feat: Terraform support for OpenSearch/document-DB objectSchema masking (#190)

* feat: add ObjectSchema JSON canonicalization helpers

Parse/Marshal/Normalize functions route user JSON through the
v1pb.ObjectSchema proto for type-aware validation, then canonicalize via
encoding/json with sorted map keys so plans don't flap on formatting
differences. Unit tests cover whitespace/key-order equivalence, invalid
proto rejection, malformed JSON rejection, empty input, and
deterministic output.

Part of BYT-9296.

* feat: add object_schema_json attribute to catalog table block

Surface the TableCatalog.object_schema oneof variant to HCL as a JSON
string. StateFunc normalizes via the ObjectSchema proto so state
matches what the server stores. ValidateDiagFunc rejects malformed or
structurally invalid JSON at plan time.

columns becomes Optional+Computed since a table using object_schema_json
has no columns to list; mutual exclusivity is enforced in Task 6's
convertToV1TableCatalog rewrite.

Part of BYT-9296.

* style: use any for new StateFunc/ValidateDiagFunc signatures

Per CLAUDE.md Go conventions, use `any` in new code instead of
`interface{}`. Only fixes the two signatures introduced in the previous
commit; pre-existing interface{} usage elsewhere in the file is out of
scope for PR2.

* feat: route object_schema_json through TableCatalog oneof on write

convertToV1TableCatalog now picks the ObjectSchema variant when
object_schema_json is set, the Columns variant otherwise. Mutually
exclusive — setting both returns a clear error at apply time.

Also softens the columns type assertion (now tolerates absent/nil sets
after Task 5 relaxed columns to Optional) and modernizes parameter type
from interface{} to any per CLAUDE.md.

Part of BYT-9296.

* feat: surface ObjectSchema in flattened catalog state

flattenDatabaseCatalog now populates object_schema_json when the server
returns an ObjectSchema variant, using the shared canonicalizer from
Task 4. Also nil-guards table.GetColumns() since the ObjectSchema
variant leaves the Columns oneof field nil, which the old code
dereferenced blindly.

Closes the read half of the round-trip; subsequent terraform plan on
an unchanged config now shows no diff.

Part of BYT-9296.

* test: acceptance coverage for object_schema_json round-trip

Create -> re-apply (no-op) -> update -> destroy. The PlanOnly re-apply
step catches canonicalization regressions that would otherwise surface
to users as spurious plan drift.

Also seed the mock with `test-db-objschema` so the new test can find
the database it manages, mirroring the pre-existing seeds for
`test-database` and `test-database-labels`.

Part of BYT-9296.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs: example and generated docs for object_schema_json

Commented-out example shows the OpenSearch masking pattern using
jsonencode for readability. Users substitute their semantic-type UUIDs
from the Bytebase UI. Regenerated resource + data source docs via
tfplugindocs.

Part of BYT-9296.

* docs: fix mislabeled nested schema heading in data source

terraform-plugin-docs v0.13.0 has a known bug for read-only "Set of
Object" nested schemas: it names the heading after the alphabetically-
last sibling attribute instead of the attribute whose nested schema is
being documented. Here the heading rendered as
`catalog.schemas.tables.object_schema_json` even though the block
beneath lists columns' attributes (classification, labels, name,
semantic_type). The anchor ID was already correct (--columns); only
the visible heading text needed fixing.

Leaving as a hand edit rather than upgrading tfplugindocs, which would
churn whitespace across all 44 generated docs — out of scope for PR2.

Part of BYT-9296.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: vsai12

docs/data-sources/database.md

@@ -52,9 +52,10 @@ Read-Only:
 - `classification` (String)
 - `columns` (Set of Object) (see [below for nested schema](#nestedobjatt--catalog--schemas--tables--columns))
 - `name` (String)
+- `object_schema_json` (String)
 
 <a id="nestedobjatt--catalog--schemas--tables--columns"></a>
-### Nested Schema for `catalog.schemas.tables.name`
+### Nested Schema for `catalog.schemas.tables.columns`
 
 Read-Only:
 

docs/resources/database.md

@@ -55,12 +55,13 @@ Optional:
 
 Required:
 
-- `columns` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--catalog--schemas--tables--columns))
 - `name` (String)
 
 Optional:
 
 - `classification` (String) The classification id
+- `columns` (Block Set) (see [below for nested schema](#nestedblock--catalog--schemas--tables--columns))
+- `object_schema_json` (String) JSON-encoded ObjectSchema for document-oriented databases (e.g. OpenSearch, Elasticsearch). Mutually exclusive with `columns` on the same table. The JSON must match the v1.ObjectSchema proto shape; see the Bytebase API docs.
 
 <a id="nestedblock--catalog--schemas--tables--columns"></a>
 ### Nested Schema for `catalog.schemas.tables.columns`

examples/database/main.tf

@@ -27,3 +27,39 @@ data "bytebase_database_list" "all" {
 output "all_databases" {
   value = data.bytebase_database_list.all
 }
+
+# Example: OpenSearch / document-DB nested masking via object_schema_json.
+# The JSON must match the v1.ObjectSchema proto shape.
+# Replace <uuid-from-ui> with real semantic type IDs from the Bytebase
+# UI at Settings -> Data Masking -> Semantic Types.
+#
+# resource "bytebase_database" "opensearch_users" {
+#   name        = "instances/opensearch-cluster/databases/node-1"
+#   project     = "projects/sample-project"
+#   environment = "environments/test"
+#
+#   catalog {
+#     schemas {
+#       name = ""
+#       tables {
+#         name = "users_index"
+#         object_schema_json = jsonencode({
+#           type = "OBJECT"
+#           structKind = {
+#             properties = {
+#               email = { type = "STRING", semanticType = "<uuid-from-ui>" }
+#               contact = {
+#                 type = "OBJECT"
+#                 structKind = {
+#                   properties = {
+#                     phone = { type = "STRING", semanticType = "<uuid-from-ui>" }
+#                   }
+#                 }
+#               }
+#             }
+#           }
+#         })
+#       }
+#     }
+#   }
+# }

provider/data_source_database.go

@@ -75,6 +75,11 @@ func dataSourceDatabase() *schema.Resource {
 													Computed:    true,
 													Description: "The classification id",
 												},
+												"object_schema_json": {
+													Type:        schema.TypeString,
+													Computed:    true,
+													Description: "JSON-encoded ObjectSchema for document-oriented databases.",
+												},
 												"columns": {
 													Computed: true,
 													Type:     schema.TypeSet,

provider/internal/mock_client.go

@@ -191,12 +191,21 @@ func (c *mockClient) CreateInstance(_ context.Context, instanceID string, instan
 		},
 	}
 
+	testDbObjSchema := &v1pb.Database{
+		Name:  fmt.Sprintf("%s/%stest-db-objschema", ins.Name, DatabaseIDPrefix),
+		State: v1pb.State_ACTIVE,
+		Labels: map[string]string{
+			"bb.environment": envID,
+		},
+	}
+
 	mu.Lock()
 	defer mu.Unlock()
 	c.instanceMap[ins.Name] = ins
 	c.databaseMap[defaultDb.Name] = defaultDb
 	c.databaseMap[testDb.Name] = testDb
 	c.databaseMap[testDbLabels.Name] = testDbLabels
+	c.databaseMap[testDbObjSchema.Name] = testDbObjSchema
 
 	// Also create empty catalogs for the databases
 	c.databaseCatalogMap[defaultDb.Name] = &v1pb.DatabaseCatalog{
@@ -208,6 +217,9 @@ func (c *mockClient) CreateInstance(_ context.Context, instanceID string, instan
 	c.databaseCatalogMap[testDbLabels.Name] = &v1pb.DatabaseCatalog{
 		Name: testDbLabels.Name,
 	}
+	c.databaseCatalogMap[testDbObjSchema.Name] = &v1pb.DatabaseCatalog{
+		Name: testDbObjSchema.Name,
+	}
 	return ins, nil
 }
 

provider/internal/object_schema.go

@@ -0,0 +1,97 @@
+package internal
+
+import (
+	"encoding/json"
+	"sort"
+
+	"github.com/pkg/errors"
+	"google.golang.org/protobuf/encoding/protojson"
+
+	v1pb "buf.build/gen/go/bytebase/bytebase/protocolbuffers/go/v1"
+)
+
+// ParseObjectSchemaJSON unmarshals the user-provided JSON string into a
+// v1pb.ObjectSchema. Returns an error with a user-friendly message if the
+// JSON is malformed or does not match the proto shape.
+func ParseObjectSchemaJSON(raw string) (*v1pb.ObjectSchema, error) {
+	if raw == "" {
+		return nil, nil
+	}
+	var schema v1pb.ObjectSchema
+	opts := protojson.UnmarshalOptions{DiscardUnknown: false}
+	if err := opts.Unmarshal([]byte(raw), &schema); err != nil {
+		return nil, errors.Wrap(err, "invalid object_schema_json")
+	}
+	return &schema, nil
+}
+
+// MarshalObjectSchemaToJSON serializes an ObjectSchema into a canonical
+// JSON string. We route through encoding/json after protojson so map keys
+// are sorted and whitespace is stripped — protojson itself does not
+// guarantee deterministic map-key order.
+func MarshalObjectSchemaToJSON(schema *v1pb.ObjectSchema) (string, error) {
+	if schema == nil {
+		return "", nil
+	}
+	pj, err := protojson.MarshalOptions{UseProtoNames: false}.Marshal(schema)
+	if err != nil {
+		return "", errors.Wrap(err, "protojson marshal")
+	}
+	return canonicalizeJSON(pj)
+}
+
+// NormalizeObjectSchemaJSON is the round-trip: parse user JSON through the
+// proto type (type-aware validation) and emit the canonical form. Used by
+// StateFunc so the same value stored in state matches what we'd read back
+// from the server.
+func NormalizeObjectSchemaJSON(raw string) (string, error) {
+	schema, err := ParseObjectSchemaJSON(raw)
+	if err != nil {
+		return "", err
+	}
+	return MarshalObjectSchemaToJSON(schema)
+}
+
+// canonicalizeJSON reparses raw JSON into a generic value and re-marshals
+// with sorted map keys. encoding/json emits map keys in sorted order when
+// marshaling map[string]any — we exploit that.
+func canonicalizeJSON(raw []byte) (string, error) {
+	var v any
+	if err := json.Unmarshal(raw, &v); err != nil {
+		return "", errors.Wrap(err, "canonicalize: reparse")
+	}
+	v = sortMapKeys(v)
+	out, err := json.Marshal(v)
+	if err != nil {
+		return "", errors.Wrap(err, "canonicalize: remarshal")
+	}
+	return string(out), nil
+}
+
+// sortMapKeys walks the decoded value and replaces any map[string]any with
+// a value whose marshaling order is deterministic. encoding/json already
+// sorts map[string]any keys, but we still need to descend into nested
+// arrays and maps to cover the full tree.
+func sortMapKeys(v any) any {
+	switch t := v.(type) {
+	case map[string]any:
+		keys := make([]string, 0, len(t))
+		for k := range t {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+		out := make(map[string]any, len(t))
+		for _, k := range keys {
+			out[k] = sortMapKeys(t[k])
+		}
+		return out
+	case []any:
+		out := make([]any, len(t))
+		for i, e := range t {
+			out[i] = sortMapKeys(e)
+		}
+		return out
+	default:
+		return v
+	}
+}

provider/internal/object_schema_test.go

@@ -0,0 +1,104 @@
+package internal
+
+import (
+	"strings"
+	"testing"
+
+	v1pb "buf.build/gen/go/bytebase/bytebase/protocolbuffers/go/v1"
+)
+
+func TestNormalizeObjectSchemaJSON_ProducesStableOutput(t *testing.T) {
+	// Two inputs with different whitespace and key order should normalize
+	// to the same canonical JSON.
+	inputA := `{"type":"OBJECT","structKind":{"properties":{"email":{"type":"STRING","semanticType":"abc"}}}}`
+	inputB := `{
+  "structKind": {
+    "properties": {
+      "email": { "semanticType": "abc", "type": "STRING" }
+    }
+  },
+  "type": "OBJECT"
+}`
+
+	gotA, err := NormalizeObjectSchemaJSON(inputA)
+	if err != nil {
+		t.Fatalf("normalize A: %v", err)
+	}
+	gotB, err := NormalizeObjectSchemaJSON(inputB)
+	if err != nil {
+		t.Fatalf("normalize B: %v", err)
+	}
+	if gotA != gotB {
+		t.Errorf("canonical forms differ:\nA=%s\nB=%s", gotA, gotB)
+	}
+}
+
+func TestNormalizeObjectSchemaJSON_RejectsInvalidProto(t *testing.T) {
+	_, err := NormalizeObjectSchemaJSON(`{"type":"NOT_A_REAL_TYPE"}`)
+	if err == nil {
+		t.Fatal("expected error for invalid enum value, got nil")
+	}
+}
+
+func TestNormalizeObjectSchemaJSON_RejectsInvalidJSON(t *testing.T) {
+	_, err := NormalizeObjectSchemaJSON(`not json at all`)
+	if err == nil {
+		t.Fatal("expected error for malformed JSON, got nil")
+	}
+}
+
+func TestNormalizeObjectSchemaJSON_EmptyString(t *testing.T) {
+	got, err := NormalizeObjectSchemaJSON("")
+	if err != nil {
+		t.Fatalf("empty: %v", err)
+	}
+	if got != "" {
+		t.Errorf("expected empty output for empty input, got %q", got)
+	}
+}
+
+func TestParseObjectSchemaJSON_RoundTripsThroughProto(t *testing.T) {
+	input := `{"type":"OBJECT","structKind":{"properties":{"x":{"type":"STRING","semanticType":"s"}}}}`
+	schema, err := ParseObjectSchemaJSON(input)
+	if err != nil {
+		t.Fatalf("parse: %v", err)
+	}
+	if schema.GetType() != v1pb.ObjectSchema_OBJECT {
+		t.Errorf("expected OBJECT, got %v", schema.GetType())
+	}
+	props := schema.GetStructKind().GetProperties()
+	if props["x"].GetSemanticType() != "s" {
+		t.Errorf("expected semanticType s, got %q", props["x"].GetSemanticType())
+	}
+}
+
+func TestMarshalObjectSchemaToJSON_DeterministicOrder(t *testing.T) {
+	// Build a proto with multiple map keys and verify marshal is
+	// byte-identical across calls AND that keys are sorted.
+	schema := &v1pb.ObjectSchema{
+		Type: v1pb.ObjectSchema_OBJECT,
+		Kind: &v1pb.ObjectSchema_StructKind_{
+			StructKind: &v1pb.ObjectSchema_StructKind{
+				Properties: map[string]*v1pb.ObjectSchema{
+					"zeta":  {Type: v1pb.ObjectSchema_STRING, SemanticType: "z"},
+					"alpha": {Type: v1pb.ObjectSchema_STRING, SemanticType: "a"},
+				},
+			},
+		},
+	}
+	a, err := MarshalObjectSchemaToJSON(schema)
+	if err != nil {
+		t.Fatalf("marshal a: %v", err)
+	}
+	b, err := MarshalObjectSchemaToJSON(schema)
+	if err != nil {
+		t.Fatalf("marshal b: %v", err)
+	}
+	if a != b {
+		t.Errorf("marshal not deterministic: %q vs %q", a, b)
+	}
+	// Alpha must appear before zeta since we sort map keys.
+	if strings.Index(a, "alpha") > strings.Index(a, "zeta") {
+		t.Errorf("expected sorted map keys in output, got %s", a)
+	}
+}