[Feature] Add databricks_disable_legacy_access_setting resource to disable legacy access methods (#4578)

## Changes
<!-- Summary of your changes that are easy to understand -->

Add the TF support for setting DisableLegacyAccess.

## Tests
<!-- 
How is this tested? Please see the checklist below and also describe any
other relevant tests
-->

- [x] `make test` run locally
- [x] relevant change in `docs/` folder
- [x] covered with integration tests in `internal/acceptance`
- [ ] using Go SDK
- [ ] using TF Plugin Framework

---------

Co-authored-by: Alex Ott <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Alex Ott <[email protected]>

Author: 3 people

NEXT_CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### New Features and Improvements
 
+ * Add `databricks_disable_legacy_access_setting` resource to disable legacy access methods ([#4578](https://github.com/databricks/terraform-provider-databricks/pull/4578)).
  * Customize and document `event_log` block in `databricks_pipeline` ([#4612](https://github.com/databricks/terraform-provider-databricks/pull/4612))
  * Add automatic clustering support for `databricks_sql_table` ([#4607](https://github.com/databricks/terraform-provider-databricks/pull/4607))
 

docs/resources/disable_default_legacy_access.md

@@ -0,0 +1,41 @@
+---
+subcategory: "Settings"
+---
+
+# databricks_disable_legacy_access_setting Resource
+
+-> This resource can only be used with a workspace-level provider!
+
+The `databricks_disable_legacy_access_setting` resource allows you to disable legacy access. It has the following impact:
+
+1. Disables direct access to Hive Metastores from the workspace. However, you can still access a Hive Metastore through Hive Metastore federation.
+2. Disables Fallback Mode on any External Location access from the workspace.
+3. Disables Databricks Runtime versions prior to 13.3LTS.
+
+It may take 5 minutes to take effect and requires a restart of clusters and SQL warehouses.
+Please also set the default namespace using [databricks_default_namespace_setting](default_namespace_setting.md) to any value other than `hive_metastore` to avoid potential issues.
+
+## Example Usage
+
+```hcl
+resource "databricks_disable_legacy_access_setting" "this" {
+  disable_legacy_access {
+    value = true
+  }
+}
+```
+
+## Argument Reference
+
+The resource supports the following arguments:
+
+* `disable_legacy_access` - (Required) The configuration details.
+* `value` - (Required) The boolean value for the setting.
+
+## Import
+
+This resource can be imported by predefined name `global`:
+
+```bash
+terraform import databricks_disable_legacy_access_setting.this global
+```

settings/all_settings.go

@@ -22,5 +22,6 @@ func AllSettingsResources() map[string]common.Resource {
 		"automatic_cluster_update_workspace":        makeSettingResource[settings.AutomaticClusterUpdateSetting, *databricks.WorkspaceClient](automaticClusterUpdateSetting),
 		"aibi_dashboard_embedding_access_policy":    makeSettingResource[settings.AibiDashboardEmbeddingAccessPolicySetting, *databricks.WorkspaceClient](aibiDashboardEmbeddingAccessPolicySetting),
 		"aibi_dashboard_embedding_approved_domains": makeSettingResource[settings.AibiDashboardEmbeddingApprovedDomainsSetting, *databricks.WorkspaceClient](aibiDashboardEmbeddingApprovedDomainsSetting),
+		"disable_legacy_access":                     makeSettingResource[settings.DisableLegacyAccess, *databricks.WorkspaceClient](disableLegacyAccess),
 	}
 }

settings/disable_legacy_access_setting_test.go

@@ -0,0 +1,78 @@
+package settings_test
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/databricks/databricks-sdk-go/apierr"
+	"github.com/databricks/databricks-sdk-go/service/settings"
+	"github.com/databricks/terraform-provider-databricks/common"
+	"github.com/databricks/terraform-provider-databricks/internal/acceptance"
+	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAccDisableLegacyAccessSetting(t *testing.T) {
+	template := `
+ 	resource "databricks_disable_legacy_access_setting" "this" {
+ 		disable_legacy_access {
+ 			value = "true"
+ 		}
+ 	}
+ 	`
+	acceptance.WorkspaceLevel(t, acceptance.Step{
+		Template: template,
+		Check: acceptance.ResourceCheckWithState("databricks_disable_legacy_access_setting.this",
+			func(ctx context.Context, client *common.DatabricksClient, state *terraform.InstanceState) error {
+				ctx = context.WithValue(ctx, common.Api, common.API_2_1)
+				w, err := client.WorkspaceClient()
+				require.NoError(t, err)
+				etag := state.Attributes["etag"]
+				require.NotEmpty(t, etag)
+				res, err := w.Settings.DisableLegacyAccess().Get(ctx, settings.GetDisableLegacyAccessRequest{
+					Etag: etag,
+				})
+				require.NoError(t, err)
+				// Check that the resource has been created and that it has the correct value.
+				assert.True(t, res.DisableLegacyAccess.Value)
+				return nil
+			}),
+	},
+		acceptance.Step{
+			Template: template,
+			Destroy:  true,
+			Check: acceptance.ResourceCheck("databricks_disable_legacy_access_setting.this", func(ctx context.Context, client *common.DatabricksClient, id string) error {
+				ctx = context.WithValue(ctx, common.Api, common.API_2_1)
+				w, err := client.WorkspaceClient()
+				require.NoError(t, err)
+				// Terraform Check returns the latest resource status before it is destroyed, which has an outdated eTag.
+				// We are making an update call to get the correct eTag in the response error.
+				_, err = w.Settings.DisableLegacyAccess().Update(ctx, settings.UpdateDisableLegacyAccessRequest{
+					AllowMissing: true,
+					Setting: settings.DisableLegacyAccess{
+						DisableLegacyAccess: settings.BooleanMessage{
+							Value: false,
+						},
+					},
+					FieldMask: "disable_legacy_access.value",
+				})
+				assert.Error(t, err)
+				var aerr *apierr.APIError
+				if !errors.As(err, &aerr) {
+					assert.FailNow(t, "cannot parse error message %v", err)
+				}
+				etag := aerr.Details[0].Metadata["etag"]
+				res, err := w.Settings.DisableLegacyAccess().Get(ctx, settings.GetDisableLegacyAccessRequest{
+					Etag: etag,
+				})
+				// we should not be getting any error
+				assert.NoError(t, err)
+				// setting should go back to default
+				assert.False(t, res.DisableLegacyAccess.Value)
+				return nil
+			}),
+		},
+	)
+}

settings/resource_disable_legacy_access_setting.go

@@ -0,0 +1,45 @@
+package settings
+
+import (
+	"context"
+
+	"github.com/databricks/databricks-sdk-go"
+	"github.com/databricks/databricks-sdk-go/service/settings"
+	"github.com/databricks/terraform-provider-databricks/common"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+// Disable Legacy Access setting
+var disableLegacyAccess = workspaceSetting[settings.DisableLegacyAccess]{
+	settingStruct: settings.DisableLegacyAccess{},
+	customizeSchemaFunc: func(s map[string]*schema.Schema) map[string]*schema.Schema {
+		common.CustomizeSchemaPath(s, "disable_legacy_access", "value").SetRequired()
+		return s
+	},
+	readFunc: func(ctx context.Context, w *databricks.WorkspaceClient, etag string) (*settings.DisableLegacyAccess, error) {
+		return w.Settings.DisableLegacyAccess().Get(ctx, settings.GetDisableLegacyAccessRequest{
+			Etag: etag,
+		})
+	},
+	updateFunc: func(ctx context.Context, w *databricks.WorkspaceClient, t settings.DisableLegacyAccess) (string, error) {
+		t.SettingName = "disable_legacy_access"
+		res, err := w.Settings.DisableLegacyAccess().Update(ctx, settings.UpdateDisableLegacyAccessRequest{
+			AllowMissing: true,
+			Setting:      t,
+			FieldMask:    "disable_legacy_access.value",
+		})
+		if err != nil {
+			return "", err
+		}
+		return res.Etag, nil
+	},
+	deleteFunc: func(ctx context.Context, w *databricks.WorkspaceClient, etag string) (string, error) {
+		res, err := w.Settings.DisableLegacyAccess().Delete(ctx, settings.DeleteDisableLegacyAccessRequest{
+			Etag: etag,
+		})
+		if err != nil {
+			return "", err
+		}
+		return res.Etag, err
+	},
+}