This tutorial is part of the Bytebase Terraform Provider series:

This tutorial series uses separate Terraform files for better organization. Files are numbered by tutorial part and sub-step (e.g., 1-1-env-setting.tf, 1-2-env-policy-rollout.tf for Part 1, 2-instances.tf for Part 2, etc.). Terraform automatically handles dependencies between files.
This tutorial configures workspace-level settings that apply to all projects and environments in your Bytebase workspace.

What You’ll Learn

  • Configure workspace profile settings including signup controls and external URL
  • Create multi-step and risk-based approval flows for database changes

Prerequisites

Before starting this tutorial, ensure you have:

Setup

From the previous tutorials, you should have:
  • Bytebase workspaces and projects configured
  • Service account with Workspace Admin role
  • Your Terraform files ready for additional configurations

Configure General Settings

Step 1 - Workspace Profile Configuration

Terraform resource: bytebase_setting
Sample file: 4-1-workspace-profile.tf
Create 4-1-workspace-profile.tf with the workspace profile settings:
4-1-workspace-profile.tf
# Workspace profile configuration
resource "bytebase_setting" "workspace_profile" {
  name = "settings/WORKSPACE_PROFILE"

  workspace_profile {
    disallow_signup          = true
    domains                  = ["example.com"]
    enforce_identity_domain  = false
    external_url             = "https://example.com"
  }
}
This configuration:
  • Disables public signup for security
  • Restricts users to specific email domains
  • Sets your Bytebase workspace’s external URL

Step 2 - Approval Flow Settings

Terraform resource: bytebase_setting
Sample file: 4-2-approval-flow.tf
Create 4-2-approval-flow.tf with approval flow configuration that requires multiple approvals for risky operations:
4-2-approval-flow.tf
# Approval flow settings
resource "bytebase_setting" "approval_flow" {
  name = "settings/WORKSPACE_APPROVAL"

  approval_flow {
    rules {
      flow {
        title       = "Project Owner → DBA → Admin"
        description = "Need DBA and workspace admin approval"
        roles = [
          "roles/projectOwner",
          "roles/workspaceDBA",
          "roles/workspaceAdmin"
        ]
      }
      source    = "CHANGE_DATABASE"
      condition = "request.risk >= 100"
    }

    rules {
      flow {
        title = "Fallback rule"
        # Approval flow following the step order.
        roles = [
          "roles/workspaceDBA"
        ]
      }
      condition = "true"
    }
  }
}
Each rule defines:
  • flow.roles: An ordered list of roles that form the approval chain
  • source (optional): The operation type to match for that rule (e.g., CHANGE_DATABASE, CREATE_DATABASE)
  • condition: A CEL expression that determines when the rule applies

Step 3 - Apply Configuration

terraform plan
terraform apply
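
Between the two commands above, the plan can be checked against the security intent of Steps 1 and 2. The script below is an added example, not part of the Bytebase tutorial or provider: it audits the JSON from `terraform plan -out=tfplan` followed by `terraform show -json tfplan`, using a constructed sample in place of a real plan. It assumes nested blocks are serialized as one-element lists, that rules are matched in listed order, and (from the attribute name) that `domains` is only enforced when `enforce_identity_domain` is true; it reads root-module resources only.

```python
import json

# Constructed sample: the slice of `terraform show -json tfplan` covering this page's
# two resources. Assumption: nested blocks are serialized as one-element lists.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "bytebase_setting.workspace_profile", "type": "bytebase_setting",
   "values": {"name": "settings/WORKSPACE_PROFILE", "workspace_profile": [
     {"disallow_signup": true, "domains": ["example.com"],
      "enforce_identity_domain": false, "external_url": "https://example.com"}]}},
  {"address": "bytebase_setting.approval_flow", "type": "bytebase_setting",
   "values": {"name": "settings/WORKSPACE_APPROVAL", "approval_flow": [{"rules": [
     {"source": "CHANGE_DATABASE", "condition": "request.risk >= 100",
      "flow": [{"title": "Project Owner → DBA → Admin", "roles":
        ["roles/projectOwner", "roles/workspaceDBA", "roles/workspaceAdmin"]}]},
     {"source": null, "condition": "true",
      "flow": [{"title": "Fallback rule", "roles": ["roles/workspaceDBA"]}]}]}]}}
]}}}
""")

def first(block):
    """Return a nested block whether it is serialized as a list or as an object."""
    return (block[0] if block else {}) if isinstance(block, list) else (block or {})

def audit(plan):
    """Return findings for the bytebase_setting resources in a plan's root module."""
    findings = []
    resources = plan["planned_values"]["root_module"].get("resources", [])
    for res in (r for r in resources if r["type"] == "bytebase_setting"):
        vals, addr = res.get("values") or {}, res["address"]
        if vals.get("name") == "settings/WORKSPACE_PROFILE":
            wp = first(vals.get("workspace_profile"))
            if not wp.get("disallow_signup"):
                findings.append(f"{addr}: public signup is enabled")
            if not str(wp.get("external_url", "")).startswith("https://"):
                findings.append(f"{addr}: external_url is not https")
            # Assumption: the domain list is not enforced unless this flag is true.
            if wp.get("domains") and not wp.get("enforce_identity_domain"):
                findings.append(f"{addr}: domains set but enforce_identity_domain is false")
        elif vals.get("name") == "settings/WORKSPACE_APPROVAL":
            rules = first(vals.get("approval_flow")).get("rules") or []
            for i, rule in enumerate(rules):
                if not first(rule.get("flow")).get("roles"):
                    findings.append(f"{addr}: rule {i} has no approver roles")
            # Assumption: rules match in listed order, so the catch-all must be last.
            if not rules or rules[-1].get("condition") != "true":
                findings.append(f"{addr}: last rule is not a catch-all (condition 'true')")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PLAN)) or "no findings")
```

To audit a real plan, pass `json.load(open("plan.json"))` to `audit` and fail the pipeline when the returned list is non-empty.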

Step 4 - Verify Configuration

Workspace Profile Settings

  1. Go to Settings > General to verify workspace profile settings.
  2. Log out and try to sign up; signup should be disabled.
  3. Visit the external URL to verify it is set.

Approval Flows

  1. Go to CI/CD > Custom Approval to see the approval flow.
  2. Verify the Project Owner → DBA → Admin flow is configured.

Key Points

  • Workspace Profile: Controls signup, domain restrictions, and external URL for your entire Bytebase workspace
  • Approval Flows: Define multi-step approval processes with CEL conditions for database change governance
You can configure additional settings such as classification and semantic_types. These will be covered in upcoming tutorials.

Part 4: Manage SQL Review Rules with Terraform