This tutorial is part of the Bytebase Terraform Provider series:

This tutorial series uses separate Terraform files for better organization. Files are numbered by tutorial part and sub-step (e.g., 1-1-env-setting.tf, 1-2-env-policy-rollout.tf for Part 1, 2-instances.tf for Part 2, etc.). Terraform automatically handles dependencies between files.
This tutorial configures workspace-level settings that apply to all projects and environments in your Bytebase workspace.

What You’ll Learn

  • Configure workspace profile settings including signup controls and external URL
  • Create multi-step, risk-based approval flows for database changes using CEL conditions

Prerequisites

Before starting this tutorial, ensure you have:

Setup

From the previous tutorials, you should have:
  • Bytebase workspaces and projects configured
  • Service account with Workspace Admin role
  • Your Terraform files ready for additional configurations

Configure General Settings

Step 1 - Workspace Profile Configuration

Terraform resource: bytebase_setting
Sample file: 4-1-workspace-profile.tf
Create 4-1-workspace-profile.tf with the workspace profile settings:
4-1-workspace-profile.tf
# Workspace profile configuration
resource "bytebase_setting" "workspace_profile" {
  name = "settings/WORKSPACE_PROFILE"

  workspace_profile {
    disallow_signup          = true
    domains                  = ["example.com"]
    enforce_identity_domain  = false
    external_url             = "https://your-bytebase-url.com"
  }
}
This configuration:
  • Disables public signup for security
  • Restricts users to specific email domains
  • Sets your Bytebase workspace’s external URL

Step 2 - Approval Flow Settings

Terraform resource: bytebase_setting
Sample file: 4-2-approval-flow.tf
Create 4-2-approval-flow.tf with approval flow configuration that requires multiple approvals for risky operations:
4-2-approval-flow.tf
# Approval flow settings
resource "bytebase_setting" "approval_flow" {
  name = "settings/WORKSPACE_APPROVAL"

  approval_flow {
    # Rule 1: risky database changes need a three-step approval
    rules {
      flow {
        title       = "Project Owner → DBA → Admin"
        description = "Need DBA and workspace admin approval"
        # The steps of the flow are executed in the order of the roles list.
        roles = [
          "roles/projectOwner",
          "roles/workspaceDBA",
          "roles/workspaceAdmin"
        ]
      }
      source    = "CHANGE_DATABASE"
      condition = "request.risk >= 100"
    }

    # Rule 2: fallback — everything else only needs a DBA
    rules {
      flow {
        title = "Fallback rule"
        roles = [
          "roles/workspaceDBA"
        ]
      }
      condition = "true"
    }
  }
}
Key Configuration Options:
  • flow.roles: Ordered list of roles that must approve the issue, in sequence.
  • source: The activity source this rule matches — CHANGE_DATABASE, CREATE_DATABASE, EXPORT_DATA, REQUEST_ROLE, or REQUEST_ACCESS. Omit for a fallback rule.
  • condition: A CEL expression evaluated against the request. Common variables include request.risk (100 = LOW, 200 = MODERATE, 300 = HIGH) and resource.project_id. Use "true" for a catch-all fallback.
  • Rules are evaluated in order; the first matching rule applies, so place the most specific rules first and keep a fallback last.
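Because the first matching rule wins, a catch-all placed too early silently replaces the stricter flow. The Python check below is an added example, not code from the tutorial or the Bytebase provider: it re-types the two rules above as data and audits their order. It assumes a tiny subset of CEL ("true" and request.risk comparisons); the function names and the MISORDERED list are constructed for illustration.

```python
import operator
import re

# Sources and risk levels as listed in this tutorial.
SOURCES = ["CHANGE_DATABASE", "CREATE_DATABASE", "EXPORT_DATA", "REQUEST_ROLE", "REQUEST_ACCESS"]
RISK_LEVELS = {"LOW": 100, "MODERATE": 200, "HIGH": 300}
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, ">": operator.gt, "<": operator.lt}
_COND = re.compile(r"request\.risk\s*(>=|<=|==|>|<)\s*(\d+)")

def condition_holds(condition, risk):
    """Evaluate the assumed CEL subset; reject anything else instead of guessing."""
    if condition.strip() == "true":
        return True
    m = _COND.fullmatch(condition.strip())
    if m is None:
        raise ValueError(f"unsupported condition: {condition!r}")
    return _OPS[m.group(1)](risk, int(m.group(2)))

def first_match(rules, source, risk):
    """Return the first rule whose source (if set) and condition match, else None."""
    for rule in rules:
        if rule.get("source") in (None, source) and condition_holds(rule["condition"], risk):
            return rule
    return None

def audit(rules):
    """Return (titles of rules that never win, requests with no approval path)."""
    used, uncovered = set(), []
    for source in SOURCES:
        for risk in RISK_LEVELS.values():
            rule = first_match(rules, source, risk)
            if rule is None:
                uncovered.append((source, risk))
            else:
                used.add(rule["title"])
    return [r["title"] for r in rules if r["title"] not in used], uncovered

# The two rules from 4-2-approval-flow.tf, re-typed as data.
THREE_STEP = {"title": "Project Owner → DBA → Admin", "source": "CHANGE_DATABASE",
              "condition": "request.risk >= 100",
              "roles": ["roles/projectOwner", "roles/workspaceDBA", "roles/workspaceAdmin"]}
FALLBACK = {"title": "Fallback rule", "condition": "true", "roles": ["roles/workspaceDBA"]}

AS_WRITTEN = [THREE_STEP, FALLBACK]
MISORDERED = [FALLBACK, THREE_STEP]  # constructed mistake: catch-all placed first

if __name__ == "__main__":
    for name, rules in (("as written", AS_WRITTEN), ("misordered", MISORDERED)):
        picked = first_match(rules, "CHANGE_DATABASE", RISK_LEVELS["HIGH"])
        print(name, "-> HIGH-risk change approvers:", picked["roles"], "| audit:", audit(rules))
```

In the misordered list a HIGH-risk change needs only a DBA, and the audit reports the three-step rule as shadowed; a list without a fallback reports every request that would have no approval path.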

Step 3 - Apply Configuration

terraform plan
terraform apply

Step 4 - Verify Configuration

Workspace Profile Settings

  1. Go to Settings > General to verify workspace profile settings.
  2. Log out and try to sign up; signup should be disabled.
  3. Visit the external URL to verify it is set.

Approval Flows

  1. Go to CI/CD > Custom Approval to see the approval flow.
  2. Verify the Project Owner → DBA → Admin flow is configured for the CHANGE_DATABASE source with request.risk >= 100, and the Fallback rule catches everything else.
Risk levels (returned by request.risk in the CEL expression) are configured separately in CI/CD > Risks in the UI. Each risk rule maps an activity (DDL/DML/CREATE_DATABASE/EXPORT/REQUEST_ROLE) plus a CEL condition to a numeric level (100 LOW / 200 MODERATE / 300 HIGH), which is then evaluated against your approval-flow conditions here.

Key Points

  • Workspace Profile: Controls signup, domain restrictions, and external URL for your entire Bytebase workspace
  • Approval Flows: Define multi-step approval processes. Each rule binds a source + CEL condition to an ordered list of approver roles; rules are evaluated top-down, first match wins
  • Fallback Rule: Include a final rule with condition = "true" and no source so that every issue has a defined approval path
You can configure additional settings such as classification and semantic_types. These will be covered in upcoming tutorials.

Part 5: Manage SQL Review Rules with Terraform