Merge branch 'main' into feature/logout

.codegen.json

@@ -11,6 +11,7 @@
     "toolchain": {
         "required": ["go"],
         "post_generate": [
+            "go test -timeout 240s -run TestConsistentDatabricksSdkVersion github.com/databricks/cli/internal/build",
             "go run ./bundle/internal/schema/*.go ./bundle/schema/jsonschema.json",
             "echo 'bundle/internal/tf/schema/\\*.go linguist-generated=true' >> ./.gitattributes",
             "echo 'go.sum linguist-generated=true' >> ./.gitattributes",

.codegen/_openapi_sha

@@ -1 +1 @@
-6f6b1371e640f2dfeba72d365ac566368656f6b6
+0c86ea6dbd9a730c24ff0d4e509603e476955ac5

.codegen/service.go.tmpl

@@ -5,6 +5,7 @@ package {{(.TrimPrefix "account").SnakeName}}
 import (
     "github.com/databricks/cli/libs/cmdio"
     "github.com/databricks/cli/libs/flags"
+	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/cmd/root"
 	"github.com/databricks/databricks-sdk-go/service/{{.Package.Name}}"
 	"github.com/spf13/cobra"
@@ -231,10 +232,16 @@ func new{{.PascalName}}() *cobra.Command {
 		{{- if .Request }}
 			{{ if .CanUseJson }}
 			if cmd.Flags().Changed("json") {
-					err = {{.CamelName}}Json.Unmarshal(&{{.CamelName}}Req)
+					diags := {{.CamelName}}Json.Unmarshal(&{{.CamelName}}Req)
+					if diags.HasError() {
+						return diags.Error()
+					}
+					if len(diags) > 0 {
+						err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 						if err != nil {
 							return err
 						}
+					}
 			}{{end}}{{ if .MustUseJson }}else {
 				return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 			}{{- end}}

CHANGELOG.md

@@ -1,5 +1,33 @@
 # Version changelog
 
+## [Release] Release v0.230.0
+
+Notable changes for Databricks Asset Bundles:
+
+Workspace paths are automatically prefixed with `/Workspace`. In addition, all usage of path strings such as `/Workspace/${workspace.root_path}/...` in bundle configuration is automatically replaced with `${workspace.root_path}/...` and generates a warning as part of bundle validate.
+
+More details can be found here: https://docs.databricks.com/en/release-notes/dev-tools/bundles.html#workspace-paths
+
+Bundles:
+ * Add an error if state files grow bigger than the export limit ([#1795](https://github.com/databricks/cli/pull/1795)).
+ * Always prepend bundle remote paths with /Workspace ([#1724](https://github.com/databricks/cli/pull/1724)).
+ * Add resource path field to bundle workspace configuration ([#1800](https://github.com/databricks/cli/pull/1800)).
+ * Add validation for files with a `.(resource-name).yml` extension ([#1780](https://github.com/databricks/cli/pull/1780)).
+
+Internal:
+ * Remove deprecated or readonly fields from the bundle schema ([#1809](https://github.com/databricks/cli/pull/1809)).
+
+API Changes:
+ * Changed `databricks git-credentials create`, `databricks git-credentials delete`, `databricks git-credentials get`, `databricks git-credentials list`, `databricks git-credentials update` commands .
+ * Changed `databricks repos create`, `databricks repos delete`, `databricks repos get`, `databricks repos update`  command .
+
+OpenAPI commit 0c86ea6dbd9a730c24ff0d4e509603e476955ac5 (2024-10-02)
+Dependency updates:
+ * Upgrade TF provider to 1.53.0 ([#1815](https://github.com/databricks/cli/pull/1815)).
+ * Bump golang.org/x/term from 0.24.0 to 0.25.0 ([#1811](https://github.com/databricks/cli/pull/1811)).
+ * Bump golang.org/x/text from 0.18.0 to 0.19.0 ([#1812](https://github.com/databricks/cli/pull/1812)).
+ * Bump github.com/databricks/databricks-sdk-go from 0.47.0 to 0.48.0 ([#1810](https://github.com/databricks/cli/pull/1810)).
+
 ## [Release] Release v0.229.0
 
 Bundles:

bundle/config/loader/entry_point_test.go

@@ -18,7 +18,7 @@ func TestEntryPointNoRootPath(t *testing.T) {
 
 func TestEntryPoint(t *testing.T) {
 	b := &bundle.Bundle{
-		BundleRootPath: "testdata",
+		BundleRootPath: "testdata/basic",
 	}
 	diags := bundle.Apply(context.Background(), b, loader.EntryPoint())
 	require.NoError(t, diags.Error())

bundle/config/loader/process_include.go

@@ -3,12 +3,135 @@ package loader
 import (
 	"context"
 	"fmt"
+	"slices"
+	"sort"
+	"strings"
 
 	"github.com/databricks/cli/bundle"
 	"github.com/databricks/cli/bundle/config"
 	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/dyn"
 )
 
+func validateFileFormat(configRoot dyn.Value, filePath string) diag.Diagnostics {
+	for _, resourceDescription := range config.SupportedResources() {
+		singularName := resourceDescription.SingularName
+
+		for _, yamlExt := range []string{"yml", "yaml"} {
+			ext := fmt.Sprintf(".%s.%s", singularName, yamlExt)
+			if strings.HasSuffix(filePath, ext) {
+				return validateSingleResourceDefined(configRoot, ext, singularName)
+			}
+		}
+	}
+
+	return nil
+}
+
+func validateSingleResourceDefined(configRoot dyn.Value, ext, typ string) diag.Diagnostics {
+	type resource struct {
+		path  dyn.Path
+		value dyn.Value
+		typ   string
+		key   string
+	}
+
+	resources := []resource{}
+	supportedResources := config.SupportedResources()
+
+	// Gather all resources defined in the resources block.
+	_, err := dyn.MapByPattern(
+		configRoot,
+		dyn.NewPattern(dyn.Key("resources"), dyn.AnyKey(), dyn.AnyKey()),
+		func(p dyn.Path, v dyn.Value) (dyn.Value, error) {
+			// The key for the resource, e.g. "my_job" for jobs.my_job.
+			k := p[2].Key()
+			// The type of the resource, e.g. "job" for jobs.my_job.
+			typ := supportedResources[p[1].Key()].SingularName
+
+			resources = append(resources, resource{path: p, value: v, typ: typ, key: k})
+			return v, nil
+		})
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	// Gather all resources defined in a target block.
+	_, err = dyn.MapByPattern(
+		configRoot,
+		dyn.NewPattern(dyn.Key("targets"), dyn.AnyKey(), dyn.Key("resources"), dyn.AnyKey(), dyn.AnyKey()),
+		func(p dyn.Path, v dyn.Value) (dyn.Value, error) {
+			// The key for the resource, e.g. "my_job" for jobs.my_job.
+			k := p[4].Key()
+			// The type of the resource, e.g. "job" for jobs.my_job.
+			typ := supportedResources[p[3].Key()].SingularName
+
+			resources = append(resources, resource{path: p, value: v, typ: typ, key: k})
+			return v, nil
+		})
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	typeMatch := true
+	seenKeys := map[string]struct{}{}
+	for _, rr := range resources {
+		// case: The resource is not of the correct type.
+		if rr.typ != typ {
+			typeMatch = false
+			break
+		}
+
+		seenKeys[rr.key] = struct{}{}
+	}
+
+	// Format matches. There's at most one resource defined in the file.
+	// The resource is also of the correct type.
+	if typeMatch && len(seenKeys) <= 1 {
+		return nil
+	}
+
+	detail := strings.Builder{}
+	detail.WriteString("The following resources are defined or configured in this file:\n")
+	lines := []string{}
+	for _, r := range resources {
+		lines = append(lines, fmt.Sprintf("  - %s (%s)\n", r.key, r.typ))
+	}
+	// Sort the lines to print to make the output deterministic.
+	sort.Strings(lines)
+	// Compact the lines before writing them to the message to remove any duplicate lines.
+	// This is needed because we do not dedup earlier when gathering the resources
+	// and it's valid to define the same resource in both the resources and targets block.
+	lines = slices.Compact(lines)
+	for _, l := range lines {
+		detail.WriteString(l)
+	}
+
+	locations := []dyn.Location{}
+	paths := []dyn.Path{}
+	for _, rr := range resources {
+		locations = append(locations, rr.value.Locations()...)
+		paths = append(paths, rr.path)
+	}
+	// Sort the locations and paths to make the output deterministic.
+	sort.Slice(locations, func(i, j int) bool {
+		return locations[i].String() < locations[j].String()
+	})
+	sort.Slice(paths, func(i, j int) bool {
+		return paths[i].String() < paths[j].String()
+	})
+
+	return diag.Diagnostics{
+		{
+			Severity:  diag.Recommendation,
+			Summary:   fmt.Sprintf("define a single %s in a file with the %s extension.", strings.ReplaceAll(typ, "_", " "), ext),
+			Detail:    detail.String(),
+			Locations: locations,
+			Paths:     paths,
+		},
+	}
+}
+
 type processInclude struct {
 	fullPath string
 	relPath  string
@@ -31,6 +154,13 @@ func (m *processInclude) Apply(_ context.Context, b *bundle.Bundle) diag.Diagnos
 	if diags.HasError() {
 		return diags
 	}
+
+	// Add any diagnostics associated with the file format.
+	diags = append(diags, validateFileFormat(this.Value(), m.relPath)...)
+	if diags.HasError() {
+		return diags
+	}
+
 	err := b.Config.Merge(this)
 	if err != nil {
 		diags = diags.Extend(diag.FromErr(err))

bundle/config/loader/process_include_test.go

@@ -8,13 +8,15 @@ import (
 	"github.com/databricks/cli/bundle"
 	"github.com/databricks/cli/bundle/config"
 	"github.com/databricks/cli/bundle/config/loader"
+	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/dyn"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
 func TestProcessInclude(t *testing.T) {
 	b := &bundle.Bundle{
-		BundleRootPath: "testdata",
+		BundleRootPath: "testdata/basic",
 		Config: config.Root{
 			Workspace: config.Workspace{
 				Host: "foo",
@@ -33,3 +35,184 @@ func TestProcessInclude(t *testing.T) {
 	require.NoError(t, diags.Error())
 	assert.Equal(t, "bar", b.Config.Workspace.Host)
 }
+
+func TestProcessIncludeFormatMatch(t *testing.T) {
+	for _, fileName := range []string{
+		"one_job.job.yml",
+		"one_pipeline.pipeline.yaml",
+		"two_job.yml",
+		"job_and_pipeline.yml",
+		"multiple_resources.yml",
+	} {
+		t.Run(fileName, func(t *testing.T) {
+			b := &bundle.Bundle{
+				BundleRootPath: "testdata/format_match",
+				Config: config.Root{
+					Bundle: config.Bundle{
+						Name: "format_test",
+					},
+				},
+			}
+
+			m := loader.ProcessInclude(filepath.Join(b.BundleRootPath, fileName), fileName)
+			diags := bundle.Apply(context.Background(), b, m)
+			assert.Empty(t, diags)
+		})
+	}
+}
+
+func TestProcessIncludeFormatNotMatch(t *testing.T) {
+	for fileName, expectedDiags := range map[string]diag.Diagnostics{
+		"single_job.pipeline.yaml": {
+			{
+				Severity: diag.Recommendation,
+				Summary:  "define a single pipeline in a file with the .pipeline.yaml extension.",
+				Detail:   "The following resources are defined or configured in this file:\n  - job1 (job)\n",
+				Locations: []dyn.Location{
+					{File: filepath.FromSlash("testdata/format_not_match/single_job.pipeline.yaml"), Line: 11, Column: 11},
+					{File: filepath.FromSlash("testdata/format_not_match/single_job.pipeline.yaml"), Line: 4, Column: 7},
+				},
+				Paths: []dyn.Path{
+					dyn.MustPathFromString("resources.jobs.job1"),
+					dyn.MustPathFromString("targets.target1.resources.jobs.job1"),
+				},
+			},
+		},
+		"job_and_pipeline.job.yml": {
+			{
+				Severity: diag.Recommendation,
+				Summary:  "define a single job in a file with the .job.yml extension.",
+				Detail:   "The following resources are defined or configured in this file:\n  - job1 (job)\n  - pipeline1 (pipeline)\n",
+				Locations: []dyn.Location{
+					{File: filepath.FromSlash("testdata/format_not_match/job_and_pipeline.job.yml"), Line: 11, Column: 11},
+					{File: filepath.FromSlash("testdata/format_not_match/job_and_pipeline.job.yml"), Line: 4, Column: 7},
+				},
+				Paths: []dyn.Path{
+					dyn.MustPathFromString("resources.pipelines.pipeline1"),
+					dyn.MustPathFromString("targets.target1.resources.jobs.job1"),
+				},
+			},
+		},
+		"job_and_pipeline.experiment.yml": {
+			{
+				Severity: diag.Recommendation,
+				Summary:  "define a single experiment in a file with the .experiment.yml extension.",
+				Detail:   "The following resources are defined or configured in this file:\n  - job1 (job)\n  - pipeline1 (pipeline)\n",
+				Locations: []dyn.Location{
+					{File: filepath.FromSlash("testdata/format_not_match/job_and_pipeline.experiment.yml"), Line: 11, Column: 11},
+					{File: filepath.FromSlash("testdata/format_not_match/job_and_pipeline.experiment.yml"), Line: 4, Column: 7},
+				},
+				Paths: []dyn.Path{
+					dyn.MustPathFromString("resources.pipelines.pipeline1"),
+					dyn.MustPathFromString("targets.target1.resources.jobs.job1"),
+				},
+			},
+		},
+		"two_jobs.job.yml": {
+			{
+				Severity: diag.Recommendation,
+				Summary:  "define a single job in a file with the .job.yml extension.",
+				Detail:   "The following resources are defined or configured in this file:\n  - job1 (job)\n  - job2 (job)\n",
+				Locations: []dyn.Location{
+					{File: filepath.FromSlash("testdata/format_not_match/two_jobs.job.yml"), Line: 4, Column: 7},
+					{File: filepath.FromSlash("testdata/format_not_match/two_jobs.job.yml"), Line: 7, Column: 7},
+				},
+				Paths: []dyn.Path{
+					dyn.MustPathFromString("resources.jobs.job1"),
+					dyn.MustPathFromString("resources.jobs.job2"),
+				},
+			},
+		},
+		"second_job_in_target.job.yml": {
+			{
+				Severity: diag.Recommendation,
+				Summary:  "define a single job in a file with the .job.yml extension.",
+				Detail:   "The following resources are defined or configured in this file:\n  - job1 (job)\n  - job2 (job)\n",
+				Locations: []dyn.Location{
+					{File: filepath.FromSlash("testdata/format_not_match/second_job_in_target.job.yml"), Line: 11, Column: 11},
+					{File: filepath.FromSlash("testdata/format_not_match/second_job_in_target.job.yml"), Line: 4, Column: 7},
+				},
+				Paths: []dyn.Path{
+					dyn.MustPathFromString("resources.jobs.job1"),
+					dyn.MustPathFromString("targets.target1.resources.jobs.job2"),
+				},
+			},
+		},
+		"two_jobs_in_target.job.yml": {
+			{
+				Severity: diag.Recommendation,
+				Summary:  "define a single job in a file with the .job.yml extension.",
+				Detail:   "The following resources are defined or configured in this file:\n  - job1 (job)\n  - job2 (job)\n",
+				Locations: []dyn.Location{
+					{File: filepath.FromSlash("testdata/format_not_match/two_jobs_in_target.job.yml"), Line: 6, Column: 11},
+					{File: filepath.FromSlash("testdata/format_not_match/two_jobs_in_target.job.yml"), Line: 8, Column: 11},
+				},
+				Paths: []dyn.Path{
+					dyn.MustPathFromString("targets.target1.resources.jobs.job1"),
+					dyn.MustPathFromString("targets.target1.resources.jobs.job2"),
+				},
+			},
+		},
+		"multiple_resources.model_serving_endpoint.yml": {
+			{
+				Severity: diag.Recommendation,
+				Summary:  "define a single model serving endpoint in a file with the .model_serving_endpoint.yml extension.",
+				Detail: `The following resources are defined or configured in this file:
+  - experiment1 (experiment)
+  - job1 (job)
+  - job2 (job)
+  - job3 (job)
+  - model1 (model)
+  - model_serving_endpoint1 (model_serving_endpoint)
+  - pipeline1 (pipeline)
+  - pipeline2 (pipeline)
+  - quality_monitor1 (quality_monitor)
+  - registered_model1 (registered_model)
+  - schema1 (schema)
+`,
+				Locations: []dyn.Location{
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 12, Column: 7},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 14, Column: 7},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 18, Column: 7},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 22, Column: 7},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 24, Column: 7},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 28, Column: 7},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 35, Column: 11},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 39, Column: 11},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 43, Column: 11},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 4, Column: 7},
+					{File: filepath.FromSlash("testdata/format_not_match/multiple_resources.model_serving_endpoint.yml"), Line: 8, Column: 7},
+				},
+				Paths: []dyn.Path{
+					dyn.MustPathFromString("resources.experiments.experiment1"),
+					dyn.MustPathFromString("resources.jobs.job1"),
+					dyn.MustPathFromString("resources.jobs.job2"),
+					dyn.MustPathFromString("resources.model_serving_endpoints.model_serving_endpoint1"),
+					dyn.MustPathFromString("resources.models.model1"),
+					dyn.MustPathFromString("resources.pipelines.pipeline1"),
+					dyn.MustPathFromString("resources.pipelines.pipeline2"),
+					dyn.MustPathFromString("resources.schemas.schema1"),
+					dyn.MustPathFromString("targets.target1.resources.jobs.job3"),
+					dyn.MustPathFromString("targets.target1.resources.quality_monitors.quality_monitor1"),
+					dyn.MustPathFromString("targets.target1.resources.registered_models.registered_model1"),
+				},
+			},
+		},
+	} {
+		t.Run(fileName, func(t *testing.T) {
+			b := &bundle.Bundle{
+				BundleRootPath: "testdata/format_not_match",
+				Config: config.Root{
+					Bundle: config.Bundle{
+						Name: "format_test",
+					},
+				},
+			}
+
+			m := loader.ProcessInclude(filepath.Join(b.BundleRootPath, fileName), fileName)
+			diags := bundle.Apply(context.Background(), b, m)
+			require.Len(t, diags, 1)
+			assert.Equal(t, expectedDiags, diags)
+		})
+	}
+}

bundle/config/loader/testdata/format_match/job_and_pipeline.yml

@@ -0,0 +1,11 @@
+resources:
+  pipelines:
+    pipeline1:
+      name: pipeline1
+
+targets:
+  target1:
+    resources:
+      jobs:
+        job1:
+          name: job1

bundle/config/loader/testdata/format_match/multiple_resources.yml

@@ -0,0 +1,43 @@
+resources:
+  experiments:
+    experiment1:
+      name: experiment1
+
+  model_serving_endpoints:
+    model_serving_endpoint1:
+      name: model_serving_endpoint1
+
+  jobs:
+    job1:
+      name: job1
+    job2:
+      name: job2
+
+  models:
+    model1:
+      name: model1
+
+  pipelines:
+    pipeline1:
+      name: pipeline1
+    pipeline2:
+      name: pipeline2
+
+  schemas:
+    schema1:
+      name: schema1
+
+targets:
+  target1:
+    resources:
+      quality_monitors:
+        quality_monitor1:
+          baseline_table_name: quality_monitor1
+
+      jobs:
+        job3:
+          name: job3
+
+      registered_models:
+        registered_model1:
+          name: registered_model1

bundle/config/loader/testdata/format_match/one_job.job.yml

@@ -0,0 +1,11 @@
+resources:
+  jobs:
+    job1:
+      name: job1
+
+targets:
+  target1:
+    resources:
+      jobs:
+        job1:
+          description: job1

bundle/config/loader/testdata/format_match/one_pipeline.pipeline.yaml

@@ -0,0 +1,4 @@
+resources:
+  pipelines:
+    pipeline1:
+      name: pipeline1

bundle/config/loader/testdata/format_match/two_job.yml

@@ -0,0 +1,7 @@
+resources:
+  jobs:
+    job1:
+      name: job1
+
+    job2:
+      name: job2

bundle/config/loader/testdata/format_not_match/job_and_pipeline.experiment.yml

@@ -0,0 +1,11 @@
+resources:
+  pipelines:
+    pipeline1:
+      name: pipeline1
+
+targets:
+  target1:
+    resources:
+      jobs:
+        job1:
+          name: job1

bundle/config/loader/testdata/format_not_match/job_and_pipeline.job.yml

@@ -0,0 +1,11 @@
+resources:
+  pipelines:
+    pipeline1:
+      name: pipeline1
+
+targets:
+  target1:
+    resources:
+      jobs:
+        job1:
+          name: job1

bundle/config/loader/testdata/format_not_match/multiple_resources.model_serving_endpoint.yml

@@ -0,0 +1,43 @@
+resources:
+  experiments:
+    experiment1:
+      name: experiment1
+
+  model_serving_endpoints:
+    model_serving_endpoint1:
+      name: model_serving_endpoint1
+
+  jobs:
+    job1:
+      name: job1
+    job2:
+      name: job2
+
+  models:
+    model1:
+      name: model1
+
+  pipelines:
+    pipeline1:
+      name: pipeline1
+    pipeline2:
+      name: pipeline2
+
+  schemas:
+    schema1:
+      name: schema1
+
+targets:
+  target1:
+    resources:
+      quality_monitors:
+        quality_monitor1:
+          baseline_table_name: quality_monitor1
+
+      jobs:
+        job3:
+          name: job3
+
+      registered_models:
+        registered_model1:
+          name: registered_model1

bundle/config/loader/testdata/format_not_match/second_job_in_target.job.yml

@@ -0,0 +1,11 @@
+resources:
+  jobs:
+    job1:
+      name: job1
+
+targets:
+  target1:
+    resources:
+      jobs:
+        job2:
+          name: job2

bundle/config/loader/testdata/format_not_match/single_job.pipeline.yaml

@@ -0,0 +1,11 @@
+resources:
+  jobs:
+    job1:
+      name: job1
+
+targets:
+  target1:
+    resources:
+      jobs:
+        job1:
+          description: job1

bundle/config/loader/testdata/format_not_match/two_jobs.job.yml

@@ -0,0 +1,7 @@
+resources:
+  jobs:
+    job1:
+      name: job1
+
+    job2:
+      name: job2

bundle/config/loader/testdata/format_not_match/two_jobs_in_target.job.yml

@@ -0,0 +1,8 @@
+targets:
+  target1:
+    resources:
+      jobs:
+        job1:
+          description: job1
+        job2:
+          description: job2

bundle/config/mutator/populate_current_user.go

@@ -5,8 +5,8 @@ import (
 
 	"github.com/databricks/cli/bundle"
 	"github.com/databricks/cli/bundle/config"
-	"github.com/databricks/cli/libs/auth"
 	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/iamutil"
 	"github.com/databricks/cli/libs/tags"
 )
 
@@ -33,7 +33,7 @@ func (m *populateCurrentUser) Apply(ctx context.Context, b *bundle.Bundle) diag.
 	}
 
 	b.Config.Workspace.CurrentUser = &config.User{
-		ShortName: auth.GetShortUserName(me),
+		ShortName: iamutil.GetShortUserName(me),
 		User:      me,
 	}
 

bundle/config/mutator/process_target_mode.go

@@ -6,9 +6,9 @@ import (
 
 	"github.com/databricks/cli/bundle"
 	"github.com/databricks/cli/bundle/config"
-	"github.com/databricks/cli/libs/auth"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/libs/dyn"
+	"github.com/databricks/cli/libs/iamutil"
 	"github.com/databricks/cli/libs/log"
 )
 
@@ -174,7 +174,7 @@ func (m *processTargetMode) Apply(ctx context.Context, b *bundle.Bundle) diag.Di
 		transformDevelopmentMode(ctx, b)
 		return diags
 	case config.Production:
-		isPrincipal := auth.IsServicePrincipal(b.Config.Workspace.CurrentUser.UserName)
+		isPrincipal := iamutil.IsServicePrincipal(b.Config.Workspace.CurrentUser.User)
 		return validateProductionMode(ctx, b, isPrincipal)
 	case "":
 		// No action

bundle/config/mutator/run_as.go

@@ -30,50 +30,44 @@ func (m *setRunAs) Name() string {
 	return "SetRunAs"
 }
 
-type errUnsupportedResourceTypeForRunAs struct {
+func reportRunAsNotSupported(resourceType string, location dyn.Location, currentUser string, runAsUser string) diag.Diagnostics {
-	resourceType     string
+	return diag.Diagnostics{{
-	resourceLocation dyn.Location
+		Summary: fmt.Sprintf("%s do not support a setting a run_as user that is different from the owner.\n"+
-	currentUser      string
+			"Current identity: %s. Run as identity: %s.\n"+
-	runAsUser        string
+			"See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property.", resourceType, currentUser, runAsUser),
+		Locations: []dyn.Location{location},
+		Severity:  diag.Error,
+	}}
 }
 
-func (e errUnsupportedResourceTypeForRunAs) Error() string {
+func validateRunAs(b *bundle.Bundle) diag.Diagnostics {
-	return fmt.Sprintf("%s are not supported when the current deployment user is different from the bundle's run_as identity. Please deploy as the run_as identity. Please refer to the documentation at https://docs.databricks.com/dev-tools/bundles/run-as.html for more details. Location of the unsupported resource: %s. Current identity: %s. Run as identity: %s", e.resourceType, e.resourceLocation, e.currentUser, e.runAsUser)
+	diags := diag.Diagnostics{}
-}
 
-type errBothSpAndUserSpecified struct {
+	neitherSpecifiedErr := diag.Diagnostics{{
-	spName   string
+		Summary:   "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
-	spLoc    dyn.Location
+		Locations: []dyn.Location{b.Config.GetLocation("run_as")},
-	userName string
+		Severity:  diag.Error,
-	userLoc  dyn.Location
+	}}
-}
 
-func (e errBothSpAndUserSpecified) Error() string {
+	// Fail fast if neither service_principal_name nor user_name are specified, but the
-	return fmt.Sprintf("run_as section must specify exactly one identity. A service_principal_name %q is specified at %s. A user_name %q is defined at %s", e.spName, e.spLoc, e.userName, e.userLoc)
-}
-
-func validateRunAs(b *bundle.Bundle) error {
-	neitherSpecifiedErr := fmt.Errorf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s", b.Config.GetLocation("run_as"))
-	// Error if neither service_principal_name nor user_name are specified, but the
 	// run_as section is present.
 	if b.Config.Value().Get("run_as").Kind() == dyn.KindNil {
 		return neitherSpecifiedErr
 	}
-	// Error if one or both of service_principal_name and user_name are specified,
+
+	// Fail fast if one or both of service_principal_name and user_name are specified,
 	// but with empty values.
-	if b.Config.RunAs.ServicePrincipalName == "" && b.Config.RunAs.UserName == "" {
+	runAs := b.Config.RunAs
+	if runAs.ServicePrincipalName == "" && runAs.UserName == "" {
 		return neitherSpecifiedErr
 	}
 
-	// Error if both service_principal_name and user_name are specified
-	runAs := b.Config.RunAs
 	if runAs.UserName != "" && runAs.ServicePrincipalName != "" {
-		return errBothSpAndUserSpecified{
+		diags = diags.Extend(diag.Diagnostics{{
-			spName:   runAs.ServicePrincipalName,
+			Summary:   "run_as section cannot specify both user_name and service_principal_name",
-			userName: runAs.UserName,
+			Locations: []dyn.Location{b.Config.GetLocation("run_as")},
-			spLoc:    b.Config.GetLocation("run_as.service_principal_name"),
+			Severity:  diag.Error,
-			userLoc:  b.Config.GetLocation("run_as.user_name"),
+		}})
-		}
 	}
 
 	identity := runAs.ServicePrincipalName
@@ -83,40 +77,40 @@ func validateRunAs(b *bundle.Bundle) error {
 
 	// All resources are supported if the run_as identity is the same as the current deployment identity.
 	if identity == b.Config.Workspace.CurrentUser.UserName {
-		return nil
+		return diags
 	}
 
 	// DLT pipelines do not support run_as in the API.
 	if len(b.Config.Resources.Pipelines) > 0 {
-		return errUnsupportedResourceTypeForRunAs{
+		diags = diags.Extend(reportRunAsNotSupported(
-			resourceType:     "pipelines",
+			"pipelines",
-			resourceLocation: b.Config.GetLocation("resources.pipelines"),
+			b.Config.GetLocation("resources.pipelines"),
-			currentUser:      b.Config.Workspace.CurrentUser.UserName,
+			b.Config.Workspace.CurrentUser.UserName,
-			runAsUser:        identity,
+			identity,
-		}
+		))
 	}
 
 	// Model serving endpoints do not support run_as in the API.
 	if len(b.Config.Resources.ModelServingEndpoints) > 0 {
-		return errUnsupportedResourceTypeForRunAs{
+		diags = diags.Extend(reportRunAsNotSupported(
-			resourceType:     "model_serving_endpoints",
+			"model_serving_endpoints",
-			resourceLocation: b.Config.GetLocation("resources.model_serving_endpoints"),
+			b.Config.GetLocation("resources.model_serving_endpoints"),
-			currentUser:      b.Config.Workspace.CurrentUser.UserName,
+			b.Config.Workspace.CurrentUser.UserName,
-			runAsUser:        identity,
+			identity,
-		}
+		))
 	}
 
 	// Monitors do not support run_as in the API.
 	if len(b.Config.Resources.QualityMonitors) > 0 {
-		return errUnsupportedResourceTypeForRunAs{
+		diags = diags.Extend(reportRunAsNotSupported(
-			resourceType:     "quality_monitors",
+			"quality_monitors",
-			resourceLocation: b.Config.GetLocation("resources.quality_monitors"),
+			b.Config.GetLocation("resources.quality_monitors"),
-			currentUser:      b.Config.Workspace.CurrentUser.UserName,
+			b.Config.Workspace.CurrentUser.UserName,
-			runAsUser:        identity,
+			identity,
-		}
+		))
 	}
 
-	return nil
+	return diags
 }
 
 func setRunAsForJobs(b *bundle.Bundle) {
@@ -187,8 +181,9 @@ func (m *setRunAs) Apply(_ context.Context, b *bundle.Bundle) diag.Diagnostics {
 	}
 
 	// Assert the run_as configuration is valid in the context of the bundle
-	if err := validateRunAs(b); err != nil {
+	diags := validateRunAs(b)
-		return diag.FromErr(err)
+	if diags.HasError() {
+		return diags
 	}
 
 	setRunAsForJobs(b)

bundle/config/mutator/run_as_test.go

@@ -188,11 +188,8 @@ func TestRunAsErrorForUnsupportedResources(t *testing.T) {
 			Config: *r,
 		}
 		diags := bundle.Apply(context.Background(), b, SetRunAs())
-		assert.Equal(t, diags.Error().Error(), errUnsupportedResourceTypeForRunAs{
+		assert.Contains(t, diags.Error().Error(), "do not support a setting a run_as user that is different from the owner.\n"+
-			resourceType:     rt,
+			"Current identity: alice. Run as identity: bob.\n"+
-			resourceLocation: dyn.Location{},
+			"See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property.", rt)
-			currentUser:      "alice",
-			runAsUser:        "bob",
-		}.Error(), "expected run_as with a different identity than the current deployment user to not supported for resources of type: %s", rt)
 	}
 }

bundle/config/resources.go

@@ -59,3 +59,22 @@ func (r *Resources) FindResourceByConfigKey(key string) (ConfigResource, error)
 
 	return found[0], nil
 }
+
+type ResourceDescription struct {
+	SingularName string
+}
+
+// The keys of the map corresponds to the resource key in the bundle configuration.
+func SupportedResources() map[string]ResourceDescription {
+	return map[string]ResourceDescription{
+		"jobs":                    {SingularName: "job"},
+		"pipelines":               {SingularName: "pipeline"},
+		"models":                  {SingularName: "model"},
+		"experiments":             {SingularName: "experiment"},
+		"model_serving_endpoints": {SingularName: "model_serving_endpoint"},
+		"registered_models":       {SingularName: "registered_model"},
+		"quality_monitors":        {SingularName: "quality_monitor"},
+		"schemas":                 {SingularName: "schema"},
+		"clusters":                {SingularName: "cluster"},
+	}
+}

bundle/config/resources_test.go

@@ -3,6 +3,7 @@ package config
 import (
 	"encoding/json"
 	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -61,3 +62,18 @@ func TestCustomMarshallerIsImplemented(t *testing.T) {
 		}, "Resource %s does not have a custom unmarshaller", field.Name)
 	}
 }
+
+func TestSupportedResources(t *testing.T) {
+	expected := map[string]ResourceDescription{}
+	typ := reflect.TypeOf(Resources{})
+	for i := 0; i < typ.NumField(); i++ {
+		field := typ.Field(i)
+		jsonTags := strings.Split(field.Tag.Get("json"), ",")
+		singularName := strings.TrimSuffix(jsonTags[0], "s")
+		expected[jsonTags[0]] = ResourceDescription{SingularName: singularName}
+	}
+
+	// Please add your resource to the SupportedResources() function in resources.go
+	// if you are adding a new resource.
+	assert.Equal(t, expected, SupportedResources())
+}

bundle/deploy/files/upload.go

@@ -2,9 +2,12 @@ package files
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"io/fs"
 
 	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/permissions"
 	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/libs/log"
@@ -35,6 +38,9 @@ func (m *upload) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
 
 	b.Files, err = sync.RunOnce(ctx)
 	if err != nil {
+		if errors.Is(err, fs.ErrPermission) {
+			return permissions.ReportPossiblePermissionDenied(ctx, b, b.Config.Workspace.FilePath)
+		}
 		return diag.FromErr(err)
 	}
 

bundle/deploy/lock/acquire.go

@@ -3,8 +3,10 @@ package lock
 import (
 	"context"
 	"errors"
+	"io/fs"
 
 	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/permissions"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/libs/filer"
 	"github.com/databricks/cli/libs/locker"
@@ -51,12 +53,17 @@ func (m *acquire) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics
 	if err != nil {
 		log.Errorf(ctx, "Failed to acquire deployment lock: %v", err)
 
+		if errors.Is(err, fs.ErrPermission) {
+			return permissions.ReportPossiblePermissionDenied(ctx, b, b.Config.Workspace.StatePath)
+		}
+
 		notExistsError := filer.NoSuchDirectoryError{}
 		if errors.As(err, &notExistsError) {
 			// If we get a "doesn't exist" error from the API this indicates
 			// we either don't have permissions or the path is invalid.
-			return diag.Errorf("cannot write to deployment root (this can indicate a previous deploy was done with a different identity): %s", b.Config.Workspace.RootPath)
+			return permissions.ReportPossiblePermissionDenied(ctx, b, b.Config.Workspace.StatePath)
 		}
+
 		return diag.FromErr(err)
 	}
 

bundle/deploy/terraform/apply.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/permissions"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/libs/log"
 	"github.com/hashicorp/terraform-exec/tfexec"
@@ -34,6 +35,10 @@ func (w *apply) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
 	// Apply terraform according to the computed plan
 	err := tf.Apply(ctx, tfexec.DirOrPlan(b.Plan.Path))
 	if err != nil {
+		diags := permissions.TryExtendTerraformPermissionError(ctx, b, err)
+		if diags != nil {
+			return diags
+		}
 		return diag.Errorf("terraform apply: %v", err)
 	}
 

bundle/deploy/terraform/tfdyn/convert_cluster.go

@@ -40,7 +40,7 @@ func (clusterConverter) Convert(ctx context.Context, key string, vin dyn.Value,
 
 	// Configure permissions for this resource.
 	if permissions := convertPermissionsResource(ctx, vin); permissions != nil {
-		permissions.JobId = fmt.Sprintf("${databricks_cluster.%s.id}", key)
+		permissions.ClusterId = fmt.Sprintf("${databricks_cluster.%s.id}", key)
 		out.Permissions["cluster_"+key] = permissions
 	}
 

bundle/deploy/terraform/tfdyn/convert_cluster_test.go

@@ -81,7 +81,7 @@ func TestConvertCluster(t *testing.T) {
 
 	// Assert equality on the permissions
 	assert.Equal(t, &schema.ResourcePermissions{
-		JobId: "${databricks_cluster.my_cluster.id}",
+		ClusterId: "${databricks_cluster.my_cluster.id}",
 		AccessControl: []schema.ResourcePermissionsAccessControl{
 			{
 				PermissionLevel: "CAN_RUN",

bundle/internal/schema/main.go

@@ -8,8 +8,10 @@ import (
 	"reflect"
 
 	"github.com/databricks/cli/bundle/config"
+	"github.com/databricks/cli/bundle/config/resources"
 	"github.com/databricks/cli/bundle/config/variable"
 	"github.com/databricks/cli/libs/jsonschema"
+	"github.com/databricks/databricks-sdk-go/service/jobs"
 )
 
 func interpolationPattern(s string) string {
@@ -66,6 +68,31 @@ func addInterpolationPatterns(typ reflect.Type, s jsonschema.Schema) jsonschema.
 	}
 }
 
+func removeJobsFields(typ reflect.Type, s jsonschema.Schema) jsonschema.Schema {
+	switch typ {
+	case reflect.TypeOf(resources.Job{}):
+		// This field has been deprecated in jobs API v2.1 and is always set to
+		// "MULTI_TASK" in the backend. We should not expose it to the user.
+		delete(s.Properties, "format")
+
+		// These fields are only meant to be set by the DABs client (ie the CLI)
+		// and thus should not be exposed to the user. These are used to annotate
+		// jobs that were created by DABs.
+		delete(s.Properties, "deployment")
+		delete(s.Properties, "edit_mode")
+
+	case reflect.TypeOf(jobs.GitSource{}):
+		// These fields are readonly and are not meant to be set by the user.
+		delete(s.Properties, "job_source")
+		delete(s.Properties, "git_snapshot")
+
+	default:
+		// Do nothing
+	}
+
+	return s
+}
+
 func main() {
 	if len(os.Args) != 2 {
 		fmt.Println("Usage: go run main.go <output-file>")
@@ -90,6 +117,7 @@ func main() {
 	s, err := jsonschema.FromType(reflect.TypeOf(config.Root{}), []func(reflect.Type, jsonschema.Schema) jsonschema.Schema{
 		p.addDescriptions,
 		p.addEnums,
+		removeJobsFields,
 		addInterpolationPatterns,
 	})
 	if err != nil {

bundle/internal/schema/testdata/fail/deprecated_job_field_format.yml

@@ -0,0 +1,4 @@
+resources:
+  jobs:
+    foo:
+      format: SINGLE_TASK

bundle/internal/schema/testdata/fail/hidden_job_field_deployment.yml

@@ -0,0 +1,6 @@
+resources:
+  jobs:
+    foo:
+      deployment:
+        kind: BUNDLE
+        metadata_file_path: /a/b/c

bundle/internal/schema/testdata/fail/hidden_job_field_edit_mode.yml

@@ -0,0 +1,6 @@
+targets:
+  foo:
+    resources:
+      jobs:
+        bar:
+          edit_mode: whatever

bundle/internal/schema/testdata/fail/readonly_job_field_git_snapshot.yml

@@ -0,0 +1,8 @@
+resources:
+  jobs:
+    foo:
+      git_source:
+        git_provider: GITHUB
+        git_url: www.whatever.com
+        git_snapshot:
+          used_commit: abcdef

bundle/internal/schema/testdata/fail/readonly_job_field_job_source.yml

@@ -0,0 +1,9 @@
+resources:
+  jobs:
+    foo:
+      git_source:
+        git_provider: GITHUB
+        git_url: www.whatever.com
+        job_source:
+          import_from_git_branch: master
+          job_config_path: def

bundle/internal/schema/testdata/pass/job.yml

@@ -32,7 +32,6 @@ resources:
       name: myjob
       continuous:
         pause_status: PAUSED
-      edit_mode: EDITABLE
       max_concurrent_runs: 10
       description: "my job description"
       email_notifications:
@@ -43,10 +42,12 @@ resources:
             dependencies:
               - python=3.7
             client: "myclient"
-      format: MULTI_TASK
       tags:
         foo: bar
         bar: baz
+      git_source:
+        git_provider: gitHub
+        git_url: www.github.com/a/b
       tasks:
         - task_key: mytask
           notebook_task:

bundle/internal/tf/codegen/schema/version.go

@@ -1,3 +1,3 @@
 package schema
 
-const ProviderVersion = "1.52.0"
+const ProviderVersion = "1.53.0"

bundle/internal/tf/schema/data_source_current_metastore.go

@@ -10,6 +10,7 @@ type DataSourceCurrentMetastoreMetastoreInfo struct {
 	DeltaSharingOrganizationName                string `json:"delta_sharing_organization_name,omitempty"`
 	DeltaSharingRecipientTokenLifetimeInSeconds int    `json:"delta_sharing_recipient_token_lifetime_in_seconds,omitempty"`
 	DeltaSharingScope                           string `json:"delta_sharing_scope,omitempty"`
+	ExternalAccessEnabled                       bool   `json:"external_access_enabled,omitempty"`
 	GlobalMetastoreId                           string `json:"global_metastore_id,omitempty"`
 	MetastoreId                                 string `json:"metastore_id,omitempty"`
 	Name                                        string `json:"name,omitempty"`

bundle/internal/tf/schema/data_source_metastore.go

@@ -10,6 +10,7 @@ type DataSourceMetastoreMetastoreInfo struct {
 	DeltaSharingOrganizationName                string `json:"delta_sharing_organization_name,omitempty"`
 	DeltaSharingRecipientTokenLifetimeInSeconds int    `json:"delta_sharing_recipient_token_lifetime_in_seconds,omitempty"`
 	DeltaSharingScope                           string `json:"delta_sharing_scope,omitempty"`
+	ExternalAccessEnabled                       bool   `json:"external_access_enabled,omitempty"`
 	GlobalMetastoreId                           string `json:"global_metastore_id,omitempty"`
 	MetastoreId                                 string `json:"metastore_id,omitempty"`
 	Name                                        string `json:"name,omitempty"`

bundle/internal/tf/schema/data_source_mlflow_models.go

@@ -0,0 +1,8 @@
+// Generated from Databricks Terraform provider schema. DO NOT EDIT.
+
+package schema
+
+type DataSourceMlflowModels struct {
+	Id    string   `json:"id,omitempty"`
+	Names []string `json:"names,omitempty"`
+}

bundle/internal/tf/schema/data_sources.go

@@ -30,6 +30,7 @@ type DataSources struct {
 	Metastores                      map[string]any `json:"databricks_metastores,omitempty"`
 	MlflowExperiment                map[string]any `json:"databricks_mlflow_experiment,omitempty"`
 	MlflowModel                     map[string]any `json:"databricks_mlflow_model,omitempty"`
+	MlflowModels                    map[string]any `json:"databricks_mlflow_models,omitempty"`
 	MwsCredentials                  map[string]any `json:"databricks_mws_credentials,omitempty"`
 	MwsWorkspaces                   map[string]any `json:"databricks_mws_workspaces,omitempty"`
 	NodeType                        map[string]any `json:"databricks_node_type,omitempty"`
@@ -85,6 +86,7 @@ func NewDataSources() *DataSources {
 		Metastores:                      make(map[string]any),
 		MlflowExperiment:                make(map[string]any),
 		MlflowModel:                     make(map[string]any),
+		MlflowModels:                    make(map[string]any),
 		MwsCredentials:                  make(map[string]any),
 		MwsWorkspaces:                   make(map[string]any),
 		NodeType:                        make(map[string]any),

bundle/internal/tf/schema/resource_budget.go

@@ -0,0 +1,49 @@
+// Generated from Databricks Terraform provider schema. DO NOT EDIT.
+
+package schema
+
+type ResourceBudgetAlertConfigurationsActionConfigurations struct {
+	ActionConfigurationId string `json:"action_configuration_id,omitempty"`
+	ActionType            string `json:"action_type,omitempty"`
+	Target                string `json:"target,omitempty"`
+}
+
+type ResourceBudgetAlertConfigurations struct {
+	AlertConfigurationId string                                                  `json:"alert_configuration_id,omitempty"`
+	QuantityThreshold    string                                                  `json:"quantity_threshold,omitempty"`
+	QuantityType         string                                                  `json:"quantity_type,omitempty"`
+	TimePeriod           string                                                  `json:"time_period,omitempty"`
+	TriggerType          string                                                  `json:"trigger_type,omitempty"`
+	ActionConfigurations []ResourceBudgetAlertConfigurationsActionConfigurations `json:"action_configurations,omitempty"`
+}
+
+type ResourceBudgetFilterTagsValue struct {
+	Operator string   `json:"operator,omitempty"`
+	Values   []string `json:"values,omitempty"`
+}
+
+type ResourceBudgetFilterTags struct {
+	Key   string                         `json:"key,omitempty"`
+	Value *ResourceBudgetFilterTagsValue `json:"value,omitempty"`
+}
+
+type ResourceBudgetFilterWorkspaceId struct {
+	Operator string `json:"operator,omitempty"`
+	Values   []int  `json:"values,omitempty"`
+}
+
+type ResourceBudgetFilter struct {
+	Tags        []ResourceBudgetFilterTags       `json:"tags,omitempty"`
+	WorkspaceId *ResourceBudgetFilterWorkspaceId `json:"workspace_id,omitempty"`
+}
+
+type ResourceBudget struct {
+	AccountId             string                              `json:"account_id,omitempty"`
+	BudgetConfigurationId string                              `json:"budget_configuration_id,omitempty"`
+	CreateTime            int                                 `json:"create_time,omitempty"`
+	DisplayName           string                              `json:"display_name,omitempty"`
+	Id                    string                              `json:"id,omitempty"`
+	UpdateTime            int                                 `json:"update_time,omitempty"`
+	AlertConfigurations   []ResourceBudgetAlertConfigurations `json:"alert_configurations,omitempty"`
+	Filter                *ResourceBudgetFilter               `json:"filter,omitempty"`
+}

bundle/internal/tf/schema/resource_model_serving.go

@@ -2,6 +2,57 @@
 
 package schema
 
+type ResourceModelServingAiGatewayGuardrailsInputPii struct {
+	Behavior string `json:"behavior"`
+}
+
+type ResourceModelServingAiGatewayGuardrailsInput struct {
+	InvalidKeywords []string                                         `json:"invalid_keywords,omitempty"`
+	Safety          bool                                             `json:"safety,omitempty"`
+	ValidTopics     []string                                         `json:"valid_topics,omitempty"`
+	Pii             *ResourceModelServingAiGatewayGuardrailsInputPii `json:"pii,omitempty"`
+}
+
+type ResourceModelServingAiGatewayGuardrailsOutputPii struct {
+	Behavior string `json:"behavior"`
+}
+
+type ResourceModelServingAiGatewayGuardrailsOutput struct {
+	InvalidKeywords []string                                          `json:"invalid_keywords,omitempty"`
+	Safety          bool                                              `json:"safety,omitempty"`
+	ValidTopics     []string                                          `json:"valid_topics,omitempty"`
+	Pii             *ResourceModelServingAiGatewayGuardrailsOutputPii `json:"pii,omitempty"`
+}
+
+type ResourceModelServingAiGatewayGuardrails struct {
+	Input  *ResourceModelServingAiGatewayGuardrailsInput  `json:"input,omitempty"`
+	Output *ResourceModelServingAiGatewayGuardrailsOutput `json:"output,omitempty"`
+}
+
+type ResourceModelServingAiGatewayInferenceTableConfig struct {
+	CatalogName     string `json:"catalog_name,omitempty"`
+	Enabled         bool   `json:"enabled,omitempty"`
+	SchemaName      string `json:"schema_name,omitempty"`
+	TableNamePrefix string `json:"table_name_prefix,omitempty"`
+}
+
+type ResourceModelServingAiGatewayRateLimits struct {
+	Calls         int    `json:"calls"`
+	Key           string `json:"key,omitempty"`
+	RenewalPeriod string `json:"renewal_period"`
+}
+
+type ResourceModelServingAiGatewayUsageTrackingConfig struct {
+	Enabled bool `json:"enabled,omitempty"`
+}
+
+type ResourceModelServingAiGateway struct {
+	Guardrails           *ResourceModelServingAiGatewayGuardrails           `json:"guardrails,omitempty"`
+	InferenceTableConfig *ResourceModelServingAiGatewayInferenceTableConfig `json:"inference_table_config,omitempty"`
+	RateLimits           []ResourceModelServingAiGatewayRateLimits          `json:"rate_limits,omitempty"`
+	UsageTrackingConfig  *ResourceModelServingAiGatewayUsageTrackingConfig  `json:"usage_tracking_config,omitempty"`
+}
+
 type ResourceModelServingConfigAutoCaptureConfig struct {
 	CatalogName     string `json:"catalog_name,omitempty"`
 	Enabled         bool   `json:"enabled,omitempty"`
@@ -139,6 +190,7 @@ type ResourceModelServing struct {
 	Name              string                           `json:"name"`
 	RouteOptimized    bool                             `json:"route_optimized,omitempty"`
 	ServingEndpointId string                           `json:"serving_endpoint_id,omitempty"`
+	AiGateway         *ResourceModelServingAiGateway   `json:"ai_gateway,omitempty"`
 	Config            *ResourceModelServingConfig      `json:"config,omitempty"`
 	RateLimits        []ResourceModelServingRateLimits `json:"rate_limits,omitempty"`
 	Tags              []ResourceModelServingTags       `json:"tags,omitempty"`

bundle/internal/tf/schema/resource_permissions.go

@@ -4,7 +4,7 @@ package schema
 
 type ResourcePermissionsAccessControl struct {
 	GroupName            string `json:"group_name,omitempty"`
-	PermissionLevel      string `json:"permission_level"`
+	PermissionLevel      string `json:"permission_level,omitempty"`
 	ServicePrincipalName string `json:"service_principal_name,omitempty"`
 	UserName             string `json:"user_name,omitempty"`
 }

bundle/internal/tf/schema/resource_pipeline.go

@@ -238,6 +238,7 @@ type ResourcePipelineTrigger struct {
 
 type ResourcePipeline struct {
 	AllowDuplicateNames  bool                                 `json:"allow_duplicate_names,omitempty"`
+	BudgetPolicyId       string                               `json:"budget_policy_id,omitempty"`
 	Catalog              string                               `json:"catalog,omitempty"`
 	Cause                string                               `json:"cause,omitempty"`
 	Channel              string                               `json:"channel,omitempty"`
@@ -254,6 +255,7 @@ type ResourcePipeline struct {
 	Name                 string                               `json:"name,omitempty"`
 	Photon               bool                                 `json:"photon,omitempty"`
 	RunAsUserName        string                               `json:"run_as_user_name,omitempty"`
+	Schema               string                               `json:"schema,omitempty"`
 	Serverless           bool                                 `json:"serverless,omitempty"`
 	State                string                               `json:"state,omitempty"`
 	Storage              string                               `json:"storage,omitempty"`

bundle/internal/tf/schema/resource_sql_table.go

@@ -4,9 +4,11 @@ package schema
 
 type ResourceSqlTableColumn struct {
 	Comment  string `json:"comment,omitempty"`
+	Identity string `json:"identity,omitempty"`
 	Name     string `json:"name"`
 	Nullable bool   `json:"nullable,omitempty"`
 	Type     string `json:"type,omitempty"`
+	TypeJson string `json:"type_json,omitempty"`
 }
 
 type ResourceSqlTable struct {

bundle/internal/tf/schema/resources.go

@@ -10,6 +10,7 @@ type Resources struct {
 	AzureAdlsGen1Mount                         map[string]any `json:"databricks_azure_adls_gen1_mount,omitempty"`
 	AzureAdlsGen2Mount                         map[string]any `json:"databricks_azure_adls_gen2_mount,omitempty"`
 	AzureBlobMount                             map[string]any `json:"databricks_azure_blob_mount,omitempty"`
+	Budget                                     map[string]any `json:"databricks_budget,omitempty"`
 	Catalog                                    map[string]any `json:"databricks_catalog,omitempty"`
 	CatalogWorkspaceBinding                    map[string]any `json:"databricks_catalog_workspace_binding,omitempty"`
 	Cluster                                    map[string]any `json:"databricks_cluster,omitempty"`
@@ -112,6 +113,7 @@ func NewResources() *Resources {
 		AzureAdlsGen1Mount:                     make(map[string]any),
 		AzureAdlsGen2Mount:                     make(map[string]any),
 		AzureBlobMount:                         make(map[string]any),
+		Budget:                                 make(map[string]any),
 		Catalog:                                make(map[string]any),
 		CatalogWorkspaceBinding:                make(map[string]any),
 		Cluster:                                make(map[string]any),

bundle/internal/tf/schema/root.go

@@ -21,7 +21,7 @@ type Root struct {
 
 const ProviderHost = "registry.terraform.io"
 const ProviderSource = "databricks/databricks"
-const ProviderVersion = "1.52.0"
+const ProviderVersion = "1.53.0"
 
 func NewRoot() *Root {
 	return &Root{

bundle/permissions/permission_diagnostics.go

@@ -0,0 +1,110 @@
+package permissions
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/dyn"
+	"github.com/databricks/cli/libs/set"
+)
+
+type permissionDiagnostics struct{}
+
+func PermissionDiagnostics() bundle.Mutator {
+	return &permissionDiagnostics{}
+}
+
+func (m *permissionDiagnostics) Name() string {
+	return "CheckPermissions"
+}
+
+func (m *permissionDiagnostics) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
+	if len(b.Config.Permissions) == 0 {
+		// Only warn if there is an explicit top-level permissions section
+		return nil
+	}
+
+	canManageBundle, _ := analyzeBundlePermissions(b)
+	if canManageBundle {
+		return nil
+	}
+
+	return diag.Diagnostics{{
+		Severity:  diag.Warning,
+		Summary:   fmt.Sprintf("permissions section should include %s or one of their groups with CAN_MANAGE permissions", b.Config.Workspace.CurrentUser.UserName),
+		Locations: []dyn.Location{b.Config.GetLocation("permissions")},
+		ID:        diag.PermissionNotIncluded,
+	}}
+}
+
+// analyzeBundlePermissions analyzes the top-level permissions of the bundle.
+// This permission set is important since it determines the permissions of the
+// target workspace folder.
+//
+// Returns:
+// - isManager: true if the current user is can manage the bundle resources.
+// - assistance: advice on who to contact as to manage this project
+func analyzeBundlePermissions(b *bundle.Bundle) (bool, string) {
+	canManageBundle := false
+	otherManagers := set.NewSet[string]()
+	if b.Config.RunAs != nil && b.Config.RunAs.UserName != "" && b.Config.RunAs.UserName != b.Config.Workspace.CurrentUser.UserName {
+		// The run_as user is another human that could be contacted
+		// about this bundle.
+		otherManagers.Add(b.Config.RunAs.UserName)
+	}
+
+	currentUser := b.Config.Workspace.CurrentUser.UserName
+	targetPermissions := b.Config.Permissions
+	for _, p := range targetPermissions {
+		if p.Level != CAN_MANAGE {
+			continue
+		}
+
+		if p.UserName == currentUser || p.ServicePrincipalName == currentUser {
+			canManageBundle = true
+			continue
+		}
+
+		if isGroupOfCurrentUser(b, p.GroupName) {
+			canManageBundle = true
+			continue
+		}
+
+		// Permission doesn't apply to current user; add to otherManagers
+		otherManager := p.UserName
+		if otherManager == "" {
+			otherManager = p.GroupName
+		}
+		if otherManager == "" {
+			// Skip service principals
+			continue
+		}
+		otherManagers.Add(otherManager)
+	}
+
+	assistance := "For assistance, contact the owners of this project."
+	if otherManagers.Size() > 0 {
+		list := otherManagers.Values()
+		sort.Strings(list)
+		assistance = fmt.Sprintf(
+			"For assistance, users or groups with appropriate permissions may include: %s.",
+			strings.Join(list, ", "),
+		)
+	}
+	return canManageBundle, assistance
+}
+
+func isGroupOfCurrentUser(b *bundle.Bundle, groupName string) bool {
+	currentUserGroups := b.Config.Workspace.CurrentUser.User.Groups
+
+	for _, g := range currentUserGroups {
+		if g.Display == groupName {
+			return true
+		}
+	}
+	return false
+}

bundle/permissions/permission_diagnostics_test.go

@@ -0,0 +1,52 @@
+package permissions_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/config"
+	"github.com/databricks/cli/bundle/config/resources"
+	"github.com/databricks/cli/bundle/permissions"
+	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/databricks-sdk-go/service/iam"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPermissionDiagnosticsApplySuccess(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", UserName: "testuser@databricks.com"},
+	})
+
+	diags := permissions.PermissionDiagnostics().Apply(context.Background(), b)
+	require.NoError(t, diags.Error())
+}
+
+func TestPermissionDiagnosticsApplyFail(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_VIEW", UserName: "testuser@databricks.com"},
+	})
+
+	diags := permissions.PermissionDiagnostics().Apply(context.Background(), b)
+	require.Equal(t, diags[0].Severity, diag.Warning)
+	require.Contains(t, diags[0].Summary, "permissions section should include testuser@databricks.com or one of their groups with CAN_MANAGE permissions")
+}
+
+func mockBundle(permissions []resources.Permission) *bundle.Bundle {
+	return &bundle.Bundle{
+		Config: config.Root{
+			Workspace: config.Workspace{
+				CurrentUser: &config.User{
+					User: &iam.User{
+						UserName:    "testuser@databricks.com",
+						DisplayName: "Test User",
+						Groups: []iam.ComplexValue{
+							{Display: "testgroup"},
+						},
+					},
+				},
+			},
+			Permissions: permissions,
+		},
+	}
+}

bundle/permissions/permission_report.go

@@ -0,0 +1,52 @@
+package permissions
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/iamutil"
+	"github.com/databricks/cli/libs/log"
+)
+
+// ReportPossiblePermissionDenied generates a diagnostic message when a permission denied error is encountered.
+//
+// Note that since the workspace API doesn't always distinguish between permission denied and path errors,
+// we must treat this as a "possible permission error". See acquire.go for more about this.
+func ReportPossiblePermissionDenied(ctx context.Context, b *bundle.Bundle, path string) diag.Diagnostics {
+	log.Errorf(ctx, "Failed to update, encountered possible permission error: %v", path)
+
+	me := b.Config.Workspace.CurrentUser.User
+	userName := me.UserName
+	if iamutil.IsServicePrincipal(me) {
+		userName = me.DisplayName
+	}
+	canManageBundle, assistance := analyzeBundlePermissions(b)
+
+	if !canManageBundle {
+		return diag.Diagnostics{{
+			Summary: fmt.Sprintf("unable to deploy to %s as %s.\n"+
+				"Please make sure the current user or one of their groups is listed under the permissions of this bundle.\n"+
+				"%s\n"+
+				"They may need to redeploy the bundle to apply the new permissions.\n"+
+				"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions.",
+				path, userName, assistance),
+			Severity: diag.Error,
+			ID:       diag.PathPermissionDenied,
+		}}
+	}
+
+	// According databricks.yml, the current user has the right permissions.
+	// But we're still seeing permission errors. So someone else will need
+	// to redeploy the bundle with the right set of permissions.
+	return diag.Diagnostics{{
+		Summary: fmt.Sprintf("unable to deploy to %s as %s. Cannot apply local deployment permissions.\n"+
+			"%s\n"+
+			"They can redeploy the project to apply the latest set of permissions.\n"+
+			"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions.",
+			path, userName, assistance),
+		Severity: diag.Error,
+		ID:       diag.CannotChangePathPermissions,
+	}}
+}

bundle/permissions/permission_report_test.go

@@ -0,0 +1,76 @@
+package permissions_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/databricks/cli/bundle/config/resources"
+	"github.com/databricks/cli/bundle/permissions"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPermissionsReportPermissionDeniedWithGroup(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", GroupName: "testgroup"},
+	})
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	expected := "EPERM3: unable to deploy to testpath as testuser@databricks.com. Cannot apply local deployment permissions.\n" +
+		"For assistance, contact the owners of this project.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, diags.Error(), expected)
+}
+
+func TestPermissionsReportPermissionDeniedWithOtherGroup(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", GroupName: "othergroup"},
+	})
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	expected := "EPERM1: unable to deploy to testpath as testuser@databricks.com.\n" +
+		"Please make sure the current user or one of their groups is listed under the permissions of this bundle.\n" +
+		"For assistance, users or groups with appropriate permissions may include: othergroup.\n" +
+		"They may need to redeploy the bundle to apply the new permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, diags.Error(), expected)
+}
+
+func TestPermissionsReportPermissionDeniedWithoutPermission(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_VIEW", UserName: "testuser@databricks.com"},
+	})
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	expected := "EPERM1: unable to deploy to testpath as testuser@databricks.com.\n" +
+		"Please make sure the current user or one of their groups is listed under the permissions of this bundle.\n" +
+		"For assistance, contact the owners of this project.\n" +
+		"They may need to redeploy the bundle to apply the new permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, diags.Error(), expected)
+}
+
+func TestPermissionsReportPermissionDeniedNilPermission(t *testing.T) {
+	b := mockBundle(nil)
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	expected := "EPERM1: unable to deploy to testpath as testuser@databricks.com.\n" +
+		"Please make sure the current user or one of their groups is listed under the permissions of this bundle.\n" +
+		"For assistance, contact the owners of this project.\n" +
+		"They may need to redeploy the bundle to apply the new permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions"
+	require.ErrorContains(t, diags.Error(), expected)
+}
+
+func TestPermissionsReportFindOtherOwners(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", GroupName: "testgroup"},
+		{Level: "CAN_MANAGE", UserName: "alice@databricks.com"},
+	})
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	require.ErrorContains(t, diags.Error(), "EPERM3: unable to deploy to testpath as testuser@databricks.com. Cannot apply local deployment permissions.\n"+
+		"For assistance, users or groups with appropriate permissions may include: alice@databricks.com.\n"+
+		"They can redeploy the project to apply the latest set of permissions.\n"+
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions.")
+}

bundle/permissions/terraform_errors.go

@@ -0,0 +1,47 @@
+package permissions
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/log"
+)
+
+func TryExtendTerraformPermissionError(ctx context.Context, b *bundle.Bundle, err error) diag.Diagnostics {
+	_, assistance := analyzeBundlePermissions(b)
+
+	// In a best-effort attempt to provide actionable error messages, we match
+	// against a few specific error messages that come from the Jobs and Pipelines API.
+	// For matching errors we provide a more specific error message that includes
+	// details on how to resolve the issue.
+	if !strings.Contains(err.Error(), "cannot update permissions") &&
+		!strings.Contains(err.Error(), "permissions on pipeline") &&
+		!strings.Contains(err.Error(), "cannot read permissions") &&
+		!strings.Contains(err.Error(), "cannot set run_as to user") {
+		return nil
+	}
+
+	log.Errorf(ctx, "Terraform error during deployment: %v", err.Error())
+
+	// Best-effort attempt to extract the resource name from the error message.
+	re := regexp.MustCompile(`databricks_(\w*)\.(\w*)`)
+	match := re.FindStringSubmatch(err.Error())
+	resource := "resource"
+	if len(match) > 1 {
+		resource = match[2]
+	}
+
+	return diag.Diagnostics{{
+		Summary: fmt.Sprintf("permission denied creating or updating %s.\n"+
+			"%s\n"+
+			"They can redeploy the project to apply the latest set of permissions.\n"+
+			"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions.",
+			resource, assistance),
+		Severity: diag.Error,
+		ID:       diag.ResourcePermissionDenied,
+	}}
+}

bundle/permissions/terraform_errors_test.go

@@ -0,0 +1,97 @@
+package permissions_test
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/databricks/cli/bundle/config/resources"
+	"github.com/databricks/cli/bundle/permissions"
+	"github.com/databricks/databricks-sdk-go/service/jobs"
+	"github.com/stretchr/testify/require"
+)
+
+func TestTryExtendTerraformPermissionError1(t *testing.T) {
+	ctx := context.Background()
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", UserName: "alice@databricks.com"},
+	})
+	err := permissions.TryExtendTerraformPermissionError(ctx, b, errors.New("Error: terraform apply: exit status 1\n"+
+		"\n"+
+		"Error: cannot update permissions: ...\n"+
+		"\n"+
+		"	with databricks_pipeline.my_project_pipeline,\n"+
+		"	on bundle.tf.json line 39, in resource.databricks_pipeline.my_project_pipeline:\n"+
+		"	39:       }")).Error()
+
+	expected := "EPERM2: permission denied creating or updating my_project_pipeline.\n" +
+		"For assistance, users or groups with appropriate permissions may include: alice@databricks.com.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions"
+
+	require.ErrorContains(t, err, expected)
+}
+
+func TestTryExtendTerraformPermissionError2(t *testing.T) {
+	ctx := context.Background()
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", UserName: "alice@databricks.com"},
+		{Level: "CAN_MANAGE", UserName: "bob@databricks.com"},
+	})
+	err := permissions.TryExtendTerraformPermissionError(ctx, b, errors.New("Error: terraform apply: exit status 1\n"+
+		"\n"+
+		"Error: cannot read pipeline: User xyz does not have View permissions on pipeline 4521dbb6-42aa-418c-b94d-b5f4859a3454.\n"+
+		"\n"+
+		"	with databricks_pipeline.my_project_pipeline,\n"+
+		"	on bundle.tf.json line 39, in resource.databricks_pipeline.my_project_pipeline:\n"+
+		"	39:       }")).Error()
+
+	expected := "EPERM2: permission denied creating or updating my_project_pipeline.\n" +
+		"For assistance, users or groups with appropriate permissions may include: alice@databricks.com, bob@databricks.com.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, err, expected)
+}
+
+func TestTryExtendTerraformPermissionError3(t *testing.T) {
+	ctx := context.Background()
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", UserName: "testuser@databricks.com"},
+	})
+	err := permissions.TryExtendTerraformPermissionError(ctx, b, errors.New("Error: terraform apply: exit status 1\n"+
+		"\n"+
+		"Error: cannot read permissions: 1706906c-c0a2-4c25-9f57-3a7aa3cb8b90 does not have Owner permissions on Job with ID: ElasticJobId(28263044278868). Please contact the owner or an administrator for access.\n"+
+		"\n"+
+		"	with databricks_pipeline.my_project_pipeline,\n"+
+		"	on bundle.tf.json line 39, in resource.databricks_pipeline.my_project_pipeline:\n"+
+		"	39:       }")).Error()
+
+	expected := "EPERM2: permission denied creating or updating my_project_pipeline.\n" +
+		"For assistance, contact the owners of this project.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, err, expected)
+}
+
+func TestTryExtendTerraformPermissionErrorNotOwner(t *testing.T) {
+	ctx := context.Background()
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", GroupName: "data_team@databricks.com"},
+	})
+	b.Config.RunAs = &jobs.JobRunAs{
+		UserName: "testuser@databricks.com",
+	}
+	err := permissions.TryExtendTerraformPermissionError(ctx, b, errors.New("Error: terraform apply: exit status 1\n"+
+		"\n"+
+		"Error: cannot read pipeline: User xyz does not have View permissions on pipeline 4521dbb6-42aa-418c-b94d-b5f4859a3454.\n"+
+		"\n"+
+		"	with databricks_pipeline.my_project_pipeline,\n"+
+		"	on bundle.tf.json line 39, in resource.databricks_pipeline.my_project_pipeline:\n"+
+		"	39:       }")).Error()
+
+	expected := "EPERM2: permission denied creating or updating my_project_pipeline.\n" +
+		"For assistance, users or groups with appropriate permissions may include: data_team@databricks.com.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, err, expected)
+}

bundle/phases/initialize.go

@@ -62,6 +62,8 @@ func Initialize() bundle.Mutator {
 				"workspace",
 				"variables",
 			),
+			// Provide permission config errors & warnings after initializing all variables
+			permissions.PermissionDiagnostics(),
 			mutator.SetRunAs(),
 			mutator.OverrideCompute(),
 			mutator.ProcessTargetMode(),

bundle/render/render_text_output.go

@@ -8,6 +8,7 @@ import (
 	"text/template"
 
 	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/databricks-sdk-go/service/iam"
 	"github.com/fatih/color"
@@ -28,34 +29,6 @@ var renderFuncMap = template.FuncMap{
 	},
 }
 
-const errorTemplate = `{{ "Error" | red }}: {{ .Summary }}
-{{- range $index, $element := .Paths }}
-  {{ if eq $index 0 }}at {{else}}   {{ end}}{{ $element.String | green }}
-{{- end }}
-{{- range $index, $element := .Locations }}
-  {{ if eq $index 0 }}in {{else}}   {{ end}}{{ $element.String | cyan }}
-{{- end }}
-{{- if .Detail }}
-
-{{ .Detail }}
-{{- end }}
-
-`
-
-const warningTemplate = `{{ "Warning" | yellow }}: {{ .Summary }}
-{{- range $index, $element := .Paths }}
-  {{ if eq $index 0 }}at {{else}}   {{ end}}{{ $element.String | green }}
-{{- end }}
-{{- range $index, $element := .Locations }}
-  {{ if eq $index 0 }}in {{else}}   {{ end}}{{ $element.String | cyan }}
-{{- end }}
-{{- if .Detail }}
-
-{{ .Detail }}
-{{- end }}
-
-`
-
 const summaryTemplate = `{{- if .Name -}}
 Name: {{ .Name | bold }}
 {{- if .Target }}
@@ -94,9 +67,20 @@ func buildTrailer(diags diag.Diagnostics) string {
 	if warnings := len(diags.Filter(diag.Warning)); warnings > 0 {
 		parts = append(parts, color.YellowString(pluralize(warnings, "warning", "warnings")))
 	}
-	if len(parts) > 0 {
+	if recommendations := len(diags.Filter(diag.Recommendation)); recommendations > 0 {
-		return fmt.Sprintf("Found %s", strings.Join(parts, " and "))
+		parts = append(parts, color.BlueString(pluralize(recommendations, "recommendation", "recommendations")))
-	} else {
+	}
+	switch {
+	case len(parts) >= 3:
+		first := strings.Join(parts[:len(parts)-1], ", ")
+		last := parts[len(parts)-1]
+		return fmt.Sprintf("Found %s, and %s", first, last)
+	case len(parts) == 2:
+		return fmt.Sprintf("Found %s and %s", parts[0], parts[1])
+	case len(parts) == 1:
+		return fmt.Sprintf("Found %s", parts[0])
+	default:
+		// No diagnostics to print.
 		return color.GreenString("Validation OK!")
 	}
 }
@@ -128,19 +112,7 @@ func renderSummaryTemplate(out io.Writer, b *bundle.Bundle, diags diag.Diagnosti
 }
 
 func renderDiagnostics(out io.Writer, b *bundle.Bundle, diags diag.Diagnostics) error {
-	errorT := template.Must(template.New("error").Funcs(renderFuncMap).Parse(errorTemplate))
-	warningT := template.Must(template.New("warning").Funcs(renderFuncMap).Parse(warningTemplate))
-
-	// Print errors and warnings.
 	for _, d := range diags {
-		var t *template.Template
-		switch d.Severity {
-		case diag.Error:
-			t = errorT
-		case diag.Warning:
-			t = warningT
-		}
-
 		for i := range d.Locations {
 			if b == nil {
 				break
@@ -155,15 +127,9 @@ func renderDiagnostics(out io.Writer, b *bundle.Bundle, diags diag.Diagnostics)
 				}
 			}
 		}
-
-		// Render the diagnostic with the appropriate template.
-		err := t.Execute(out, d)
-		if err != nil {
-			return fmt.Errorf("failed to render template: %w", err)
-		}
 	}
 
-	return nil
+	return cmdio.RenderDiagnostics(out, diags)
 }
 
 // RenderOptions contains options for rendering diagnostics.

bundle/render/render_text_output_test.go

@@ -45,6 +45,19 @@ func TestRenderTextOutput(t *testing.T) {
 				"\n" +
 				"Found 1 error\n",
 		},
+		{
+			name: "nil bundle and 1 recommendation",
+			diags: diag.Diagnostics{
+				{
+					Severity: diag.Recommendation,
+					Summary:  "recommendation",
+				},
+			},
+			opts: RenderOptions{RenderSummaryTable: true},
+			expected: "Recommendation: recommendation\n" +
+				"\n" +
+				"Found 1 recommendation\n",
+		},
 		{
 			name:   "bundle during 'load' and 1 error",
 			bundle: loadingBundle,
@@ -84,7 +97,7 @@ func TestRenderTextOutput(t *testing.T) {
 				"Found 2 warnings\n",
 		},
 		{
-			name:   "bundle during 'load' and 2 errors, 1 warning with details",
+			name:   "bundle during 'load' and 2 errors, 1 warning and 1 recommendation with details",
 			bundle: loadingBundle,
 			diags: diag.Diagnostics{
 				diag.Diagnostic{
@@ -105,6 +118,12 @@ func TestRenderTextOutput(t *testing.T) {
 					Detail:    "detail (3)",
 					Locations: []dyn.Location{{File: "foo.py", Line: 3, Column: 1}},
 				},
+				diag.Diagnostic{
+					Severity:  diag.Recommendation,
+					Summary:   "recommendation (4)",
+					Detail:    "detail (4)",
+					Locations: []dyn.Location{{File: "foo.py", Line: 4, Column: 1}},
+				},
 			},
 			opts: RenderOptions{RenderSummaryTable: true},
 			expected: "Error: error (1)\n" +
@@ -122,10 +141,114 @@ func TestRenderTextOutput(t *testing.T) {
 				"\n" +
 				"detail (3)\n" +
 				"\n" +
+				"Recommendation: recommendation (4)\n" +
+				"  in foo.py:4:1\n" +
+				"\n" +
+				"detail (4)\n" +
+				"\n" +
 				"Name: test-bundle\n" +
 				"Target: test-target\n" +
 				"\n" +
-				"Found 2 errors and 1 warning\n",
+				"Found 2 errors, 1 warning, and 1 recommendation\n",
+		},
+		{
+			name:   "bundle during 'load' and 1 error and 1 warning",
+			bundle: loadingBundle,
+			diags: diag.Diagnostics{
+				diag.Diagnostic{
+					Severity:  diag.Error,
+					Summary:   "error (1)",
+					Detail:    "detail (1)",
+					Locations: []dyn.Location{{File: "foo.py", Line: 1, Column: 1}},
+				},
+				diag.Diagnostic{
+					Severity:  diag.Warning,
+					Summary:   "warning (2)",
+					Detail:    "detail (2)",
+					Locations: []dyn.Location{{File: "foo.py", Line: 2, Column: 1}},
+				},
+			},
+			opts: RenderOptions{RenderSummaryTable: true},
+			expected: "Error: error (1)\n" +
+				"  in foo.py:1:1\n" +
+				"\n" +
+				"detail (1)\n" +
+				"\n" +
+				"Warning: warning (2)\n" +
+				"  in foo.py:2:1\n" +
+				"\n" +
+				"detail (2)\n" +
+				"\n" +
+				"Name: test-bundle\n" +
+				"Target: test-target\n" +
+				"\n" +
+				"Found 1 error and 1 warning\n",
+		},
+		{
+			name:   "bundle during 'load' and 1 errors, 2 warning and 2 recommendations with details",
+			bundle: loadingBundle,
+			diags: diag.Diagnostics{
+				diag.Diagnostic{
+					Severity:  diag.Error,
+					Summary:   "error (1)",
+					Detail:    "detail (1)",
+					Locations: []dyn.Location{{File: "foo.py", Line: 1, Column: 1}},
+				},
+				diag.Diagnostic{
+					Severity:  diag.Warning,
+					Summary:   "warning (2)",
+					Detail:    "detail (2)",
+					Locations: []dyn.Location{{File: "foo.py", Line: 2, Column: 1}},
+				},
+				diag.Diagnostic{
+					Severity:  diag.Warning,
+					Summary:   "warning (3)",
+					Detail:    "detail (3)",
+					Locations: []dyn.Location{{File: "foo.py", Line: 3, Column: 1}},
+				},
+				diag.Diagnostic{
+					Severity:  diag.Recommendation,
+					Summary:   "recommendation (4)",
+					Detail:    "detail (4)",
+					Locations: []dyn.Location{{File: "foo.py", Line: 4, Column: 1}},
+				},
+				diag.Diagnostic{
+					Severity:  diag.Recommendation,
+					Summary:   "recommendation (5)",
+					Detail:    "detail (5)",
+					Locations: []dyn.Location{{File: "foo.py", Line: 5, Column: 1}},
+				},
+			},
+			opts: RenderOptions{RenderSummaryTable: true},
+			expected: "Error: error (1)\n" +
+				"  in foo.py:1:1\n" +
+				"\n" +
+				"detail (1)\n" +
+				"\n" +
+				"Warning: warning (2)\n" +
+				"  in foo.py:2:1\n" +
+				"\n" +
+				"detail (2)\n" +
+				"\n" +
+				"Warning: warning (3)\n" +
+				"  in foo.py:3:1\n" +
+				"\n" +
+				"detail (3)\n" +
+				"\n" +
+				"Recommendation: recommendation (4)\n" +
+				"  in foo.py:4:1\n" +
+				"\n" +
+				"detail (4)\n" +
+				"\n" +
+				"Recommendation: recommendation (5)\n" +
+				"  in foo.py:5:1\n" +
+				"\n" +
+				"detail (5)\n" +
+				"\n" +
+				"Name: test-bundle\n" +
+				"Target: test-target\n" +
+				"\n" +
+				"Found 1 error, 2 warnings, and 2 recommendations\n",
 		},
 		{
 			name: "bundle during 'init'",
@@ -158,7 +281,7 @@ func TestRenderTextOutput(t *testing.T) {
 				"Validation OK!\n",
 		},
 		{
-			name:   "nil bundle without summary with 1 error and 1 warning",
+			name:   "nil bundle without summary with 1 error, 1 warning and 1 recommendation",
 			bundle: nil,
 			diags: diag.Diagnostics{
 				diag.Diagnostic{
@@ -173,6 +296,12 @@ func TestRenderTextOutput(t *testing.T) {
 					Detail:    "detail (2)",
 					Locations: []dyn.Location{{File: "foo.py", Line: 3, Column: 1}},
 				},
+				diag.Diagnostic{
+					Severity:  diag.Recommendation,
+					Summary:   "recommendation (3)",
+					Detail:    "detail (3)",
+					Locations: []dyn.Location{{File: "foo.py", Line: 5, Column: 1}},
+				},
 			},
 			opts: RenderOptions{RenderSummaryTable: false},
 			expected: "Error: error (1)\n" +
@@ -184,6 +313,11 @@ func TestRenderTextOutput(t *testing.T) {
 				"  in foo.py:3:1\n" +
 				"\n" +
 				"detail (2)\n" +
+				"\n" +
+				"Recommendation: recommendation (3)\n" +
+				"  in foo.py:5:1\n" +
+				"\n" +
+				"detail (3)\n" +
 				"\n",
 		},
 	}
@@ -304,6 +438,30 @@ func TestRenderDiagnostics(t *testing.T) {
 				"\n" +
 				"'name' is required\n\n",
 		},
+		{
+			name: "recommendation with multiple paths and locations",
+			diags: diag.Diagnostics{
+				{
+					Severity: diag.Recommendation,
+					Summary:  "summary",
+					Detail:   "detail",
+					Paths: []dyn.Path{
+						dyn.MustPathFromString("resources.jobs.xxx"),
+						dyn.MustPathFromString("resources.jobs.yyy"),
+					},
+					Locations: []dyn.Location{
+						{File: "foo.yaml", Line: 1, Column: 2},
+						{File: "bar.yaml", Line: 3, Column: 4},
+					},
+				},
+			},
+			expected: "Recommendation: summary\n" +
+				"  at resources.jobs.xxx\n" +
+				"     resources.jobs.yyy\n" +
+				"  in foo.yaml:1:2\n" +
+				"     bar.yaml:3:4\n\n" +
+				"detail\n\n",
+		},
 	}
 
 	for _, tc := range testCases {

bundle/schema/embed_test.go

@@ -39,7 +39,7 @@ func TestJsonSchema(t *testing.T) {
 
 	// Assert job fields have their descriptions loaded.
 	resourceJob := walk(s.Definitions, "github.com", "databricks", "cli", "bundle", "config", "resources.Job")
-	fields := []string{"name", "continuous", "deployment", "tasks", "trigger"}
+	fields := []string{"name", "continuous", "tasks", "trigger"}
 	for _, field := range fields {
 		assert.NotEmpty(t, resourceJob.AnyOf[0].Properties[field].Description)
 	}
@@ -53,7 +53,7 @@ func TestJsonSchema(t *testing.T) {
 
 	// Assert descriptions are loaded for pipelines
 	pipeline := walk(s.Definitions, "github.com", "databricks", "cli", "bundle", "config", "resources.Pipeline")
-	fields = []string{"name", "catalog", "clusters", "channel", "continuous", "deployment", "development"}
+	fields = []string{"name", "catalog", "clusters", "channel", "continuous", "development"}
 	for _, field := range fields {
 		assert.NotEmpty(t, pipeline.AnyOf[0].Properties[field].Description)
 	}

bundle/schema/jsonschema.json

@@ -213,18 +213,10 @@
                         "description": "An optional continuous property for this job. The continuous property will ensure that there is always one run executing. Only one of `schedule` and `continuous` can be used.",
                         "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.Continuous"
                       },
-                      "deployment": {
-                        "description": "Deployment information for jobs managed by external sources.",
-                        "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.JobDeployment"
-                      },
                       "description": {
                         "description": "An optional description for the job. The maximum length is 27700 characters in UTF-8 encoding.",
                         "$ref": "#/$defs/string"
                       },
-                      "edit_mode": {
-                        "description": "Edit mode of the job.\n\n* `UI_LOCKED`: The job is in a locked UI state and cannot be modified.\n* `EDITABLE`: The job is in an editable state and can be modified.",
-                        "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.JobEditMode"
-                      },
                       "email_notifications": {
                         "description": "An optional set of email addresses that is notified when runs of this job begin or complete as well as when this job is deleted.",
                         "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.JobEmailNotifications"
@@ -233,10 +225,6 @@
                         "description": "A list of task execution environment specifications that can be referenced by serverless tasks of this job.\nAn environment is required to be present for serverless tasks.\nFor serverless notebook tasks, the environment is accessible in the notebook environment panel.\nFor other serverless tasks, the task environment is required to be specified using environment_key in the task settings.",
                         "$ref": "#/$defs/slice/github.com/databricks/databricks-sdk-go/service/jobs.JobEnvironment"
                       },
-                      "format": {
-                        "description": "Used to tell what is the format of the job. This field is ignored in Create/Update/Reset calls. When using the Jobs API 2.1 this value is always set to `\"MULTI_TASK\"`.",
-                        "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.Format"
-                      },
                       "git_source": {
                         "description": "An optional specification for a remote Git repository containing the source code used by tasks. Version-controlled source code is supported by notebook, dbt, Python script, and SQL File tasks.\n\nIf `git_source` is set, these tasks retrieve the file from the remote repository by default. However, this behavior can be overridden by setting `source` to `WORKSPACE` on the task.\n\nNote: dbt and SQL File tasks support only version-controlled sources. If dbt or SQL File tasks are used, `git_source` must be defined on the job.",
                         "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.GitSource"
@@ -402,6 +390,10 @@
                   {
                     "type": "object",
                     "properties": {
+                      "ai_gateway": {
+                        "description": "The AI Gateway configuration for the serving endpoint. NOTE: only external model endpoints are supported as of now.",
+                        "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayConfig"
+                      },
                       "config": {
                         "description": "The core config of the serving endpoint.",
                         "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.EndpointCoreConfigInput"
@@ -472,6 +464,10 @@
                   {
                     "type": "object",
                     "properties": {
+                      "budget_policy_id": {
+                        "description": "Budget policy of this pipeline.",
+                        "$ref": "#/$defs/string"
+                      },
                       "catalog": {
                         "description": "A catalog in Unity Catalog to publish data from this pipeline to. If `target` is specified, tables in this pipeline are published to a `target` schema inside `catalog` (for example, `catalog`.`target`.`table`). If `target` is not specified, no data is published to Unity Catalog.",
                         "$ref": "#/$defs/string"
@@ -539,6 +535,10 @@
                         "description": "Whether Photon is enabled for this pipeline.",
                         "$ref": "#/$defs/bool"
                       },
+                      "schema": {
+                        "description": "The default schema (database) where tables are read from or published to. The presence of this field implies that the pipeline is in direct publishing mode.",
+                        "$ref": "#/$defs/string"
+                      },
                       "serverless": {
                         "description": "Whether serverless compute is enabled for this pipeline.",
                         "$ref": "#/$defs/bool"
@@ -1206,6 +1206,9 @@
                     "profile": {
                       "$ref": "#/$defs/string"
                     },
+                    "resource_path": {
+                      "$ref": "#/$defs/string"
+                    },
                     "root_path": {
                       "$ref": "#/$defs/string"
                     },
@@ -2532,9 +2535,6 @@
                       "description": "Unique identifier of the service used to host the Git repository. The value is case insensitive.",
                       "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.GitProvider"
                     },
-                    "git_snapshot": {
-                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.GitSnapshot"
-                    },
                     "git_tag": {
                       "description": "Name of the tag to be checked out and used by this job. This field cannot be specified in conjunction with git_branch or git_commit.",
                       "$ref": "#/$defs/string"
@@ -2542,10 +2542,6 @@
                     "git_url": {
                       "description": "URL of the repository to be cloned by this job.",
                       "$ref": "#/$defs/string"
-                    },
-                    "job_source": {
-                      "description": "The source of the job specification in the remote repository when the job is source controlled.",
-                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.JobSource"
                     }
                   },
                   "additionalProperties": false,
@@ -2632,7 +2628,7 @@
                   "type": "object",
                   "properties": {
                     "no_alert_for_skipped_runs": {
-                      "description": "If true, do not send email to recipients specified in `on_failure` if the run is skipped.",
+                      "description": "If true, do not send email to recipients specified in `on_failure` if the run is skipped.\nThis field is `deprecated`. Please use the `notification_settings.no_alert_for_skipped_runs` field.",
                       "$ref": "#/$defs/bool"
                     },
                     "on_duration_warning_threshold_exceeded": {
@@ -3073,6 +3069,7 @@
                       "$ref": "#/$defs/map/string"
                     },
                     "pipeline_params": {
+                      "description": "Controls whether the pipeline should perform a full refresh",
                       "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.PipelineParams"
                     },
                     "python_named_params": {
@@ -3547,7 +3544,7 @@
                   "type": "object",
                   "properties": {
                     "no_alert_for_skipped_runs": {
-                      "description": "If true, do not send email to recipients specified in `on_failure` if the run is skipped.",
+                      "description": "If true, do not send email to recipients specified in `on_failure` if the run is skipped.\nThis field is `deprecated`. Please use the `notification_settings.no_alert_for_skipped_runs` field.",
                       "$ref": "#/$defs/bool"
                     },
                     "on_duration_warning_threshold_exceeded": {
@@ -4365,6 +4362,207 @@
                 }
               ]
             },
+            "serving.AiGatewayConfig": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "guardrails": {
+                      "description": "Configuration for AI Guardrails to prevent unwanted data and unsafe data in requests and responses.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrails"
+                    },
+                    "inference_table_config": {
+                      "description": "Configuration for payload logging using inference tables. Use these tables to monitor and audit data being sent to and received from model APIs and to improve model quality.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayInferenceTableConfig"
+                    },
+                    "rate_limits": {
+                      "description": "Configuration for rate limits which can be set to limit endpoint traffic.",
+                      "$ref": "#/$defs/slice/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayRateLimit"
+                    },
+                    "usage_tracking_config": {
+                      "description": "Configuration to enable usage tracking using system tables. These tables allow you to monitor operational usage on endpoints and their associated costs.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayUsageTrackingConfig"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayGuardrailParameters": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "invalid_keywords": {
+                      "description": "List of invalid keywords. AI guardrail uses keyword or string matching to decide if the keyword exists in the request or response content.",
+                      "$ref": "#/$defs/slice/string"
+                    },
+                    "pii": {
+                      "description": "Configuration for guardrail PII filter.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrailPiiBehavior"
+                    },
+                    "safety": {
+                      "description": "Indicates whether the safety filter is enabled.",
+                      "$ref": "#/$defs/bool"
+                    },
+                    "valid_topics": {
+                      "description": "The list of allowed topics. Given a chat request, this guardrail flags the request if its topic is not in the allowed topics.",
+                      "$ref": "#/$defs/slice/string"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayGuardrailPiiBehavior": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "behavior": {
+                      "description": "Behavior for PII filter. Currently only 'BLOCK' is supported. If 'BLOCK' is set for the input guardrail and the request contains PII, the request is not sent to the model server and 400 status code is returned; if 'BLOCK' is set for the output guardrail and the model response contains PII, the PII info in the response is redacted and 400 status code is returned.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrailPiiBehaviorBehavior",
+                      "enum": [
+                        "NONE",
+                        "BLOCK"
+                      ]
+                    }
+                  },
+                  "additionalProperties": false,
+                  "required": [
+                    "behavior"
+                  ]
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayGuardrailPiiBehaviorBehavior": {
+              "type": "string"
+            },
+            "serving.AiGatewayGuardrails": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "input": {
+                      "description": "Configuration for input guardrail filters.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrailParameters"
+                    },
+                    "output": {
+                      "description": "Configuration for output guardrail filters.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrailParameters"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayInferenceTableConfig": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "catalog_name": {
+                      "description": "The name of the catalog in Unity Catalog. Required when enabling inference tables. NOTE: On update, you have to disable inference table first in order to change the catalog name.",
+                      "$ref": "#/$defs/string"
+                    },
+                    "enabled": {
+                      "description": "Indicates whether the inference table is enabled.",
+                      "$ref": "#/$defs/bool"
+                    },
+                    "schema_name": {
+                      "description": "The name of the schema in Unity Catalog. Required when enabling inference tables. NOTE: On update, you have to disable inference table first in order to change the schema name.",
+                      "$ref": "#/$defs/string"
+                    },
+                    "table_name_prefix": {
+                      "description": "The prefix of the table in Unity Catalog. NOTE: On update, you have to disable inference table first in order to change the prefix name.",
+                      "$ref": "#/$defs/string"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayRateLimit": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "calls": {
+                      "description": "Used to specify how many calls are allowed for a key within the renewal_period.",
+                      "$ref": "#/$defs/int"
+                    },
+                    "key": {
+                      "description": "Key field for a rate limit. Currently, only 'user' and 'endpoint' are supported, with 'endpoint' being the default if not specified.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayRateLimitKey",
+                      "enum": [
+                        "user",
+                        "endpoint"
+                      ]
+                    },
+                    "renewal_period": {
+                      "description": "Renewal period field for a rate limit. Currently, only 'minute' is supported.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayRateLimitRenewalPeriod",
+                      "enum": [
+                        "minute"
+                      ]
+                    }
+                  },
+                  "additionalProperties": false,
+                  "required": [
+                    "calls",
+                    "renewal_period"
+                  ]
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayRateLimitKey": {
+              "type": "string"
+            },
+            "serving.AiGatewayRateLimitRenewalPeriod": {
+              "type": "string"
+            },
+            "serving.AiGatewayUsageTrackingConfig": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "enabled": {
+                      "description": "Whether to enable usage tracking.",
+                      "$ref": "#/$defs/bool"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
             "serving.AmazonBedrockConfig": {
               "anyOf": [
                 {
@@ -5569,6 +5767,20 @@
                   }
                 ]
               },
+              "serving.AiGatewayRateLimit": {
+                "anyOf": [
+                  {
+                    "type": "array",
+                    "items": {
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayRateLimit"
+                    }
+                  },
+                  {
+                    "type": "string",
+                    "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                  }
+                ]
+              },
               "serving.EndpointTag": {
                 "anyOf": [
                   {

bundle/tests/run_as_test.go

@@ -3,7 +3,6 @@ package config_tests
 import (
 	"context"
 	"fmt"
-	"path/filepath"
 	"testing"
 
 	"github.com/databricks/cli/bundle"
@@ -113,8 +112,9 @@ func TestRunAsErrorForPipelines(t *testing.T) {
 	diags := bundle.Apply(ctx, b, mutator.SetRunAs())
 	err := diags.Error()
 
-	configPath := filepath.FromSlash("run_as/not_allowed/pipelines/databricks.yml")
+	assert.ErrorContains(t, err, "pipelines do not support a setting a run_as user that is different from the owner.\n"+
-	assert.EqualError(t, err, fmt.Sprintf("pipelines are not supported when the current deployment user is different from the bundle's run_as identity. Please deploy as the run_as identity. Please refer to the documentation at https://docs.databricks.com/dev-tools/bundles/run-as.html for more details. Location of the unsupported resource: %s:14:5. Current identity: jane@doe.com. Run as identity: my_service_principal", configPath))
+		"Current identity: jane@doe.com. Run as identity: my_service_principal.\n"+
+		"See https://docs")
 }
 
 func TestRunAsNoErrorForPipelines(t *testing.T) {
@@ -152,8 +152,9 @@ func TestRunAsErrorForModelServing(t *testing.T) {
 	diags := bundle.Apply(ctx, b, mutator.SetRunAs())
 	err := diags.Error()
 
-	configPath := filepath.FromSlash("run_as/not_allowed/model_serving/databricks.yml")
+	assert.ErrorContains(t, err, "model_serving_endpoints do not support a setting a run_as user that is different from the owner.\n"+
-	assert.EqualError(t, err, fmt.Sprintf("model_serving_endpoints are not supported when the current deployment user is different from the bundle's run_as identity. Please deploy as the run_as identity. Please refer to the documentation at https://docs.databricks.com/dev-tools/bundles/run-as.html for more details. Location of the unsupported resource: %s:14:5. Current identity: jane@doe.com. Run as identity: my_service_principal", configPath))
+		"Current identity: jane@doe.com. Run as identity: my_service_principal.\n"+
+		"See https://docs")
 }
 
 func TestRunAsNoErrorForModelServingEndpoints(t *testing.T) {
@@ -191,8 +192,7 @@ func TestRunAsErrorWhenBothUserAndSpSpecified(t *testing.T) {
 	diags := bundle.Apply(ctx, b, mutator.SetRunAs())
 	err := diags.Error()
 
-	configPath := filepath.FromSlash("run_as/not_allowed/both_sp_and_user/databricks.yml")
+	assert.ErrorContains(t, err, "run_as section cannot specify both user_name and service_principal_name")
-	assert.EqualError(t, err, fmt.Sprintf("run_as section must specify exactly one identity. A service_principal_name \"my_service_principal\" is specified at %s:6:27. A user_name \"my_user_name\" is defined at %s:7:14", configPath, configPath))
 }
 
 func TestRunAsErrorNeitherUserOrSpSpecified(t *testing.T) {
@@ -202,19 +202,19 @@ func TestRunAsErrorNeitherUserOrSpSpecified(t *testing.T) {
 	}{
 		{
 			name: "empty_run_as",
-			err:  fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:4:8", filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/empty_run_as/databricks.yml")),
+			err:  "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
 		},
 		{
 			name: "empty_sp",
-			err:  fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:5:3", filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/empty_sp/databricks.yml")),
+			err:  "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
 		},
 		{
 			name: "empty_user",
-			err:  fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:5:3", filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/empty_user/databricks.yml")),
+			err:  "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
 		},
 		{
 			name: "empty_user_and_sp",
-			err:  fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:5:3", filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/empty_user_and_sp/databricks.yml")),
+			err:  "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
 		},
 	}
 
@@ -257,8 +257,7 @@ func TestRunAsErrorNeitherUserOrSpSpecifiedAtTargetOverride(t *testing.T) {
 	diags := bundle.Apply(ctx, b, mutator.SetRunAs())
 	err := diags.Error()
 
-	configPath := filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/override/override.yml")
+	assert.EqualError(t, err, "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified")
-	assert.EqualError(t, err, fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:4:12", configPath))
 }
 
 func TestLegacyRunAs(t *testing.T) {

cmd/account/access-control/access-control.go

@@ -205,10 +205,16 @@ func newUpdateRuleSet() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateRuleSetJson.Unmarshal(&updateRuleSetReq)
+			diags := updateRuleSetJson.Unmarshal(&updateRuleSetReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/budgets/budgets.go

@@ -78,10 +78,16 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -316,10 +322,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/credentials/credentials.go

@@ -90,10 +90,16 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/csp-enablement-account/csp-enablement-account.go

@@ -129,10 +129,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/custom-app-integration/custom-app-integration.go

@@ -88,11 +88,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.CustomAppIntegration.Create(ctx, createReq)
 		if err != nil {
@@ -320,11 +326,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.IntegrationId = args[0]
 
 		err = a.CustomAppIntegration.Update(ctx, updateReq)

cmd/account/disable-legacy-features/disable-legacy-features.go

@@ -185,10 +185,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/encryption-keys/encryption-keys.go

@@ -107,10 +107,16 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/esm-enablement-account/esm-enablement-account.go

@@ -127,10 +127,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/groups/groups.go

@@ -97,11 +97,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.Groups.Create(ctx, createReq)
 		if err != nil {
@@ -358,11 +364,17 @@ func newPatch() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = patchJson.Unmarshal(&patchReq)
+			diags := patchJson.Unmarshal(&patchReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Groups drop-down."
@@ -446,11 +458,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Groups drop-down."

cmd/account/ip-access-lists/ip-access-lists.go

@@ -132,11 +132,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.Label = args[0]
 		}
@@ -411,11 +417,17 @@ func newReplace() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = replaceJson.Unmarshal(&replaceReq)
+			diags := replaceJson.Unmarshal(&replaceReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		replaceReq.IpAccessListId = args[0]
 		if !cmd.Flags().Changed("json") {
 			replaceReq.Label = args[1]
@@ -505,11 +517,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No IP_ACCESS_LIST_ID argument specified. Loading names for Account Ip Access Lists drop-down."

cmd/account/log-delivery/log-delivery.go

@@ -162,11 +162,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.LogDelivery.Create(ctx, createReq)
 		if err != nil {
@@ -369,11 +375,17 @@ func newPatchStatus() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = patchStatusJson.Unmarshal(&patchStatusReq)
+			diags := patchStatusJson.Unmarshal(&patchStatusReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		patchStatusReq.LogDeliveryConfigurationId = args[0]
 		if !cmd.Flags().Changed("json") {
 			_, err = fmt.Sscan(args[1], &patchStatusReq.Status)

cmd/account/metastore-assignments/metastore-assignments.go

@@ -85,11 +85,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		_, err = fmt.Sscan(args[0], &createReq.WorkspaceId)
 		if err != nil {
 			return fmt.Errorf("invalid WORKSPACE_ID: %s", args[0])
@@ -343,11 +349,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		_, err = fmt.Sscan(args[0], &updateReq.WorkspaceId)
 		if err != nil {
 			return fmt.Errorf("invalid WORKSPACE_ID: %s", args[0])

cmd/account/metastores/metastores.go

@@ -80,11 +80,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.Metastores.Create(ctx, createReq)
 		if err != nil {
@@ -304,11 +310,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.MetastoreId = args[0]
 
 		response, err := a.Metastores.Update(ctx, updateReq)

cmd/account/network-connectivity/network-connectivity.go

@@ -96,11 +96,17 @@ func newCreateNetworkConnectivityConfiguration() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createNetworkConnectivityConfigurationJson.Unmarshal(&createNetworkConnectivityConfigurationReq)
+			diags := createNetworkConnectivityConfigurationJson.Unmarshal(&createNetworkConnectivityConfigurationReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createNetworkConnectivityConfigurationReq.Name = args[0]
 		}
@@ -187,11 +193,17 @@ func newCreatePrivateEndpointRule() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createPrivateEndpointRuleJson.Unmarshal(&createPrivateEndpointRuleReq)
+			diags := createPrivateEndpointRuleJson.Unmarshal(&createPrivateEndpointRuleReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		createPrivateEndpointRuleReq.NetworkConnectivityConfigId = args[0]
 		if !cmd.Flags().Changed("json") {
 			createPrivateEndpointRuleReq.ResourceId = args[1]

cmd/account/networks/networks.go

@@ -97,11 +97,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.NetworkName = args[0]
 		}

cmd/account/personal-compute/personal-compute.go

@@ -189,10 +189,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/private-access/private-access.go

@@ -109,11 +109,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.PrivateAccessSettingsName = args[0]
 		}
@@ -411,11 +417,17 @@ func newReplace() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = replaceJson.Unmarshal(&replaceReq)
+			diags := replaceJson.Unmarshal(&replaceReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		replaceReq.PrivateAccessSettingsId = args[0]
 		if !cmd.Flags().Changed("json") {
 			replaceReq.PrivateAccessSettingsName = args[1]

cmd/account/published-app-integration/published-app-integration.go

@@ -85,11 +85,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.PublishedAppIntegration.Create(ctx, createReq)
 		if err != nil {
@@ -315,11 +321,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.IntegrationId = args[0]
 
 		err = a.PublishedAppIntegration.Update(ctx, updateReq)

cmd/account/service-principals/service-principals.go

@@ -95,11 +95,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.ServicePrincipals.Create(ctx, createReq)
 		if err != nil {
@@ -358,11 +364,17 @@ func newPatch() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = patchJson.Unmarshal(&patchReq)
+			diags := patchJson.Unmarshal(&patchReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Service Principals drop-down."
@@ -448,11 +460,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Service Principals drop-down."

cmd/account/storage-credentials/storage-credentials.go

@@ -88,11 +88,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		createReq.MetastoreId = args[0]
 
 		response, err := a.StorageCredentials.Create(ctx, createReq)
@@ -340,11 +346,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.MetastoreId = args[0]
 		updateReq.StorageCredentialName = args[1]
 

cmd/account/storage/storage.go

@@ -87,10 +87,16 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/usage-dashboards/usage-dashboards.go

@@ -80,11 +80,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.UsageDashboards.Create(ctx, createReq)
 		if err != nil {

cmd/account/users/users.go

@@ -103,11 +103,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.Users.Create(ctx, createReq)
 		if err != nil {
@@ -374,11 +380,17 @@ func newPatch() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = patchJson.Unmarshal(&patchReq)
+			diags := patchJson.Unmarshal(&patchReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Users drop-down."
@@ -465,11 +477,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Users drop-down."

cmd/account/vpc-endpoints/vpc-endpoints.go

@@ -104,11 +104,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.VpcEndpointName = args[0]
 		}

cmd/account/workspace-assignment/workspace-assignment.go

@@ -273,11 +273,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		_, err = fmt.Sscan(args[0], &updateReq.WorkspaceId)
 		if err != nil {
 			return fmt.Errorf("invalid WORKSPACE_ID: %s", args[0])

cmd/account/workspaces/workspaces.go

@@ -133,11 +133,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.WorkspaceName = args[0]
 		}
@@ -551,11 +557,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No WORKSPACE_ID argument specified. Loading names for Workspaces drop-down."

cmd/api/api.go

@@ -42,9 +42,9 @@ func makeCommand(method string) *cobra.Command {
 			var path = args[0]
 
 			var request any
-			err := payload.Unmarshal(&request)
+			diags := payload.Unmarshal(&request)
-			if err != nil {
+			if diags.HasError() {
-				return err
+				return diags.Error()
 			}
 
 			cfg := &config.Config{}

cmd/workspace/alerts-legacy/alerts-legacy.go

@@ -93,10 +93,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -357,10 +363,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/alerts/alerts.go

@@ -85,11 +85,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := w.Alerts.Create(ctx, createReq)
 		if err != nil {
@@ -354,11 +360,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.Id = args[0]
 		if !cmd.Flags().Changed("json") {
 			updateReq.UpdateMask = args[1]

cmd/workspace/apps/apps.go

@@ -81,6 +81,7 @@ func newCreate() *cobra.Command {
 	cmd.Flags().Var(&createJson, "json", `either inline JSON string or @path/to/file.json with request body`)
 
 	cmd.Flags().StringVar(&createReq.Description, "description", createReq.Description, `The description of the app.`)
+	// TODO: array: resources
 
 	cmd.Use = "create NAME"
 	cmd.Short = `Create an app.`
@@ -112,11 +113,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.Name = args[0]
 		}
@@ -266,11 +273,17 @@ func newDeploy() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deployJson.Unmarshal(&deployReq)
+			diags := deployJson.Unmarshal(&deployReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		deployReq.AppName = args[0]
 
 		wait, err := w.Apps.Deploy(ctx, deployReq)
@@ -701,11 +714,17 @@ func newSetPermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setPermissionsJson.Unmarshal(&setPermissionsReq)
+			diags := setPermissionsJson.Unmarshal(&setPermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		setPermissionsReq.AppName = args[0]
 
 		response, err := w.Apps.SetPermissions(ctx, setPermissionsReq)
@@ -910,6 +929,7 @@ func newUpdate() *cobra.Command {
 	cmd.Flags().Var(&updateJson, "json", `either inline JSON string or @path/to/file.json with request body`)
 
 	cmd.Flags().StringVar(&updateReq.Description, "description", updateReq.Description, `The description of the app.`)
+	// TODO: array: resources
 
 	cmd.Use = "update NAME"
 	cmd.Short = `Update an app.`
@@ -934,11 +954,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.Name = args[0]
 
 		response, err := w.Apps.Update(ctx, updateReq)
@@ -1003,11 +1029,17 @@ func newUpdatePermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			diags := updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updatePermissionsReq.AppName = args[0]
 
 		response, err := w.Apps.UpdatePermissions(ctx, updatePermissionsReq)

cmd/workspace/artifact-allowlists/artifact-allowlists.go

@@ -145,10 +145,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/automatic-cluster-update/automatic-cluster-update.go

@@ -127,10 +127,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/catalogs/catalogs.go

@@ -105,11 +105,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.Name = args[0]
 		}
@@ -363,11 +369,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.Name = args[0]
 
 		response, err := w.Catalogs.Update(ctx, updateReq)

cmd/workspace/clean-rooms/clean-rooms.go

@@ -85,10 +85,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -344,11 +350,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.Name = args[0]
 
 		response, err := w.CleanRooms.Update(ctx, updateReq)

cmd/workspace/cluster-policies/cluster-policies.go

@@ -113,11 +113,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := w.ClusterPolicies.Create(ctx, createReq)
 		if err != nil {
@@ -185,10 +191,16 @@ func newDelete() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteJson.Unmarshal(&deleteReq)
+			diags := deleteJson.Unmarshal(&deleteReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -284,10 +296,16 @@ func newEdit() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = editJson.Unmarshal(&editReq)
+			diags := editJson.Unmarshal(&editReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -630,11 +648,17 @@ func newSetPermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setPermissionsJson.Unmarshal(&setPermissionsReq)
+			diags := setPermissionsJson.Unmarshal(&setPermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No CLUSTER_POLICY_ID argument specified. Loading names for Cluster Policies drop-down."
@@ -711,11 +735,17 @@ func newUpdatePermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			diags := updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No CLUSTER_POLICY_ID argument specified. Loading names for Cluster Policies drop-down."

cmd/workspace/clusters/clusters.go

@@ -134,11 +134,17 @@ func newChangeOwner() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = changeOwnerJson.Unmarshal(&changeOwnerReq)
+			diags := changeOwnerJson.Unmarshal(&changeOwnerReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			changeOwnerReq.ClusterId = args[0]
 		}
@@ -268,11 +274,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.SparkVersion = args[0]
 		}
@@ -362,10 +374,16 @@ func newDelete() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteJson.Unmarshal(&deleteReq)
+			diags := deleteJson.Unmarshal(&deleteReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -519,11 +537,17 @@ func newEdit() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = editJson.Unmarshal(&editReq)
+			diags := editJson.Unmarshal(&editReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			editReq.ClusterId = args[0]
 		}
@@ -617,10 +641,16 @@ func newEvents() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = eventsJson.Unmarshal(&eventsReq)
+			diags := eventsJson.Unmarshal(&eventsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1069,10 +1099,16 @@ func newPermanentDelete() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = permanentDeleteJson.Unmarshal(&permanentDeleteReq)
+			diags := permanentDeleteJson.Unmarshal(&permanentDeleteReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1161,10 +1197,16 @@ func newPin() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = pinJson.Unmarshal(&pinReq)
+			diags := pinJson.Unmarshal(&pinReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1260,10 +1302,16 @@ func newResize() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = resizeJson.Unmarshal(&resizeReq)
+			diags := resizeJson.Unmarshal(&resizeReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1370,10 +1418,16 @@ func newRestart() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = restartJson.Unmarshal(&restartReq)
+			diags := restartJson.Unmarshal(&restartReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1464,11 +1518,17 @@ func newSetPermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setPermissionsJson.Unmarshal(&setPermissionsReq)
+			diags := setPermissionsJson.Unmarshal(&setPermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No CLUSTER_ID argument specified. Loading names for Clusters drop-down."
@@ -1608,10 +1668,16 @@ func newStart() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = startJson.Unmarshal(&startReq)
+			diags := startJson.Unmarshal(&startReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1712,10 +1778,16 @@ func newUnpin() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = unpinJson.Unmarshal(&unpinReq)
+			diags := unpinJson.Unmarshal(&unpinReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1824,11 +1896,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			updateReq.ClusterId = args[0]
 		}
@@ -1905,11 +1983,17 @@ func newUpdatePermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			diags := updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No CLUSTER_ID argument specified. Loading names for Clusters drop-down."

cmd/workspace/compliance-security-profile/compliance-security-profile.go

@@ -130,10 +130,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}