[ISSUE] Issue with databricks_database_instance resource when applying databricks_permissions

[ieva1011]

I wanted to use new databricks_database_instance resource and apply databricks_permissions on that.

Configuration

resource "databricks_database_instance" "lakebase" {
  name                        = var.database_instance_name
  capacity                    = var.capacity
  node_count                  = var.node_count
  enable_readable_secondaries = var.enable_readable_secondaries
  enable_pg_native_login      = var.enable_pg_native_login
  retention_window_in_days    = var.retention_window_in_days
  usage_policy_id             = var.budget_policy_id
  custom_tags = [
    {
      key   = "ITSystemCode"
      value = var.ITSystemCode
    },
    {
      key   = "node_id"
      value = var.node_id
    }
  ]
}
resource "databricks_permissions" "lakebase_permissions" {
  database_instance_name = var.database_instance_name

  dynamic "access_control" {
    for_each = var.can_manage_list
    content {
      group_name       = access_control.value
      permission_level = "CAN_MANAGE"
    }
  }

  dynamic "access_control" {
    for_each = var.can_use_list
    content {
      group_name       = access_control.value
      permission_level = "CAN_USE"
    }
  }

Expected Behavior

Databricks Lakebase database instance deployed and permissions applied.

Actual Behavior

Databricks Lakebase database instance deployed, permissions not applied. Error:

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.lakebase_database_instance.module.lakebase_permissions.databricks_permissions.lakebase_permissions, provider
│ "provider["registry.terraform.io/databricks/databricks"]" produced an unexpected new value: Root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

Terraform and provider versions

Terraform v1.13.3
provider registry.terraform.io/databricks/databricks v1.95.0

Is it a regression?

This is a new (preview) feature.

Debug Output

2025-11-03T09:06:14.923+0200 [DEBUG] provider.terraform-provider-databricks_v1.95.0.exe: GET /api/2.0/permissions/database-instances/example-dbw-001-lakebase
< HTTP/2.0 200 OK
< {
< "access_control_list": [
< {
< "all_permissions": [
< {
< "inherited": true,
< "inherited_from_object": [
< "/database-instances"
< ],
< "permission_level": "CAN_CREATE"
< }
< ],
< "group_name": "users"
< },
< {
< "all_permissions": [
< {
< "inherited": false,
< "permission_level": "CAN_MANAGE"
< }
< ],
< "display_name": "XXX",
< "service_principal_name": "XXX"
< },
< {
< "all_permissions": [
< {
< "inherited": true,
< "inherited_from_object": [
< "/database-instances"
< ],
< "permission_level": "CAN_MANAGE"
< }
< ],
< "group_name": "admins"
< }
< ],
< "object_id": "/database-instances/XXX",
< "object_type": "database-instances"
< }: @caller=/home/runner/work/terraform-provider-databricks/terraform-provider-databricks/logger/logger.go:38 @module=databricks tf_provider_addr=registry.terraform.io/databricks/databricks tf_mux_provider=tf5to6server.v5tov6Server tf_req_id=d474a31f-37e2-5a2b-d8c1-acb3809c24d5 tf_rpc=ConfigureProvider timestamp="2025-11-03T09:06:14.923+0200"
2025-11-03T09:06:14.925+0200 [DEBUG] State storage *remote.State declined to persist a state snapshot
2025-11-03T09:06:14.926+0200 [ERROR] vertex "module.lakebase_database_instance.module.lakebase_permissions.databricks_permissions.lakebase_permissions" error: Provider produced inconsistent result after apply

[alexott]

Can you show the plan? and share the full debug log - to see the PUT request with permissions.

In your case, the resource was removed because there are only the inherited permissions.

[ieva1011]

Hi, added plan and missing debug log. Thanks!
Lakebase_debugPUT.txt
lakebase_tfplan.txt

[alexott]

Hmmm, looks like the backend problem - we submit 3 permissions, but get back only 1 + inherited. I'll ping Lakebase team regarding it.

[alexott]

Are all principals (groups, users, ...) already assigned to the workspace? If no, can you add them to the workspace? If yes, can you file a support ticket and notify your account team?

[ieva1011]

Yes, they all are assigned for a long time.

[alexott]

Ok, then we need a support ticket as it's a backend problem

[ieva1011]

Sorry :) just wanted to clarify, what kind of support ticket we need?

[alexott]

Azure support ticket if you're on azure, or Databricks support ticket on other clouds. Or contact your account team, so they can create a ticket inside Databricks.

[ieva1011]

Thanks! Will proceed with ticket.

[ieva1011]

Submitted ticket to Azure,
Support request number:2511060050000174