feat: update to new masking exemption API (#164)

This updates the Terraform provider to use the new protobuf schema
and API changes for masking exemption policies.

Changes:
- Update protobuf dependencies to fb04b193baa94bd0aaca101006b5c9d7
- Rename MASKING_EXCEPTION to MASKING_EXEMPTION throughout
- Update API from single Member+Action to Members array model
- Remove deprecated actions field completely
- Simplify flatten/convert logic to work directly with Members array
- Rename all "exception" references to "exemption" in masking context
- Update examples, tutorials, and tests to use new API

Breaking changes:
- masking_exception_policy renamed to masking_exemption_policy
- exceptions field renamed to exemptions
- actions field removed (no longer supported in API)
- API now uses Members array instead of individual Member+Action pairs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: d-bytebase

docs/data-sources/policy.md

@@ -24,7 +24,7 @@ The policy data source.
 
 - `data_source_query_policy` (Block List, Max: 1) Restrict querying admin data sources (see [below for nested schema](#nestedblock--data_source_query_policy))
 - `global_masking_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--global_masking_policy))
-- `masking_exception_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--masking_exception_policy))
+- `masking_exemption_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--masking_exemption_policy))
 - `query_data_policy` (Block List, Max: 1) The policy for query data (see [below for nested schema](#nestedblock--query_data_policy))
 - `rollout_policy` (Block List, Max: 1) Control issue rollout. Learn more: https://docs.bytebase.com/administration/environment-policy/rollout-policy (see [below for nested schema](#nestedblock--rollout_policy))
 
@@ -67,15 +67,15 @@ Optional:
 
 
 
-<a id="nestedblock--masking_exception_policy"></a>
-### Nested Schema for `masking_exception_policy`
+<a id="nestedblock--masking_exemption_policy"></a>
+### Nested Schema for `masking_exemption_policy`
 
 Optional:
 
-- `exceptions` (Block Set) (see [below for nested schema](#nestedblock--masking_exception_policy--exceptions))
+- `exemptions` (Block Set) (see [below for nested schema](#nestedblock--masking_exemption_policy--exemptions))
 
-<a id="nestedblock--masking_exception_policy--exceptions"></a>
-### Nested Schema for `masking_exception_policy.exceptions`
+<a id="nestedblock--masking_exemption_policy--exemptions"></a>
+### Nested Schema for `masking_exemption_policy.exemptions`
 
 Required:
 
@@ -87,7 +87,7 @@ Optional:
 - `columns` (Set of String)
 - `database` (String) The database full name in instances/{instance resource id}/databases/{database name} format
 - `expire_timestamp` (String) The expiration timestamp in YYYY-MM-DDThh:mm:ss.000Z format
-- `raw_expression` (String) The raw CEL expression. We will use it as the masking exception and ignore the "database"/"schema"/"table"/"columns"/"expire_timestamp" fields if you provide the raw expression.
+- `raw_expression` (String) The raw CEL expression. We will use it as the masking exemption and ignore the "database"/"schema"/"table"/"columns"/"expire_timestamp" fields if you provide the raw expression.
 - `reason` (String) The reason for the masking exemption
 - `schema` (String)
 - `table` (String)

docs/data-sources/policy_list.md

@@ -33,7 +33,7 @@ Read-Only:
 - `enforce` (Boolean)
 - `global_masking_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--global_masking_policy))
 - `inherit_from_parent` (Boolean)
-- `masking_exception_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--masking_exception_policy))
+- `masking_exemption_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--masking_exemption_policy))
 - `name` (String)
 - `query_data_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--query_data_policy))
 - `rollout_policy` (List of Object) (see [below for nested schema](#nestedobjatt--policies--rollout_policy))
@@ -68,15 +68,15 @@ Read-Only:
 
 
 
-<a id="nestedobjatt--policies--masking_exception_policy"></a>
-### Nested Schema for `policies.masking_exception_policy`
+<a id="nestedobjatt--policies--masking_exemption_policy"></a>
+### Nested Schema for `policies.masking_exemption_policy`
 
 Read-Only:
 
-- `exceptions` (Set of Object) (see [below for nested schema](#nestedobjatt--policies--masking_exception_policy--exceptions))
+- `exemptions` (Set of Object) (see [below for nested schema](#nestedobjatt--policies--masking_exemption_policy--exemptions))
 
-<a id="nestedobjatt--policies--masking_exception_policy--exceptions"></a>
-### Nested Schema for `policies.masking_exception_policy.exceptions`
+<a id="nestedobjatt--policies--masking_exemption_policy--exemptions"></a>
+### Nested Schema for `policies.masking_exemption_policy.exemptions`
 
 Read-Only:
 

docs/resources/policy.md

@@ -26,7 +26,7 @@ The policy resource.
 - `enforce` (Boolean) Decide if the policy is enforced.
 - `global_masking_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--global_masking_policy))
 - `inherit_from_parent` (Boolean) Decide if the policy should inherit from the parent.
-- `masking_exception_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--masking_exception_policy))
+- `masking_exemption_policy` (Block List, Max: 1) (see [below for nested schema](#nestedblock--masking_exemption_policy))
 - `query_data_policy` (Block List, Max: 1) The policy for query data (see [below for nested schema](#nestedblock--query_data_policy))
 - `rollout_policy` (Block List, Max: 1) Control issue rollout. Learn more: https://docs.bytebase.com/administration/environment-policy/rollout-policy (see [below for nested schema](#nestedblock--rollout_policy))
 
@@ -67,15 +67,15 @@ Optional:
 
 
 
-<a id="nestedblock--masking_exception_policy"></a>
-### Nested Schema for `masking_exception_policy`
+<a id="nestedblock--masking_exemption_policy"></a>
+### Nested Schema for `masking_exemption_policy`
 
 Optional:
 
-- `exceptions` (Block Set) (see [below for nested schema](#nestedblock--masking_exception_policy--exceptions))
+- `exemptions` (Block Set) (see [below for nested schema](#nestedblock--masking_exemption_policy--exemptions))
 
-<a id="nestedblock--masking_exception_policy--exceptions"></a>
-### Nested Schema for `masking_exception_policy.exceptions`
+<a id="nestedblock--masking_exemption_policy--exemptions"></a>
+### Nested Schema for `masking_exemption_policy.exemptions`
 
 Required:
 
@@ -87,7 +87,7 @@ Optional:
 - `columns` (Set of String)
 - `database` (String) The database full name in instances/{instance resource id}/databases/{database name} format
 - `expire_timestamp` (String) The expiration timestamp in YYYY-MM-DDThh:mm:ss.000Z format
-- `raw_expression` (String) The raw CEL expression. We will use it as the masking exception and ignore the "database"/"schema"/"table"/"columns"/"expire_timestamp" fields if you provide the raw expression.
+- `raw_expression` (String) The raw CEL expression. We will use it as the masking exemption and ignore the "database"/"schema"/"table"/"columns"/"expire_timestamp" fields if you provide the raw expression.
 - `reason` (String) The reason for the masking exemption
 - `schema` (String)
 - `table` (String)

examples/policies/main.tf

@@ -17,13 +17,13 @@ provider "bytebase" {
   url = "https://bytebase.example.com"
 }
 
-data "bytebase_policy" "masking_exception_policy" {
+data "bytebase_policy" "masking_exemption_policy" {
   parent = "projects/project-sample"
-  type   = "MASKING_EXCEPTION"
+  type   = "MASKING_EXEMPTION"
 }
 
-output "masking_exception_policy" {
-  value = data.bytebase_policy.masking_exception_policy
+output "masking_exemption_policy" {
+  value = data.bytebase_policy.masking_exemption_policy
 }
 
 data "bytebase_policy" "global_masking_policy" {

examples/setup/data_masking.tf

@@ -97,7 +97,7 @@ resource "bytebase_setting" "semantic_types" {
   }
 }
 
-resource "bytebase_policy" "masking_exception_policy" {
+resource "bytebase_policy" "masking_exemption_policy" {
   depends_on = [
     bytebase_project.sample_project,
     bytebase_instance.test,
@@ -106,39 +106,36 @@ resource "bytebase_policy" "masking_exception_policy" {
   ]
 
   parent              = bytebase_project.sample_project.name
-  type                = "MASKING_EXCEPTION"
+  type                = "MASKING_EXEMPTION"
   enforce             = true
   inherit_from_parent = false
 
-  masking_exception_policy {
-    exceptions {
+  masking_exemption_policy {
+    exemptions {
       database = "instances/test-sample-instance/databases/employee"
       table    = "salary"
       columns  = ["amount", "emp_no"]
       members = [
         format("user:%s", bytebase_user.project_developer.email),
         format("user:%s", bytebase_user.workspace_dba.email),
       ]
-      actions = ["QUERY", "EXPORT"]
       reason  = "Grant access"
     }
 
-    exceptions {
+    exemptions {
       database = "instances/test-sample-instance/databases/employee"
       table    = "employee"
       columns  = ["emp_no"]
       members = [
         format("user:%s", bytebase_user.workspace_dba.email),
       ]
-      actions = ["EXPORT"]
       reason  = "Grant export access"
     }
 
-    exceptions {
+    exemptions {
       members = [
         format("user:%s", bytebase_user.project_developer.email),
       ]
-      actions        = ["QUERY"]
       reason         = "Grant query access"
       raw_expression = "resource.instance_id == \"test-sample-instance\" && resource.database_name == \"employee\" && resource.table_name == \"employee\" && resource.column_name in [\"first_name\", \"last_name\", \"gender\"]"
     }

go.mod

@@ -5,8 +5,8 @@ go 1.24.4
 toolchain go1.24.5
 
 require (
-	buf.build/gen/go/bytebase/bytebase/connectrpc/go v1.19.1-20251213023536-6609958f901e.2
-	buf.build/gen/go/bytebase/bytebase/protocolbuffers/go v1.36.11-20251213023536-6609958f901e.1
+	buf.build/gen/go/bytebase/bytebase/connectrpc/go v1.19.1-20251214112515-fb04b193baa9.2
+	buf.build/gen/go/bytebase/bytebase/protocolbuffers/go v1.36.11-20251214112515-fb04b193baa9.1
 	connectrpc.com/connect v1.19.1
 	github.com/hashicorp/go-cty v1.5.0
 	github.com/hashicorp/terraform-plugin-docs v0.13.0

go.sum

@@ -1,9 +1,9 @@
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.11-20250912141014-52f32327d4b0.1 h1:oKTVB9QIhFBU9y07QCs2lX2EhGkqWKTX3tTOl/ZbU9o=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.11-20250912141014-52f32327d4b0.1/go.mod h1:tvtbpgaVXZX4g6Pn+AnzFycuRK3MOz5HJfEGeEllXYM=
-buf.build/gen/go/bytebase/bytebase/connectrpc/go v1.19.1-20251213023536-6609958f901e.2 h1:9DZmVi/FAPVp6rGhhznpW7awGgaMPtQ+qbzlg3bzofk=
-buf.build/gen/go/bytebase/bytebase/connectrpc/go v1.19.1-20251213023536-6609958f901e.2/go.mod h1:qgJoWoSPMmskQRAk/vKEu8qmskfaLzVgdOoHHcX6XMk=
-buf.build/gen/go/bytebase/bytebase/protocolbuffers/go v1.36.11-20251213023536-6609958f901e.1 h1:EIfN8MN/kG3Vr7GGUFhMwYrkqbE0N3I2yhOrUSVjwmY=
-buf.build/gen/go/bytebase/bytebase/protocolbuffers/go v1.36.11-20251213023536-6609958f901e.1/go.mod h1:Y8s/Z9IfQ1KR8k09qLsiYcrIPmozthp/dNL2+/mBCPY=
+buf.build/gen/go/bytebase/bytebase/connectrpc/go v1.19.1-20251214112515-fb04b193baa9.2 h1:ZSI0P/0kPFz4JDToqEfEoLxM5Cj9rDeT4B8Setfrtz4=
+buf.build/gen/go/bytebase/bytebase/connectrpc/go v1.19.1-20251214112515-fb04b193baa9.2/go.mod h1:HUQjHrRSWi2ed3LvkAu5qrLdm25GT0gs3nwFHT6Fdog=
+buf.build/gen/go/bytebase/bytebase/protocolbuffers/go v1.36.11-20251214112515-fb04b193baa9.1 h1:hD0jpq7ygiGhM4L3ISRWGx6VHXak1rCh8UadLRSpGaY=
+buf.build/gen/go/bytebase/bytebase/protocolbuffers/go v1.36.11-20251214112515-fb04b193baa9.1/go.mod h1:Y8s/Z9IfQ1KR8k09qLsiYcrIPmozthp/dNL2+/mBCPY=
 connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
 connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=

provider/data_source_policy.go

@@ -42,7 +42,7 @@ func dataSourcePolicy() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 				ValidateFunc: validation.StringInSlice([]string{
-					v1pb.PolicyType_MASKING_EXCEPTION.String(),
+					v1pb.PolicyType_MASKING_EXEMPTION.String(),
 					v1pb.PolicyType_MASKING_RULE.String(),
 					v1pb.PolicyType_DATA_SOURCE_QUERY.String(),
 					v1pb.PolicyType_ROLLOUT_POLICY.String(),
@@ -65,7 +65,7 @@ func dataSourcePolicy() *schema.Resource {
 				Computed:    true,
 				Description: "Decide if the policy is enforced.",
 			},
-			"masking_exception_policy": getMaskingExceptionPolicySchema(true),
+			"masking_exemption_policy": getMaskingExemptionPolicySchema(true),
 			"global_masking_policy":    getGlobalMaskingPolicySchema(true),
 			"data_source_query_policy": getDataSourceQueryPolicySchema(true),
 			"rollout_policy":           getRolloutPolicySchema(true),
@@ -74,7 +74,7 @@ func dataSourcePolicy() *schema.Resource {
 	}
 }
 
-func getMaskingExceptionPolicySchema(computed bool) *schema.Schema {
+func getMaskingExemptionPolicySchema(computed bool) *schema.Schema {
 	return &schema.Schema{
 		Computed: computed,
 		Optional: true,
@@ -84,7 +84,7 @@ func getMaskingExceptionPolicySchema(computed bool) *schema.Schema {
 		MaxItems: 1,
 		Elem: &schema.Resource{
 			Schema: map[string]*schema.Schema{
-				"exceptions": {
+				"exemptions": {
 					Computed: computed,
 					Optional: true,
 					Default:  nil,
@@ -135,19 +135,6 @@ func getMaskingExceptionPolicySchema(computed bool) *schema.Schema {
 									),
 								},
 							},
-							"actions": {
-								Type:     schema.TypeSet,
-								Required: true,
-								MinItems: 1,
-								Elem: &schema.Schema{
-									Type:        schema.TypeString,
-									Description: "The action to allow for members. Support QUERY or EXPORT",
-									ValidateFunc: validation.StringInSlice([]string{
-										v1pb.MaskingExceptionPolicy_MaskingException_QUERY.String(),
-										v1pb.MaskingExceptionPolicy_MaskingException_EXPORT.String(),
-									}, false),
-								},
-							},
 							"reason": {
 								Type:        schema.TypeString,
 								Optional:    true,
@@ -163,11 +150,11 @@ func getMaskingExceptionPolicySchema(computed bool) *schema.Schema {
 								Type:        schema.TypeString,
 								Computed:    computed,
 								Optional:    true,
-								Description: `The raw CEL expression. We will use it as the masking exception and ignore the "database"/"schema"/"table"/"columns"/"expire_timestamp" fields if you provide the raw expression.`,
+								Description: `The raw CEL expression. We will use it as the masking exemption and ignore the "database"/"schema"/"table"/"columns"/"expire_timestamp" fields if you provide the raw expression.`,
 							},
 						},
 					},
-					Set: exceptionHash,
+					Set: exemptionHash,
 				},
 			},
 		},
@@ -381,13 +368,13 @@ func flattenPolicyPayload(policy *v1pb.Policy) (string, interface{}, diag.Diagno
 		return "", nil, diag.Errorf("cannot parse name for policy: %s", err.Error())
 	}
 	switch policyType {
-	case v1pb.PolicyType_MASKING_EXCEPTION:
-		if p := policy.GetMaskingExceptionPolicy(); p != nil {
-			exceptionPolicy, err := flattenMaskingExceptionPolicy(p)
+	case v1pb.PolicyType_MASKING_EXEMPTION:
+		if p := policy.GetMaskingExemptionPolicy(); p != nil {
+			exemptionPolicy, err := flattenMaskingExemptionPolicy(p)
 			if err != nil {
 				return "", nil, diag.FromErr(err)
 			}
-			return "masking_exception_policy", exceptionPolicy, nil
+			return "masking_exemption_policy", exemptionPolicy, nil
 		}
 	case v1pb.PolicyType_MASKING_RULE:
 		if p := policy.GetMaskingRulePolicy(); p != nil {
@@ -469,45 +456,34 @@ func flattenGlobalMaskingPolicy(p *v1pb.MaskingRulePolicy) ([]interface{}, error
 	return []interface{}{policy}, nil
 }
 
-type combineException struct {
-	expression string
-	reason     string
-	members    []interface{}
-	actions    []interface{}
-}
-
-func flattenMaskingExceptionPolicy(p *v1pb.MaskingExceptionPolicy) ([]interface{}, error) {
-	exceptionList := []interface{}{}
-	exceptionMap := map[string]*combineException{}
+func flattenMaskingExemptionPolicy(p *v1pb.MaskingExemptionPolicy) ([]interface{}, error) {
+	exemptionList := []interface{}{}
 
-	for _, exception := range p.MaskingExceptions {
-		if exception.Condition == nil || exception.Condition.Expression == "" {
+	for _, exemption := range p.Exemptions {
+		if exemption.Condition == nil || exemption.Condition.Expression == "" {
 			// Skip invalid data.
 			continue
 		}
 
-		key := fmt.Sprintf("[expression:%s] [reason:%s]", exception.Condition.Expression, exception.Condition.Description)
-		if _, ok := exceptionMap[key]; !ok {
-			exceptionMap[key] = &combineException{
-				expression: exception.Condition.Expression,
-				reason:     exception.Condition.Description,
-				members:    []interface{}{},
-				actions:    []interface{}{},
-			}
+		// The new API uses Condition.Title for the reason/description
+		reason := exemption.Condition.Title
+		if reason == "" {
+			reason = exemption.Condition.Description
+		}
+
+		// Convert members to interface slice for schema.Set
+		members := []interface{}{}
+		for _, member := range exemption.Members {
+			members = append(members, member)
 		}
-		exceptionMap[key].members = append(exceptionMap[key].members, exception.Member)
-		exceptionMap[key].actions = append(exceptionMap[key].actions, exception.Action.String())
-	}
 
-	for _, combine := range exceptionMap {
 		raw := map[string]interface{}{
-			"members":        schema.NewSet(schema.HashString, combine.members),
-			"actions":        schema.NewSet(schema.HashString, combine.actions),
-			"reason":         combine.reason,
-			"raw_expression": combine.expression,
+			"members":        schema.NewSet(schema.HashString, members),
+			"reason":         reason,
+			"raw_expression": exemption.Condition.Expression,
 		}
 
-		expressions := strings.Split(combine.expression, " && ")
+		expressions := strings.Split(exemption.Condition.Expression, " && ")
 		instanceID := ""
 		databaseName := ""
 		columns := []interface{}{}
@@ -571,21 +547,21 @@ func flattenMaskingExceptionPolicy(p *v1pb.MaskingExceptionPolicy) ([]interface{
 		if len(columns) > 0 {
 			raw["columns"] = schema.NewSet(schema.HashString, columns)
 		}
-		exceptionList = append(exceptionList, raw)
+		exemptionList = append(exemptionList, raw)
 	}
 
 	policy := map[string]interface{}{
-		"exceptions": exceptionList,
+		"exemptions": exemptionList,
 	}
 	return []interface{}{policy}, nil
 }
 
-func exceptionHash(rawSchema interface{}) int {
-	exceptions, err := convertToV1Exceptions(rawSchema)
+func exemptionHash(rawSchema interface{}) int {
+	exemptions, err := convertToV1Exemptions(rawSchema)
 	if err != nil {
 		return 0
 	}
-	return internal.ToHash(&v1pb.MaskingExceptionPolicy{
-		MaskingExceptions: exceptions,
+	return internal.ToHash(&v1pb.MaskingExemptionPolicy{
+		Exemptions: exemptions,
 	})
 }