Added databricks_user_role resource (#1054)

* Added `databricks_user_role` resource

Adding AWS instance profile to a user

```hcl
resource "databricks_instance_profile" "instance_profile" {
  instance_profile_arn = "my_instance_profile_arn"
}

resource "databricks_user" "my_user" {
  user_name = "[email protected]"
}

resource "databricks_user_role" "my_user_role" {
  user_id = databricks_user.my_user.id
  role    = databricks_instance_profile.instance_profile.id
}
```

Adding user as administrator to Databricks Account

```hcl
provider "databricks" {
  host       = "https://accounts.cloud.databricks.com"
  account_id = var.databricks_account_id
  username   = var.databricks_user
  password   = var.databricks_password
}

resource "databricks_user" "my_user" {
  user_name = "[email protected]"
}

resource "databricks_user_role" "my_user_account_admin" {
  user_id = databricks_user.my_user.id
  role    = "account_admin"
}
```

* whoopsie

* remove unused

* typo

Author: nfx

CHANGELOG.md

@@ -4,6 +4,11 @@
 
 * Clarified error messages around `azure_workspace_resource_id` provider configuration ([#1049](https://github.com/databrickslabs/terraform-provider-databricks/issues/1049)).
 * Added optional `force` argument to `databricks_user` resource to ignore `cannot create user: User with username X already exists` errors and implicitly import the specific user into Terraform state, enforcing entitlements defined in the instance of resource ([#1048](https://github.com/databrickslabs/terraform-provider-databricks/pull/1048)).
+* Added `databricks_user_role` resource, that can assign roles on Databricks Account or `databricks_instance_profile` for data access ([#1047](https://github.com/databrickslabs/terraform-provider-databricks/pull/1047)).
+
+**Deprecations**
+
+* `databricks_user_instance_profile` is deprecated in favor of `databricks_user_role`.
 
 Updated dependency versions:
 

aws/resource_user_instance_profile.go

@@ -12,7 +12,7 @@ import (
 
 // ResourceUserInstanceProfile binds user and instance profile
 func ResourceUserInstanceProfile() *schema.Resource {
-	return common.NewPairID("user_id", "instance_profile_id").Schema(func(
+	r := common.NewPairID("user_id", "instance_profile_id").Schema(func(
 		m map[string]*schema.Schema) map[string]*schema.Schema {
 		m["instance_profile_id"].ValidateDiagFunc = ValidInstanceProfile
 		return m
@@ -33,4 +33,6 @@ func ResourceUserInstanceProfile() *schema.Resource {
 				"remove", fmt.Sprintf(`roles[value eq "%s"]`, roleARN), ""))
 		},
 	})
+	r.DeprecationMessage = "Please migrate to `databricks_user_role`. This resource will be removed in v0.5.x"
+	return r
 }

aws/resource_user_instance_profile_test.go

@@ -59,7 +59,7 @@ func TestResourceUserInstanceProfileCreate_Error_BadARN(t *testing.T) {
 		},
 		Create: true,
 	}.Apply(t)
-	assert.EqualError(t, err, "invalid config supplied. [instance_profile_id] Invalid ARN")
+	assert.EqualError(t, err, "invalid config supplied. [instance_profile_id] Invalid ARN. Deprecated Resource")
 }
 
 func TestResourceUserInstanceProfileCreate_Error(t *testing.T) {

aws/resource_user_role.go

@@ -0,0 +1,30 @@
+package aws
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/databrickslabs/terraform-provider-databricks/common"
+	"github.com/databrickslabs/terraform-provider-databricks/scim"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func ResourceUserRole() *schema.Resource {
+	return common.NewPairID("user_id", "role").BindResource(common.BindResource{
+		CreateContext: func(ctx context.Context, userID, role string, c *common.DatabricksClient) error {
+			return scim.NewUsersAPI(ctx, c).Patch(userID, scim.PatchRequest("add", "roles", role))
+		},
+		ReadContext: func(ctx context.Context, userID, roleARN string, c *common.DatabricksClient) error {
+			user, err := scim.NewUsersAPI(ctx, c).Read(userID)
+			hasRole := scim.ComplexValues(user.Roles).HasValue(roleARN)
+			if err == nil && !hasRole {
+				return common.NotFound("User has no role")
+			}
+			return err
+		},
+		DeleteContext: func(ctx context.Context, userID, roleARN string, c *common.DatabricksClient) error {
+			return scim.NewUsersAPI(ctx, c).Patch(userID, scim.PatchRequest(
+				"remove", fmt.Sprintf(`roles[value eq "%s"]`, roleARN), ""))
+		},
+	})
+}

aws/resource_user_role_test.go

@@ -0,0 +1,37 @@
+package aws
+
+import (
+	"testing"
+
+	"github.com/databrickslabs/terraform-provider-databricks/qa"
+	"github.com/databrickslabs/terraform-provider-databricks/scim"
+)
+
+func TestUserRoleCornerCases(t *testing.T) {
+	qa.ResourceCornerCases(t, ResourceUserRole(), 
+		qa.CornerCaseID("a|b"), 
+		qa.CornerCaseSkipCRUD("create"))
+}
+
+func TestUserRoleCreate_AndGetResourceDrift(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "PATCH",
+				Resource: "/api/2.0/preview/scim/v2/Users/a",
+				ExpectedRequest: scim.PatchRequest("add", "roles", "b"),
+			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/preview/scim/v2/Users/a",
+				Response: scim.User{},
+			},
+		},
+		Create: true,
+		Resource: ResourceUserRole(),
+		HCL: `
+		user_id = "a"
+		role = "b"
+		`,
+	}.ExpectError(t, "User has no role")
+}

docs/resources/user_instance_profile.md

@@ -3,7 +3,7 @@ subcategory: "Security"
 ---
 # databricks_user_instance_profile Resource
 
--> **Note** This resource has an evolving API, which may change in future versions of the provider.
+-> **Deprecated** Please rewrite with [databricks_user_role](user_role.md). This resource will be removed in v0.5.x
 
 This resource allows you to attach [databricks_instance_profile](instance_profile.md) (AWS) to [databricks_user](user.md).
 

docs/resources/user_role.md

@@ -0,0 +1,69 @@
+---
+subcategory: "Security"
+---
+# databricks_user_role Resource
+
+This resource allows you to attach a role or [databricks_instance_profile](instance_profile.md) (AWS) to [databricks_user](user.md).
+
+## Example Usage
+
+Adding AWS instance profile to a user
+
+```hcl
+resource "databricks_instance_profile" "instance_profile" {
+  instance_profile_arn = "my_instance_profile_arn"
+}
+
+resource "databricks_user" "my_user" {
+  user_name = "[email protected]"
+}
+
+resource "databricks_user_role" "my_user_role" {
+  user_id = databricks_user.my_user.id
+  role    = databricks_instance_profile.instance_profile.id
+}
+```
+
+Adding user as administrator to Databricks Account
+
+```hcl
+provider "databricks" {
+  host       = "https://accounts.cloud.databricks.com"
+  account_id = var.databricks_account_id
+  username   = var.databricks_user
+  password   = var.databricks_password
+}
+
+resource "databricks_user" "my_user" {
+  user_name = "[email protected]"
+}
+
+resource "databricks_user_role" "my_user_account_admin" {
+  user_id = databricks_user.my_user.id
+  role    = "account_admin"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `user_id` - (Required) This is the id of the [user](user.md) resource.
+* `role` -  (Required) Either a role name or the id of the [instance profile](instance_profile.md) resource.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+*  `id` - The id in the format `<user_id>|<role>`.
+
+## Related Resources
+
+The following resources are often used in the same context:
+
+* [End to end workspace management](../guides/workspace-management.md) guide.
+* [databricks_group_instance_profile](group_instance_profile.md) to attach [databricks_instance_profile](instance_profile.md) (AWS) to [databricks_group](group.md).
+* [databricks_group_member](group_member.md) to attach [users](user.md) and [groups](group.md) as group members.
+* [databricks_instance_profile](instance_profile.md) to manage AWS EC2 instance profiles that users can launch [databricks_cluster](cluster.md) and access data, like [databricks_mount](mount.md).
+* [databricks_user](user.md) to [manage users](https://docs.databricks.com/administration-guide/users-groups/users.html), that could be added to [databricks_group](group.md) within the workspace.
+* [databricks_user](../data-sources/user.md) data to retrieves information about [databricks_user](user.md).

provider/provider.go

@@ -108,6 +108,7 @@ func DatabricksProvider() *schema.Provider {
 			"databricks_token":                       tokens.ResourceToken(),
 			"databricks_user":                        scim.ResourceUser(),
 			"databricks_user_instance_profile":       aws.ResourceUserInstanceProfile(),
+			"databricks_user_role":                   aws.ResourceUserRole(),
 			"databricks_workspace_conf":              workspace.ResourceWorkspaceConf(),
 		},
 		Schema: providerSchema(),

qa/testing.go

@@ -333,7 +333,7 @@ func ResourceCornerCases(t *testing.T, resource *schema.Resource, cc ...CornerCa
 			}
 			diags := v(ctx, validData, client)
 			if assert.Len(t, diags, 1) {
-				assert.Equalf(t, diags[0].Summary, config["expect_error"],
+				assert.Equalf(t, config["expect_error"], diags[0].Summary,
 					"%s didn't handle correct error on valid data", n)
 			}
 		}