direct: pipelines: Ignore run_as change from the backend

acceptance/bundle/migrate/runas/databricks.yml.tmpl

@@ -0,0 +1,40 @@
+bundle:
+  name: dabs_revenue-$UNIQUE_NAME
+
+permissions:
+  - level: CAN_VIEW
+    group_name: users
+
+resources:
+  pipelines:
+    foo:
+      name: DABs Revenue Pipeline
+
+      libraries:
+        - notebook:
+            path: sql.sql
+
+      serverless: true
+
+targets:
+  development:
+    default: true
+    mode: development
+
+    resources:
+      pipelines:
+        # Make the pipeline write to the current user's schema in logfood.
+        foo:
+          catalog: users
+          target: ${workspace.current_user.short_name}
+
+  production:
+    run_as:
+      service_principal_name: $TEST_SP_APPLICATION_ID
+
+    resources:
+      pipelines:
+        # Make the pipeline write to the team's schema in logfood.
+        foo:
+          catalog: main
+          target: team_eng_deco

acceptance/bundle/migrate/runas/output.txt

@@ -0,0 +1,56 @@
+
+>>> DATABRICKS_BUNDLE_ENGINE=terraform [CLI] bundle plan -t production
+Recommendation: permissions section should explicitly include the current deployment identity '[USERNAME]' or one of its groups
+If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.
+
+Consider using a adding a top-level permissions section such as the following:
+
+  permissions:
+    - user_name: [USERNAME]
+      level: CAN_MANAGE
+
+See https://docs.databricks.com/dev-tools/bundles/permissions.html to learn more about permission configuration.
+  in databricks.yml:5:3
+
+create pipelines.foo
+create pipelines.foo.permissions
+
+Plan: 2 to add, 0 to change, 0 to delete, 0 unchanged
+
+>>> DATABRICKS_BUNDLE_ENGINE=terraform [CLI] bundle deploy -t production
+Recommendation: permissions section should explicitly include the current deployment identity '[USERNAME]' or one of its groups
+If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.
+
+Consider using a adding a top-level permissions section such as the following:
+
+  permissions:
+    - user_name: [USERNAME]
+      level: CAN_MANAGE
+
+See https://docs.databricks.com/dev-tools/bundles/permissions.html to learn more about permission configuration.
+  in databricks.yml:5:3
+
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/dabs_revenue-[UNIQUE_NAME]/production/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> print_requests.py //pipelines
+File [TEST_TMP_DIR]/out.requests.txt not found
+
+>>> [CLI] bundle destroy --auto-approve
+Recommendation: permissions section should explicitly include the current deployment identity '[USERNAME]' or one of its groups
+If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.
+
+Consider using a adding a top-level permissions section such as the following:
+
+  permissions:
+    - user_name: [USERNAME]
+      level: CAN_MANAGE
+
+See https://docs.databricks.com/dev-tools/bundles/permissions.html to learn more about permission configuration.
+  in databricks.yml:5:3
+
+No active deployment found to destroy!
+
+Exit code: 1

acceptance/bundle/migrate/runas/script

@@ -0,0 +1,27 @@
+if [ -z "${TEST_SP_APPLICATION_ID+x}" ]; then
+    export TEST_SP_APPLICATION_ID="123b0db3-ba48-4e12-be3b-3b7898cdf000"
+fi
+
+envsubst < databricks.yml.tmpl > databricks.yml
+trace DATABRICKS_BUNDLE_ENGINE=terraform $CLI bundle plan -t production
+
+cleanup() {
+    trace $CLI bundle destroy --auto-approve
+}
+
+
+trap cleanup EXIT
+
+trace DATABRICKS_BUNDLE_ENGINE=terraform $CLI bundle deploy -t production
+trace print_requests.py //pipelines > out.create_requests.json
+trace print_state.py -t production > out.old_state.json
+
+pipeline_id=$($CLI bundle summary -t production --output json | jq -r '.resources.pipelines.foo.id')
+trace $CLI pipelines get $pipeline_id > out.pipelines_get.json
+
+trace DATABRICKS_BUNDLE_ENGINE=terraform $CLI bundle plan -t production
+trace DATABRICKS_BUNDLE_ENGINE= $CLI bundle deployment migrate -t production
+trace print_state.py -t production > out.new_state.json
+trace DATABRICKS_BUNDLE_ENGINE= $CLI bundle plan -t production
+trace DATABRICKS_BUNDLE_ENGINE= $CLI bundle plan -t production -o json > out.plan.json
+#trace DATABRICKS_BUNDLE_ENGINE= $CLI bundle deployment deploy -t production

acceptance/bundle/migrate/runas/sql.sql

@@ -0,0 +1 @@
+-- Databricks notebook source

acceptance/bundle/migrate/runas/test.toml

@@ -0,0 +1,3 @@
+Cloud = false
+RecordRequests = false
+Ignore = [".databricks"]

bundle/direct/dresources/pipeline.go

@@ -120,13 +120,23 @@ func (r *ResourcePipeline) DoDelete(ctx context.Context, id string) error {
 	return r.client.Pipelines.DeleteByPipelineId(ctx, id)
 }
 
-func (*ResourcePipeline) FieldTriggers(_ bool) map[string]deployplan.ActionType {
-	return map[string]deployplan.ActionType{
+func (*ResourcePipeline) FieldTriggers(isLocal bool) map[string]deployplan.ActionType {
+	result := map[string]deployplan.ActionType{
 		"storage":                              deployplan.ActionTypeRecreate,
 		"catalog":                              deployplan.ActionTypeRecreate,
 		"ingestion_definition.connection_name": deployplan.ActionTypeRecreate,
 		"ingestion_definition.ingestion_gateway_id": deployplan.ActionTypeRecreate,
 	}
+
+	if !isLocal {
+		// We've seen that run_as is not consistently set by the backend
+		// TF also ignores it (by not copying it here:
+		// https://github.com/databricks/terraform-provider-databricks/blob/15e951f976e3857d9f01651c4b2513657f137796/pipelines/resource_pipeline.go#L304-L317
+		// TODO: Rather than skipping, consider ignoring the change if run_as is not present but still triggering an update if run_as is different.
+		result["run_as"] = deployplan.ActionTypeSkip
+	}
+
+	return result
 }
 
 // Note, terraform provider either