This tutorial is part of the Bytebase Terraform Provider series:

This tutorial series uses separate Terraform files for better organization. Files are numbered by tutorial part and sub-step (e.g., 1-1-env-setting.tf, 1-2-env-policy-rollout.tf for Part 1, 2-instances.tf for Part 2, etc.). Terraform automatically handles dependencies between files.

What You’ll Learn

  • Create users and service accounts for team members
  • Organize users into groups for easier management
  • Understand the difference between users and service accounts
  • Prepare for setting up permissions in the next tutorial

Prerequisites

Before starting this tutorial, ensure you have:

Setup

From the previous tutorials, you should have:
  • Bytebase workspaces and projects configured
  • Workspace settings and approval flows set up
  • Service account with Workspace Admin role

Understanding User Management in Bytebase

Bytebase uses an Identity and Access Management (IAM) system with:
  • Users: Individual accounts for team members
  • Service Accounts: Automated accounts for API/Terraform access
  • Groups: Collections of users for easier permission management

Configure Users and Groups

Step 1 - Create Users and Service Accounts

  • Resource / provider documentation: bytebase_user, bytebase_service_account, bytebase_workload_identity
  • Sample file: 6-1-users.tf
Create 6-1-users.tf to define your team structure:
6-1-users.tf
# Create users
resource "bytebase_user" "workspace_admin" {
  email = "admin@example.com"
  title = "Workspace Admin"
}

resource "bytebase_user" "workspace_dba1" {
  email = "dba@example.com"
  title = "Database Administrator 1"
}

resource "bytebase_user" "workspace_dba2" {
  email = "dba2@example.com"
  title = "Database Administrator 2"
}

resource "bytebase_user" "dev1" {
  email = "dev1@example.com"
  title = "Developer 1"
}

resource "bytebase_user" "dev2" {
  email = "dev2@example.com"
  title = "Developer 2"
}

resource "bytebase_user" "dev3" {
  email = "dev3@example.com"
  title = "Developer 3"
}

resource "bytebase_user" "qa1" {
  email = "qa1@example.com"
  title = "QA Tester 1"
}

resource "bytebase_user" "qa2" {
  email = "qa2@example.com"
  title = "QA Tester 2"
}

# Create service account for Terraform automation
resource "bytebase_service_account" "tf_service_account" {
  # parent defaults to workspace when not specified.
  service_account_id = "tf"
  title              = "Terraform Service Account"
}

# Create workload identity for GitHub Actions CI/CD
resource "bytebase_workload_identity" "github_ci" {
  # parent defaults to workspace when not specified.
  workload_identity_id = "github-ci"
  title                = "GitHub CI"

  workload_identity_config {
    provider_type   = "GITHUB"
    subject_pattern = "repo:example/repo:ref:refs/heads/main"
  }
}

Step 2 - Apply User Configuration

terraform plan
terraform apply

Step 3 - Create Groups

Groups simplify permission management by allowing you to assign roles to multiple users at once.
Each group has an owner who can manage group membership. Regular members inherit permissions assigned to the group.
  • Terraform resource: bytebase_group
  • Sample file: 6-2-groups.tf
Add the following groups to your 6-2-groups.tf file:
6-2-groups.tf
# Create groups
resource "bytebase_group" "developers" {
  email       = "developers@example.com"
  title       = "Developer Team"
  description = "Group for all developers"

  members {
    member = "users/${bytebase_user.dev1.email}"
    role   = "OWNER"
  }

  members {
    member = "users/${bytebase_user.dev2.email}"
    role   = "MEMBER"
  }

  members {
    member = "users/${bytebase_user.dev3.email}"
    role   = "MEMBER"
  }
}

resource "bytebase_group" "qa" {
  email       = "qa@example.com"
  title       = "QA Team"
  description = "Group for all QA testers"

  members {
    member = "users/${bytebase_user.qa1.email}"
    role   = "OWNER"
  }

  members {
    member = "users/${bytebase_user.qa2.email}"
    role   = "MEMBER"
  }
}

Step 4 - Apply Complete Configuration

terraform plan
terraform apply

Step 5 - Verify in Bytebase

  1. Go to IAM & Admin > Users & Groups to see all users.
  2. Click the Groups tab to verify groups:
    • Developer Team: 3 members (dev1 as owner, dev2 and dev3 as members)
    • QA Team: 2 members (qa1 as owner, qa2 as member)
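
A pre-apply check a reviewer could run over the planned groups and workload identities (an added example, not part of the Bytebase tutorial or provider). It assumes resources shaped like the planned_values.root_module.resources list of `terraform show -json`, with attribute names taken from the HCL above; the sample entries, including the hypothetical contractors group and any_repo identity, are constructed, and the check only enforces a fully pinned GitHub subject without assuming how Bytebase evaluates subject_pattern.

```python
import re

# Constructed sample, shaped like planned_values.root_module.resources in
# `terraform show -json` output; attribute names follow the HCL on this page.
RESOURCES = [
    {"type": "bytebase_group", "name": "developers", "values": {"members": [
        {"member": "users/dev1@example.com", "role": "OWNER"},
        {"member": "users/dev2@example.com", "role": "MEMBER"}]}},
    {"type": "bytebase_group", "name": "contractors", "values": {"members": [
        {"member": "users/c1@example.com", "role": "MEMBER"},
        {"member": "users/c1@example.com", "role": "MEMBER"}]}},
    {"type": "bytebase_workload_identity", "name": "github_ci", "values": {
        "workload_identity_config": [{"provider_type": "GITHUB",
            "subject_pattern": "repo:example/repo:ref:refs/heads/main"}]}},
    {"type": "bytebase_workload_identity", "name": "any_repo", "values": {
        "workload_identity_config": [{"provider_type": "GITHUB",
            "subject_pattern": "repo:example/*"}]}},
]

# GitHub OIDC subject pinned to one repository and one branch, tag or environment.
PINNED = re.compile(
    r"repo:[\w.-]+/[\w.-]+:"
    r"(ref:refs/(heads|tags)/[\w./-]+|environment:[\w.-]+)")

def audit(resources):
    """Return sorted (resource address, finding) pairs for risky identity settings."""
    findings = []
    for res in resources:
        addr, vals = f"{res['type']}.{res['name']}", res["values"]
        if res["type"] == "bytebase_group":
            members = vals.get("members") or []
            if not any(m["role"] == "OWNER" for m in members):
                findings.append((addr, "no OWNER member"))
            names = [m["member"] for m in members]
            if len(names) != len(set(names)):
                findings.append((addr, "duplicate member"))
        elif res["type"] == "bytebase_workload_identity":
            for cfg in vals.get("workload_identity_config") or []:
                pattern = cfg.get("subject_pattern") or ""
                # Wildcards, repo-only and pull_request subjects all fail the pinned shape.
                if cfg.get("provider_type") == "GITHUB" and not PINNED.fullmatch(pattern):
                    findings.append((addr, f"subject_pattern not pinned: {pattern}"))
    return sorted(findings)

if __name__ == "__main__":
    for addr, finding in audit(RESOURCES):
        print(f"{addr}: {finding}")
```
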

Key Points

  • User Types: Regular users (bytebase_user) for team members, service accounts (bytebase_service_account) for API/automation, workload identities (bytebase_workload_identity) for CI/CD
  • Group Roles: Each group has owners (manage membership) and members (inherit permissions)
  • Organization: Groups simplify permission management - assign roles to groups instead of individual users

Part 7: Manage Database Access Control with Terraform