add tutorial hcl (#123)

* add tutorial hcl

* fix

Author: adela-bytebase

tutorials/0-provider.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    bytebase = {
+      version = "3.8.0"
+      # For local development, please use "terraform.local/bytebase/bytebase" instead
+      source = "registry.terraform.io/bytebase/bytebase"
+    }
+  }
+}
+
+provider "bytebase" {
+  service_account = "tf@service.bytebase.com"
+  service_key     = "bbs_xxxx"
+  url = "https://xxx.xxx.xxx"
+}

tutorials/1-instances.tf

@@ -0,0 +1,37 @@
+# Built-in Test Instance
+resource "bytebase_instance" "test" {
+  depends_on  = [bytebase_setting.environments]
+  resource_id = "test-sample-instance"
+  environment = "environments/test"
+  title       = "Test Sample Instance"
+  engine      = "POSTGRES"
+  activation  = true
+
+  data_sources {
+    id       = "admin data source test-sample-instance"
+    type     = "ADMIN"
+    host     = "/tmp"
+    port     = "8083"
+    username = "bbsample"
+    password = ""
+  }
+}
+
+# Built-in Prod Instance
+resource "bytebase_instance" "prod" {
+  depends_on  = [bytebase_setting.environments]
+  resource_id = "prod-sample-instance"
+  environment = "environments/prod"
+  title       = "Prod Sample Instance"
+  engine      = "POSTGRES"
+  activation  = true
+
+  data_sources {
+    id       = "admin data source prod-sample-instance"
+    type     = "ADMIN"
+    host     = "/tmp"
+    port     = "8084"
+    username = "bbsample"
+    password = ""
+  }
+}

tutorials/2-projects.tf

@@ -0,0 +1,23 @@
+# Project One
+resource "bytebase_project" "project-one" {
+  depends_on = [
+    bytebase_instance.test
+  ]
+  resource_id = "project-one"
+  title       = "Project One"
+
+  databases = bytebase_instance.test.databases
+}
+
+# Project Two
+resource "bytebase_project" "project-two" {
+  depends_on = [
+    bytebase_instance.prod
+  ]
+  resource_id = "project-two"
+  title       = "Project Two"
+
+  databases = [
+    "instances/prod-sample-instance/databases/hr_prod"
+  ]
+}

tutorials/3-settings.tf

@@ -0,0 +1,72 @@
+# Environment Settings
+resource "bytebase_setting" "environments" {
+  name = "settings/ENVIRONMENT"
+
+  environment_setting {
+    environment {
+      id        = "test"
+      title     = "Test"
+      protected = false
+    }
+    environment {
+      id        = "prod"
+      title     = "Prod"
+      protected = true
+    }
+  }
+}
+
+# Step 1: Workspace profile configuration
+resource "bytebase_setting" "workspace_profile" {
+  name = "settings/WORKSPACE_PROFILE"
+
+  workspace_profile {
+    disallow_signup          = true
+    domains                  = ["example.com"]
+    enforce_identity_domain  = false
+    external_url             = "https://valid-just-tadpole.ngrok-free.app"
+  }
+}
+
+# Step 2: Approval flow settings
+resource "bytebase_setting" "approval_flow" {
+  name = "settings/WORKSPACE_APPROVAL"
+
+  approval_flow {
+    rules {
+      flow {
+        title       = "Project Owner → DBA → Admin"
+        description = "Need DBA and workspace admin approval"
+
+        steps { role = "roles/projectOwner" }
+        steps { role = "roles/workspaceDBA" }
+        steps { role = "roles/workspaceAdmin" }
+      }
+      conditions {
+        source = "DML"
+        level  = "MODERATE"
+      }
+      conditions {
+        source = "DDL"
+        level  = "HIGH"
+      }
+    }
+  }
+}
+
+# Step 3: Risk management policies
+resource "bytebase_risk" "dml_moderate" {
+  title     = "DML Moderate Risk"
+  source    = "DML"
+  level     = 200
+  active    = true
+  condition = "environment_id == \"prod\" && affected_rows >= 100"
+}
+
+resource "bytebase_risk" "ddl_high" {
+  title     = "DDL High Risk"
+  source    = "DDL"
+  level     = 300
+  active    = true
+  condition = "environment_id == \"prod\""
+}

tutorials/4-user-iam.tf

@@ -0,0 +1,182 @@
+# Create users and groups
+resource "bytebase_user" "workspace_admin" {
+  email = "admin@example.com"
+  title = "Workspace Admin"
+  type  = "USER"
+}
+
+resource "bytebase_user" "tf_service_account" {
+  email = "tf@service.bytebase.com"
+  title = "Terraform Service Account"
+  type  = "SERVICE_ACCOUNT"
+}
+
+resource "bytebase_user" "workspace_dba1" {
+  email = "dba@example.com"
+  title = "Database Administrator 1"
+  type  = "USER"
+}
+
+resource "bytebase_user" "workspace_dba2" {
+  email = "dba2@example.com"
+  title = "Database Administrator 2"
+  type  = "USER"
+}
+
+resource "bytebase_user" "dev1" {
+  email = "dev1@example.com"
+  title = "Developer 1"
+  type  = "USER"
+}
+
+resource "bytebase_user" "dev2" {
+  email = "dev2@example.com"
+  title = "Developer 2"
+  type  = "USER"
+}
+
+resource "bytebase_user" "dev3" {
+  email = "dev3@example.com"
+  title = "Developer 3"
+  type  = "USER"
+}
+
+resource "bytebase_user" "qa1" {
+  email = "qa1@example.com"
+  title = "QA Tester 1"
+  type  = "USER"
+}
+
+resource "bytebase_user" "qa2" {
+  email = "qa2@example.com"
+  title = "QA Tester 2"
+  type  = "USER"
+}
+
+# Create groups
+resource "bytebase_group" "developers" {
+  email       = "developers@example.com"
+  title       = "Developer Team"
+  description = "Group for all developers"
+  
+  members {
+    member = "users/${bytebase_user.dev1.email}"
+    role   = "OWNER"
+  }
+  
+  members {
+    member = "users/${bytebase_user.dev2.email}"
+    role   = "MEMBER"
+  }
+  
+  members {
+    member = "users/${bytebase_user.dev3.email}"
+    role   = "MEMBER"
+  }
+}
+
+resource "bytebase_group" "qa" {
+  email       = "qa@example.com"
+  title       = "QA Team"
+  description = "Group for all QA testers"
+  
+  members {
+    member = "users/${bytebase_user.qa1.email}"
+    role   = "OWNER"
+  }
+  
+  members {
+    member = "users/${bytebase_user.qa2.email}"
+    role   = "MEMBER"
+  }
+}
+
+resource "bytebase_iam_policy" "workspace_iam" {
+  depends_on = [
+    bytebase_user.workspace_admin,
+    bytebase_user.tf_service_account,
+    bytebase_user.workspace_dba1,
+    bytebase_user.workspace_dba2,
+    bytebase_group.qa
+  ]
+
+  parent = "workspaces/-"
+
+  iam_policy {
+
+    binding {
+      role = "roles/workspaceAdmin"
+      members = [
+        format("user:%s", bytebase_user.workspace_admin.email),
+        format("user:%s", bytebase_user.tf_service_account.email),
+      ]
+    }
+
+    binding {
+      role = "roles/workspaceDBA"
+      members = [
+        format("user:%s", bytebase_user.workspace_dba1.email),
+        format("user:%s", bytebase_user.workspace_dba2.email)
+      ]
+    }
+
+    binding {
+      role = "roles/workspaceMember"
+      members = [
+        format("user:%s", bytebase_user.dev1.email),
+        format("user:%s", bytebase_user.dev2.email),
+        format("user:%s", bytebase_user.dev3.email)
+      ]
+    }
+
+    binding {
+      role = "roles/projectViewer"
+      members = [
+        format("group:%s", bytebase_group.qa.email),
+      ]
+    }
+  }
+}
+
+resource "bytebase_iam_policy" "project_iam" {
+  depends_on = [
+    bytebase_group.developers,
+    bytebase_user.workspace_dba1,
+    bytebase_user.workspace_dba2
+  ]
+
+  parent = bytebase_project.project-two.name
+
+  iam_policy {
+
+    binding {
+      role = "roles/projectOwner"
+      members = [
+        format("user:%s", bytebase_user.workspace_dba1.email),
+        format("user:%s", bytebase_user.workspace_dba2.email)
+      ]
+    }
+
+    binding {
+      role = "roles/projectDeveloper"
+      members = [
+        "allUsers",
+        format("group:%s", bytebase_group.developers.email)
+      ]
+    }
+
+    binding {
+      role = "roles/sqlEditorUser"
+      members = [
+        format("group:%s", bytebase_group.developers.email)
+      ]
+      condition {
+        database         = "instances/prod-sample-instance/databases/hr_prod"
+        schema           = "public"
+        tables           = ["employee","department"]
+        expire_timestamp = "2027-07-10T16:17:49Z"
+      }
+    }
+
+  }
+}