Added databricks_workspace_conf resource (#398)

* Added databricks_workspace_conf resource
* add changelog
* Enable testing with new state

        InstanceState: map[string]string{
			"custom_config.enableSomething": "true",
		},
		HCL: `custom_config {
			enableIpAccessLists = "true"
		}`,

* added unit tests for workspace conf

Co-authored-by: Serge Smertin <[email protected]>

Author: nfx

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## 0.2.8
 
+* Added [databricks_workspace_conf](https://github.com/databrickslabs/terraform-provider-databricks/pull/398) resource
 * Added [databricks_mws_log_delivery](https://github.com/databrickslabs/terraform-provider-databricks/pull/343) resource for billable usage & audit logs consumption.
 * Added [databricks_node_type](https://github.com/databrickslabs/terraform-provider-databricks/pull/376) data source for simpler selection of node types across AWS & Azure.
 * Added [Azure Key Vault support](https://github.com/databrickslabs/terraform-provider-databricks/pull/381) for databricks_secret_scope for Azure CLI authenticated users.

README.md

@@ -22,6 +22,7 @@ End-to-end workspace creation on [AWS](scripts/awsmt-integration) or [Azure](scr
 | [databricks_group_member](docs/resources/group_member.md)
 | [databricks_instance_pool](docs/resources/instance_pool.md)
 | [databricks_instance_profile](docs/resources/instance_profile.md)
+| [databricks_ip_access_list](docs/resources/ip_access_list.md)
 | [databricks_job](docs/resources/job.md)
 | [databricks_mws_credentials](docs/resources/mws_credentials.md)
 | [databricks_mws_customer_managed_keys](docs/resources/mws_customer_managed_keys.md)
@@ -40,6 +41,7 @@ End-to-end workspace creation on [AWS](scripts/awsmt-integration) or [Azure](scr
 | [databricks_token](docs/resources/token.md)
 | [databricks_user](docs/resources/user.md)
 | [databricks_user_instance_profile](docs/resources/user_instance_profile.md)
+| [databricks_workspace_conf](docs/resources/workspace_conf.md)
 | [Contributing and Development Guidelines](CONTRIBUTING.md)
 | [Changelog](CHANGELOG.md)
 

docs/resources/ip_access_list.md

@@ -0,0 +1,43 @@
+# databricks_ip_access_list Resource
+
+Security-conscious enterprises that use cloud SaaS applications need to restrict access to their own employees. Authentication helps to prove user identity, but that does not enforce network location of the users. Accessing a cloud service from an unsecured network can pose security risks to an enterprise, especially when the user may have authorized access to sensitive or personal data. Enterprise network perimeters apply security policies and limit access to external services (for example, firewalls, proxies, DLP, and logging), so access beyond these controls are assumed to be untrusted. Please see [IP Access List](https://docs.databricks.com/security/network/ip-access-list.html) for full feature documentation.
+
+-> **Note** The total number of IP addresses and CIDR scopes provided across all ACL Lists in a workspace can not exceed 1000.  Refer to the docs above for specifics.
+
+## Example Usage
+
+```hcl
+resource "databricks_workspace_conf" "this" {
+  custom_config = {
+    "enableIpAccessLists": true
+  }
+}
+
+resource "databricks_ip_access_list" "allowed-list" {
+  label = "allow_in"
+  list_type = "ALLOW"
+  ip_addresses = [
+    "1.2.3.0/24",
+    "1.2.5.0/24"
+  ]
+  depends_on = [databricks_workspace_conf.this]
+}
+```
+## Argument Reference
+
+The following arguments are supported:
+
+* `list_type` -  Can only be "ALLOW" or "BLOCK"
+* `ip_addresses` -  This is a field to allow the group to have instance pool create priviliges.
+* `label` - (Optional) This is the display name for the given IP ACL List.
+* `enabled` - (Optional) Boolean `true` or `false` indicating whether this list should be active.  Defaults to `true`
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `list_id` - Canonical unique identifier for the IP Access List.
+
+## Import
+
+Importing this resource is not currently supported.

docs/resources/ip_accessl_list.md

@@ -0,0 +1,29 @@
+# databricks_workspace_conf Resource
+
+-> **Note** This resource has evolving API, which may change in future versions of provider. 
+
+Manages workspace configuration for expert usage. Currently, more than one instance of resource can exist in Terraform state, though there's no deterministic behavior, when they manage same property. We strongly recommend to use single `databricks_workspace_conf` per workspace.
+
+## Example Usage
+
+Allows specification of custom configuration properties for expert usage:
+
+ * `enableIpAccessLists` - enables the use of [databricks_ip_access_list](ip_accessl_list.md) resources
+
+```hcl
+resource "databricks_workspace_conf" "this" {
+    custom_config = {
+        "enableIpAccessLists": true
+    }
+}
+```
+
+## Argument Reference
+
+The following arguments are available:
+
+* `custom_config` - (Required) Key-value map of strings, that represent workspace configuration. Upon resource deletion, properties that start with `enable` or `enforce` will be reset to `false` value, regardless of initial default one.
+
+## Import
+
+This resource cannot support import.

docs/resources/workspace_conf.md

@@ -63,9 +63,10 @@ type HTTPFixture struct {
 
 // ResourceFixture helps testing resources and commands
 type ResourceFixture struct {
-	Fixtures []HTTPFixture
-	Resource *schema.Resource
-	State    map[string]interface{}
+	Fixtures      []HTTPFixture
+	Resource      *schema.Resource
+	InstanceState map[string]string
+	State         map[string]interface{}
 	// HCL might be useful to test nested blocks
 	HCL         string
 	CommandMock common.CommandMock
@@ -167,7 +168,20 @@ func (f ResourceFixture) Apply(t *testing.T) (*schema.ResourceData, error) {
 				strings.ReplaceAll(diagsToString(diags), "\"", ""))
 		}
 	}
-	resourceData := schema.TestResourceDataRaw(t, f.Resource.Schema, f.State)
+	c := terraform.NewResourceConfigRaw(f.State)
+	sm := schema.InternalMap(f.Resource.Schema)
+	is := &terraform.InstanceState{
+		Attributes: f.InstanceState,
+	}
+	diff, err := sm.Diff(context.Background(), is, c, nil, nil, true)
+	if err != nil {
+		return nil, err
+	}
+	resourceData, err := sm.Data(is, diff)
+	if err != nil {
+		return nil, err
+	}
+	//resourceData := schema.TestResourceDataRaw(t, f.Resource.Schema, f.State)
 	err = f.Resource.InternalValidate(f.Resource.Schema, !f.NonWritable)
 	if err != nil {
 		return nil, err

internal/qa/testing.go

@@ -10,29 +10,29 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestWorkspaceConfFullLifecycle(t *testing.T) {
+func TestAccWorkspaceConfFullLifecycle(t *testing.T) {
 	acceptance.AccTest(t, resource.TestCase{
-
 		Steps: []resource.TestStep{
 			{
 				Config: `
-				resource "databricks_workspace_conf" "features" {
-					enable_ip_access_lists = "true"
-				}
-				`,
+				resource "databricks_workspace_conf" "this" {
+					custom_config = {
+						"enableIpAccessLists": true
+					}
+				}`,
 				Check: resource.ComposeTestCheckFunc(
-					acceptance.ResourceCheck("databricks_workspace_conf.features",
+					acceptance.ResourceCheck("databricks_workspace_conf.this",
 						func(client *common.DatabricksClient, id string) error {
-							workspaceConf, err := workspace.NewWorkspaceConfAPI(client).Read("enableIpAccessLists")
-							if err != nil {
-								return err
+							conf := map[string]interface{}{
+								"enableIpAccessLists": nil,
 							}
-							assert.Len(t, workspaceConf, 1)
-							assert.Equal(t, workspaceConf["enableIpAccessLists"], "true")
+							err := workspace.NewWorkspaceConfAPI(client).Read(&conf)
+							assert.NoError(t, err)
+							assert.Len(t, conf, 1)
+							assert.Equal(t, conf["enableIpAccessLists"], "true")
 							return nil
 						}),
 				),
-				ExpectNonEmptyPlan: true,
 			},
 		},
 	})