chore: support raw_expression

Author: ecmadao

docs/data-sources/policy.md

@@ -87,14 +87,15 @@ Optional:
 
 Required:
 
-- `action` (String)
-- `member` (String) The member in user:{email} or group:{email} format.
+- `actions` (Set of String)
+- `members` (Set of String)
 
 Optional:
 
-- `column` (String)
+- `columns` (Set of String)
 - `database` (String) The database full name in instances/{instance resource id}/databases/{database name} format
 - `expire_timestamp` (String) The expiration timestamp in YYYY-MM-DDThh:mm:ss.000Z format
+- `raw_expression` (String) The raw CEL expression. We will use it as the masking exception and ignore the "database"/"schema"/"table"/"columns"/"expire_timestamp" fields if you provide the raw expression.
 - `reason` (String) The reason for the masking exemption
 - `schema` (String)
 - `table` (String)

docs/data-sources/policy_list.md

@@ -29,13 +29,34 @@ The policy data source list.
 
 Read-Only:
 
+- `data_source_query_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--data_source_query_policy))
+- `disable_copy_data_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--disable_copy_data_policy))
 - `enforce` (Boolean)
 - `global_masking_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--global_masking_policy))
 - `inherit_from_parent` (Boolean)
 - `masking_exception_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--masking_exception_policy))
 - `name` (String)
+- `rollout_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--rollout_policy))
 - `type` (String)
 
+<a id="nestedobjatt--policies--data_source_query_policy"></a>
+### Nested Schema for `policies.data_source_query_policy`
+
+Read-Only:
+
+- `disallow_ddl` (Boolean)
+- `disallow_dml` (Boolean)
+- `restriction` (String)
+
+
+<a id="nestedobjatt--policies--disable_copy_data_policy"></a>
+### Nested Schema for `policies.disable_copy_data_policy`
+
+Read-Only:
+
+- `enable` (Boolean)
+
+
 <a id="nestedobjatt--policies--global_masking_policy"></a>
 ### Nested Schema for `policies.global_masking_policy`
 
@@ -67,13 +88,24 @@ Read-Only:
 
 Read-Only:
 
-- `action` (String)
-- `column` (String)
+- `actions` (Set of String)
+- `columns` (Set of String)
 - `database` (String)
 - `expire_timestamp` (String)
-- `member` (String)
+- `members` (Set of String)
+- `raw_expression` (String)
 - `reason` (String)
 - `schema` (String)
 - `table` (String)
 
 
+
+<a id="nestedobjatt--policies--rollout_policy"></a>
+### Nested Schema for `policies.rollout_policy`
+
+Read-Only:
+
+- `automatic` (Boolean)
+- `roles` (Set of String)
+
+

docs/resources/policy.md

@@ -87,14 +87,15 @@ Optional:
 
 Required:
 
-- `action` (String)
-- `member` (String) The member in user:{email} or group:{email} format.
+- `actions` (Set of String)
+- `members` (Set of String)
 
 Optional:
 
-- `column` (String)
+- `columns` (Set of String)
 - `database` (String) The database full name in instances/{instance resource id}/databases/{database name} format
 - `expire_timestamp` (String) The expiration timestamp in YYYY-MM-DDThh:mm:ss.000Z format
+- `raw_expression` (String) The raw CEL expression. We will use it as the masking exception and ignore the "database"/"schema"/"table"/"columns"/"expire_timestamp" fields if you provide the raw expression.
 - `reason` (String) The reason for the masking exemption
 - `schema` (String)
 - `table` (String)

examples/setup/data_masking.tf

@@ -131,7 +131,16 @@ resource "bytebase_policy" "masking_exception_policy" {
         format("user:%s", bytebase_user.workspace_dba.email),
       ]
       actions = ["EXPORT"]
-      reason  = "Grant access"
+      reason  = "Grant export access"
+    }
+
+    exceptions {
+      members = [
+        format("user:%s", bytebase_user.project_developer.email),
+      ]
+      actions        = ["QUERY"]
+      reason         = "Grant query access"
+      raw_expression = "resource.instance_id == \"test-sample-instance\" && resource.database_name == \"employee\" && resource.table_name == \"employee\" && resource.column_name in [\"first_name\", \"last_name\", \"gender\"]"
     }
   }
 }

provider/data_source_policy.go

@@ -159,6 +159,12 @@ func getMaskingExceptionPolicySchema(computed bool) *schema.Schema {
 								Optional:    true,
 								Description: "The expiration timestamp in YYYY-MM-DDThh:mm:ss.000Z format",
 							},
+							"raw_expression": {
+								Type:        schema.TypeString,
+								Computed:    computed,
+								Optional:    true,
+								Description: `The raw CEL expression. We will use it as the masking exception and ignore the "database"/"schema"/"table"/"columns"/"expire_timestamp" fields if you provide the raw expression.`,
+							},
 						},
 					},
 					Set: exceptionHash,
@@ -477,9 +483,10 @@ func flattenMaskingExceptionPolicy(p *v1pb.MaskingExceptionPolicy) ([]interface{
 
 	for _, combine := range exceptionMap {
 		raw := map[string]interface{}{
-			"members": schema.NewSet(schema.HashString, combine.members),
-			"actions": schema.NewSet(schema.HashString, combine.actions),
-			"reason":  combine.reason,
+			"members":        schema.NewSet(schema.HashString, combine.members),
+			"actions":        schema.NewSet(schema.HashString, combine.actions),
+			"reason":         combine.reason,
+			"raw_expression": combine.expression,
 		}
 
 		expressions := strings.Split(combine.expression, " && ")

provider/resource_policy.go

@@ -351,40 +351,46 @@ func convertToV1Exceptions(rawSchema interface{}) ([]*v1pb.MaskingExceptionPolic
 	rawException := rawSchema.(map[string]interface{})
 
 	expressions := []string{}
-	databaseFullName := rawException["database"].(string)
-	if databaseFullName != "" {
-		instanceID, databaseName, err := internal.GetInstanceDatabaseID(databaseFullName)
-		if err != nil {
-			return nil, errors.Wrapf(err, "invalid database full name: %v", databaseFullName)
-		}
-		expressions = append(
-			expressions,
-			fmt.Sprintf(`resource.instance_id == "%s"`, instanceID),
-			fmt.Sprintf(`resource.database_name == "%s"`, databaseName),
-		)
-
-		if schema, ok := rawException["schema"].(string); ok && schema != "" {
-			expressions = append(expressions, fmt.Sprintf(`resource.schema_name == "%s"`, schema))
-		}
-		if table, ok := rawException["table"].(string); ok && table != "" {
-			expressions = append(expressions, fmt.Sprintf(`resource.table_name == "%s"`, table))
-		}
+	rawExpression := rawException["raw_expression"].(string)
+
+	if rawExpression != "" {
+		expressions = append(expressions, rawExpression)
+	} else {
+		databaseFullName := rawException["database"].(string)
+		if databaseFullName != "" {
+			instanceID, databaseName, err := internal.GetInstanceDatabaseID(databaseFullName)
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid database full name: %v", databaseFullName)
+			}
+			expressions = append(
+				expressions,
+				fmt.Sprintf(`resource.instance_id == "%s"`, instanceID),
+				fmt.Sprintf(`resource.database_name == "%s"`, databaseName),
+			)
+
+			if schema, ok := rawException["schema"].(string); ok && schema != "" {
+				expressions = append(expressions, fmt.Sprintf(`resource.schema_name == "%s"`, schema))
+			}
+			if table, ok := rawException["table"].(string); ok && table != "" {
+				expressions = append(expressions, fmt.Sprintf(`resource.table_name == "%s"`, table))
+			}
 
-		if rawColumns, ok := rawException["columns"].(*schema.Set); ok && rawColumns.Len() > 0 {
-			columnNames := []string{}
-			for _, column := range rawColumns.List() {
-				columnNames = append(columnNames, fmt.Sprintf(`"%s"`, column.(string)))
+			if rawColumns, ok := rawException["columns"].(*schema.Set); ok && rawColumns.Len() > 0 {
+				columnNames := []string{}
+				for _, column := range rawColumns.List() {
+					columnNames = append(columnNames, fmt.Sprintf(`"%s"`, column.(string)))
+				}
+				expressions = append(expressions, fmt.Sprintf(`resource.column_name in [%s]`, strings.Join(columnNames, ", ")))
 			}
-			expressions = append(expressions, fmt.Sprintf(`resource.column_name in [%s]`, strings.Join(columnNames, ", ")))
 		}
-	}
 
-	if expire, ok := rawException["expire_timestamp"].(string); ok && expire != "" {
-		formattedTime, err := time.Parse(time.RFC3339, expire)
-		if err != nil {
-			return nil, errors.Wrapf(err, "invalid time: %v", expire)
+		if expire, ok := rawException["expire_timestamp"].(string); ok && expire != "" {
+			formattedTime, err := time.Parse(time.RFC3339, expire)
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid time: %v", expire)
+			}
+			expressions = append(expressions, fmt.Sprintf(`request.time < timestamp("%s")`, formattedTime.Format(time.RFC3339)))
 		}
-		expressions = append(expressions, fmt.Sprintf(`request.time < timestamp("%s")`, formattedTime.Format(time.RFC3339)))
 	}
 
 	exceptions := []*v1pb.MaskingExceptionPolicy_MaskingException{}