chore: update docs for 3.16.3 (#178)

Author: ecmadao

docs/data-sources/project.md

@@ -21,6 +21,7 @@ The project data source.
 
 ### Read-Only
 
+- `allow_just_in_time_access` (Boolean) Whether to allow just-in-time access in this project.
 - `allow_request_role` (Boolean) Whether to allow requesting roles in this project.
 - `allow_self_approval` (Boolean) Whether to allow the issue creator to self-approve the issue.
 - `data_classification_config_id` (String) The data classification configuration ID for the project.

docs/data-sources/project_list.md

@@ -31,6 +31,7 @@ The project data source list.
 
 Read-Only:
 
+- `allow_just_in_time_access` (Boolean)
 - `allow_request_role` (Boolean)
 - `allow_self_approval` (Boolean)
 - `data_classification_config_id` (String)

docs/data-sources/setting.md

@@ -144,6 +144,7 @@ Required:
 
 Optional:
 
+- `access_token_duration_in_seconds` (Number) The duration for access token in seconds. Default is 3600 (1 hour). The duration should be at least 60 (one minute).
 - `announcement` (Block List, Max: 1) Custom announcement. Will show as a banner in the Bytebase UI. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--workspace_profile--announcement))
 - `branding_logo` (String) The branding logo as a data URI (e.g. data:image/png;base64,...).
 - `database_change_mode` (String) The workspace database change mode, support EDITOR or PIPELINE. Default PIPELINE
@@ -155,7 +156,6 @@ Optional:
 - `external_url` (String) The URL user visits Bytebase. The external URL is used for: 1. Constructing the correct callback URL when configuring the VCS provider. The callback URL points to the frontend; 2. Creating the correct webhook endpoint when configuring the project GitOps workflow. The webhook endpoint points to the backend.
 - `maximum_role_expiration_in_seconds` (Number) The max duration in seconds for role expired. If the value is less than or equal to 0, we will remove the setting. AKA no limit.
 - `password_restriction` (Block List, Max: 1) Password restriction settings. (see [below for nested schema](#nestedblock--workspace_profile--password_restriction))
-- `access_token_duration_in_seconds` (Number) The duration for access token in seconds. Default is 3600 (1 hour). The duration should be at least 60 (one minute).
 - `query_timeout_in_seconds` (Number) The maximum time allowed for a query to run in SQL Editor, in seconds. No limit when the value <= 0.
 - `refresh_token_duration_in_seconds` (Number) The duration for refresh token in seconds. Default is 604800 (7 days). The duration should be at least 3600 (one hour).
 - `sql_result_size` (Number) The size limit in bytes for SQL query results. The default value is 100MB.

docs/resources/project.md

@@ -22,6 +22,7 @@ The project resource.
 
 ### Optional
 
+- `allow_just_in_time_access` (Boolean) Whether to allow just-in-time access in this project.
 - `allow_request_role` (Boolean) Whether to allow requesting roles in this project.
 - `allow_self_approval` (Boolean) Whether to allow the issue creator to self-approve the issue.
 - `ci_sampling_size` (Number) The maximum databases of rows to sample during CI data validation. Without specification, sampling is disabled, resulting in a full validation.

docs/resources/setting.md

@@ -204,6 +204,7 @@ Required:
 
 Optional:
 
+- `access_token_duration_in_seconds` (Number) The duration for access token in seconds. Default is 3600 (1 hour). The duration should be at least 60 (one minute).
 - `announcement` (Block List, Max: 1) Custom announcement. Will show as a banner in the Bytebase UI. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--workspace_profile--announcement))
 - `branding_logo` (String) The branding logo as a data URI (e.g. data:image/png;base64,...).
 - `database_change_mode` (String) The workspace database change mode, support EDITOR or PIPELINE. Default PIPELINE
@@ -215,7 +216,6 @@ Optional:
 - `external_url` (String) The URL user visits Bytebase. The external URL is used for: 1. Constructing the correct callback URL when configuring the VCS provider. The callback URL points to the frontend; 2. Creating the correct webhook endpoint when configuring the project GitOps workflow. The webhook endpoint points to the backend.
 - `maximum_role_expiration_in_seconds` (Number) The max duration in seconds for role expired. If the value is less than or equal to 0, we will remove the setting. AKA no limit.
 - `password_restriction` (Block List, Max: 1) Password restriction settings. (see [below for nested schema](#nestedblock--workspace_profile--password_restriction))
-- `access_token_duration_in_seconds` (Number) The duration for access token in seconds. Default is 3600 (1 hour). The duration should be at least 60 (one minute).
 - `query_timeout_in_seconds` (Number) The maximum time allowed for a query to run in SQL Editor, in seconds. No limit when the value <= 0.
 - `refresh_token_duration_in_seconds` (Number) The duration for refresh token in seconds. Default is 604800 (7 days). The duration should be at least 3600 (one hour).
 - `sql_result_size` (Number) The size limit in bytes for SQL query results. The default value is 100MB.

examples/setup/main.tf

@@ -31,10 +31,12 @@ resource "bytebase_setting" "workspace_profile" {
   name = "settings/WORKSPACE_PROFILE"
 
   workspace_profile {
-    external_url             = "https://bytebase.example.com"
-    domains                  = ["bytebase.com"]
-    sql_result_size          = 200 * 1024 * 1024 # 200MB
-    query_timeout_in_seconds = 60                # 60 seconds
+    external_url                      = "https://bytebase.example.com"
+    domains                           = ["bytebase.com"]
+    sql_result_size                   = 200 * 1024 * 1024 # 200MB
+    query_timeout_in_seconds          = 60                # 60 seconds
+    refresh_token_duration_in_seconds = 604800            # 7 days
+    access_token_duration_in_seconds  = 3600              # 1 hour
 
     password_restriction {
       min_length                             = 8

migration/3.16.3.md

@@ -0,0 +1,42 @@
+# Migrate from 3.16.1 to 3.16.3
+
+## Bug Fixes
+
+### Fix perpetual Terraform plan diffs for workspace_profile and data_sources
+
+Previously, several `workspace_profile` fields and instance `data_sources` would show spurious diffs on every `terraform plan`, even when no actual changes were made. This has been fixed in two ways:
+
+1. **Workspace profile fields now have `Computed: true`**: The following fields are set by the server when not explicitly configured, so they are now marked as both `Optional` and `Computed` to prevent Terraform from detecting phantom changes:
+
+   - `external_url`
+   - `maximum_role_expiration_in_seconds`
+   - `sql_result_size`
+   - `query_timeout_in_seconds`
+   - `password_restriction` (and all its nested fields: `min_length`, `require_number`, `require_letter`, `require_uppercase_letter`, `require_special_character`, `require_reset_password_for_first_login`, `password_rotation_in_seconds`)
+
+2. **Redis-specific fields are no longer set for non-Redis instances**: The `redis_type`, `master_name`, and `master_username` data source fields are now only populated when the instance engine is `REDIS`. Previously, the API would return spurious default values for these fields on non-Redis instances, causing unexpected diffs.
+
+No action is required. After upgrading, run `terraform plan` to confirm the spurious diffs are resolved.
+
+## Features
+
+### Add `refresh_token_duration` and `access_token_duration` to workspace profile settings
+
+The `workspace_profile` block in the `bytebase_setting` resource and data source now supports two new fields for controlling token lifetimes:
+
+- `refresh_token_duration_in_seconds` - The duration for refresh tokens. Default is 604800 (7 days). Minimum value is 3600 (1 hour).
+- `access_token_duration_in_seconds` - The duration for access tokens. Default is 3600 (1 hour). Minimum value is 60 (1 minute).
+
+```terraform
+resource "bytebase_setting" "profile" {
+  name = "settings/WORKSPACE_PROFILE"
+
+  workspace_profile {
+    external_url = "https://bytebase.example.com"
+
+    # New fields
+    refresh_token_duration_in_seconds = 604800  # 7 days
+    access_token_duration_in_seconds  = 3600    # 1 hour
+  }
+}
+```