docs(tutorials): sync tutorial .tf files with provider 3.17.1 (#186)

adela-bytebase · web-flow · commit 486232e3ec45 · 2026-04-15T16:48:08.000+08:00
diff --git a/tutorials/1-3-env-policy-data.tf b/tutorials/1-3-env-policy-data.tf
@@ -0,0 +1,13 @@
+# Restrict SQL Editor data access on production
+resource "bytebase_policy" "query_data_policy_prod" {
+  depends_on = [bytebase_setting.environments]
+  parent     = bytebase_setting.environments.environment_setting[0].environment[1].name
+  type       = "DATA_QUERY"
+
+  query_data_policy {
+    maximum_result_rows     = 1000
+    disable_copy_data       = true
+    disable_export          = true
+    allow_admin_data_source = false
+  }
+}
diff --git a/tutorials/3-projects.tf b/tutorials/3-projects.tf
@@ -6,7 +6,6 @@ resource "bytebase_project" "project-one" {
   resource_id = "project-one"
   title       = "Project One"
 
-  auto_enable_backup          = false
   enforce_sql_review          = true
   require_issue_approval      = true
   require_plan_check_no_error = false
diff --git a/tutorials/7-1-workspace-iam.tf b/tutorials/7-1-workspace-iam.tf
@@ -16,6 +16,9 @@ resource "bytebase_iam_policy" "workspace_iam" {
       role = "roles/workspaceAdmin"
       members = [
         format("user:%s", bytebase_user.workspace_admin.email),
+        # Keep the Terraform-running service account as Workspace Admin so
+        # subsequent `terraform apply` runs retain full permissions.
+        format("serviceAccount:%s", bytebase_service_account.tf_service_account.email),
       ]
     }
 
@@ -24,7 +27,6 @@ resource "bytebase_iam_policy" "workspace_iam" {
       members = [
         format("user:%s", bytebase_user.workspace_dba1.email),
         format("user:%s", bytebase_user.workspace_dba2.email),
-        format("serviceAccount:%s", bytebase_service_account.tf_service_account.email),
         format("workloadIdentity:%s", bytebase_workload_identity.github_ci.email),
       ]
     }
diff --git a/tutorials/8-3-global-data-masking.tf b/tutorials/8-3-global-data-masking.tf
@@ -26,7 +26,7 @@ resource "bytebase_policy" "global_masking_policy" {
     }
     
     rules {
-      condition     = "classification_level in [\"2\"]"
+      condition     = "resource.classification_level == 2"
       id            = "classification-level-2"
       semantic_type = "full-mask"
       title = "Full Mask for Classification Level 2"

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,9 @@ resource "bytebase_iam_policy" "workspace_iam" {`
`16`	`16`	`role = "roles/workspaceAdmin"`
`17`	`17`	`members = [`
`18`	`18`	`format("user:%s", bytebase_user.workspace_admin.email),`
	`19`	`+ # Keep the Terraform-running service account as Workspace Admin so`
	`20`	+ # subsequent `terraform apply` runs retain full permissions.
	`21`	`+ format("serviceAccount:%s", bytebase_service_account.tf_service_account.email),`
`19`	`22`	`]`
`20`	`23`	`}`
`21`	`24`
`@@ -24,7 +27,6 @@ resource "bytebase_iam_policy" "workspace_iam" {`
`24`	`27`	`members = [`
`25`	`28`	`format("user:%s", bytebase_user.workspace_dba1.email),`
`26`	`29`	`format("user:%s", bytebase_user.workspace_dba2.email),`
`27`		`- format("serviceAccount:%s", bytebase_service_account.tf_service_account.email),`
`28`	`30`	`format("workloadIdentity:%s", bytebase_workload_identity.github_ci.email),`
`29`	`31`	`]`
`30`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ resource "bytebase_policy" "global_masking_policy" {`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`rules {`
`29`		`- condition = "classification_level in [\"2\"]"`
	`29`	`+ condition = "resource.classification_level == 2"`
`30`	`30`	`id = "classification-level-2"`
`31`	`31`	`semantic_type = "full-mask"`
`32`	`32`	`title = "Full Mask for Classification Level 2"`