[Fix] Fix Inconsistent Plan Errors in Permissions Resource (#5091)

rauchy · alexott · web-flow · commit 0451da37f3c2 · 2025-10-22T07:20:59.000Z
## Changes
&lt;!-- Summary of your changes that are easy to understand --&gt;
This PR attempts to fix an issue where Terraform was intermittently
throwing "inconsistent final plan" errors when managing permissions,
where `access_control` elements appeared to be removed and re-added even
though their actual values were identical.

The hypothesis is that Terraform's `TypeSet` was treating `{group_name:
"X", permission_level: "Y"}` and `{group_name: "X", permission_level:
"Y", user_name: "", service_principal_name: ""}` as different elements
because the default hash function considers the presence of keys with
empty string values as distinct from absent keys, even though these are
semantically equivalent

The fix adds a custom hash function that normalizes elements by only
hashing non-empty string fields, so both representations produce the
same hash and are correctly recognized as identical.

## Tests
&lt;!--
How is this tested? Please see the checklist below and also describe any
other relevant tests
--&gt;
Existing test coverage + testing of the new hash function.

- [x] `make test` run locally
- [ ] relevant change in `docs/` folder
- [ ] covered with integration tests in `internal/acceptance`
- [ ] using Go SDK
- [ ] using TF Plugin Framework
- [ ] has entry in `NEXT_CHANGELOG.md` file

---------

Co-authored-by: Omer Lachish &lt;rauchy@users.noreply.github.com&gt;
Co-authored-by: Alex Ott &lt;alexey.ott@databricks.com&gt;
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -10,6 +10,8 @@
 
 ### Bug Fixes
 
+* Fix Inconsistent Plan Errors in Permissions Resource ([#5091](https://github.com/databricks/terraform-provider-databricks/pull/5091))
+
 ### Documentation
 
 ### Exporter
diff --git a/permissions/resource_permissions.go b/permissions/resource_permissions.go
@@ -181,6 +181,32 @@ func ResourcePermissions() common.Resource {
 			}
 		}
 		s["access_control"].MinItems = 1
+
+		// Use a custom hash function that only considers non-empty fields.
+		// This prevents spurious diffs when comparing {group_name: "X", permission_level: "Y"}
+		// with {group_name: "X", permission_level: "Y", service_principal_name: "", user_name: ""}
+		acSchema := s["access_control"].Elem.(*schema.Resource).Schema
+		s["access_control"].Set = func(v interface{}) int {
+			m, ok := v.(map[string]interface{})
+			if !ok {
+				return 0
+			}
+			// Build a normalized map with only non-empty string fields for hashing
+			normalized := make(map[string]interface{})
+			for key, val := range m {
+				if _, exists := acSchema[key]; !exists {
+					continue // Skip fields not in schema
+				}
+				if strVal, ok := val.(string); ok {
+					if strVal != "" {
+						normalized[key] = strVal
+					}
+				}
+			}
+			// Use HashResource with a schema that only includes the fields we care about
+			hashSchema := &schema.Resource{Schema: acSchema}
+			return schema.HashResource(hashSchema)(normalized)
+		}
 		return s
 	})
 	return common.Resource{
diff --git a/permissions/resource_permissions_test.go b/permissions/resource_permissions_test.go
@@ -1868,3 +1868,53 @@ func TestResourcePermissionsRootDirectory(t *testing.T) {
 	assert.Equal(t, TestingUser, firstElem["user_name"])
 	assert.Equal(t, "CAN_READ", firstElem["permission_level"])
 }
+
+// TestAccessControlHashFunction verifies that the custom hash function treats
+// access_control elements with and without empty fields as equal.
+// This prevents "inconsistent final plan" errors reported in ES-1587799.
+func TestAccessControlHashFunction(t *testing.T) {
+	resource := ResourcePermissions()
+	s := resource.ToResource().Schema
+	acSchema := s["access_control"]
+
+	require.NotNil(t, acSchema.Set, "access_control should have a custom Set function")
+
+	// Test case 1: Elements with only populated fields should hash the same
+	// as elements with explicit empty fields
+	elem1 := map[string]interface{}{
+		"group_name":       "RSDB_Databricks_TSR_Residential_RW",
+		"permission_level": "CAN_USE",
+	}
+	elem2 := map[string]interface{}{
+		"group_name":             "RSDB_Databricks_TSR_Residential_RW",
+		"permission_level":       "CAN_USE",
+		"service_principal_name": "",
+		"user_name":              "",
+	}
+	hash1 := acSchema.Set(elem1)
+	hash2 := acSchema.Set(elem2)
+	assert.Equal(t, hash1, hash2, "Elements with and without empty fields should have the same hash")
+
+	// Test case 2: Different elements should have different hashes
+	elem3 := map[string]interface{}{
+		"user_name":        "different_user",
+		"permission_level": "CAN_USE",
+	}
+	hash3 := acSchema.Set(elem3)
+	assert.NotEqual(t, hash1, hash3, "Different elements should have different hashes")
+
+	// Test case 3: Service principal with and without empty fields
+	elem4 := map[string]interface{}{
+		"service_principal_name": "6d1fc824-191d-4a99-9fac-f62a27822946",
+		"permission_level":       "CAN_USE",
+	}
+	elem5 := map[string]interface{}{
+		"service_principal_name": "6d1fc824-191d-4a99-9fac-f62a27822946",
+		"permission_level":       "CAN_USE",
+		"group_name":             "",
+		"user_name":              "",
+	}
+	hash4 := acSchema.Set(elem4)
+	hash5 := acSchema.Set(elem5)
+	assert.Equal(t, hash4, hash5, "Service principal elements with and without empty fields should have the same hash")
+}
