[Fix] Fix metastore ID interpolation for account-level storage credential imports (#4980)

## Changes

When importing account-level storage credentials, the metastore ID was
not being interpolated correctly, causing API calls to fail with
malformed URLs containing double slashes
(`/api/2.0/accounts/.../metastores//storage-credentials/...`). This
occurred because during import, the Terraform state is empty and
`d.Get("metastore_id")` returned an empty string.

Added a `parseStorageCredentialId()` function that handles composite IDs
in the format `metastore_id|storage_credential_name` for account-level
imports, extracting the metastore ID and setting it in the state before
making API calls. This maintains backward compatibility with
workspace-level imports using simple credential names and includes
comprehensive unit tests and updated documentation.

## Tests

- [x] `make test` run locally
- [x] relevant change in `docs/` folder
- [ ] covered with integration tests in `internal/acceptance`
- [x] using Go SDK
- [ ] using TF Plugin Framework  
- [x] has entry in `NEXT_CHANGELOG.md` file

Fixes: ES-1561726

---------

Co-authored-by: Claude <[email protected]>
Co-authored-by: Omer Lachish <[email protected]>
Co-authored-by: Alex Ott <[email protected]>
Co-authored-by: Omer Lachish <[email protected]>
Co-authored-by: vuong-nguyen <[email protected]>
Co-authored-by: Alex Ott <[email protected]>

Author: 5 people

NEXT_CHANGELOG.md

@@ -14,6 +14,7 @@
 * Correct which file event fields should be reset in `databricks_external_location` ([#4945](https://github.com/databricks/terraform-provider-databricks/pull/4945))
 * Fix `ExactlyOneOf` in `databricks_app` ([#4946](https://github.com/databricks/terraform-provider-databricks/pull/4946))
 * Enable update of `databricks_mws_ncc_private_endpoint_rule` resource ([#4957](https://github.com/databricks/terraform-provider-databricks/pull/4957))
+* Fix metastore ID interpolation for account-level storage credential imports ([#4980](https://github.com/databricks/terraform-provider-databricks/pull/4980)). Storage credentials can now be imported using two formats: `<storage_credential_name>` when using a workspace-level provider, and `<metastore_id>|<storage_credential_name>` when using an account-level provider. Previously, importing storage credentials with an account-level provider would fail due to missing metastore ID in the API call.
 
 ### Documentation
 

catalog/resource_storage_credential.go

@@ -2,6 +2,8 @@ package catalog
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	"github.com/databricks/databricks-sdk-go"
 	"github.com/databricks/databricks-sdk-go/service/catalog"
@@ -37,6 +39,39 @@ var storageCredentialSchema = common.StructToSchema(StorageCredentialInfo{},
 		return adjustDataAccessSchema(m)
 	})
 
+// parseStorageCredentialId parses the resource ID to extract metastore_id and storage_credential_name
+// for composite IDs in the format "metastore_id|storage_credential_name" (account-level)
+// or just returns the ID as is for workspace-level resources
+func parseStorageCredentialId(d *schema.ResourceData) (metastoreId, storageCredentialName string, err error) {
+	id := d.Id()
+	parts := strings.Split(id, "|")
+
+	if len(parts) == 2 {
+		// Account-level format: metastore_id|storage_credential_name
+		metastoreId = parts[0]
+		storageCredentialName = parts[1]
+
+		// Set the metastore_id in the state if not already set
+		if d.Get("metastore_id").(string) == "" {
+			if err := d.Set("metastore_id", metastoreId); err != nil {
+				return "", "", fmt.Errorf("failed to set metastore_id: %w", err)
+			}
+		}
+
+		// Update the resource ID to just the storage credential name
+		d.SetId(storageCredentialName)
+		return metastoreId, storageCredentialName, nil
+	} else if len(parts) == 1 {
+		// Workspace-level format: just the storage credential name
+		// Get metastore_id from the existing state
+		metastoreId = d.Get("metastore_id").(string)
+		storageCredentialName = id
+		return metastoreId, storageCredentialName, nil
+	} else {
+		return "", "", fmt.Errorf("invalid storage credential ID format: expected 'name' or 'metastore_id|name', got '%s'", id)
+	}
+}
+
 func ResourceStorageCredential() common.Resource {
 	return common.Resource{
 		Schema: storageCredentialSchema,
@@ -104,10 +139,16 @@ func ResourceStorageCredential() common.Resource {
 			})
 		},
 		Read: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+			// Parse the ID to handle both composite and simple formats
+			metastoreId, storageCredentialName, err := parseStorageCredentialId(d)
+			if err != nil {
+				return err
+			}
+
 			return c.AccountOrWorkspaceRequest(func(acc *databricks.AccountClient) error {
 				storageCredential, err := acc.StorageCredentials.Get(ctx, catalog.GetAccountStorageCredentialRequest{
-					MetastoreId:           d.Get("metastore_id").(string),
-					StorageCredentialName: d.Id(),
+					MetastoreId:           metastoreId,
+					StorageCredentialName: storageCredentialName,
 				})
 				if err != nil {
 					return err
@@ -132,7 +173,7 @@ func ResourceStorageCredential() common.Resource {
 				d.Set("storage_credential_id", storageCredential.CredentialInfo.Id)
 				return nil
 			}, func(w *databricks.WorkspaceClient) error {
-				storageCredential, err := w.StorageCredentials.GetByName(ctx, d.Id())
+				storageCredential, err := w.StorageCredentials.GetByName(ctx, storageCredentialName)
 				if err != nil {
 					return err
 				}
@@ -158,10 +199,16 @@ func ResourceStorageCredential() common.Resource {
 			})
 		},
 		Update: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+			// Parse the ID to handle both composite and simple formats
+			metastoreId, storageCredentialName, err := parseStorageCredentialId(d)
+			if err != nil {
+				return err
+			}
+
 			var update catalog.UpdateStorageCredential
 			force := d.Get("force_update").(bool)
 			common.DataToStructPointer(d, storageCredentialSchema, &update)
-			update.Name = d.Id()
+			update.Name = storageCredentialName
 			update.Force = force
 			if _, ok := d.GetOk("azure_managed_identity"); ok {
 				update.AzureManagedIdentity.CredentialId = ""
@@ -173,8 +220,8 @@ func ResourceStorageCredential() common.Resource {
 							Name:  update.Name,
 							Owner: update.Owner,
 						},
-						MetastoreId:           d.Get("metastore_id").(string),
-						StorageCredentialName: d.Id(),
+						MetastoreId:           metastoreId,
+						StorageCredentialName: storageCredentialName,
 					})
 					if err != nil {
 						return err
@@ -194,8 +241,8 @@ func ResourceStorageCredential() common.Resource {
 				update.Owner = ""
 				_, err := acc.StorageCredentials.Update(ctx, catalog.AccountsUpdateStorageCredential{
 					CredentialInfo:        &update,
-					MetastoreId:           d.Get("metastore_id").(string),
-					StorageCredentialName: d.Id(),
+					MetastoreId:           metastoreId,
+					StorageCredentialName: storageCredentialName,
 				})
 				if err != nil {
 					if d.HasChange("owner") {
@@ -206,8 +253,8 @@ func ResourceStorageCredential() common.Resource {
 								Name:  update.Name,
 								Owner: old.(string),
 							},
-							MetastoreId:           d.Get("metastore_id").(string),
-							StorageCredentialName: d.Id(),
+							MetastoreId:           metastoreId,
+							StorageCredentialName: storageCredentialName,
 						})
 						if rollbackErr != nil {
 							return common.OwnerRollbackError(err, rollbackErr, old.(string), new.(string))
@@ -217,7 +264,7 @@ func ResourceStorageCredential() common.Resource {
 				}
 				return nil
 			}, func(w *databricks.WorkspaceClient) error {
-				err := validateMetastoreId(ctx, w, d.Get("metastore_id").(string))
+				err := validateMetastoreId(ctx, w, metastoreId)
 				if err != nil {
 					return err
 				}
@@ -262,21 +309,27 @@ func ResourceStorageCredential() common.Resource {
 			})
 		},
 		Delete: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+			// Parse the ID to handle both composite and simple formats
+			metastoreId, storageCredentialName, err := parseStorageCredentialId(d)
+			if err != nil {
+				return err
+			}
+
 			force := d.Get("force_destroy").(bool)
 			return c.AccountOrWorkspaceRequest(func(acc *databricks.AccountClient) error {
 				return acc.StorageCredentials.Delete(ctx, catalog.DeleteAccountStorageCredentialRequest{
 					Force:                 force,
-					StorageCredentialName: d.Id(),
-					MetastoreId:           d.Get("metastore_id").(string),
+					StorageCredentialName: storageCredentialName,
+					MetastoreId:           metastoreId,
 				})
 			}, func(w *databricks.WorkspaceClient) error {
-				err := validateMetastoreId(ctx, w, d.Get("metastore_id").(string))
+				err := validateMetastoreId(ctx, w, metastoreId)
 				if err != nil {
 					return err
 				}
 				return w.StorageCredentials.Delete(ctx, catalog.DeleteStorageCredentialRequest{
 					Force: force,
-					Name:  d.Id(),
+					Name:  storageCredentialName,
 				})
 			})
 		},

catalog/resource_storage_credential_test.go

@@ -905,3 +905,64 @@ func TestUpdateAzStorageCredentialSpn(t *testing.T) {
 		"azure_service_principal.0.client_secret":  "CHANGED",
 	})
 }
+
+func TestStorageCredentialImportAccountLevel(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/accounts/account_id/metastores/metastore_id/storage-credentials/storage_credential_name?",
+				Response: &catalog.AccountsStorageCredentialInfo{
+					CredentialInfo: &catalog.StorageCredentialInfo{
+						Name: "storage_credential_name",
+						AwsIamRole: &catalog.AwsIamRoleResponse{
+							RoleArn: "arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF",
+						},
+						Id:          "1234-5678",
+						MetastoreId: "metastore_id",
+					},
+				},
+			},
+		},
+		Resource:  ResourceStorageCredential(),
+		AccountID: "account_id",
+		Read:      true,
+		ID:        "metastore_id|storage_credential_name",
+	}.ApplyAndExpectData(t, map[string]any{
+		"metastore_id":          "metastore_id",
+		"storage_credential_id": "1234-5678",
+	})
+}
+
+func TestStorageCredentialImportWorkspaceLevel(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.1/unity-catalog/storage-credentials/storage_credential_name?",
+				Response: catalog.StorageCredentialInfo{
+					Name: "storage_credential_name",
+					AwsIamRole: &catalog.AwsIamRoleResponse{
+						RoleArn: "arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF",
+					},
+					Id:          "1234-5678",
+					MetastoreId: "metastore_id",
+				},
+			},
+		},
+		Resource: ResourceStorageCredential(),
+		Read:     true,
+		ID:       "storage_credential_name",
+	}.ApplyAndExpectData(t, map[string]any{
+		"metastore_id":          "metastore_id",
+		"storage_credential_id": "1234-5678",
+	})
+}
+
+func TestStorageCredentialImportInvalidFormat(t *testing.T) {
+	qa.ResourceFixture{
+		Resource: ResourceStorageCredential(),
+		Read:     true,
+		ID:       "invalid|format|with|too|many|parts",
+	}.ExpectError(t, "invalid storage credential ID format: expected 'name' or 'metastore_id|name', got 'invalid|format|with|too|many|parts'")
+}

docs/resources/storage_credential.md

@@ -119,17 +119,30 @@ In addition to all arguments above, the following attributes are exported:
 
 ## Import
 
-This resource can be imported by name:
+When using a workspace-level provider to manage storage credentials, this resource can be imported by name:
 
 ```hcl
 import {
   to = databricks_storage_credential.this
-  id = "<name>"
+  id = "<storage_credential_name>"
+}
+```
+
+When using an account-level provider to manage storage credentials, use the format `<metastore_id>|<storage_credential_name>`:
+
+```hcl
+import {
+  to = databricks_storage_credential.this
+  id = "<metastore_id>|<storage_credential_name>"
 }
 ```
 
 Alternatively, when using `terraform` version 1.4 or earlier, import using the `terraform import` command:
 
 ```bash
-terraform import databricks_storage_credential.this <name>
+# When using a workspace-level provider
+terraform import databricks_storage_credential.this <storage_credential_name>
+
+# When using an account-level provider
+terraform import databricks_storage_credential.this <metastore_id>|<storage_credential_name>
 ```