Add enum for schema grant privileges (#3396)

kanterov · web-flow · commit 1d38fdcc37c9 · 2025-08-29T09:56:59.000Z
## Changes Add an enum for schema grant privileges. It follows documented privileges in Terraform documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/grants#schema-grants ## Why Using enums gives better typing in JSON schema and allows generating enums in Python code ## Tests By inspecting the resulting JSON schema
diff --git a/bundle/config/resources/schema.go b/bundle/config/resources/schema.go
@@ -14,9 +14,54 @@ import (
 	"github.com/databricks/databricks-sdk-go/service/catalog"
 )
 
+type SchemaGrantPrivilege string
+
+const (
+	SchemaGrantPrivilegeAllPrivileges  SchemaGrantPrivilege = "ALL_PRIVILEGES"
+	SchemaGrantPrivilegeApplyTag       SchemaGrantPrivilege = "APPLY_TAG"
+	SchemaGrantPrivilegeCreateFunction SchemaGrantPrivilege = "CREATE_FUNCTION"
+	SchemaGrantPrivilegeCreateTable    SchemaGrantPrivilege = "CREATE_TABLE"
+	SchemaGrantPrivilegeCreateVolume   SchemaGrantPrivilege = "CREATE_VOLUME"
+	SchemaGrantPrivilegeManage         SchemaGrantPrivilege = "MANAGE"
+	SchemaGrantPrivilegeUseSchema      SchemaGrantPrivilege = "USE_SCHEMA"
+	SchemaGrantPrivilegeExecute        SchemaGrantPrivilege = "EXECUTE"
+	SchemaGrantPrivilegeModify         SchemaGrantPrivilege = "MODIFY"
+	SchemaGrantPrivilegeRefresh        SchemaGrantPrivilege = "REFRESH"
+	SchemaGrantPrivilegeSelect         SchemaGrantPrivilege = "SELECT"
+	SchemaGrantPrivilegeReadVolume     SchemaGrantPrivilege = "READ_VOLUME"
+	SchemaGrantPrivilegeWriteVolume    SchemaGrantPrivilege = "WRITE_VOLUME"
+)
+
+// Values returns all valid SchemaGrantPrivilege values
+func (SchemaGrantPrivilege) Values() []SchemaGrantPrivilege {
+	return []SchemaGrantPrivilege{
+		SchemaGrantPrivilegeAllPrivileges,
+		SchemaGrantPrivilegeApplyTag,
+		SchemaGrantPrivilegeCreateFunction,
+		SchemaGrantPrivilegeCreateTable,
+		SchemaGrantPrivilegeCreateVolume,
+		SchemaGrantPrivilegeManage,
+		SchemaGrantPrivilegeUseSchema,
+		SchemaGrantPrivilegeExecute,
+		SchemaGrantPrivilegeModify,
+		SchemaGrantPrivilegeRefresh,
+		SchemaGrantPrivilegeSelect,
+		SchemaGrantPrivilegeReadVolume,
+		SchemaGrantPrivilegeWriteVolume,
+	}
+}
+
+// SchemaGrant holds the grant level settings for a single principal in Unity Catalog.
+// Multiple of these can be defined on any schema.
+type SchemaGrant struct {
+	Privileges []SchemaGrantPrivilege `json:"privileges"`
+
+	Principal string `json:"principal"`
+}
+
 type Schema struct {
 	// List of grants to apply on this schema.
-	Grants []Grant `json:"grants,omitempty"`
+	Grants []SchemaGrant `json:"grants,omitempty"`
 
 	// Full name of the schema (catalog_name.schema_name). This value is read from
 	// the terraform state after deployment succeeds.
diff --git a/bundle/deploy/terraform/tfdyn/convert_schema_test.go b/bundle/deploy/terraform/tfdyn/convert_schema_test.go
@@ -25,14 +25,18 @@ func TestConvertSchema(t *testing.T) {
 			},
 			StorageRoot: "root",
 		},
-		Grants: []resources.Grant{
+		Grants: []resources.SchemaGrant{
 			{
-				Privileges: []string{"EXECUTE"},
-				Principal:  "jack@gmail.com",
+				Privileges: []resources.SchemaGrantPrivilege{
+					resources.SchemaGrantPrivilegeExecute,
+				},
+				Principal: "jack@gmail.com",
 			},
 			{
-				Privileges: []string{"RUN"},
-				Principal:  "jane@gmail.com",
+				Privileges: []resources.SchemaGrantPrivilege{
+					resources.SchemaGrantPrivilegeSelect,
+				},
+				Principal: "jane@gmail.com",
 			},
 		},
 	}
@@ -67,7 +71,7 @@ func TestConvertSchema(t *testing.T) {
 				Principal:  "jack@gmail.com",
 			},
 			{
-				Privileges: []string{"RUN"},
+				Privileges: []string{"SELECT"},
 				Principal:  "jane@gmail.com",
 			},
 		},
diff --git a/bundle/internal/schema/annotations.yml b/bundle/internal/schema/annotations.yml
@@ -664,6 +664,13 @@ github.com/databricks/cli/bundle/config/resources.PipelinePermission:
   "user_name":
     "description": |-
       PLACEHOLDER
+github.com/databricks/cli/bundle/config/resources.SchemaGrant:
+  "principal":
+    "description": |-
+      PLACEHOLDER
+  "privileges":
+    "description": |-
+      PLACEHOLDER
 github.com/databricks/cli/bundle/config/resources.SecretScope:
   "backend_type":
     "description": |-
diff --git a/bundle/internal/schema/annotations_openapi_overrides.yml b/bundle/internal/schema/annotations_openapi_overrides.yml
@@ -424,6 +424,35 @@ github.com/databricks/cli/bundle/config/resources.RegisteredModel:
   "grants":
     "description": |-
       PLACEHOLDER
+github.com/databricks/cli/bundle/config/resources.SchemaGrantPrivilege:
+  "_":
+    "enum":
+      - |-
+        ALL_PRIVILEGES
+      - |-
+        APPLY_TAG
+      - |-
+        CREATE_FUNCTION
+      - |-
+        CREATE_TABLE
+      - |-
+        CREATE_VOLUME
+      - |-
+        MANAGE
+      - |-
+        USE_SCHEMA
+      - |-
+        EXECUTE
+      - |-
+        MODIFY
+      - |-
+        REFRESH
+      - |-
+        SELECT
+      - |-
+        READ_VOLUME
+      - |-
+        WRITE_VOLUME
 github.com/databricks/cli/bundle/config/resources.Schema:
   "_":
     "markdown_description": |-
diff --git a/bundle/schema/jsonschema.json b/bundle/schema/jsonschema.json
