Fix ADMIN assignment in databricks_permission_assignment resource (#5109)

## Changes
<!-- Summary of your changes that are easy to understand -->

It was found that assignment by name works only for the `USER` role, so
the direct assignment as `ADMIN` fails. This PR fixes this issue by
doing assignment as `USER` first, and then changing it to `ADMIN`.

Resolves #5106


## Tests
<!--
How is this tested? Please see the checklist below and also describe any
other relevant tests
-->

- [x] `make test` run locally
- [ ] relevant change in `docs/` folder
- [ ] covered with integration tests in `internal/acceptance`
- [ ] using Go SDK
- [ ] using TF Plugin Framework
- [x] has entry in `NEXT_CHANGELOG.md` file

Author: alexott

NEXT_CHANGELOG.md

@@ -9,6 +9,7 @@
 ### Bug Fixes
 
 * Fix crash when error happens during reading `databricks_job` ([#5110](https://github.com/databricks/terraform-provider-databricks/pull/5110))
+* Fix `ADMIN` assignment in `databricks_permission_assignment` resource ([#5109](https://github.com/databricks/terraform-provider-databricks/pull/5109))
 
 ### Documentation
 

access/resource_permission_assignment.go

@@ -4,7 +4,9 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"log"
 	"net/http"
+	"slices"
 	"strconv"
 
 	"github.com/databricks/databricks-sdk-go/apierr"
@@ -148,11 +150,28 @@ func ResourcePermissionAssignment() common.Resource {
 			var assignment permissionAssignmentEntity
 			common.DataToStructPointer(d, s, &assignment)
 			api := NewPermissionAssignmentAPI(ctx, c)
+			// We need this because assignment by name doesn't work for admins, so we need to
+			// first assign them as users.  And then reassign them as admins.
+			shouldReassignAdmin := false
+			if assignment.PrincipalId == 0 && slices.Contains(assignment.Permissions, "ADMIN") {
+				shouldReassignAdmin = true
+				assignment.Permissions = []string{"USER"}
+			}
 			principal, err := api.CreateOrUpdate(assignment)
 			if err != nil {
 				return err
 			}
 			d.SetId(strconv.FormatInt(principal.PrincipalID, 10))
+			if shouldReassignAdmin {
+				common.DataToStructPointer(d, s, &assignment)
+				assignment.PrincipalId = principal.PrincipalID
+				_, err := api.CreateOrUpdate(assignment)
+				if err != nil {
+					log.Printf("[WARN] error reassigning admin permissions: %v", err)
+					api.Remove(d.Id())
+				}
+				return err
+			}
 			return nil
 		},
 		Read: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {

access/resource_permission_assignment_test.go

@@ -101,6 +101,128 @@ func TestPermissionAssignmentCreateWithUserName(t *testing.T) {
 	}.ApplyNoError(t)
 }
 
+func TestPermissionAssignmentCreateWithUserNameAndAdminPermissions(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/preview/permissionassignments",
+				ExpectedRequest: permissionAssignmentRequest{
+					PermissionAssignments: []permissionAssignmentRequestItem{
+						{
+							principalInfo: principalInfo{
+								UserName: "[email protected]",
+							},
+							Permissions: []string{"USER"},
+						},
+					},
+				},
+				Response: permissionAssignmentResponse{
+					PermissionAssignments: []permissionAssignmentResponseItem{
+						{
+							Permissions: []string{"USER"},
+							Principal: principalInfo{
+								PrincipalID: 123,
+								UserName:    "[email protected]",
+							},
+						},
+					},
+				},
+			},
+			{
+				Method:   "PUT",
+				Resource: "/api/2.0/preview/permissionassignments/principals/123",
+				ExpectedRequest: Permissions{
+					Permissions: []string{"ADMIN"},
+				},
+				Response: permissionAssignmentResponseItem{
+					Permissions: []string{"ADMIN"},
+					Principal: principalInfo{
+						PrincipalID: 123,
+						UserName:    "[email protected]",
+					},
+				},
+			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/preview/permissionassignments",
+				Response: permissionAssignmentResponse{
+					PermissionAssignments: []permissionAssignmentResponseItem{
+						{
+							Permissions: []string{"ADMIN"},
+							Principal: principalInfo{
+								PrincipalID: 123,
+								UserName:    "[email protected]",
+							},
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourcePermissionAssignment(),
+		Create:   true,
+		New:      true,
+		HCL: `
+		user_name   = "[email protected]"
+		permissions = ["ADMIN"]
+		`,
+	}.ApplyNoError(t)
+}
+
+func TestPermissionAssignmentCreateWithUserNameAndAdminPermissionsError(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/preview/permissionassignments",
+				ExpectedRequest: permissionAssignmentRequest{
+					PermissionAssignments: []permissionAssignmentRequestItem{
+						{
+							principalInfo: principalInfo{
+								UserName: "[email protected]",
+							},
+							Permissions: []string{"USER"},
+						},
+					},
+				},
+				Response: permissionAssignmentResponse{
+					PermissionAssignments: []permissionAssignmentResponseItem{
+						{
+							Permissions: []string{"USER"},
+							Principal: principalInfo{
+								PrincipalID: 123,
+								UserName:    "[email protected]",
+							},
+						},
+					},
+				},
+			},
+			{
+				Method:   "PUT",
+				Resource: "/api/2.0/preview/permissionassignments/principals/123",
+				ExpectedRequest: Permissions{
+					Permissions: []string{"ADMIN"},
+				},
+				Status: 500,
+				Response: permissionAssignmentResponseItem{
+					Error: "Internal error",
+				},
+			},
+			{
+				Method:   "DELETE",
+				Resource: "/api/2.0/preview/permissionassignments/principals/123",
+			},
+		},
+		Resource: ResourcePermissionAssignment(),
+		Create:   true,
+		New:      true,
+		HCL: `
+		user_name   = "[email protected]"
+		permissions = ["ADMIN"]
+		`,
+	}.ExpectError(t, "Internal error")
+}
+
 func TestPermissionAssignmentCreateWithServicePrincipalName(t *testing.T) {
 	qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{