bbd0a4b
[WIP] direct: secret scopes
shreyas-goenka Nov 5, 2025
bf86538
wip fix for the permissions issue. still needs some more work
shreyas-goenka Nov 5, 2025
df29329
test stableized
shreyas-goenka Nov 5, 2025
b16328a
merge
shreyas-goenka Nov 5, 2025
0da6f68
Merge remote-tracking branch 'origin' into direct-secret-scope
shreyas-goenka Nov 7, 2025
a4ac665
update tests
shreyas-goenka Nov 7, 2025
b1e7a45
update tests
shreyas-goenka Nov 7, 2025
ba52db8
update-scope
shreyas-goenka Nov 10, 2025
559ca0a
merge
shreyas-goenka Nov 10, 2025
df9c9f5
better acl implementation
shreyas-goenka Nov 10, 2025
37e7e22
best tests
shreyas-goenka Nov 10, 2025
7ad9d05
-
shreyas-goenka Nov 10, 2025
0b8aca6
undo key sort';
shreyas-goenka Nov 10, 2025
cdec26a
-
shreyas-goenka Nov 10, 2025
50af43a
more robust check
shreyas-goenka Nov 10, 2025
1cc1283
cleanup todos
shreyas-goenka Nov 10, 2025
ae2be0f
cleanup
shreyas-goenka Nov 10, 2025
bf90ffd
lint
shreyas-goenka Nov 10, 2025
d8565d3
update ref schema
shreyas-goenka Nov 10, 2025
9797954
make test all work
shreyas-goenka Nov 10, 2025
07c9b0d
fix TestFieldTriggers
shreyas-goenka Nov 10, 2025
def2450
merge
shreyas-goenka Nov 18, 2025
700dd4a
Only add current user manage permissions if missing
shreyas-goenka Nov 20, 2025
46a1ea6
Merge remote-tracking branch 'origin' into direct-secret-scope
shreyas-goenka Nov 20, 2025
b23e59e
fix build
shreyas-goenka Nov 20, 2025
9a98a75
add todo
shreyas-goenka Nov 20, 2025
e6342b3
update resources
shreyas-goenka Nov 20, 2025
fc53266
add collapse for scope permissions
shreyas-goenka Nov 21, 2025
b43a123
add test for permissions collaspe
shreyas-goenka Nov 21, 2025
ed28144
fix tests
shreyas-goenka Nov 21, 2025
6a8d847
fix test
shreyas-goenka Nov 21, 2025
83eb2e9
merge
shreyas-goenka Nov 21, 2025
855f24a
-
shreyas-goenka Nov 21, 2025
b930e94
update permissions
shreyas-goenka Nov 21, 2025
52e1b49
update test
shreyas-goenka Nov 24, 2025
1522887
Merge remote-tracking branch 'origin' into direct-secret-scope
shreyas-goenka Nov 24, 2025
d21d1af
fix basic tesT
shreyas-goenka Nov 24, 2025
eb71e4c
merge test
shreyas-goenka Nov 24, 2025
26f29e6
fix tests
shreyas-goenka Nov 24, 2025
229a17d
disabw the basic test
shreyas-goenka Nov 24, 2025
bfbc695
fix out.test.toml
shreyas-goenka Nov 24, 2025
9c3e809
fix direct test
shreyas-goenka Nov 25, 2025
364d6da
Merge remote-tracking branch 'origin' into direct-secret-scope
shreyas-goenka Nov 25, 2025
18bd490
update after main
shreyas-goenka Nov 25, 2025
50bd6cc
do not print json plan to prevent out of order issues
shreyas-goenka Nov 25, 2025
ebdb11c
Merge remote-tracking branch 'origin' into direct-secret-scope
shreyas-goenka Nov 25, 2025
b7c5d35
disable tests on gcp
shreyas-goenka Nov 25, 2025
e083ed5
Merge remote-tracking branch 'origin' into direct-secret-scope
shreyas-goenka Nov 27, 2025
2e33133
fix unit test
shreyas-goenka Nov 27, 2025
f29fb8e
fix tests
shreyas-goenka Nov 27, 2025
c307c2a
fix permissions test
shreyas-goenka Nov 27, 2025
aa8e185
merge
shreyas-goenka Nov 27, 2025
af7277b
remove unused arg
shreyas-goenka Dec 3, 2025
4d2fbd3
Merge remote-tracking branch 'origin' into direct-secret-scope
shreyas-goenka Dec 3, 2025
17bd12c
do not return scopeName in setAcls
shreyas-goenka Dec 3, 2025
39e0c66
merge
shreyas-goenka Dec 4, 2025
d7a207b
run tests locally as well
shreyas-goenka Dec 4, 2025
db9236b
verify and fix persistent drift
shreyas-goenka Dec 9, 2025
836eb82
update basic test
shreyas-goenka Dec 10, 2025
83a5689
Merge remote-tracking branch 'origin' into direct-secret-scope
shreyas-goenka Dec 10, 2025
a789294
run cloud tests again
shreyas-goenka Dec 10, 2025
7e1c917
stop parallelism
shreyas-goenka Dec 10, 2025
27 changes: 27 additions & 0 deletions acceptance/bundle/refschema/out.fields.txt
Expand Up @@ -3480,6 +3480,33 @@ resources.schemas.*.grants.grants[*].principal string ALL
resources.schemas.*.grants.grants[*].privileges []catalog.Privilege ALL
resources.schemas.*.grants.grants[*].privileges[*] catalog.Privilege ALL
resources.schemas.*.grants.securable_type string ALL
resources.secret_scopes.*.backend_azure_keyvault *workspace.AzureKeyVaultSecretScopeMetadata STATE
resources.secret_scopes.*.backend_azure_keyvault.dns_name string STATE
resources.secret_scopes.*.backend_azure_keyvault.resource_id string STATE
resources.secret_scopes.*.backend_type workspace.ScopeBackendType INPUT REMOTE
resources.secret_scopes.*.id string INPUT
resources.secret_scopes.*.initial_manage_principal string STATE
resources.secret_scopes.*.keyvault_metadata *workspace.AzureKeyVaultSecretScopeMetadata INPUT REMOTE
resources.secret_scopes.*.keyvault_metadata.dns_name string INPUT REMOTE
resources.secret_scopes.*.keyvault_metadata.resource_id string INPUT REMOTE
resources.secret_scopes.*.lifecycle resources.Lifecycle INPUT
resources.secret_scopes.*.lifecycle.prevent_destroy bool INPUT
resources.secret_scopes.*.modified_status string INPUT
resources.secret_scopes.*.name string INPUT REMOTE
resources.secret_scopes.*.permissions []resources.SecretScopePermission INPUT
resources.secret_scopes.*.permissions[*] resources.SecretScopePermission INPUT
resources.secret_scopes.*.permissions[*].group_name string INPUT
resources.secret_scopes.*.permissions[*].level resources.SecretScopePermissionLevel INPUT
resources.secret_scopes.*.permissions[*].service_principal_name string INPUT
resources.secret_scopes.*.permissions[*].user_name string INPUT
resources.secret_scopes.*.scope string STATE
resources.secret_scopes.*.scope_backend_type workspace.ScopeBackendType STATE
resources.secret_scopes.*.url string INPUT
resources.secret_scopes.*.permissions.acls []workspace.AclItem ALL
resources.secret_scopes.*.permissions.acls[*] workspace.AclItem ALL
resources.secret_scopes.*.permissions.acls[*].permission workspace.AclPermission ALL
resources.secret_scopes.*.permissions.acls[*].principal string ALL
resources.secret_scopes.*.permissions.scope_name string ALL
This aliases the other permissions block.

I can see this being a potential issue, especially because one of them is a slice and the other an object.

@denik

I don't follow, what's the issue? The interface is still the same as other resources:

resources:
  secret_scopes:
    my_scope:
      name: $SECRET_SCOPE_NAME
      backend_type: "DATABRICKS"
      permissions:
        - service_principal_name: $TEST_SP_APPLICATION_ID
          level: WRITE

This bit comes from the [dresources.SecretScopeAclsState] struct, which is an internal state used to map the permissions schema to the ACLs schema needed by secret scopes.

resources.sql_warehouses.*.auto_stop_mins int ALL
resources.sql_warehouses.*.channel *sql.Channel ALL
resources.sql_warehouses.*.channel.dbsql_version string ALL


Expand Up @@ -5,12 +5,16 @@ Deploying resources...
Updating deployment state...
Deployment complete!

>>> jq -s .[] | select(.path=="/api/2.0/secrets/scopes/create") | .body out.requests.txt
>>> print_requests.py //secrets
{
"backend_azure_keyvault": {
"dns_name": "my_azure_keyvault_dns_name",
"resource_id": "my_azure_keyvault_id"
},
"scope": "test-secrets-azure-backend",
"scope_backend_type": "AZURE_KEYVAULT"
"method": "POST",
"path": "/api/2.0/secrets/scopes/create",
"body": {
"backend_azure_keyvault": {
"dns_name": "my_azure_keyvault_dns_name",
"resource_id": "my_azure_keyvault_id"
},
"scope": "test-secrets-azure-backend",
"scope_backend_type": "AZURE_KEYVAULT"
}
}
@@ -1,3 +1,2 @@
trace $CLI bundle deploy
trace jq -s '.[] | select(.path=="/api/2.0/secrets/scopes/create") | .body' out.requests.txt
rm out.requests.txt
trace print_requests.py //secrets
@@ -1,13 +1,11 @@
bundle:
name: deploy-secret-scope-test-$UNIQUE_NAME
name: secret-scope-basic-$UNIQUE_NAME

resources:
secret_scopes:
secret_scope1:
my_scope:
name: $SECRET_SCOPE_NAME
backend_type: "DATABRICKS"
permissions:
- user_name: admins
- user_name: [email protected]
level: WRITE
- user_name: users
level: READ
@@ -0,0 +1,40 @@
{
"plan": {
"resources.secret_scopes.my_scope": {
"action": "create",
"new_state": {
"value": {
"scope": "test-scope-[UNIQUE_NAME]-1",
"scope_backend_type": "DATABRICKS"
}
}
},
"resources.secret_scopes.my_scope.permissions": {
"depends_on": [
{
"node": "resources.secret_scopes.my_scope",
"label": "${resources.secret_scopes.my_scope.name}"
}
],
"action": "create",
"new_state": {
"value": {
"scope_name": "",
"acls": [
{
"permission": "MANAGE",
"principal": "[USERNAME]"
},
{
"permission": "WRITE",
"principal": "[email protected]"
}
]
},
"vars": {
"scope_name": "${resources.secret_scopes.my_scope.name}"
}
}
}
}
}
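Review bot: The planned `acls` list carries a `"permission": "MANAGE"` entry for `[USERNAME]` that the bundle's `permissions` block in this PR never declares (databricks.yml only grants WRITE to one user), so the deploying identity's MANAGE grant is injected implicitly. That matches the commit titled "Only add current user manage permissions if missing" and is what lets the deployer keep administering the scope, but neither the fixture nor the refschema entries explain it, so a reader of the plan cannot tell whether this ACL was configured or implied. It would help to state in the secret_scopes resource documentation that the deploying principal always receives MANAGE on the scope and that this is the entry shown in the plan, e.g. `The principal running the deploy is always granted MANAGE on the scope; declare it explicitly in permissions to make the grant visible in configuration.`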
@@ -0,0 +1,7 @@
{
"plan": {
"resources.secret_scopes.my_scope": {
"action": "create"
}
}
}
@@ -0,0 +1,71 @@
{
"plan": {
"resources.secret_scopes.my_scope": {
"action": "recreate",
"new_state": {
"value": {
"scope": "test-scope-[UNIQUE_NAME]-2",
"scope_backend_type": "DATABRICKS"
}
},
"changes": {
"local": {
"scope": {
"action": "recreate",
"old": "test-scope-[UNIQUE_NAME]-1",
"new": "test-scope-[UNIQUE_NAME]-2"
}
}
}
},
"resources.secret_scopes.my_scope.permissions": {
"depends_on": [
{
"node": "resources.secret_scopes.my_scope",
"label": "${resources.secret_scopes.my_scope.name}"
}
],
"action": "update_id",
"new_state": {
"value": {
"scope_name": "",
"acls": [
{
"permission": "MANAGE",
"principal": "[USERNAME]"
},
{
"permission": "WRITE",
"principal": "[email protected]"
}
]
},
"vars": {
"scope_name": "${resources.secret_scopes.my_scope.name}"
}
},
"remote_state": {
"scope_name": "test-scope-[UNIQUE_NAME]-1",
"acls": [
{
"permission": "WRITE",
"principal": "[email protected]"
},
{
"permission": "MANAGE",
"principal": "[USERNAME]"
}
]
},
"changes": {
"local": {
"scope_name": {
"action": "update_id",
"old": "test-scope-[UNIQUE_NAME]-1",
"new": ""
}
}
}
}
}
}
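Review bot: The `changes.local.scope_name` entry prints `"new": ""` even though `new_state.vars` shows the real value is the reference `${resources.secret_scopes.my_scope.name}`; because the `changes` block has no `vars` counterpart, the plan reads as if the ACLs were being re-keyed onto an empty scope name. The create plan in the earlier fixture shows the same empty `"scope_name": ""` in `new_state.value`. If this rendering is intentional, presumably the change entry should carry the unresolved reference (or the `label` from `depends_on`) instead of the empty placeholder, so that someone approving a deploy from the plan can see which scope the ACLs will land on. Since this file is expected output, that adjustment would live in the plan rendering rather than in the fixture itself.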
@@ -0,0 +1,7 @@
{
"plan": {
"resources.secret_scopes.my_scope": {
"action": "recreate"
}
}
}
@@ -0,0 +1,33 @@
{
"plan": {
"resources.secret_scopes.my_scope": {
"action": "skip",
"remote_state": {
"backend_type": "DATABRICKS",
"name": "test-scope-[UNIQUE_NAME]-2"
}
},
"resources.secret_scopes.my_scope.permissions": {
"depends_on": [
{
"node": "resources.secret_scopes.my_scope",
"label": "${resources.secret_scopes.my_scope.name}"
}
],
"action": "skip",
"remote_state": {
"scope_name": "test-scope-[UNIQUE_NAME]-2",
"acls": [
{
"permission": "WRITE",
"principal": "[email protected]"
},
{
"permission": "MANAGE",
"principal": "[USERNAME]"
}
]
}
}
}
}
@@ -0,0 +1,7 @@
{
"plan": {
"resources.secret_scopes.my_scope": {
"action": "skip"
}
}
}
@@ -0,0 +1,24 @@
{
"method": "POST",
"path": "/api/2.0/secrets/scopes/delete",
"body": {
"scope": "test-scope-[UNIQUE_NAME]-1"
}
}
{
"method": "POST",
"path": "/api/2.0/secrets/scopes/create",
"body": {
"scope": "test-scope-[UNIQUE_NAME]-2",
"scope_backend_type": "DATABRICKS"
}
}
{
"method": "POST",
"path": "/api/2.0/secrets/acls/put",
"body": {
"permission": "WRITE",
"principal": "[email protected]",
"scope": "test-scope-[UNIQUE_NAME]-2"
}
}
@@ -0,0 +1,32 @@
{
"method": "POST",
"path": "/api/2.0/secrets/acls/delete",
"body": {
"principal": "[email protected]",
"scope": "test-scope-[UNIQUE_NAME]-1"
}
}
{
"method": "POST",
"path": "/api/2.0/secrets/scopes/delete",
"body": {
"scope": "test-scope-[UNIQUE_NAME]-1"
}
}
{
"method": "POST",
"path": "/api/2.0/secrets/scopes/create",
"body": {
"scope": "test-scope-[UNIQUE_NAME]-2",
"scope_backend_type": "DATABRICKS"
}
}
{
"method": "POST",
"path": "/api/2.0/secrets/acls/put",
"body": {
"permission": "WRITE",
"principal": "[email protected]",
"scope": "test-scope-[UNIQUE_NAME]-2"
}
}
