nestedblock--classification--levels))
 - `title` (String) The classification title. Optional.
 
 Optional:
diff --git a/docs/resources/environment.md b/docs/resources/environment.md
@@ -17,13 +17,13 @@ The environment resource.
 
 ### Required
 
-- `order` (Number) The environment sorting order.
 - `resource_id` (String) The environment unique id.
 - `title` (String) The environment display name.
 
 ### Optional
 
 - `color` (String) The environment color.
+- `order` (Number) The environment sorting order.
 - `protected` (Boolean) The environment is protected or not.
 
 ### Read-Only
diff --git a/docs/resources/policy.md b/docs/resources/policy.md
@@ -22,16 +22,37 @@ The policy resource.
 
 ### Optional
 
+- `data_source_query_policy` (Block List, Max: 1) Restrict querying admin data sources (see [below for nested schema](#nestedblock--data_source_query_policy))
+- `disable_copy_data_policy` (Block List, Max: 1) Restrict data copying in SQL Editor (Admins/DBAs allowed) (see [below for nested schema](#nestedblock--disable_copy_data_policy))
 - `enforce` (Boolean) Decide if the policy is enforced.
 - `global_masking_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--global_masking_policy))
 - `inherit_from_parent` (Boolean) Decide if the policy should inherit from the parent.
 - `masking_exception_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--masking_exception_policy))
+- `rollout_policy` (Block List, Max: 1) Control issue rollout. Learn more: https://docs.bytebase.com/administration/environment-policy/rollout-policy (see [below for nested schema](#nestedblock--rollout_policy))
 
 ### Read-Only
 
 - `id` (String) The ID of this resource.
 - `name` (String) The policy full name
 
+<a id="nestedblock--data_source_query_policy"></a>
+### Nested Schema for `data_source_query_policy`
+
+Optional:
+
+- `disallow_ddl` (Boolean) Disallow running DDL statements in the SQL editor.
+- `disallow_dml` (Boolean) Disallow running DML statements in the SQL editor.
+- `restriction` (String) RESTRICTION_UNSPECIFIED means no restriction; FALLBACK will allows to query admin data sources when there is no read-only data source; DISALLOW will always disallow to query admin data sources.
+
+
+<a id="nestedblock--disable_copy_data_policy"></a>
+### Nested Schema for `disable_copy_data_policy`
+
+Required:
+
+- `enable` (Boolean) Restrict data copying
+
+
 <a id="nestedblock--global_masking_policy"></a>
 ### Nested Schema for `global_masking_policy`
 
@@ -74,3 +95,13 @@ Optional:
 - `table` (String)
 
 
+
+<a id="nestedblock--rollout_policy"></a>
+### Nested Schema for `rollout_policy`
+
+Optional:
+
+- `automatic` (Boolean) If all check pass, the change will be rolled out and executed automatically.
+- `roles` (Set of String) If any roles are specified, Bytebase requires users with those roles to manually roll out the change.
+
+
diff --git a/docs/resources/setting.md b/docs/resources/setting.md
@@ -24,7 +24,7 @@ The setting resource.
 - `approval_flow` (Block List) Configure risk level and approval flow for different tasks. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--approval_flow))
 - `classification` (Block List, Max: 1) Classification for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--classification))
 - `environment_setting` (Block List) The environment (see [below for nested schema](#nestedblock--environment_setting))
-- `semantic_types` (Block Set) Semantic types for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--semantic_types))
+- `semantic_types` (Block List) Semantic types for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--semantic_types))
 - `workspace_profile` (Block List, Max: 1) (see [below for nested schema](#nestedblock--workspace_profile))
 
 ### Read-Only
@@ -88,7 +88,7 @@ Required:
 
 - `classifications` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--classification--classifications))
 - `id` (String) The classification unique uuid.
-- `levels` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--classification--levels))
+- `levels` (Block List, Min: 1) (see [below for nested schema](#nestedblock--classification--levels))
 - `title` (String) The classification title. Optional.
 
 Optional:
diff --git a/examples/database/main.tf b/examples/database/main.tf
@@ -2,7 +2,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/database_group/main.tf b/examples/database_group/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/environments/main.tf b/examples/environments/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/groups/main.tf b/examples/groups/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/iamPolicy/main.tf b/examples/iamPolicy/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/instances/main.tf b/examples/instances/main.tf
@@ -2,7 +2,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/policies/main.tf b/examples/policies/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/projects/main.tf b/examples/projects/main.tf
@@ -2,7 +2,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/risk/main.tf b/examples/risk/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/roles/main.tf b/examples/roles/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/settings/main.tf b/examples/settings/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/setup/environment.tf b/examples/setup/environment.tf
@@ -37,3 +37,41 @@ resource "bytebase_environment" "prod" {
   order       = 1 // change order to 1
   protected   = true
 }
+
+resource "bytebase_policy" "rollout_policy" {
+  depends_on = [bytebase_environment.test]
+  parent     = bytebase_environment.test.name
+  type       = "ROLLOUT_POLICY"
+
+  rollout_policy {
+    automatic = true
+    roles = [
+      "roles/workspaceAdmin",
+      "roles/projectOwner",
+      "roles/LAST_APPROVER",
+      "roles/CREATOR"
+    ]
+  }
+}
+
+resource "bytebase_policy" "disable_copy_data_policy" {
+  depends_on = [bytebase_environment.test]
+  parent     = bytebase_environment.test.name
+  type       = "DISABLE_COPY_DATA"
+
+  disable_copy_data_policy {
+    enable = true
+  }
+}
+
+resource "bytebase_policy" "data_source_query_policy" {
+  depends_on = [bytebase_environment.test]
+  parent     = bytebase_environment.test.name
+  type       = "DATA_SOURCE_QUERY"
+
+  data_source_query_policy {
+    restriction  = "FALLBACK"
+    disallow_ddl = false
+    disallow_dml = false
+  }
+}
diff --git a/examples/setup/main.tf b/examples/setup/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/examples/setup/sql_review.tf b/examples/setup/sql_review.tf
@@ -1,14 +1,16 @@
 resource "bytebase_review_config" "sample" {
   depends_on = [
-    bytebase_setting.environments
+    bytebase_setting.environments,
+    bytebase_project.sample_project
   ]
 
   resource_id = "review-config-sample"
   title       = "Sample SQL Review Config"
   enabled     = true
   resources = toset([
     bytebase_setting.environments.environment_setting[0].environment[0].name,
-    bytebase_setting.environments.environment_setting[0].environment[1].name
+    bytebase_setting.environments.environment_setting[0].environment[1].name,
+    bytebase_project.sample_project.name
   ])
   rules {
     type   = "column.no-null"
diff --git a/examples/sql_review/main.tf b/examples/sql_review/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     bytebase = {
-      version = "3.7.2"
+      version = "3.8.1"
       # For local development, please use "terraform.local/bytebase/bytebase" instead
       source = "registry.terraform.io/bytebase/bytebase"
     }
diff --git a/provider/data_source_iam_policy.go b/provider/data_source_iam_policy.go
@@ -67,6 +67,9 @@ func getIAMBindingSchema(computed bool) *schema.Schema {
 					Computed:    computed,
 					Optional:    !computed,
 					Description: "The role full name in roles/{id} format.",
+					ValidateDiagFunc: internal.ResourceNameValidation(
+						fmt.Sprintf("^%s", internal.RoleNamePrefix),
+					),
 				},
 				"members": {
 					Type:        schema.TypeSet,
@@ -75,6 +78,11 @@ func getIAMBindingSchema(computed bool) *schema.Schema {
 					Description: `A set of memebers. The value can be "allUsers", "user:{email}" or "group:{email}".`,
 					Elem: &schema.Schema{
 						Type: schema.TypeString,
+						ValidateDiagFunc: internal.ResourceNameValidation(
+							"allUsers",
+							"^user:",
+							"^group:",
+						),
 					},
 				},
 				"condition": {
@@ -242,6 +250,12 @@ func bindingHash(rawBinding interface{}) int {
 		_, _ = buf.WriteString(conditionHash(rawCondition))
 	}
 
+	if members, ok := binding["members"].(*schema.Set); ok && members.Len() > 0 {
+		for _, member := range members.List() {
+			_, _ = buf.WriteString(fmt.Sprintf("[member] %s", member))
+		}
+	}
+
 	return internal.ToHashcodeInt(buf.String())
 }
 
diff --git a/provider/data_source_policy.go b/provider/data_source_policy.go
diff --git a/provider/data_source_setting.go b/provider/data_source_setting.go
diff --git a/provider/resource_policy.go b/provider/resource_policy.go
diff --git a/provider/resource_review_config.go b/provider/resource_review_config.go
diff --git a/provider/resource_setting.go b/provider/resource_setting.go
diff --git a/tutorials/0-provider.tf b/tutorials/0-provider.tf

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`terraform {`
`3`	`3`	`required_providers {`
`4`	`4`	`bytebase = {`
`5`		`- version = "3.7.2"`
	`5`	`+ version = "3.8.1"`
`6`	`6`	`# For local development, please use "terraform.local/bytebase/bytebase" instead`
`7`	`7`	`source = "registry.terraform.io/bytebase/bytebase"`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`terraform {`
`2`	`2`	`required_providers {`
`3`	`3`	`bytebase = {`
`4`		`- version = "3.7.2"`
	`4`	`+ version = "3.8.1"`
`5`	`5`	`# For local development, please use "terraform.local/bytebase/bytebase" instead`
`6`	`6`	`source = "registry.terraform.io/bytebase/bytebase"`
`7`	`7`	`}`