Add resource databricks_grant for managing singular principal (#3024)

* Add resource "databricks_grant" for managing singular principal

* resource_grant: tweak method names to avoid clash with resource_grants

* resource_grants: refactor internals to be common with resource_grant

* internal/acceptance/schema_test.go: Add acceptance test for databricks_grant resource

* resource_grant: Append principal to ID for uniqueness

* resource_grants: Remove outdated comment

* resource_grant: Use StructToSchema function & add some tests to cover field validation

* resource_grant: flip requiresnew test for principal

* docs: add docco for databricks_grant & run fmt-docs

* Update docs/resources/grants.md

Co-authored-by: vuong-nguyen <[email protected]>

* resource_grant: remove validation of priveleges to securable

* catalog/resource_grants.go: revert refactor as code diverges with resource_grant.go

* resource_grant: refactor to use sdk

* resource_grant: use type rather than raw string for securable

* resource_grant: Port changes from #3026 for resource_grants

* resource_grant: Port changes from #3034 for resource_grants acceptance tests

* Add missing link on readme

* resource_grant: Handle special case for "model" which is documented & supported by resource_grants

* Update docs/resources/grant.md

Co-authored-by: vuong-nguyen <[email protected]>

* Update docs/resources/grant.md

Co-authored-by: vuong-nguyen <[email protected]>

* docs/resources/grant.md: reference grants.md for list of permissions

* resource_grants: review comments

* resource_grants: remove redundant ToPrivilegeSlice function

* resource_grants: address review comment to preserve type and add extra defensive check

* resource_grant: address review comment to encapsulate ID wrangling & clean up usage

* Update internal/acceptance/grant_test.go

Co-authored-by: vuong-nguyen <[email protected]>

---------

Co-authored-by: vuong-nguyen <[email protected]>

Author: martin-walsh

README.md

@@ -24,6 +24,7 @@
 | [databricks_external_location](docs/resources/external_location.md)
 | [databricks_git_credential](docs/resources/git_credential.md)
 | [databricks_global_init_script](docs/resources/global_init_script.md)
+| [databricks_grant](docs/resources/grant.md)
 | [databricks_grants](docs/resources/grants.md)
 | [databricks_group](docs/resources/group.md)
 | [databricks_group](docs/data-sources/group.md) data

catalog/permissions/permissions.go

@@ -0,0 +1,145 @@
+package permissions
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/databricks/databricks-sdk-go"
+	"github.com/databricks/databricks-sdk-go/service/catalog"
+	"github.com/databricks/databricks-sdk-go/service/sharing"
+	"github.com/databricks/terraform-provider-databricks/common"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+// API
+type UnityCatalogPermissionsAPI struct {
+	client  *databricks.WorkspaceClient
+	context context.Context
+}
+
+func NewUnityCatalogPermissionsAPI(ctx context.Context, m any) UnityCatalogPermissionsAPI {
+	client, _ := m.(*common.DatabricksClient).WorkspaceClient()
+	return UnityCatalogPermissionsAPI{client, ctx}
+}
+
+func (a UnityCatalogPermissionsAPI) GetPermissions(securable catalog.SecurableType, name string) (list *catalog.PermissionsList, err error) {
+	if securable.String() == "share" {
+		list, err = a.client.Shares.SharePermissions(a.context, sharing.SharePermissionsRequest{name})
+		return
+	}
+	list, err = a.client.Grants.GetBySecurableTypeAndFullName(a.context, securable, name)
+	return
+}
+
+func (a UnityCatalogPermissionsAPI) UpdatePermissions(securable catalog.SecurableType, name string, diff []catalog.PermissionsChange) error {
+	if securable.String() == "share" {
+		return a.client.Shares.UpdatePermissions(a.context, sharing.UpdateSharePermissions{
+			Changes: diff,
+			Name:    name,
+		})
+	}
+	_, err := a.client.Grants.Update(a.context, catalog.UpdatePermissions{
+		Changes:       diff,
+		SecurableType: securable,
+		FullName:      name,
+	})
+	return err
+}
+
+func (a UnityCatalogPermissionsAPI) WaitForUpdate(timeout time.Duration, securable catalog.SecurableType, name string, desired catalog.PermissionsList, diff func(*catalog.PermissionsList, catalog.PermissionsList) []catalog.PermissionsChange) error {
+	return retry.RetryContext(a.context, timeout, func() *retry.RetryError {
+		current, err := a.GetPermissions(securable, name)
+		if err != nil {
+			return retry.NonRetryableError(err)
+		}
+		log.Printf("[DEBUG] Permissions for %s-%s are: %v", securable.String(), name, current)
+		if diff(current, desired) == nil {
+			return nil
+		}
+		return retry.RetryableError(
+			fmt.Errorf("permissions for %s-%s are %v, but have to be %v", securable.String(), name, current, desired),
+		)
+	})
+}
+
+// Terraform Schema
+type UnityCatalogPrivilegeAssignment struct {
+	Principal  string   `json:"principal"`
+	Privileges []string `json:"privileges" tf:"slice_set"`
+}
+
+// Permission Mappings
+
+type SecurableMapping map[string]catalog.SecurableType
+
+// reuse ResourceDiff and ResourceData
+type attributeGetter interface {
+	Get(key string) any
+}
+
+func (sm SecurableMapping) GetSecurableType(securable string) catalog.SecurableType {
+	return sm[securable]
+}
+
+func (sm SecurableMapping) KeyValue(d attributeGetter) (string, string) {
+	for field := range sm {
+		v := d.Get(field).(string)
+		if v == "" {
+			continue
+		}
+		return field, v
+	}
+	return "unknown", "unknown"
+}
+func (sm SecurableMapping) Id(d *schema.ResourceData) string {
+	securable, name := sm.KeyValue(d)
+	return fmt.Sprintf("%s/%s", securable, name)
+}
+
+// Mappings
+// See https://docs.databricks.com/api/workspace/grants/update for full list
+// Omitting provider as a reserved keyword
+var Mappings = SecurableMapping{
+	"catalog":            catalog.SecurableType("catalog"),
+	"foreign_connection": catalog.SecurableType("connection"),
+	"external_location":  catalog.SecurableType("external_location"),
+	"function":           catalog.SecurableType("function"),
+	"metastore":          catalog.SecurableType("metastore"),
+	"model":              catalog.SecurableType("function"),
+	"pipeline":           catalog.SecurableType("pipeline"),
+	"recipient":          catalog.SecurableType("recipient"),
+	"schema":             catalog.SecurableType("schema"),
+	"share":              catalog.SecurableType("share"),
+	"storage_credential": catalog.SecurableType("storage_credential"),
+	"table":              catalog.SecurableType("table"),
+	"volume":             catalog.SecurableType("volume"),
+}
+
+// Utils for Slice and Set
+func SliceToSet(in []catalog.Privilege) *schema.Set {
+	var out []any
+	for _, v := range in {
+		out = append(out, v.String())
+	}
+	return schema.NewSet(schema.HashString, out)
+}
+
+func SetToSlice(set *schema.Set) (ss []catalog.Privilege) {
+	for _, v := range set.List() {
+		ss = append(ss, catalog.Privilege(v.(string)))
+	}
+	return
+}
+
+func SliceWithoutString(in []string, without string) (out []string) {
+	for _, v := range in {
+		if v == without {
+			continue
+		}
+		out = append(out, v)
+	}
+	return
+}

catalog/resource_grant.go

@@ -0,0 +1,207 @@
+package catalog
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/databricks/databricks-sdk-go/apierr"
+	"github.com/databricks/databricks-sdk-go/service/catalog"
+	"github.com/databricks/terraform-provider-databricks/catalog/permissions"
+	"github.com/databricks/terraform-provider-databricks/common"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+// diffPermissionsForPrincipal returns an array of catalog.PermissionsChange of this permissions list with `diff` privileges removed
+func diffPermissionsForPrincipal(principal string, desired catalog.PermissionsList, existing catalog.PermissionsList) (diff []catalog.PermissionsChange) {
+	// diffs change sets for principal
+	configured := map[string]*schema.Set{}
+	for _, v := range desired.PrivilegeAssignments {
+		if v.Principal == principal {
+			configured[v.Principal] = permissions.SliceToSet(v.Privileges)
+		}
+	}
+	// existing permissions that needs removal for principal
+	remote := map[string]*schema.Set{}
+	for _, v := range existing.PrivilegeAssignments {
+		if v.Principal == principal {
+			remote[v.Principal] = permissions.SliceToSet(v.Privileges)
+		}
+	}
+	// STEP 1: detect overlaps
+	for principal, confPrivs := range configured {
+		remotePrivs, ok := remote[principal]
+		if !ok {
+			remotePrivs = permissions.SliceToSet([]catalog.Privilege{})
+		}
+		add := permissions.SetToSlice(confPrivs.Difference(remotePrivs))
+		remove := permissions.SetToSlice(remotePrivs.Difference(confPrivs))
+		if len(add) == 0 && len(remove) == 0 {
+			continue
+		}
+		diff = append(diff, catalog.PermissionsChange{
+			Principal: principal,
+			Add:       add,
+			Remove:    remove,
+		})
+	}
+	// STEP 2: non overlap - simply remove
+	for principal, remove := range remote {
+		_, ok := configured[principal]
+		if ok { // already handled in STEP 1
+			continue
+		}
+		diff = append(diff, catalog.PermissionsChange{
+			Principal: principal,
+			Remove:    permissions.SetToSlice(remove),
+		})
+	}
+	// so that we can deterministic tests
+	sort.Slice(diff, func(i, j int) bool {
+		return diff[i].Principal < diff[j].Principal
+	})
+	return diff
+}
+
+// replacePermissionsForPrincipal merges removal diff of existing permissions on the platform
+func replacePermissionsForPrincipal(a permissions.UnityCatalogPermissionsAPI, securable string, name string, principal string, list catalog.PermissionsList) error {
+	securableType := permissions.Mappings.GetSecurableType(securable)
+	existing, err := a.GetPermissions(securableType, name)
+	if err != nil {
+		return err
+	}
+	err = a.UpdatePermissions(securableType, name, diffPermissionsForPrincipal(principal, list, *existing))
+	if err != nil {
+		return err
+	}
+	return a.WaitForUpdate(1*time.Minute, securableType, name, list, func(current *catalog.PermissionsList, desired catalog.PermissionsList) []catalog.PermissionsChange {
+		return diffPermissionsForPrincipal(principal, desired, *current)
+	})
+}
+
+// filterPermissionsForPrincipal extracts permissions for the given principal and transforms to permissions.UnityCatalogPrivilegeAssignment to match Schema
+func filterPermissionsForPrincipal(in catalog.PermissionsList, principal string) (*permissions.UnityCatalogPrivilegeAssignment, error) {
+	grantsForPrincipal := []permissions.UnityCatalogPrivilegeAssignment{}
+	for _, v := range in.PrivilegeAssignments {
+		privileges := []string{}
+		if v.Principal == principal {
+			for _, p := range v.Privileges {
+				privileges = append(privileges, p.String())
+			}
+			grantsForPrincipal = append(grantsForPrincipal, permissions.UnityCatalogPrivilegeAssignment{
+				Principal:  v.Principal,
+				Privileges: privileges,
+			})
+		}
+	}
+	if len(grantsForPrincipal) == 0 {
+		return nil, apierr.NotFound("got empty permissions list")
+	}
+	if len(grantsForPrincipal) > 1 {
+		return nil, errors.New("got more than one principal in permissions list")
+	}
+	return &grantsForPrincipal[0], nil
+}
+
+func toSecurableId(d *schema.ResourceData) string {
+	principal := d.Get("principal").(string)
+	return fmt.Sprintf("%s/%s", permissions.Mappings.Id(d), principal)
+}
+
+func parseSecurableId(d *schema.ResourceData) (string, string, string, error) {
+	split := strings.SplitN(d.Id(), "/", 3)
+	if len(split) != 3 {
+		return "", "", "", fmt.Errorf("ID must be three elements split by `/`: %s", d.Id())
+	}
+	return split[0], split[1], split[2], nil
+}
+
+func ResourceGrant() *schema.Resource {
+	s := common.StructToSchema(permissions.UnityCatalogPrivilegeAssignment{},
+		func(m map[string]*schema.Schema) map[string]*schema.Schema {
+
+			m["principal"].ForceNew = true
+
+			allFields := []string{}
+			for field := range permissions.Mappings {
+				allFields = append(allFields, field)
+			}
+			for field := range permissions.Mappings {
+				m[field] = &schema.Schema{
+					Type:          schema.TypeString,
+					Optional:      true,
+					ForceNew:      true,
+					AtLeastOneOf:  allFields,
+					ConflictsWith: permissions.SliceWithoutString(allFields, field),
+				}
+			}
+			return m
+		})
+
+	return common.Resource{
+		Schema: s,
+		Create: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+			principal := d.Get("principal").(string)
+			privileges := permissions.SetToSlice(d.Get("privileges").(*schema.Set))
+			var grants = catalog.PermissionsList{
+				PrivilegeAssignments: []catalog.PrivilegeAssignment{
+					{
+						Principal:  principal,
+						Privileges: privileges,
+					},
+				},
+			}
+			securable, name := permissions.Mappings.KeyValue(d)
+			unityCatalogPermissionsAPI := permissions.NewUnityCatalogPermissionsAPI(ctx, c)
+			err := replacePermissionsForPrincipal(unityCatalogPermissionsAPI, securable, name, principal, grants)
+			if err != nil {
+				return err
+			}
+			d.SetId(toSecurableId(d))
+			return nil
+		},
+		Read: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+			securable, name, principal, err := parseSecurableId(d)
+			if err != nil {
+				return err
+			}
+			grants, err := permissions.NewUnityCatalogPermissionsAPI(ctx, c).GetPermissions(permissions.Mappings.GetSecurableType(securable), name)
+			if err != nil {
+				return err
+			}
+			grantsForPrincipal, err := filterPermissionsForPrincipal(*grants, principal)
+			if err != nil {
+				return err
+			}
+			return common.StructToData(*grantsForPrincipal, s, d)
+		},
+		Update: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+			securable, name, principal, err := parseSecurableId(d)
+			if err != nil {
+				return err
+			}
+			privileges := permissions.SetToSlice(d.Get("privileges").(*schema.Set))
+			var grants = catalog.PermissionsList{
+				PrivilegeAssignments: []catalog.PrivilegeAssignment{
+					{
+						Principal:  principal,
+						Privileges: privileges,
+					},
+				},
+			}
+			unityCatalogPermissionsAPI := permissions.NewUnityCatalogPermissionsAPI(ctx, c)
+			return replacePermissionsForPrincipal(unityCatalogPermissionsAPI, securable, name, principal, grants)
+		},
+		Delete: func(ctx context.Context, d *schema.ResourceData, c *common.DatabricksClient) error {
+			securable, name, principal, err := parseSecurableId(d)
+			if err != nil {
+				return err
+			}
+			unityCatalogPermissionsAPI := permissions.NewUnityCatalogPermissionsAPI(ctx, c)
+			return replacePermissionsForPrincipal(unityCatalogPermissionsAPI, securable, name, principal, catalog.PermissionsList{})
+		},
+	}.ToResource()
+}