bytebase · ecmadao · Jul 23, 2025 · Jul 22, 2025 · Jul 23, 2025 · Jul 23, 2025
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.8.4
+3.8.5
diff --git a/api/client.go b/api/client.go
@@ -55,6 +55,10 @@ type UserFilter struct {
 type Client interface {
 	// GetCaller returns the API caller.
 	GetCaller() *v1pb.User
+	// CheckResourceExist check if the resource exists.
+	CheckResourceExist(ctx context.Context, name string) error
+	// DeleteResource force delete the resource by name.
+	DeleteResource(ctx context.Context, name string) error
 
 	// Instance
 	// ListInstance will return instances.
@@ -65,8 +69,6 @@ type Client interface {
 	CreateInstance(ctx context.Context, instanceID string, instance *v1pb.Instance) (*v1pb.Instance, error)
 	// UpdateInstance updates the instance.
 	UpdateInstance(ctx context.Context, patch *v1pb.Instance, updateMasks []string) (*v1pb.Instance, error)
-	// DeleteInstance deletes the instance.
-	DeleteInstance(ctx context.Context, instanceName string) error
 	// UndeleteInstance undeletes the instance.
 	UndeleteInstance(ctx context.Context, instanceName string) (*v1pb.Instance, error)
 	// SyncInstanceSchema will trigger the schema sync for an instance.
@@ -105,8 +107,6 @@ type Client interface {
 	CreateProject(ctx context.Context, projectID string, project *v1pb.Project) (*v1pb.Project, error)
 	// UpdateProject updates the project.
 	UpdateProject(ctx context.Context, patch *v1pb.Project, updateMask []string) (*v1pb.Project, error)
-	// DeleteProject deletes the project.
-	DeleteProject(ctx context.Context, projectName string) error
 	// UndeleteProject undeletes the project.
 	UndeleteProject(ctx context.Context, projectName string) (*v1pb.Project, error)
 	// GetProjectIAMPolicy gets the project IAM policy by project full name.
@@ -141,16 +141,12 @@ type Client interface {
 	GetUser(ctx context.Context, userName string) (*v1pb.User, error)
 	// UpdateUser updates the user.
 	UpdateUser(ctx context.Context, patch *v1pb.User, updateMasks []string) (*v1pb.User, error)
-	// DeleteUser deletes the user by name.
-	DeleteUser(ctx context.Context, userName string) error
 	// UndeleteUser undeletes the user by name.
 	UndeleteUser(ctx context.Context, userName string) (*v1pb.User, error)
 
 	// Role
 	// ListRole will returns all roles.
 	ListRole(ctx context.Context) (*v1pb.ListRolesResponse, error)
-	// DeleteRole deletes the role by name.
-	DeleteRole(ctx context.Context, name string) error
 	// CreateRole creates the role.
 	CreateRole(ctx context.Context, roleID string, role *v1pb.Role) (*v1pb.Role, error)
 	// GetRole gets the role by full name.
@@ -167,8 +163,6 @@ type Client interface {
 	GetGroup(ctx context.Context, name string) (*v1pb.Group, error)
 	// UpdateGroup updates the group.
 	UpdateGroup(ctx context.Context, patch *v1pb.Group, updateMasks []string) (*v1pb.Group, error)
-	// DeleteGroup deletes the group by name.
-	DeleteGroup(ctx context.Context, name string) error
 
 	// Workspace
 	// GetWorkspaceIAMPolicy gets the workspace IAM policy.
@@ -183,8 +177,6 @@ type Client interface {
 	GetReviewConfig(ctx context.Context, reviewName string) (*v1pb.ReviewConfig, error)
 	// UpsertReviewConfig updates or creates the review config.
 	UpsertReviewConfig(ctx context.Context, patch *v1pb.ReviewConfig, updateMasks []string) (*v1pb.ReviewConfig, error)
-	// DeleteReviewConfig deletes the review config.
-	DeleteReviewConfig(ctx context.Context, reviewName string) error
 
 	// Risk
 	// ListRisk lists the risk.
@@ -195,8 +187,6 @@ type Client interface {
 	CreateRisk(ctx context.Context, risk *v1pb.Risk) (*v1pb.Risk, error)
 	// UpdateRisk updates the risk.
 	UpdateRisk(ctx context.Context, patch *v1pb.Risk, updateMasks []string) (*v1pb.Risk, error)
-	// DeleteRisk deletes the risk by name.
-	DeleteRisk(ctx context.Context, name string) error
 
 	// ListDatabaseGroup list all database groups in a project.
 	ListDatabaseGroup(ctx context.Context, project string) (*v1pb.ListDatabaseGroupsResponse, error)
@@ -206,6 +196,4 @@ type Client interface {
 	GetDatabaseGroup(ctx context.Context, name string, view v1pb.DatabaseGroupView) (*v1pb.DatabaseGroup, error)
 	// UpdateDatabaseGroup updates the database group.
 	UpdateDatabaseGroup(ctx context.Context, patch *v1pb.DatabaseGroup, updateMasks []string) (*v1pb.DatabaseGroup, error)
-	// DeleteDatabaseGroup deletes the database group by name.
-	DeleteDatabaseGroup(ctx context.Context, name string) error
 }
diff --git a/client/client.go b/client/client.go
@@ -2,6 +2,7 @@
 package client
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -72,3 +73,16 @@ func (c *client) doRequest(req *http.Request) ([]byte, error) {
 func (c *client) GetCaller() *v1pb.User {
 	return c.caller
 }
+
+// CheckResourceExist check if the resource exists.
+func (c *client) CheckResourceExist(ctx context.Context, name string) error {
+	if _, err := c.getResource(ctx, name, ""); err != nil {
+		return err
+	}
+	return nil
+}
+
+// DeleteResource force delete the resource by name.
+func (c *client) DeleteResource(ctx context.Context, name string) error {
+	return c.execDelete(ctx, name)
+}
diff --git a/client/common.go b/client/common.go
@@ -14,9 +14,9 @@ import (
 // ProtojsonUnmarshaler is the unmarshal for protocol.
 var ProtojsonUnmarshaler = protojson.UnmarshalOptions{DiscardUnknown: true}
 
-// deleteResource deletes the resource by name.
-func (c *client) deleteResource(ctx context.Context, name string) error {
-	req, err := http.NewRequestWithContext(ctx, "DELETE", fmt.Sprintf("%s/%s/%s", c.url, c.version, url.QueryEscape(name)), nil)
+// execDelete deletes the resource by name.
+func (c *client) execDelete(ctx context.Context, name string) error {
+	req, err := http.NewRequestWithContext(ctx, "DELETE", fmt.Sprintf("%s/%s/%s?force=true", c.url, c.version, url.QueryEscape(name)), nil)
 	if err != nil {
 		return err
 	}
@@ -42,7 +42,7 @@ func (c *client) undeleteResource(ctx context.Context, name string) ([]byte, err
 	return body, nil
 }
 
-// deleteResource deletes the resource by name.
+// updateResource update the resource.
 func (c *client) updateResource(ctx context.Context, name string, patch protoreflect.ProtoMessage, updateMasks []string, allowMissing bool) ([]byte, error) {
 	payload, err := protojson.Marshal(patch)
 	if err != nil {

diff --git a/client/database_group.go b/client/database_group.go
@@ -86,8 +86,3 @@ func (c *client) UpdateDatabaseGroup(ctx context.Context, patch *v1pb.DatabaseGr
 
 	return &res, nil
 }
-
-// DeleteDatabaseGroup deletes the database group by name.
-func (c *client) DeleteDatabaseGroup(ctx context.Context, name string) error {
-	return c.deleteResource(ctx, name)
-}
diff --git a/client/group.go b/client/group.go
@@ -86,8 +86,3 @@ func (c *client) UpdateGroup(ctx context.Context, patch *v1pb.Group, updateMasks
 
 	return &res, nil
 }
-
-// DeleteGroup deletes the group by name.
-func (c *client) DeleteGroup(ctx context.Context, name string) error {
-	return c.deleteResource(ctx, name)
-}
diff --git a/client/instance.go b/client/instance.go
@@ -170,11 +170,6 @@ func (c *client) UpdateInstance(ctx context.Context, patch *v1pb.Instance, updat
 	return &res, nil
 }
 
-// DeleteInstance deletes the instance.
-func (c *client) DeleteInstance(ctx context.Context, instanceName string) error {
-	return c.deleteResource(ctx, instanceName)
-}
-
 // UndeleteInstance undeletes the instance.
 func (c *client) UndeleteInstance(ctx context.Context, instanceName string) (*v1pb.Instance, error) {
 	body, err := c.undeleteResource(ctx, instanceName)

diff --git a/client/policy.go b/client/policy.go
@@ -66,5 +66,5 @@ func (c *client) UpsertPolicy(ctx context.Context, policy *v1pb.Policy, updateMa
 
 // DeletePolicy deletes the policy.
 func (c *client) DeletePolicy(ctx context.Context, policyName string) error {
-	return c.deleteResource(ctx, policyName)
+	return c.execDelete(ctx, policyName)
 }
diff --git a/client/project.go b/client/project.go
@@ -268,11 +268,6 @@ func (c *client) UpdateProject(ctx context.Context, patch *v1pb.Project, updateM
 	return &res, nil
 }
 
-// DeleteProject deletes the project.
-func (c *client) DeleteProject(ctx context.Context, projectName string) error {
-	return c.deleteResource(ctx, projectName)
-}
-
 // UndeleteProject undeletes the project.
 func (c *client) UndeleteProject(ctx context.Context, projectName string) (*v1pb.Project, error) {
 	body, err := c.undeleteResource(ctx, projectName)

diff --git a/client/review_config.go b/client/review_config.go
@@ -57,8 +57,3 @@ func (c *client) UpsertReviewConfig(ctx context.Context, patch *v1pb.ReviewConfi
 
 	return &res, nil
 }
-
-// DeleteReviewConfig deletes the review config.
-func (c *client) DeleteReviewConfig(ctx context.Context, reviewName string) error {
-	return c.deleteResource(ctx, reviewName)
-}
diff --git a/client/risk.go b/client/risk.go
@@ -85,8 +85,3 @@ func (c *client) UpdateRisk(ctx context.Context, patch *v1pb.Risk, updateMasks [
 
 	return &res, nil
 }
-
-// DeleteRisk deletes the risk by name.
-func (c *client) DeleteRisk(ctx context.Context, name string) error {
-	return c.deleteResource(ctx, name)
-}
diff --git a/client/role.go b/client/role.go
@@ -51,11 +51,6 @@ func (c *client) CreateRole(ctx context.Context, roleID string, role *v1pb.Role)
 	return &res, nil
 }
 
-// DeleteRole deletes the role by name.
-func (c *client) DeleteRole(ctx context.Context, name string) error {
-	return c.deleteResource(ctx, name)
-}
-
 // UpdateRole updates the role.
 func (c *client) UpdateRole(ctx context.Context, patch *v1pb.Role, updateMasks []string) (*v1pb.Role, error) {
 	body, err := c.updateResource(ctx, patch.Name, patch, updateMasks, true /* allow missing = true*/)

diff --git a/client/user.go b/client/user.go
@@ -164,11 +164,6 @@ func (c *client) UpdateUser(ctx context.Context, patch *v1pb.User, updateMasks [
 	return &res, nil
 }
 
-// DeleteUser deletes the user by name.
-func (c *client) DeleteUser(ctx context.Context, userName string) error {
-	return c.deleteResource(ctx, userName)
-}
-
 // UndeleteUser undeletes the user by name.
 func (c *client) UndeleteUser(ctx context.Context, userName string) (*v1pb.User, error) {
 	body, err := c.undeleteResource(ctx, userName)

diff --git a/docs/data-sources/project_list.md b/docs/data-sources/project_list.md
@@ -32,6 +32,7 @@ The project data source list.
 Read-Only:
 
 - `allow_modify_statement` (Boolean)
+- `allow_self_approval` (Boolean)
 - `auto_enable_backup` (Boolean)
 - `auto_resolve_issue` (Boolean)
 - `databases` (Set of String)

diff --git a/docs/data-sources/setting.md b/docs/data-sources/setting.md
@@ -17,12 +17,14 @@ The setting data source.
 
 ### Required
 
-- `name` (String) The setting name in settings/{name} format. The name support "WORKSPACE_APPROVAL", "WORKSPACE_PROFILE", "DATA_CLASSIFICATION", "SEMANTIC_TYPES" and "ENVIRONMENT". Check the proto https://github.com/bytebase/bytebase/blob/main/proto/v1/v1/setting_service.proto#L109 for details
+- `name` (String) The setting name in settings/{name} format. The name support "WORKSPACE_APPROVAL", "WORKSPACE_PROFILE", "DATA_CLASSIFICATION", "SEMANTIC_TYPES", "ENVIRONMENT", "PASSWORD_RESTRICTION", "SQL_RESULT_SIZE_LIMIT". Check the proto https://github.com/bytebase/bytebase/blob/main/proto/v1/v1/setting_service.proto#L109 for details
 
 ### Optional
 
 - `classification` (Block List, Max: 1) Classification for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--classification))
+- `password_restriction` (Block List, Max: 1) Restrict for login password (see [below for nested schema](#nestedblock--password_restriction))
 - `semantic_types` (Block List) Semantic types for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--semantic_types))
+- `sql_query_restriction` (Block List, Max: 1) Restrict for SQL query result (see [below for nested schema](#nestedblock--sql_query_restriction))
 - `workspace_profile` (Block List, Max: 1) (see [below for nested schema](#nestedblock--workspace_profile))
 
 ### Read-Only
@@ -73,6 +75,20 @@ Optional:
 
 
 
+<a id="nestedblock--password_restriction"></a>
+### Nested Schema for `password_restriction`
+
+Optional:
+
+- `min_length` (Number) min_length is the minimum length for password, should no less than 8.
+- `password_rotation_in_seconds` (Number) password_rotation requires users to reset their password after the duration. The duration should be at least 86400 (one day).
+- `require_letter` (Boolean) require_letter requires the password must contains at least one letter, regardless of upper case or lower case.
+- `require_number` (Boolean) require_number requires the password must contains at least one number.
+- `require_reset_password_for_first_login` (Boolean) require_reset_password_for_first_login requires users to reset their password after the 1st login.
+- `require_special_character` (Boolean) require_special_character requires the password must contains at least one special character.
+- `require_uppercase_letter` (Boolean) require_uppercase_letter requires the password must contains at least one upper case letter.
+
+
 <a id="nestedblock--semantic_types"></a>
 ### Nested Schema for `semantic_types`
 
@@ -143,6 +159,15 @@ Required:
 
 
 
+<a id="nestedblock--sql_query_restriction"></a>
+### Nested Schema for `sql_query_restriction`
+
+Optional:
+
+- `maximum_result_rows` (Number) The return rows limit. If the value <= 0, will be treated as no limit. The default value is -1.
+- `maximum_result_size` (Number) The size limit in bytes. The default value is 100MB, we will use the default value if the setting not exists, or the limit <= 0.
+
+
 <a id="nestedblock--workspace_profile"></a>
 ### Nested Schema for `workspace_profile`
 

diff --git a/docs/resources/setting.md b/docs/resources/setting.md
@@ -17,14 +17,16 @@ The setting resource.
 
 ### Required
 
-- `name` (String) The setting name in settings/{name} format. The name support "WORKSPACE_APPROVAL", "WORKSPACE_PROFILE", "DATA_CLASSIFICATION", "SEMANTIC_TYPES" and "ENVIRONMENT". Check the proto https://github.com/bytebase/bytebase/blob/main/proto/v1/v1/setting_service.proto#L109 for details
+- `name` (String) The setting name in settings/{name} format. The name support "WORKSPACE_APPROVAL", "WORKSPACE_PROFILE", "DATA_CLASSIFICATION", "SEMANTIC_TYPES", "ENVIRONMENT", "PASSWORD_RESTRICTION", "SQL_RESULT_SIZE_LIMIT". Check the proto https://github.com/bytebase/bytebase/blob/main/proto/v1/v1/setting_service.proto#L109 for details
 
 ### Optional
 
 - `approval_flow` (Block List) Configure risk level and approval flow for different tasks. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--approval_flow))
 - `classification` (Block List, Max: 1) Classification for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--classification))
 - `environment_setting` (Block List) The environment (see [below for nested schema](#nestedblock--environment_setting))
+- `password_restriction` (Block List, Max: 1) Restrict for login password (see [below for nested schema](#nestedblock--password_restriction))
 - `semantic_types` (Block List) Semantic types for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--semantic_types))
+- `sql_query_restriction` (Block List, Max: 1) Restrict for SQL query result (see [below for nested schema](#nestedblock--sql_query_restriction))
 - `workspace_profile` (Block List, Max: 1) (see [below for nested schema](#nestedblock--workspace_profile))
 
 ### Read-Only
@@ -149,6 +151,20 @@ Read-Only:
 
 
 
+<a id="nestedblock--password_restriction"></a>
+### Nested Schema for `password_restriction`
+
+Optional:
+
+- `min_length` (Number) min_length is the minimum length for password, should no less than 8.
+- `password_rotation_in_seconds` (Number) password_rotation requires users to reset their password after the duration. The duration should be at least 86400 (one day).
+- `require_letter` (Boolean) require_letter requires the password must contains at least one letter, regardless of upper case or lower case.
+- `require_number` (Boolean) require_number requires the password must contains at least one number.
+- `require_reset_password_for_first_login` (Boolean) require_reset_password_for_first_login requires users to reset their password after the 1st login.
+- `require_special_character` (Boolean) require_special_character requires the password must contains at least one special character.
+- `require_uppercase_letter` (Boolean) require_uppercase_letter requires the password must contains at least one upper case letter.
+
+
 <a id="nestedblock--semantic_types"></a>
 ### Nested Schema for `semantic_types`
 
@@ -219,6 +235,15 @@ Required:
 
 
 
+<a id="nestedblock--sql_query_restriction"></a>
+### Nested Schema for `sql_query_restriction`
+
+Optional:
+
+- `maximum_result_rows` (Number) The return rows limit. If the value <= 0, will be treated as no limit. The default value is -1.
+- `maximum_result_size` (Number) The size limit in bytes. The default value is 100MB, we will use the default value if the setting not exists, or the limit <= 0.
+
+
 <a id="nestedblock--workspace_profile"></a>
 ### Nested Schema for `workspace_profile`