[Feature] Add time_rotating argument to databricks_service_principal_secret to enable secret rotation (#4793)

## Changes
- Add `time_rotating` argument to `databricks_service_principal_secret`
to enable secret rotation

Close #4792

## Tests
<!-- 
How is this tested? Please see the checklist below and also describe any
other relevant tests
-->

- [x] `make test` run locally
- [x] relevant change in `docs/` folder

---------

Co-authored-by: Alex Ott <[email protected]>

Author: nkvuong

NEXT_CHANGELOG.md

@@ -5,6 +5,7 @@
 ### Breaking Changes
 
 ### New Features and Improvements
+ * Added `time_rotating` argument to `databricks_service_principal_secret` to enable secret rotation ([#4789](https://github.com/databricks/terraform-provider-databricks/pull/4789)).
 
 
 * Add AWS support for `databricks_mws_ncc_private_endpoint_rule` ([#4804](https://github.com/databricks/terraform-provider-databricks/pull/4804)).

docs/resources/service_principal_secret.md

@@ -21,19 +21,35 @@ resource "databricks_service_principal_secret" "terraform_sp" {
 }
 ```
 
+A secret can be automatically rotated by taking a dependency on the `time_rotating` resource:
+
+```hcl
+resource "time_rotating" "this" {
+  rotation_days = 30
+}
+
+resource "databricks_service_principal_secret" "terraform_sp" {
+  service_principal_id = databricks_service_principal.this.id
+
+  # Token is valid for 60 days but is rotated after 30 days.
+  time_rotating = "Terraform (created: ${time_rotating.this.rfc3339})"
+}
+```
+
 ## Argument Reference
 
 The following arguments are available:
 
 * `service_principal_id` (Required, string) - SCIM ID of the [databricks_service_principal](service_principal.md) (not application ID).
 * `lifetime` (Optional, string) - The lifetime of the secret in seconds formatted as `NNNNs`. If this parameter is not provided, the secret will have a default lifetime of 730 days (`63072000s`).  Expiration of secret will lead to generation of new secret.
+* `time_rotating` - (Optional, string) - Changing this argument forces recreation of the secret.
 
 ## Attribute Reference
 
 In addition to all arguments above, the following attributes are exported:
 
 * `id` - ID of the secret
-* `secret` - Generated secret for the service principal.
+* `secret` - **Sensitive** Generated secret for the service principal.
 * `create_time` - UTC time when the secret was created.
 * `expire_time` - UTC time when the secret will expire. If the field is not present, the secret does not expire.
 * `secret_hash` - Secret Hash.

tokens/resource_service_principal_secret.go

@@ -26,6 +26,11 @@ func createFailedToConvertServicePrincipalIdToNumericError(err error) error {
 func ResourceServicePrincipalSecret() common.Resource {
 	spnSecretSchema := common.StructToSchema(ServicePrincipalSecret{},
 		func(m map[string]*schema.Schema) map[string]*schema.Schema {
+			m["time_rotating"] = &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+			}
 			m["id"].Computed = true
 			m["create_time"].Computed = true
 			m["expire_time"].Computed = true