[Feature] Add AWS support for databricks_mws_ncc_private_endpoint_rule (#4804)

## Changes

- Add documentation and tests for
`databricks_mws_ncc_private_endpoint_rule` on AWS.

Resolve #4685

## Tests
<!-- 
How is this tested? Please see the checklist below and also describe any
other relevant tests
-->

- [x] `make test` run locally
- [x] relevant change in `docs/` folder
- [x] covered with integration tests in `internal/acceptance`
- [x] using Go SDK

---------

Co-authored-by: Alex Ott <[email protected]>

Author: nkvuong

NEXT_CHANGELOG.md

@@ -5,16 +5,18 @@
 ### Breaking Changes
 
 ### New Features and Improvements
+
+
+* Add AWS support for `databricks_mws_ncc_private_endpoint_rule` ([#4804](https://github.com/databricks/terraform-provider-databricks/pull/4804)).
 * Added `key` argument to `databricks_jobs` data source to enable mapping by job ID and allow duplicate job names ([#4796](https://github.com/databricks/terraform-provider-databricks/pull/4796)).
 
 ### Bug Fixes
 
 ### Documentation
- * Added link to Workload Identity Federation page ([#4786](https://github.com/databricks/terraform-provider-databricks/pull/4786)).
 
+* Added link to Workload Identity Federation page ([#4786](https://github.com/databricks/terraform-provider-databricks/pull/4786)).
 * auto `zone_id` can only be used for fleet node types in `databricks_instance_pool` resource ([#4782](https://github.com/databricks/terraform-provider-databricks/pull/4782)).
 * Document `tags` attribute in `databricks_pipeline` resource ([#4783](https://github.com/databricks/terraform-provider-databricks/pull/4783)).
-
 * Recommend OAuth instead of PAT in guides ([#4787](https://github.com/databricks/terraform-provider-databricks/pull/4787))
 * Document new options in `databricks_model_serving` resource ([#4789](https://github.com/databricks/terraform-provider-databricks/pull/4789))
 

docs/resources/mws_ncc_private_endpoint_rule.md

@@ -7,10 +7,12 @@ Allows you to create a private endpoint in a [Network Connectivity Config](mws_n
 
 -> This resource can only be used with an account-level provider!
 
--> This feature is only available in Azure.
+-> This feature is available on Azure, and in Public Preview on AWS.
 
 ## Example Usage
 
+Create a private endpoint to an Azure storage account
+
 ```hcl
 variable "region" {}
 variable "prefix" {}
@@ -29,13 +31,42 @@ resource "databricks_mws_ncc_private_endpoint_rule" "storage" {
 }
 ```
 
+Create a private endpoint rule to an AWS VPC endpoint and to an S3 bucket
+
+```hcl
+variable "region" {}
+variable "prefix" {}
+
+resource "databricks_mws_network_connectivity_config" "ncc" {
+  provider = databricks.account
+  name     = "ncc-for-${var.prefix}"
+  region   = var.region
+}
+
+resource "databricks_mws_ncc_private_endpoint_rule" "storage" {
+  provider                       = databricks.account
+  network_connectivity_config_id = databricks_mws_network_connectivity_config.ncc.network_connectivity_config_id
+  resource_names                 = ["bucket"]
+}
+
+resource "databricks_mws_ncc_private_endpoint_rule" "vpce" {
+  provider                       = databricks.account  
+  network_connectivity_config_id = databricks_mws_network_connectivity_config.ncc.network_connectivity_config_id
+  endpoint_service               = "com.amazonaws.vpce.us-west-2.vpce-svc-xyz"
+  domain_names                   = ["subdomain.internal.net"]
+}
+```
+
 ## Argument Reference
 
 The following arguments are available:
 
 * `network_connectivity_config_id` - Canonical unique identifier of Network Connectivity Config in Databricks Account. Change forces creation of a new resource.
-* `resource_id` - The Azure resource ID of the target resource. Change forces creation of a new resource.
-* `group_id` - The sub-resource type (group ID) of the target resource. Must be one of supported resource types (i.e., `blob`, `dfs`, `sqlServer` , etc. Consult the [Azure documentation](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource) for full list of supported resources). Note that to connect to workspace root storage (root DBFS), you need two endpoints, one for `blob` and one for `dfs`. Change forces creation of a new resource.
+* `resource_id` - (Azure only) The Azure resource ID of the target resource. Change forces creation of a new resource.
+* `group_id` - (Azure only) The sub-resource type (group ID) of the target resource. Must be one of supported resource types (i.e., `blob`, `dfs`, `sqlServer` , etc. Consult the [Azure documentation](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource) for full list of supported resources). Note that to connect to workspace root storage (root DBFS), you need two endpoints, one for `blob` and one for `dfs`. Change forces creation of a new resource.
+* `domain_names` - (AWS only) Only used by private endpoints towards a VPC endpoint service behind a customer-managed VPC endpoint service. List of target AWS resource FQDNs accessible via the VPC endpoint service. Conflicts with `resource_names`.
+* `endpoint_service` - (AWS only) Example `com.amazonaws.vpce.us-east-1.vpce-svc-123abcc1298abc123`. The full target AWS endpoint service name that connects to the destination resources of the private endpoint.
+* `resource_names` - (AWS only) Only used by private endpoints towards AWS S3 service. List of globally unique S3 bucket names that will be accessed via the VPC endpoint. The bucket names must be in the same region as the NCC/endpoint service. Conflict with `domain_names`.
 
 ## Attribute Reference
 
@@ -53,6 +84,8 @@ The possible values are:
 * `deactivated_at` - Time in epoch milliseconds when this object was deactivated.
 * `creation_time` - Time in epoch milliseconds when this object was created.
 * `updated_time` - Time in epoch milliseconds when this object was updated.
+* `enabled` - Activation status. Only used by private endpoints towards an AWS S3 service.
+* `vpc_endpoint_id` - The AWS VPC endpoint ID. You can use this ID to identify the VPC endpoint created by Databricks.
 
 ## Import
 

mws/mws_network_connectivity_config_test.go

@@ -44,6 +44,11 @@ func TestMwsAccNetworkConnectivityConfig(t *testing.T) {
 				name = "tf-{var.RANDOM}"
 				region = "{env.AWS_REGION}"
 			}
+
+			resource "databricks_mws_ncc_private_endpoint_rule" "this" {
+				network_connectivity_config_id = databricks_mws_network_connectivity_config.this.network_connectivity_config_id
+				resource_names = ["{env.TEST_LOGDELIVERY_BUCKET}"]
+			}
 			`,
 		}, acceptance.Step{
 			Template: `
@@ -52,6 +57,11 @@ func TestMwsAccNetworkConnectivityConfig(t *testing.T) {
 				name = "tf-{var.RANDOM}"
 				region = "{env.AWS_REGION}"
 			}
+				
+			resource "databricks_mws_ncc_private_endpoint_rule" "this" {
+				network_connectivity_config_id = databricks_mws_network_connectivity_config.this.network_connectivity_config_id
+				resource_names = ["{env.TEST_LOGDELIVERY_BUCKET}"]
+			}				
 			`,
 		})
 	}

mws/resource_mws_ncc_private_endpoint_rule.go

@@ -11,12 +11,26 @@ import (
 
 func ResourceMwsNccPrivateEndpointRule() common.Resource {
 	s := common.StructToSchema(settings.NccPrivateEndpointRule{}, func(m map[string]*schema.Schema) map[string]*schema.Schema {
-		for _, p := range []string{"network_connectivity_config_id", "group_id", "resource_id"} {
-			common.CustomizeSchemaPath(m, p).SetRequired().SetForceNew()
+		for _, p := range []string{"endpoint_service", "group_id", "resource_id"} {
+			common.CustomizeSchemaPath(m, p).SetForceNew()
 		}
-		for _, p := range []string{"rule_id", "endpoint_name", "connection_state", "creation_time", "updated_time"} {
+		for _, p := range []string{"rule_id", "endpoint_name", "connection_state", "creation_time", "updated_time", "vpc_endpoint_id"} {
 			common.CustomizeSchemaPath(m, p).SetComputed()
 		}
+
+		common.CustomizeSchemaPath(m, "network_connectivity_config_id").SetRequired().SetForceNew()
+		common.CustomizeSchemaPath(m, "enabled").SetOptional().SetComputed()
+
+		supportedFields := []string{"group_id", "resource_names", "domain_names"}
+		for _, key := range supportedFields {
+			conflicts := make([]string, 0, len(supportedFields)-1)
+			for _, otherKey := range supportedFields {
+				if key != otherKey {
+					conflicts = append(conflicts, otherKey)
+				}
+			}
+			common.CustomizeSchemaPath(m, key).SetConflictsWith(conflicts)
+		}
 		return m
 	})
 	p := common.NewPairSeparatedID("network_connectivity_config_id", "rule_id", "/")