chore: update CEL attribute names for Bytebase 3.11 compatibility (#153)

Update CEL expressions to use the new namespaced attribute format
introduced in Bytebase 3.11. This migration aligns with the backend
changes in migration 3.11/0004##migrate_cel_attribute_names.sql.

Changes:
- Risk policies: Update environment_id → resource.environment_id and
  affected_rows → statement.affected_rows
- Masking policies: Add resource. prefix to environment_id, instance_id,
  and column_name attributes
- IAM policies: Update CEL generation to use resource.schema_name and
  resource.table_name instead of resource.schema and resource.table
- IAM policy parsing: Update to correctly parse expressions with new
  attribute names

Files updated:
- examples/setup/data_masking.tf
- examples/setup/risk.tf
- tutorials/4-2-risk.tf
- tutorials/8-3-global-data-masking.tf
- provider/resource_iam_policy.go
- provider/data_source_iam_policy.go

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>

Author: d-bytebase

examples/setup/data_masking.tf

@@ -158,13 +158,13 @@ resource "bytebase_policy" "global_masking_policy" {
 
   global_masking_policy {
     rules {
-      condition     = "environment_id in [\"test\"]"
+      condition     = "resource.environment_id in [\"test\"]"
       id            = "69df1d15-abe5-4bc9-be38-f2a4bef3f7e0"
       semantic_type = "bb.default-partial"
       title         = "Partial masking for test environment"
     }
     rules {
-      condition     = "instance_id in [\"prod-sample-instance\"]"
+      condition     = "resource.instance_id in [\"prod-sample-instance\"]"
       id            = "90adb734-0808-4c9f-b281-1f76f7a1a29a"
       semantic_type = "bb.default"
       title         = "Default masking for prod instance"

examples/setup/risk.tf

@@ -3,5 +3,5 @@ resource "bytebase_risk" "risk" {
   source    = "DML"
   level     = 300
   active    = true
-  condition = "environment_id == \"prod\" && affected_rows >= 100"
+  condition = "resource.environment_id == \"prod\" && statement.affected_rows >= 100"
 }

provider/data_source_iam_policy.go

@@ -184,15 +184,15 @@ func flattenIAMPolicy(p *v1pb.IamPolicy) ([]interface{}, error) {
 						`"`,
 					)
 				}
-				if strings.HasPrefix(expression, `resource.schema == "`) {
+				if strings.HasPrefix(expression, `resource.schema_name == "`) {
 					rawCondition["schema"] = strings.TrimSuffix(
-						strings.TrimPrefix(expression, `resource.schema == "`),
+						strings.TrimPrefix(expression, `resource.schema_name == "`),
 						`"`,
 					)
 				}
-				if strings.HasPrefix(expression, `resource.table in [`) {
+				if strings.HasPrefix(expression, `resource.table_name in [`) {
 					tableStr := strings.TrimSuffix(
-						strings.TrimPrefix(expression, `resource.table in [`),
+						strings.TrimPrefix(expression, `resource.table_name in [`),
 						`]`,
 					)
 					rawTableList := []interface{}{}

provider/resource_iam_policy.go

@@ -134,14 +134,14 @@ func convertToV1Condition(rawSchema interface{}) (*expr.Expr, error) {
 		expressions = append(expressions, fmt.Sprintf(`resource.database == "%s"`, database))
 	}
 	if schema, ok := rawCondition["schema"].(string); ok {
-		expressions = append(expressions, fmt.Sprintf(`resource.schema == "%s"`, schema))
+		expressions = append(expressions, fmt.Sprintf(`resource.schema_name == "%s"`, schema))
 	}
 	if tables, ok := rawCondition["tables"].(*schema.Set); ok && tables.Len() > 0 {
 		tableList := []string{}
 		for _, table := range tables.List() {
 			tableList = append(tableList, fmt.Sprintf(`"%s"`, table.(string)))
 		}
-		expressions = append(expressions, fmt.Sprintf(`resource.table in [%s]`, strings.Join(tableList, ",")))
+		expressions = append(expressions, fmt.Sprintf(`resource.table_name in [%s]`, strings.Join(tableList, ",")))
 	}
 	if rowLimit, ok := rawCondition["row_limit"].(int); ok && rowLimit > 0 {
 		expressions = append(expressions, fmt.Sprintf(`request.row_limit <= %d`, rowLimit))

tutorials/4-2-risk.tf

@@ -3,13 +3,13 @@ resource "bytebase_risk" "dml_moderate" {
   source    = "DML"
   level     = 200
   active    = true
-  condition = "environment_id == \"prod\" && affected_rows >= 100"
+  condition = "resource.environment_id == \"prod\" && statement.affected_rows >= 100"
 }
 
 resource "bytebase_risk" "ddl_high" {
   title     = "DDL High Risk"
   source    = "DDL"
   level     = 300
   active    = true
-  condition = "environment_id == \"prod\""
+  condition = "resource.environment_id == \"prod\""
 }

tutorials/8-3-global-data-masking.tf

@@ -12,14 +12,14 @@ resource "bytebase_policy" "global_masking_policy" {
   global_masking_policy {
 
     rules {
-      condition     = "column_name == \"birth_date\""
+      condition     = "resource.column_name == \"birth_date\""
       id            = "birth-date-mask"
       semantic_type = "date-year-mask"
       title = "Mask Birth Date Year"
     }
 
     rules {
-      condition     = "column_name == \"last_name\""
+      condition     = "resource.column_name == \"last_name\""
       id            = "last-name-first-letter-only"
       semantic_type = "name-first-letter-only"
       title = "Last Name Only Show First Letter"