Fixed bundle deploy to not update permissions for unbound resources (#3642)

## Changes
Fixed bundle deploy to not update permissions for unbound resources

## Why
The original issue occurred because we hadn't removed the permissions
section for the corresponding resources from the TF state. and
therefore, permissions were continued to be managed by TF and, as a
result, cleared out.

## Tests
Added an acceptance test

<!-- If your PR needs to be included in the release notes for next
release,
add a separate entry in NEXT_CHANGELOG.md as part of your PR. -->

Author: andrewnester

NEXT_CHANGELOG.md

@@ -10,6 +10,7 @@
 
 ### Bundles
 * Add new Lakeflow Pipelines support for bundle generate ([#3568](https://github.com/databricks/cli/pull/3568))
+* Fix bundle deploy to not update permissions or grants for unbound resources ([#3642](https://github.com/databricks/cli/pull/3642))
 * Introduce new bundle variable: `${workspace.current_user.domain_friendly_name}` ([#3623](https://github.com/databricks/cli/pull/3623))
 
 ### API Changes

acceptance/bundle/deploy/experimental-python/output.txt

@@ -8,6 +8,7 @@ Deployment complete!
 >>> [CLI] jobs list --output json
 [
   {
+    "creator_user_name": "[USERNAME]",
     "job_id": [NUMID],
     "settings": {
       "deployment": {

acceptance/bundle/deploy/python-notebook/output.txt

@@ -8,6 +8,7 @@ Deployment complete!
 >>> [CLI] jobs list --output json
 [
   {
+    "creator_user_name": "[USERNAME]",
     "job_id": [NUMID],
     "settings": {
       "deployment": {

acceptance/bundle/deployment/unbind/grants/databricks.yml.tmpl

@@ -0,0 +1,19 @@
+bundle:
+  name: unbind_grants-$UNIQUE_NAME
+
+workspace:
+  root_path: ~/.bundle/$UNIQUE_NAME
+
+variables:
+  suffix:
+    default: ""
+    description: "Suffix for the schema name"
+
+resources:
+  schemas:
+    schema_1:
+      name: "test-schema-$UNIQUE_NAME${var.suffix}"
+      catalog_name: "main"
+      grants:
+        - principal: "account users"
+          privileges: ["CREATE_VOLUME", "SELECT"]

acceptance/bundle/deployment/unbind/grants/out.test.toml

@@ -0,0 +1,49 @@
+
+>>> [CLI] bundle deploy
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/[UNIQUE_NAME]/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> [CLI] grants get schema main.test-schema-[UNIQUE_NAME] --output json
+{
+  "principal": "account users",
+  "privileges": [
+    "CREATE_VOLUME",
+    "SELECT"
+  ]
+}
+
+>>> [CLI] bundle deployment unbind schema_1
+Updating deployment state...
+
+>>> [CLI] bundle deploy --var suffix=another
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/[UNIQUE_NAME]/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+=== Grants should be the same as before unbind
+>>> [CLI] grants get schema main.test-schema-[UNIQUE_NAME] --output json
+{
+  "principal": "account users",
+  "privileges": [
+    "CREATE_VOLUME",
+    "SELECT"
+  ]
+}
+
+>>> [CLI] bundle destroy --auto-approve
+The following resources will be deleted:
+  delete schema schema_1
+
+This action will result in the deletion of the following UC schemas. Any underlying data may be lost:
+  delete schema schema_1
+
+All files and directories at the following location will be deleted: /Workspace/Users/[USERNAME]/.bundle/[UNIQUE_NAME]
+
+Deleting files...
+Destroy complete!
+
+>>> [CLI] schemas delete main.test-schema-[UNIQUE_NAME]
+0

acceptance/bundle/deployment/unbind/grants/output.txt

@@ -0,0 +1,20 @@
+envsubst < databricks.yml.tmpl > databricks.yml
+
+cleanup() {
+    trace $CLI bundle destroy --auto-approve
+    if [[ -n "$schema_id" ]]; then
+        trace $CLI schemas delete $schema_id
+    fi
+    echo $?
+}
+trap cleanup EXIT
+
+trace $CLI bundle deploy
+schema_id=$($CLI bundle summary --output json | jq -r '.resources.schemas.schema_1.id')
+trace $CLI grants get schema $schema_id --output json | jq '.privilege_assignments[] | select(.principal == "account users")'
+
+trace $CLI bundle deployment unbind schema_1
+trace $CLI bundle deploy --var "suffix=another"
+
+title "Grants should be the same as before unbind"
+trace $CLI grants get schema $schema_id --output json | jq '.privilege_assignments[] | select(.principal == "account users")'

acceptance/bundle/deployment/unbind/grants/script

@@ -0,0 +1,8 @@
+RequiresUnityCatalog = true
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform"]
+
+Ignore = [
+    ".databricks",
+]

acceptance/bundle/deployment/unbind/grants/test.toml

@@ -18,6 +18,7 @@ Deployment complete!
 
 >>> [CLI] jobs get [NUMID] --output json
 {
+  "creator_user_name":"[USERNAME]",
   "job_id":[NUMID],
   "settings": {
     "deployment": {

acceptance/bundle/deployment/unbind/job/output.txt

@@ -0,0 +1,13 @@
+bundle:
+  name: unbind_permissions
+
+workspace:
+  root_path: "~/.bundle/$UNIQUE_NAME"
+
+resources:
+  jobs:
+    job_1:
+      name: "Job name"
+      permissions:
+        - group_name: users
+          level: CAN_MANAGE