direct: Add support for secret scopes (#3886)

## Changes
Adds direct deployment support for secret scopes.

### Mock Server Fix
Fixed `libs/testserver/secret_scopes.go` to automatically grant MANAGE
permission to the creator when a scope is created, matching real
Databricks behavior.

## Tests
New local and cloud acceptance tests.

Author: shreyas-goenka

acceptance/bundle/refschema/out.fields.txt

@@ -3480,6 +3480,33 @@ resources.schemas.*.grants.grants[*].principal	string	ALL
 resources.schemas.*.grants.grants[*].privileges	[]catalog.Privilege	ALL
 resources.schemas.*.grants.grants[*].privileges[*]	catalog.Privilege	ALL
 resources.schemas.*.grants.securable_type	string	ALL
+resources.secret_scopes.*.backend_azure_keyvault	*workspace.AzureKeyVaultSecretScopeMetadata	STATE
+resources.secret_scopes.*.backend_azure_keyvault.dns_name	string	STATE
+resources.secret_scopes.*.backend_azure_keyvault.resource_id	string	STATE
+resources.secret_scopes.*.backend_type	workspace.ScopeBackendType	INPUT	REMOTE
+resources.secret_scopes.*.id	string	INPUT
+resources.secret_scopes.*.initial_manage_principal	string	STATE
+resources.secret_scopes.*.keyvault_metadata	*workspace.AzureKeyVaultSecretScopeMetadata	INPUT	REMOTE
+resources.secret_scopes.*.keyvault_metadata.dns_name	string	INPUT	REMOTE
+resources.secret_scopes.*.keyvault_metadata.resource_id	string	INPUT	REMOTE
+resources.secret_scopes.*.lifecycle	resources.Lifecycle	INPUT
+resources.secret_scopes.*.lifecycle.prevent_destroy	bool	INPUT
+resources.secret_scopes.*.modified_status	string	INPUT
+resources.secret_scopes.*.name	string	INPUT	REMOTE
+resources.secret_scopes.*.permissions	[]resources.SecretScopePermission	INPUT
+resources.secret_scopes.*.permissions[*]	resources.SecretScopePermission	INPUT
+resources.secret_scopes.*.permissions[*].group_name	string	INPUT
+resources.secret_scopes.*.permissions[*].level	resources.SecretScopePermissionLevel	INPUT
+resources.secret_scopes.*.permissions[*].service_principal_name	string	INPUT
+resources.secret_scopes.*.permissions[*].user_name	string	INPUT
+resources.secret_scopes.*.scope	string	STATE
+resources.secret_scopes.*.scope_backend_type	workspace.ScopeBackendType	STATE
+resources.secret_scopes.*.url	string	INPUT
+resources.secret_scopes.*.permissions.acls	[]workspace.AclItem	ALL
+resources.secret_scopes.*.permissions.acls[*]	workspace.AclItem	ALL
+resources.secret_scopes.*.permissions.acls[*].permission	workspace.AclPermission	ALL
+resources.secret_scopes.*.permissions.acls[*].principal	string	ALL
+resources.secret_scopes.*.permissions.scope_name	string	ALL
 resources.sql_warehouses.*.auto_stop_mins	int	ALL
 resources.sql_warehouses.*.channel	*sql.Channel	ALL
 resources.sql_warehouses.*.channel.dbsql_version	string	ALL

acceptance/bundle/resources/secret_scopes/backend-type/out.test.toml

@@ -5,12 +5,16 @@ Deploying resources...
 Updating deployment state...
 Deployment complete!
 
->>> jq -s .[] | select(.path=="/api/2.0/secrets/scopes/create") | .body out.requests.txt
+>>> print_requests.py //secrets
 {
-  "backend_azure_keyvault": {
-    "dns_name": "my_azure_keyvault_dns_name",
-    "resource_id": "my_azure_keyvault_id"
-  },
-  "scope": "test-secrets-azure-backend",
-  "scope_backend_type": "AZURE_KEYVAULT"
+  "method": "POST",
+  "path": "/api/2.0/secrets/scopes/create",
+  "body": {
+    "backend_azure_keyvault": {
+      "dns_name": "my_azure_keyvault_dns_name",
+      "resource_id": "my_azure_keyvault_id"
+    },
+    "scope": "test-secrets-azure-backend",
+    "scope_backend_type": "AZURE_KEYVAULT"
+  }
 }

acceptance/bundle/resources/secret_scopes/backend-type/output.txt

@@ -1,3 +1,2 @@
 trace $CLI bundle deploy
-trace jq -s '.[] | select(.path=="/api/2.0/secrets/scopes/create") | .body' out.requests.txt
-rm out.requests.txt
+trace print_requests.py //secrets

acceptance/bundle/resources/secret_scopes/backend-type/script

@@ -1,13 +1,11 @@
 bundle:
-  name: deploy-secret-scope-test-$UNIQUE_NAME
+  name: secret-scope-basic-$UNIQUE_NAME
 
 resources:
   secret_scopes:
-    secret_scope1:
+    my_scope:
       name: $SECRET_SCOPE_NAME
       backend_type: "DATABRICKS"
       permissions:
-        - user_name: admins
+        - user_name: [email protected]
           level: WRITE
-        - user_name: users
-          level: READ

…ources/secret_scopes/databricks.yml.tmpl …/secret_scopes/basic/databricks.yml.tmplacceptance/bundle/resources/secret_scopes/databricks.yml.tmpl renamed to acceptance/bundle/resources/secret_scopes/basic/databricks.yml.tmpl acceptance/bundle/resources/secret_scopes/databricks.yml.tmpl renamed to acceptance/bundle/resources/secret_scopes/basic/databricks.yml.tmpl

@@ -0,0 +1,40 @@
+{
+  "plan": {
+    "resources.secret_scopes.my_scope": {
+      "action": "create",
+      "new_state": {
+        "value": {
+          "scope": "test-scope-[UNIQUE_NAME]-1",
+          "scope_backend_type": "DATABRICKS"
+        }
+      }
+    },
+    "resources.secret_scopes.my_scope.permissions": {
+      "depends_on": [
+        {
+          "node": "resources.secret_scopes.my_scope",
+          "label": "${resources.secret_scopes.my_scope.name}"
+        }
+      ],
+      "action": "create",
+      "new_state": {
+        "value": {
+          "scope_name": "",
+          "acls": [
+            {
+              "permission": "MANAGE",
+              "principal": "[USERNAME]"
+            },
+            {
+              "permission": "WRITE",
+              "principal": "[email protected]"
+            }
+          ]
+        },
+        "vars": {
+          "scope_name": "${resources.secret_scopes.my_scope.name}"
+        }
+      }
+    }
+  }
+}

acceptance/bundle/resources/secret_scopes/basic/out.plan1.direct.json

@@ -0,0 +1,7 @@
+{
+  "plan": {
+    "resources.secret_scopes.my_scope": {
+      "action": "create"
+    }
+  }
+}

acceptance/bundle/resources/secret_scopes/basic/out.plan1.terraform.json

@@ -0,0 +1,71 @@
+{
+  "plan": {
+    "resources.secret_scopes.my_scope": {
+      "action": "recreate",
+      "new_state": {
+        "value": {
+          "scope": "test-scope-[UNIQUE_NAME]-2",
+          "scope_backend_type": "DATABRICKS"
+        }
+      },
+      "changes": {
+        "local": {
+          "scope": {
+            "action": "recreate",
+            "old": "test-scope-[UNIQUE_NAME]-1",
+            "new": "test-scope-[UNIQUE_NAME]-2"
+          }
+        }
+      }
+    },
+    "resources.secret_scopes.my_scope.permissions": {
+      "depends_on": [
+        {
+          "node": "resources.secret_scopes.my_scope",
+          "label": "${resources.secret_scopes.my_scope.name}"
+        }
+      ],
+      "action": "update_id",
+      "new_state": {
+        "value": {
+          "scope_name": "",
+          "acls": [
+            {
+              "permission": "MANAGE",
+              "principal": "[USERNAME]"
+            },
+            {
+              "permission": "WRITE",
+              "principal": "[email protected]"
+            }
+          ]
+        },
+        "vars": {
+          "scope_name": "${resources.secret_scopes.my_scope.name}"
+        }
+      },
+      "remote_state": {
+        "scope_name": "test-scope-[UNIQUE_NAME]-1",
+        "acls": [
+          {
+            "permission": "WRITE",
+            "principal": "[email protected]"
+          },
+          {
+            "permission": "MANAGE",
+            "principal": "[USERNAME]"
+          }
+        ]
+      },
+      "changes": {
+        "local": {
+          "scope_name": {
+            "action": "update_id",
+            "old": "test-scope-[UNIQUE_NAME]-1",
+            "new": ""
+          }
+        }
+      }
+    }
+  }
+}

acceptance/bundle/resources/secret_scopes/basic/out.plan2.direct.json

@@ -0,0 +1,7 @@
+{
+  "plan": {
+    "resources.secret_scopes.my_scope": {
+      "action": "recreate"
+    }
+  }
+}

acceptance/bundle/resources/secret_scopes/basic/out.plan2.terraform.json

@@ -0,0 +1,33 @@
+{
+  "plan": {
+    "resources.secret_scopes.my_scope": {
+      "action": "skip",
+      "remote_state": {
+        "backend_type": "DATABRICKS",
+        "name": "test-scope-[UNIQUE_NAME]-2"
+      }
+    },
+    "resources.secret_scopes.my_scope.permissions": {
+      "depends_on": [
+        {
+          "node": "resources.secret_scopes.my_scope",
+          "label": "${resources.secret_scopes.my_scope.name}"
+        }
+      ],
+      "action": "skip",
+      "remote_state": {
+        "scope_name": "test-scope-[UNIQUE_NAME]-2",
+        "acls": [
+          {
+            "permission": "WRITE",
+            "principal": "[email protected]"
+          },
+          {
+            "permission": "MANAGE",
+            "principal": "[USERNAME]"
+          }
+        ]
+      }
+    }
+  }
+}