[Feature] Add CAN_VIEW permission for SQL warehouse (#4464)

jiabin-hu · alexott · nkvuong · web-flow · commit a76703c03794 · 2025-03-30T15:33:58.000Z
## Changes
Add CAN_VIEW permission for SQL warehouse

## Tests
Locally installed and tested. See the following output:

```
% terraform apply -var="databricks_host=REDACTED"  -var="databricks_token=REDACTED"
databricks_sql_endpoint.sql_warehouse: Refreshing state... [id=REDACTED]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # databricks_permissions.sql_warehouse_usage will be created
  + resource "databricks_permissions" "sql_warehouse_usage" {
      + id              = (known after apply)
      + object_type     = (known after apply)
      + sql_endpoint_id = "REDACTED"

      + access_control {
          + permission_level = "CAN_VIEW"
          + user_name        = "REDACTED"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

databricks_permissions.sql_warehouse_usage: Creating...
databricks_permissions.sql_warehouse_usage: Creation complete after 2s [id=/sql/warehouses/REDACTED]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

warehouse_id = "REDACTED"
```

- [x] `make test` run locally
- [x] relevant change in `docs/` folder
- [x] covered with integration tests in `internal/acceptance`
- [no] using Go SDK
- [x] using TF Plugin Framework

---------

Co-authored-by: Alex Ott &lt;alexey.ott@databricks.com&gt;
Co-authored-by: vuong-nguyen &lt;44292934+nkvuong@users.noreply.github.com&gt;
diff --git a/NEXT_CHANGELOG.md b/NEXT_CHANGELOG.md
@@ -5,6 +5,7 @@
 ### New Features and Improvements
 
  * Mark GKE-related fields for `databricks_mws_workspaces` and `databricks_mws_networks` as deprecated([#4531](https://github.com/databricks/terraform-provider-databricks/pull/4531)).
+ * Add support for `CAN_VIEW` permission level in `databricks_permissions`, which can be assigned to `databricks_sql_endpoint` ([#4464](https://github.com/databricks/terraform-provider-databricks/pull/4464)).
  * Add support for `aws-us-gov-dod` (AWS Govcloud DoD shard) ([#4594](https://github.com/databricks/terraform-provider-databricks/pull/4594/commits/5ac01118f546070ae5b8938f06807c8325d0f5d7))
 
 ### Bug Fixes
diff --git a/docs/resources/permissions.md b/docs/resources/permissions.md
@@ -722,7 +722,7 @@ resource "databricks_permissions" "token_usage" {
 
 ## SQL warehouse usage
 
-[SQL warehouses](https://docs.databricks.com/sql/user/security/access-control/sql-endpoint-acl.html) have four possible permissions: `CAN_USE`, `CAN_MONITOR`, `CAN_MANAGE` and `IS_OWNER`:
+[SQL warehouses](https://docs.databricks.com/sql/user/security/access-control/sql-endpoint-acl.html) have five possible permissions: `CAN_USE`, `CAN_MONITOR`, `CAN_MANAGE`, `CAN_VIEW` and `IS_OWNER`:
 
 - The creator of a warehouse has `IS_OWNER` permission. Destroying `databricks_permissions` resource for a warehouse would revert ownership to the creator.
 - A warehouse must have exactly one owner. If a resource is changed and no owner is specified, the currently authenticated principal would become the new owner of the warehouse. Nothing would change, per se, if the warehouse was created through Terraform.
diff --git a/permissions/permission_definitions.go b/permissions/permission_definitions.go
@@ -567,6 +567,7 @@ func allResourcePermissions() []resourcePermissions {
 				"CAN_USE":     {isManagementPermission: false},
 				"CAN_MANAGE":  {isManagementPermission: true},
 				"CAN_MONITOR": {isManagementPermission: false},
+				"CAN_VIEW":    {isManagementPermission: false},
 				"IS_OWNER":    {isManagementPermission: true},
 			},
 			updateAclCustomizers: []update.ACLCustomizer{update.AddCurrentUserAsManage},
diff --git a/permissions/permissions_test.go b/permissions/permissions_test.go
@@ -680,7 +680,7 @@ func TestAccPermissions_SqlWarehouses(t *testing.T) {
 	acceptance.WorkspaceLevel(t, acceptance.Step{
 		Template: sqlWarehouseTemplate + makePermissionsTestStage("sql_endpoint_id", "databricks_sql_endpoint.this.id", groupPermissions("CAN_USE")),
 	}, acceptance.Step{
-		Template: sqlWarehouseTemplate + makePermissionsTestStage("sql_endpoint_id", "databricks_sql_endpoint.this.id", currentPrincipalPermission(t, "IS_OWNER"), allPrincipalPermissions("CAN_USE", "CAN_MANAGE", "CAN_MONITOR")),
+		Template: sqlWarehouseTemplate + makePermissionsTestStage("sql_endpoint_id", "databricks_sql_endpoint.this.id", currentPrincipalPermission(t, "IS_OWNER"), allPrincipalPermissions("CAN_USE", "CAN_MANAGE", "CAN_MONITOR", "CAN_VIEW")),
 		// Note: ideally we could test making a new user/SP the owner of the warehouse, but the new user
 		// needs cluster creation permissions, and the SCIM API doesn't provide get-after-put consistency,
 		// so this would introduce flakiness.
