Improve databricks_grants error messages (#1888)

nkvuong · web-flow · commit ebbd6d3f4060 · 2023-01-04T07:45:21.000Z
diff --git a/catalog/resource_grants.go b/catalog/resource_grants.go
@@ -154,6 +154,10 @@ func (sm securableMapping) validate(d attributeGetter, pl PermissionsList) error
 	for _, v := range pl.Assignments {
 		for _, priv := range v.Privileges {
 			if !allowed[strings.ToUpper(priv)] {
+				// check if user uses spaces instead of underscores
+				if allowed[strings.ReplaceAll(priv, " ", "_")] {
+					return fmt.Errorf(`%s is not allowed on %s. Did you mean %s?`, priv, securable, strings.ReplaceAll(priv, " ", "_"))
+				}
 				return fmt.Errorf(`%s is not allowed on %s`, priv, securable)
 			}
 		}
diff --git a/catalog/resource_grants_test.go b/catalog/resource_grants_test.go
@@ -347,3 +347,27 @@ func TestShareGrantUpdate(t *testing.T) {
 		}`,
 	}.ApplyNoError(t)
 }
+
+func TestPrivilegeWithSpace(t *testing.T) {
+	d := data{"table": "me"}
+	err := mapping.validate(d, PermissionsList{
+		Assignments: []PrivilegeAssignment{
+			{
+				Principal:  "me",
+				Privileges: []string{"ALL PRIVILEGES"},
+			},
+		},
+	})
+	assert.EqualError(t, err, "ALL PRIVILEGES is not allowed on table. Did you mean ALL_PRIVILEGES?")
+
+	d = data{"external_location": "me"}
+	err = mapping.validate(d, PermissionsList{
+		Assignments: []PrivilegeAssignment{
+			{
+				Principal:  "me",
+				Privileges: []string{"CREATE TABLE"},
+			},
+		},
+	})
+	assert.EqualError(t, err, "CREATE TABLE is not allowed on external_location. Did you mean CREATE_TABLE?")
+}
diff --git a/docs/resources/grants.md b/docs/resources/grants.md
@@ -33,7 +33,7 @@ Terraform will handle any configuration drift on every `terraform apply` run, ev
 
 It is required to define all permissions for a securable in a single resource, otherwise Terraform cannot guarantee config drift prevention.
 
-Below summarizes which privilege types apply to each securable object in the catalog:
+Unlike the [SQL specification](https://docs.databricks.com/sql/language-manual/sql-ref-privileges.html#privilege-types), all privileges to be written with underscore instead of space, e.g. `CREATE_TABLE` and not `CREATE TABLE`. Below summarizes which privilege types apply to each securable object in the catalog:
 
 ## Metastore grants
 

Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,10 @@ func (sm securableMapping) validate(d attributeGetter, pl PermissionsList) error`
`154`	`154`	`for _, v := range pl.Assignments {`
`155`	`155`	`for _, priv := range v.Privileges {`
`156`	`156`	`if !allowed[strings.ToUpper(priv)] {`
	`157`	`+ // check if user uses spaces instead of underscores`
	`158`	`+ if allowed[strings.ReplaceAll(priv, " ", "_")] {`
	`159`	+ return fmt.Errorf(`%s is not allowed on %s. Did you mean %s?`, priv, securable, strings.ReplaceAll(priv, " ", "_"))
	`160`	`+ }`
`157`	`161`	return fmt.Errorf(`%s is not allowed on %s`, priv, securable)
`158`	`162`	`}`
`159`	`163`	`}`