Fix databricks_grant & databricks_grants failing with empty permissions diff for shares (#5095)

## Changes
When using `databricks_grant` or `databricks_grants` on a share where
permissions are already correctly configured, the provider would make a
PATCH API call with an empty changes array. For shares, this gets
serialized as an empty body {}, causing the API to return: "Missing
required field: permissions_diff".

This fix skips the UpdatePermissions call when diff is empty. This also
has the side effect of this skipping any waiting for permissions to
update, improving performance. We can do this for all permission types,
so the performance improvement applies to all securable types, not just
shares.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Tests
Added an additional unit test for this case.

---------

Co-authored-by: Claude <[email protected]>
Co-authored-by: Alex Ott <[email protected]>

Author: 3 people

NEXT_CHANGELOG.md

@@ -2,7 +2,10 @@
 
 ## Release v1.95.0
 
-### Breaking Changes
+### New Features and Improvements
+
+* Add `arm` option to `databricks_node_type` instead of `graviton` ([#5028](https://github.com/databricks/terraform-provider-databricks/pull/5028))
+* Optimize `databricks_grant` and `databricks_grants` to not call the `Update` API if the requested permissions are already granted ([#5095](https://github.com/databricks/terraform-provider-databricks/pull/5095))
 
 ### New Features and Improvements
 

catalog/resource_grant.go

@@ -72,7 +72,12 @@ func replacePermissionsForPrincipal(a permissions.UnityCatalogPermissionsAPI, se
 	if err != nil {
 		return err
 	}
-	err = a.UpdatePermissions(securableType, name, diffPermissionsForPrincipal(principal, list.PrivilegeAssignments, existing.PrivilegeAssignments))
+	diff := diffPermissionsForPrincipal(principal, list.PrivilegeAssignments, existing.PrivilegeAssignments)
+	if len(diff) == 0 {
+		// The permissions are already correct, no need to update or wait
+		return nil
+	}
+	err = a.UpdatePermissions(securableType, name, diff)
 	if err != nil {
 		return err
 	}

catalog/resource_grant_test.go

@@ -849,3 +849,43 @@ func TestResourceGrantModelGrantCreate(t *testing.T) {
 		`,
 	}.ApplyNoError(t)
 }
+
+func TestResourceGrantShareGrantCreateNoChange(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.1/unity-catalog/shares/myshare/permissions?",
+				Response: catalog.GetPermissionsResponse{
+					PrivilegeAssignments: []catalog.PrivilegeAssignment{
+						{
+							Principal:  "recipient1",
+							Privileges: []catalog.Privilege{"SELECT"},
+						},
+					},
+				},
+			},
+			// No PATCH request should be made since permissions are already correct
+			{
+				Method:   "GET",
+				Resource: "/api/2.1/unity-catalog/shares/myshare/permissions?",
+				Response: catalog.GetPermissionsResponse{
+					PrivilegeAssignments: []catalog.PrivilegeAssignment{
+						{
+							Principal:  "recipient1",
+							Privileges: []catalog.Privilege{"SELECT"},
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourceGrant(),
+		Create:   true,
+		HCL: `
+		share = "myshare"
+
+		principal = "recipient1"
+		privileges = ["SELECT"]
+		`,
+	}.ApplyNoError(t)
+}

catalog/resource_grants.go

@@ -80,7 +80,12 @@ func replaceAllPermissions(a permissions.UnityCatalogPermissionsAPI, securable s
 	if err != nil {
 		return err
 	}
-	err = a.UpdatePermissions(securableType, name, diffPermissions(list.PrivilegeAssignments, existing.PrivilegeAssignments))
+	diff := diffPermissions(list.PrivilegeAssignments, existing.PrivilegeAssignments)
+	if len(diff) == 0 {
+		// The permissions are already correct, no need to update or wait
+		return nil
+	}
+	err = a.UpdatePermissions(securableType, name, diff)
 	if err != nil {
 		return err
 	}

catalog/resource_grants_test.go

@@ -581,6 +581,47 @@ func TestShareGrantUpdate(t *testing.T) {
 	}.ApplyNoError(t)
 }
 
+func TestShareGrantCreateNoChange(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "GET",
+				Resource: "/api/2.1/unity-catalog/shares/myshare/permissions?",
+				Response: catalog.GetPermissionsResponse{
+					PrivilegeAssignments: []catalog.PrivilegeAssignment{
+						{
+							Principal:  "recipient1",
+							Privileges: []catalog.Privilege{"SELECT"},
+						},
+					},
+				},
+			},
+			// No PATCH request should be made since permissions are already correct
+			{
+				Method:   "GET",
+				Resource: "/api/2.1/unity-catalog/shares/myshare/permissions?",
+				Response: catalog.GetPermissionsResponse{
+					PrivilegeAssignments: []catalog.PrivilegeAssignment{
+						{
+							Principal:  "recipient1",
+							Privileges: []catalog.Privilege{"SELECT"},
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourceGrants(),
+		Create:   true,
+		HCL: `
+		share = "myshare"
+
+		grant {
+			principal = "recipient1"
+			privileges = ["SELECT"]
+		}`,
+	}.ApplyNoError(t)
+}
+
 func TestConnectionGrantCreate(t *testing.T) {
 	qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{