databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Issue with `databricks_permissions` resource #2268

Closed daniprado closed 1 year ago

daniprado commented 1 year ago

Configuration

# local.databricks_sql_warehouses is not shown in the issue: it is a map keyed
# by warehouse name whose values carry the warehouse settings plus a "manager"
# service principal and an optional list of "users" groups.

resource "databricks_sql_global_config" "this" {
  security_policy           = "DATA_ACCESS_CONTROL"
  data_access_config        = {}
  sql_config_params         = {}
  enable_serverless_compute = true
}

resource "databricks_sql_endpoint" "this" {
  for_each = local.databricks_sql_warehouses

  name = each.value.name

  # Per-warehouse settings with defaults when the map entry omits them.
  cluster_size              = try(each.value.cluster_size, "Small")
  min_num_clusters          = try(each.value.min_num_clusters, 1)
  max_num_clusters          = try(each.value.max_num_clusters, 1)
  auto_stop_mins            = try(each.value.auto_stop_mins, 10)
  spot_instance_policy      = try(each.value.spot_instance_policy, "COST_OPTIMIZED")
  enable_serverless_compute = try(each.value.enable_serverless_compute, true)
  warehouse_type            = "PRO"

  # Emit a channel block only when the entry names one.
  dynamic "channel" {
    for_each = try(each.value.channel_name, null) != null ? [ each.value.channel_name ] : []

    content {
      name = channel.value
    }
  }

  depends_on = [
    databricks_sql_global_config.this
  ]
}

resource "databricks_permissions" "sql_warehouse" {
  for_each = databricks_sql_endpoint.this

  sql_endpoint_id = each.value.id

  # The managing service principal gets CAN_MANAGE. IS_OWNER cannot be set
  # here: the provider rejects it for sql_endpoint_id objects.
  access_control {
    service_principal_name = local.databricks_sql_warehouses[each.key].manager
    permission_level = "CAN_MANAGE"
  }

  # One CAN_USE block per consumer group listed for this warehouse.
  dynamic "access_control" {
    for_each = try(local.databricks_sql_warehouses[each.key].users, [])
    content {
      group_name       = access_control.value
      permission_level = "CAN_USE"
    }
  }
}

Expected Behavior

As the IS_OWNER permission cannot be provided in an access_control block, it should be completely ignored by the Terraform execution.

Actual Behavior

Whenever a terraform apply is executed, the IS_OWNER block is marked for deletion. This deletion does not actually happen, so the block appears again on the next run, causing the resource to be "modified" on every execution.

UPDATE: This apparently happens only when the current owner of the SQL Warehouse is not the user executing the Terraform plan/apply.

Steps to Reproduce

  1. Create a databricks_sql_endpoint
  2. Create a databricks_permissions resource attached to it.
  3. Execute plan/apply for the same code a second time.

Terraform and provider versions

Terraform v1.4.0
on linux_amd64
+ provider registry.terraform.io/databricks/databricks v1.15.0

Debug Output

  # databricks_permissions.sql_warehouse["Serverless SQL Warehouse"] will be updated in-place
  ~ resource "databricks_permissions" "sql_warehouse" {
        id              = "/sql/warehouses/<<SQL_ENDPOINT_ID>>"
        # (2 unchanged attributes hidden)

      - access_control {
          - permission_level       = "CAN_MANAGE" -> null
          - service_principal_name = "<<SP_UUID>>" -> null
        }
      - access_control {
          - permission_level = "IS_OWNER" -> null
          - user_name        = "<<CURRENT_ENDPOINT_OWNER>>" -> null
        }
      - access_control {
          - group_name       = "datastewards" -> null
          - permission_level = "CAN_USE" -> null
        }
      + access_control {
          + group_name       = "datastewards"
          + permission_level = "CAN_USE"
        }
      + access_control {
          + permission_level       = "CAN_MANAGE"
          + service_principal_name = "<<SP_UUID>>"
        }
    }

Important Factoids

N/A
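The following is an added example, not code from the provider or from the reporter, that models the behaviour described in this report as a pre-apply check. It assumes the ACL comes in the shape of a Permissions API GET response (`access_control_list` entries with `user_name` / `service_principal_name` / `group_name` and `all_permissions`), that the entry belonging to the principal running Terraform is treated as implicit (the assumption behind the UPDATE above: no drift when the owner is the one running the plan), and uses constructed sample data. The plan output in the report renders the whole access_control list as replaced; this check only isolates the entry that causes it, the IS_OWNER row that cannot be expressed in configuration and therefore never goes away.

```python
"""Added example (not provider or reporter code): a pre-apply check for the
IS_OWNER drift described in this issue.

Model taken from the report: the provider compares the access_control blocks
in the configuration with the warehouse's current ACL, and the entry belonging
to the principal running Terraform is treated as implicit (assumption derived
from the UPDATE above: the drift only appears when that principal is not the
owner). Because IS_OWNER cannot be written in an access_control block for a
sql_endpoint_id, an owner entry for any other principal is a removal that
never takes effect, so the resource is "modified" on every run.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One effective permission: who, what kind of principal, which level."""
    principal: str
    kind: str              # "user", "service_principal" or "group"
    permission_level: str


# Constructed sample in the shape of a Permissions API GET response for
# /api/2.0/permissions/sql/warehouses/<id> (field names are an assumption).
SAMPLE_ACL = {
    "object_id": "/sql/warehouses/<<SQL_ENDPOINT_ID>>",
    "object_type": "warehouses",
    "access_control_list": [
        {"user_name": "owner@example.com",
         "all_permissions": [{"permission_level": "IS_OWNER", "inherited": False}]},
        {"service_principal_name": "<<SP_UUID>>",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": False}]},
        {"group_name": "datastewards",
         "all_permissions": [{"permission_level": "CAN_USE", "inherited": False}]},
        # Workspace admins hold CAN_MANAGE on everything; inherited entries are
        # not managed by databricks_permissions and must be ignored.
        {"group_name": "admins",
         "all_permissions": [{"permission_level": "CAN_MANAGE", "inherited": True}]},
    ],
}

# The access_control blocks from the configuration in the report.
DESIRED = {
    Ace("<<SP_UUID>>", "service_principal", "CAN_MANAGE"),
    Ace("datastewards", "group", "CAN_USE"),
}

_PRINCIPAL_KEYS = (("user_name", "user"),
                   ("service_principal_name", "service_principal"),
                   ("group_name", "group"))


def parse_acl(acl_json):
    """Flatten an access_control_list into Ace values, dropping inherited ones."""
    aces = set()
    for entry in acl_json.get("access_control_list", []):
        for key, kind in _PRINCIPAL_KEYS:
            if key in entry:
                principal = entry[key]
                break
        else:
            continue                      # malformed entry: no principal
        for perm in entry.get("all_permissions", []):
            if not perm.get("inherited", False):
                aces.add(Ace(principal, kind, perm["permission_level"]))
    return aces


def plan_changes(desired, acl_json, running_as):
    """Return (removed, added): the access_control blocks a plan would show.

    The running principal's own entry is treated as implicit and excluded
    from the comparison (assumption, see module docstring).
    """
    actual = {a for a in parse_acl(acl_json) if a.principal != running_as}
    return actual - desired, desired - actual


def phantom_owner_removals(desired, acl_json, running_as):
    """IS_OWNER entries the plan would try to delete but cannot; each one is a
    permanent diff. Sorted for stable output."""
    removed, _ = plan_changes(desired, acl_json, running_as)
    return sorted(a.principal for a in removed if a.permission_level == "IS_OWNER")


def plan_is_clean(desired, acl_json, running_as):
    """True when a second apply would be a no-op."""
    removed, added = plan_changes(desired, acl_json, running_as)
    return not removed and not added


if __name__ == "__main__":
    for who in ("deployer-sp-uuid", "owner@example.com"):
        owners = phantom_owner_removals(DESIRED, SAMPLE_ACL, who)
        state = "clean" if plan_is_clean(DESIRED, SAMPLE_ACL, who) else "perpetual diff"
        print(f"running as {who!r}: {state}; phantom IS_OWNER removals: {owners}")
```

Run as a different service principal than the owner, the check reports `owner@example.com` as a phantom removal; run as the owner, the plan is clean. Feeding it the real ACL of each warehouse before `terraform apply` tells you in advance which warehouses will show the perpetual diff and who the current owner is.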

panselaukik commented 1 year ago

+1 Facing a similar issue

panselaukik commented 1 year ago

`Principal: UserName(OWNER_EMAIL) does not exist` is what we are getting on every Terraform apply.

lsprangers commented 1 year ago

+1 Facing exact same issue as @panselaukik

marcin-sg commented 1 year ago

There is the same problem with other resources, e.g. jobs and clusters (the provider implicitly sets the authenticated user as the owner). So my workaround (to be able to see the plan when running as a regular user) is to explicitly grant rights (IS_OWNER or CAN_MANAGE) to the service principal deploying the resource. However, for SQL endpoints this gives `Error: permission_level IS_OWNER is not supported with sql_endpoint_id objects`, and this is the bigger issue for me.