[Fix] Drift in databricks_cluster resource when using data_security_mode aliases (#4911)

840 · web-flow · commit 736679a49dec · 2025-08-11T06:32:59.000Z
## Changes Suppress diff for `data_security_mode` aliases in `databricks_cluster` resource Fixes #4909 ## Tests Tested in my environment and wrote unit tests: ```tf data "databricks_spark_version" "latest_lts" { long_term_support = true } resource "databricks_cluster" "dedicated" { cluster_name = "Dedicated cluster" spark_version = data.databricks_spark_version.latest_lts.id node_type_id = "i3.xlarge" kind = "CLASSIC_PREVIEW" data_security_mode = "DATA_SECURITY_MODE_DEDICATED" autotermination_minutes = 20 single_user_name = "abc@databricks.com" autoscale { min_workers = 1 max_workers = 2 } } resource "databricks_cluster" "standard" { cluster_name = "Standard cluster" spark_version = data.databricks_spark_version.latest_lts.id node_type_id = "i3.xlarge" kind = "CLASSIC_PREVIEW" data_security_mode = "DATA_SECURITY_MODE_STANDARD" autotermination_minutes = 20 single_user_name = "abc@databricks.com" autoscale { min_workers = 1 max_workers = 2 } } resource "databricks_cluster" "auto" { cluster_name = "Auto cluster" spark_version = data.databricks_spark_version.latest_lts.id node_type_id = "i3.xlarge" kind = "CLASSIC_PREVIEW" data_security_mode = "DATA_SECURITY_MODE_AUTO" autotermination_minutes = 20 single_user_name = "abc@databricks.com" autoscale { min_workers = 1 max_workers = 2 } } ``` ``` > terraform apply Apply complete! Resources: 3 added, 0 changed, 0 destroyed. > terraform plan databricks_cluster.standard: Refreshing state... [id=0806-170022-8nt4x91u] databricks_cluster.auto: Refreshing state... [id=0806-170022-bu1bijv6] databricks_cluster.dedicated: Refreshing state... [id=0806-170022-ylvekmoi] No changes. Your infrastructure matches the configuration. ``` - [x] `make test` run locally - [x] relevant change in `docs/` folder - [ ] covered with integration tests in `internal/acceptance` - [x] using Go SDK - [x] using TF Plugin Framework - [x] has entry in `NEXT_CHANGELOG.md` file
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -8,6 +8,8 @@
 
 ### Bug Fixes
 
+* Suppress `data_security_mode` aliases for `databricks_cluster` resource ([#4911](https://github.com/databricks/terraform-provider-databricks/pull/4911)).
+
 ### Documentation
 
 * Document `email_notifications` block in model serving resources ([#4910](https://github.com/databricks/terraform-provider-databricks/pull/4910))
diff --git a/clusters/resource_cluster.go b/clusters/resource_cluster.go
@@ -102,6 +102,18 @@ func SparkConfDiffSuppressFunc(k, old, new string, d *schema.ResourceData) bool
 	return false
 }
 
+// These are aliases which is the reason why we suppress these changes
+func DataSecurityModeDiffSuppressFunc(k, old, new string, d *schema.ResourceData) bool {
+	if (old != "" && new == "") ||
+		(old == "SINGLE_USER" && new == "DATA_SECURITY_MODE_DEDICATED") ||
+		(old == "USER_ISOLATION" && new == "DATA_SECURITY_MODE_STANDARD") ||
+		((old == "SINGLE_USER" || old == "USER_ISOLATION") && new == "DATA_SECURITY_MODE_AUTO") {
+		log.Printf("[DEBUG] Suppressing diff for k=%#v old=%#v new=%#v", k, old, new)
+		return true
+	}
+	return false
+}
+
 // This method is a duplicate of ModifyRequestOnInstancePool() in clusters/clusters_api.go that uses Go SDK.
 // Long term, ModifyRequestOnInstancePool() in clusters_api.go will be removed once all the resources using clusters are migrated to Go SDK.
 func ModifyRequestOnInstancePool(cluster any) error {
@@ -336,7 +348,7 @@ func (ClusterSpec) CustomizeSchema(s *common.CustomizableSchema) *common.Customi
 		Optional: true,
 		ForceNew: true,
 	})
-	s.SchemaPath("data_security_mode").SetSuppressDiff()
+	s.SchemaPath("data_security_mode").SetCustomSuppressDiff(DataSecurityModeDiffSuppressFunc)
 	s.SchemaPath("docker_image", "url").SetRequired()
 	s.SchemaPath("docker_image", "basic_auth", "password").SetRequired().SetSensitive()
 	s.SchemaPath("docker_image", "basic_auth", "username").SetRequired()
diff --git a/clusters/resource_cluster_test.go b/clusters/resource_cluster_test.go
@@ -2,6 +2,9 @@ package clusters
 
 import (
 	"fmt"
+	"github.com/databricks/databricks-sdk-go/experimental/mocks"
+	"github.com/databricks/databricks-sdk-go/listing"
+	"github.com/stretchr/testify/mock"
 	"strings"
 	"testing"
 
@@ -1908,3 +1911,174 @@ func TestResourceClusterUpdate_LocalSsdCount(t *testing.T) {
 
 	assert.NoError(t, err)
 }
+
+func TestResourceClusterAliasDedicatedNoDrift_DataSecurityMode(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		MockWorkspaceClientFunc: func(a *mocks.MockWorkspaceClient) {
+			api := a.GetMockClustersAPI().EXPECT()
+			api.List(mock.Anything, compute.ListClustersRequest{
+				FilterBy: &compute.ListClustersFilterBy{
+					IsPinned: true,
+				},
+				PageSize: 100,
+			}).Return(&listing.SliceIterator[compute.ClusterDetails]{})
+			api.GetByClusterId(mock.Anything, "abc").Return(
+				&compute.ClusterDetails{
+					ClusterId:              "abc",
+					NumWorkers:             100,
+					ClusterName:            "Dedicated Cluster",
+					DataSecurityMode:       compute.DataSecurityModeSingleUser,
+					SparkVersion:           "7.1-scala12",
+					NodeTypeId:             "i3.xlarge",
+					AutoterminationMinutes: 15,
+					State:                  compute.StateTerminated,
+					GcpAttributes: &compute.GcpAttributes{
+						LocalSsdCount: 2,
+					},
+				}, nil,
+			)
+		},
+		ID:       "abc",
+		Read:     true,
+		Resource: ResourceCluster(),
+		InstanceState: map[string]string{
+			"autotermination_minutes": "15",
+			"cluster_name":            "Dedicated Cluster",
+			"data_security_mode":      "SINGLE_USER",
+			"spark_version":           "7.1-scala12",
+			"node_type_id":            "i3.xlarge",
+			"num_workers":             "100",
+			"gcp_attributes": `"{
+				local_ssd_count = 2
+			}"`,
+		},
+		HCL: `
+		autotermination_minutes = 15,
+		cluster_name =            "Dedicated Cluster"
+		data_security_mode =      "DATA_SECURITY_MODE_DEDICATED"
+		spark_version =           "7.1-scala12"
+		node_type_id =            "i3.xlarge"
+		num_workers =             100
+		gcp_attributes = {
+			local_ssd_count = 0
+		},
+		`,
+	}.Apply(t)
+
+	assert.NoError(t, err)
+	assert.False(t, d.HasChanges("data_security_mode"))
+}
+
+func TestResourceClusterAliasStandardNoDrift_DataSecurityMode(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		MockWorkspaceClientFunc: func(a *mocks.MockWorkspaceClient) {
+			api := a.GetMockClustersAPI().EXPECT()
+			api.List(mock.Anything, compute.ListClustersRequest{
+				FilterBy: &compute.ListClustersFilterBy{
+					IsPinned: true,
+				},
+				PageSize: 100,
+			}).Return(&listing.SliceIterator[compute.ClusterDetails]{})
+			api.GetByClusterId(mock.Anything, "abc").Return(
+				&compute.ClusterDetails{
+					ClusterId:              "abc",
+					NumWorkers:             100,
+					ClusterName:            "Standard Cluster",
+					DataSecurityMode:       compute.DataSecurityModeUserIsolation,
+					SparkVersion:           "7.1-scala12",
+					NodeTypeId:             "i3.xlarge",
+					AutoterminationMinutes: 15,
+					State:                  compute.StateTerminated,
+					GcpAttributes: &compute.GcpAttributes{
+						LocalSsdCount: 2,
+					},
+				}, nil,
+			)
+		},
+		ID:       "abc",
+		Read:     true,
+		Resource: ResourceCluster(),
+		InstanceState: map[string]string{
+			"autotermination_minutes": "15",
+			"cluster_name":            "Standard Cluster",
+			"data_security_mode":      "USER_ISOLATION",
+			"spark_version":           "7.1-scala12",
+			"node_type_id":            "i3.xlarge",
+			"num_workers":             "100",
+			"gcp_attributes": `"{
+				local_ssd_count = 2
+			}"`,
+		},
+		HCL: `
+		autotermination_minutes = 15,
+		cluster_name =            "Standard Cluster"
+		data_security_mode =      "DATA_SECURITY_MODE_STANDARD"
+		spark_version =           "7.1-scala12"
+		node_type_id =            "i3.xlarge"
+		num_workers =             100
+		gcp_attributes = {
+			local_ssd_count = 0
+		},
+		`,
+	}.Apply(t)
+
+	assert.NoError(t, err)
+	assert.False(t, d.HasChanges("data_security_mode"))
+}
+
+func TestResourceClusterAliasAutoNoDrift_DataSecurityMode(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		MockWorkspaceClientFunc: func(a *mocks.MockWorkspaceClient) {
+			api := a.GetMockClustersAPI().EXPECT()
+			api.List(mock.Anything, compute.ListClustersRequest{
+				FilterBy: &compute.ListClustersFilterBy{
+					IsPinned: true,
+				},
+				PageSize: 100,
+			}).Return(&listing.SliceIterator[compute.ClusterDetails]{})
+			api.GetByClusterId(mock.Anything, "abc").Return(
+				&compute.ClusterDetails{
+					ClusterId:              "abc",
+					NumWorkers:             100,
+					ClusterName:            "Auto Cluster",
+					DataSecurityMode:       compute.DataSecurityModeUserIsolation,
+					SparkVersion:           "7.1-scala12",
+					NodeTypeId:             "i3.xlarge",
+					AutoterminationMinutes: 15,
+					State:                  compute.StateTerminated,
+					GcpAttributes: &compute.GcpAttributes{
+						LocalSsdCount: 2,
+					},
+				}, nil,
+			)
+		},
+		ID:       "abc",
+		Read:     true,
+		Resource: ResourceCluster(),
+		InstanceState: map[string]string{
+			"autotermination_minutes": "15",
+			"cluster_name":            "Auto Cluster",
+			"data_security_mode":      "USER_ISOLATION",
+			"spark_version":           "7.1-scala12",
+			"node_type_id":            "i3.xlarge",
+			"num_workers":             "100",
+			"gcp_attributes": `"{
+				local_ssd_count = 2
+			}"`,
+		},
+		HCL: `
+		autotermination_minutes = 15,
+		cluster_name =            "Auto Cluster"
+		data_security_mode =      "DATA_SECURITY_MODE_AUTO"
+		spark_version =           "7.1-scala12"
+		node_type_id =            "i3.xlarge"
+		num_workers =             100
+		gcp_attributes = {
+			local_ssd_count = 0
+		},
+		`,
+	}.Apply(t)
+
+	assert.NoError(t, err)
+	assert.False(t, d.HasChanges("data_security_mode"))
+}
