move test

## Changes
Added JSON input validation for CLI commands. Now when invalid JSON
passed as a payload to CLI commands, CLI performs input normalisation
and detects if there are any mismatches such as incorrect types, unknown
fields and etc.

This diagnostic information is printed in standard error output and does
not block command execution, so the change is backward compatible.

Fixes #1769 #1764 #1625 #1560


## Tests
Added unit tests

```
andrew.nester@HFW9Y94129 ~ % databricks jobs create --json '{"seeti}'
Error: error decoding JSON at (inline):1:2: unexpected EOF


andrew.nester@HFW9Y94129 ~ % databricks jobs create --json '{"seeti": true}'
Warning: unknown field: seeti
  in (inline):1:9

Error: Job settings must be specified.
```

---------

Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com>

.codegen/_openapi_sha

@@ -1 +1 @@
-6f6b1371e640f2dfeba72d365ac566368656f6b6
+0c86ea6dbd9a730c24ff0d4e509603e476955ac5

.codegen/service.go.tmpl

@@ -5,6 +5,7 @@ package {{(.TrimPrefix "account").SnakeName}}
 import (
     "github.com/databricks/cli/libs/cmdio"
     "github.com/databricks/cli/libs/flags"
+	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/cmd/root"
 	"github.com/databricks/databricks-sdk-go/service/{{.Package.Name}}"
 	"github.com/spf13/cobra"
@@ -231,10 +232,16 @@ func new{{.PascalName}}() *cobra.Command {
 		{{- if .Request }}
 			{{ if .CanUseJson }}
 			if cmd.Flags().Changed("json") {
-					err = {{.CamelName}}Json.Unmarshal(&{{.CamelName}}Req)
+					diags := {{.CamelName}}Json.Unmarshal(&{{.CamelName}}Req)
+					if diags.HasError() {
+						return diags.Error()
+					}
+					if len(diags) > 0 {
+						err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 						if err != nil {
 							return err
 						}
+					}
 			}{{end}}{{ if .MustUseJson }}else {
 				return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 			}{{- end}}

CHANGELOG.md

@@ -1,5 +1,33 @@
 # Version changelog
 
+## [Release] Release v0.230.0
+
+Notable changes for Databricks Asset Bundles:
+
+Workspace paths are automatically prefixed with `/Workspace`. In addition, all usage of path strings such as `/Workspace/${workspace.root_path}/...` in bundle configuration is automatically replaced with `${workspace.root_path}/...` and generates a warning as part of bundle validate.
+
+More details can be found here: https://docs.databricks.com/en/release-notes/dev-tools/bundles.html#workspace-paths
+
+Bundles:
+ * Add an error if state files grow bigger than the export limit ([#1795](https://github.com/databricks/cli/pull/1795)).
+ * Always prepend bundle remote paths with /Workspace ([#1724](https://github.com/databricks/cli/pull/1724)).
+ * Add resource path field to bundle workspace configuration ([#1800](https://github.com/databricks/cli/pull/1800)).
+ * Add validation for files with a `.(resource-name).yml` extension ([#1780](https://github.com/databricks/cli/pull/1780)).
+
+Internal:
+ * Remove deprecated or readonly fields from the bundle schema ([#1809](https://github.com/databricks/cli/pull/1809)).
+
+API Changes:
+ * Changed `databricks git-credentials create`, `databricks git-credentials delete`, `databricks git-credentials get`, `databricks git-credentials list`, `databricks git-credentials update` commands .
+ * Changed `databricks repos create`, `databricks repos delete`, `databricks repos get`, `databricks repos update`  command .
+
+OpenAPI commit 0c86ea6dbd9a730c24ff0d4e509603e476955ac5 (2024-10-02)
+Dependency updates:
+ * Upgrade TF provider to 1.53.0 ([#1815](https://github.com/databricks/cli/pull/1815)).
+ * Bump golang.org/x/term from 0.24.0 to 0.25.0 ([#1811](https://github.com/databricks/cli/pull/1811)).
+ * Bump golang.org/x/text from 0.18.0 to 0.19.0 ([#1812](https://github.com/databricks/cli/pull/1812)).
+ * Bump github.com/databricks/databricks-sdk-go from 0.47.0 to 0.48.0 ([#1810](https://github.com/databricks/cli/pull/1810)).
+
 ## [Release] Release v0.229.0
 
 Bundles:

bundle/config/mutator/populate_current_user.go

@@ -5,8 +5,8 @@ import (
 
 	"github.com/databricks/cli/bundle"
 	"github.com/databricks/cli/bundle/config"
-	"github.com/databricks/cli/libs/auth"
 	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/iamutil"
 	"github.com/databricks/cli/libs/tags"
 )
 
@@ -33,7 +33,7 @@ func (m *populateCurrentUser) Apply(ctx context.Context, b *bundle.Bundle) diag.
 	}
 
 	b.Config.Workspace.CurrentUser = &config.User{
-		ShortName: auth.GetShortUserName(me),
+		ShortName: iamutil.GetShortUserName(me),
 		User:      me,
 	}
 

bundle/config/mutator/process_target_mode.go

@@ -6,9 +6,9 @@ import (
 
 	"github.com/databricks/cli/bundle"
 	"github.com/databricks/cli/bundle/config"
-	"github.com/databricks/cli/libs/auth"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/libs/dyn"
+	"github.com/databricks/cli/libs/iamutil"
 	"github.com/databricks/cli/libs/log"
 )
 
@@ -174,7 +174,7 @@ func (m *processTargetMode) Apply(ctx context.Context, b *bundle.Bundle) diag.Di
 		transformDevelopmentMode(ctx, b)
 		return diags
 	case config.Production:
-		isPrincipal := auth.IsServicePrincipal(b.Config.Workspace.CurrentUser.UserName)
+		isPrincipal := iamutil.IsServicePrincipal(b.Config.Workspace.CurrentUser.User)
 		return validateProductionMode(ctx, b, isPrincipal)
 	case "":
 		// No action

bundle/config/mutator/run_as.go

@@ -30,50 +30,44 @@ func (m *setRunAs) Name() string {
 	return "SetRunAs"
 }
 
-type errUnsupportedResourceTypeForRunAs struct {
-	resourceType     string
-	resourceLocation dyn.Location
-	currentUser      string
-	runAsUser        string
+func reportRunAsNotSupported(resourceType string, location dyn.Location, currentUser string, runAsUser string) diag.Diagnostics {
+	return diag.Diagnostics{{
+		Summary: fmt.Sprintf("%s do not support a setting a run_as user that is different from the owner.\n"+
+			"Current identity: %s. Run as identity: %s.\n"+
+			"See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property.", resourceType, currentUser, runAsUser),
+		Locations: []dyn.Location{location},
+		Severity:  diag.Error,
+	}}
 }
 
-func (e errUnsupportedResourceTypeForRunAs) Error() string {
-	return fmt.Sprintf("%s are not supported when the current deployment user is different from the bundle's run_as identity. Please deploy as the run_as identity. Please refer to the documentation at https://docs.databricks.com/dev-tools/bundles/run-as.html for more details. Location of the unsupported resource: %s. Current identity: %s. Run as identity: %s", e.resourceType, e.resourceLocation, e.currentUser, e.runAsUser)
-}
+func validateRunAs(b *bundle.Bundle) diag.Diagnostics {
+	diags := diag.Diagnostics{}
 
-type errBothSpAndUserSpecified struct {
-	spName   string
-	spLoc    dyn.Location
-	userName string
-	userLoc  dyn.Location
-}
+	neitherSpecifiedErr := diag.Diagnostics{{
+		Summary:   "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
+		Locations: []dyn.Location{b.Config.GetLocation("run_as")},
+		Severity:  diag.Error,
+	}}
 
-func (e errBothSpAndUserSpecified) Error() string {
-	return fmt.Sprintf("run_as section must specify exactly one identity. A service_principal_name %q is specified at %s. A user_name %q is defined at %s", e.spName, e.spLoc, e.userName, e.userLoc)
-}
-
-func validateRunAs(b *bundle.Bundle) error {
-	neitherSpecifiedErr := fmt.Errorf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s", b.Config.GetLocation("run_as"))
-	// Error if neither service_principal_name nor user_name are specified, but the
+	// Fail fast if neither service_principal_name nor user_name are specified, but the
 	// run_as section is present.
 	if b.Config.Value().Get("run_as").Kind() == dyn.KindNil {
 		return neitherSpecifiedErr
 	}
-	// Error if one or both of service_principal_name and user_name are specified,
+
+	// Fail fast if one or both of service_principal_name and user_name are specified,
 	// but with empty values.
-	if b.Config.RunAs.ServicePrincipalName == "" && b.Config.RunAs.UserName == "" {
+	runAs := b.Config.RunAs
+	if runAs.ServicePrincipalName == "" && runAs.UserName == "" {
 		return neitherSpecifiedErr
 	}
 
-	// Error if both service_principal_name and user_name are specified
-	runAs := b.Config.RunAs
 	if runAs.UserName != "" && runAs.ServicePrincipalName != "" {
-		return errBothSpAndUserSpecified{
-			spName:   runAs.ServicePrincipalName,
-			userName: runAs.UserName,
-			spLoc:    b.Config.GetLocation("run_as.service_principal_name"),
-			userLoc:  b.Config.GetLocation("run_as.user_name"),
-		}
+		diags = diags.Extend(diag.Diagnostics{{
+			Summary:   "run_as section cannot specify both user_name and service_principal_name",
+			Locations: []dyn.Location{b.Config.GetLocation("run_as")},
+			Severity:  diag.Error,
+		}})
 	}
 
 	identity := runAs.ServicePrincipalName
@@ -83,40 +77,40 @@ func validateRunAs(b *bundle.Bundle) error {
 
 	// All resources are supported if the run_as identity is the same as the current deployment identity.
 	if identity == b.Config.Workspace.CurrentUser.UserName {
-		return nil
+		return diags
 	}
 
 	// DLT pipelines do not support run_as in the API.
 	if len(b.Config.Resources.Pipelines) > 0 {
-		return errUnsupportedResourceTypeForRunAs{
-			resourceType:     "pipelines",
-			resourceLocation: b.Config.GetLocation("resources.pipelines"),
-			currentUser:      b.Config.Workspace.CurrentUser.UserName,
-			runAsUser:        identity,
-		}
+		diags = diags.Extend(reportRunAsNotSupported(
+			"pipelines",
+			b.Config.GetLocation("resources.pipelines"),
+			b.Config.Workspace.CurrentUser.UserName,
+			identity,
+		))
 	}
 
 	// Model serving endpoints do not support run_as in the API.
 	if len(b.Config.Resources.ModelServingEndpoints) > 0 {
-		return errUnsupportedResourceTypeForRunAs{
-			resourceType:     "model_serving_endpoints",
-			resourceLocation: b.Config.GetLocation("resources.model_serving_endpoints"),
-			currentUser:      b.Config.Workspace.CurrentUser.UserName,
-			runAsUser:        identity,
-		}
+		diags = diags.Extend(reportRunAsNotSupported(
+			"model_serving_endpoints",
+			b.Config.GetLocation("resources.model_serving_endpoints"),
+			b.Config.Workspace.CurrentUser.UserName,
+			identity,
+		))
 	}
 
 	// Monitors do not support run_as in the API.
 	if len(b.Config.Resources.QualityMonitors) > 0 {
-		return errUnsupportedResourceTypeForRunAs{
-			resourceType:     "quality_monitors",
-			resourceLocation: b.Config.GetLocation("resources.quality_monitors"),
-			currentUser:      b.Config.Workspace.CurrentUser.UserName,
-			runAsUser:        identity,
-		}
+		diags = diags.Extend(reportRunAsNotSupported(
+			"quality_monitors",
+			b.Config.GetLocation("resources.quality_monitors"),
+			b.Config.Workspace.CurrentUser.UserName,
+			identity,
+		))
 	}
 
-	return nil
+	return diags
 }
 
 func setRunAsForJobs(b *bundle.Bundle) {
@@ -187,8 +181,9 @@ func (m *setRunAs) Apply(_ context.Context, b *bundle.Bundle) diag.Diagnostics {
 	}
 
 	// Assert the run_as configuration is valid in the context of the bundle
-	if err := validateRunAs(b); err != nil {
-		return diag.FromErr(err)
+	diags := validateRunAs(b)
+	if diags.HasError() {
+		return diags
 	}
 
 	setRunAsForJobs(b)

bundle/config/mutator/run_as_test.go

@@ -188,11 +188,8 @@ func TestRunAsErrorForUnsupportedResources(t *testing.T) {
 			Config: *r,
 		}
 		diags := bundle.Apply(context.Background(), b, SetRunAs())
-		assert.Equal(t, diags.Error().Error(), errUnsupportedResourceTypeForRunAs{
-			resourceType:     rt,
-			resourceLocation: dyn.Location{},
-			currentUser:      "alice",
-			runAsUser:        "bob",
-		}.Error(), "expected run_as with a different identity than the current deployment user to not supported for resources of type: %s", rt)
+		assert.Contains(t, diags.Error().Error(), "do not support a setting a run_as user that is different from the owner.\n"+
+			"Current identity: alice. Run as identity: bob.\n"+
+			"See https://docs.databricks.com/dev-tools/bundles/run-as.html to learn more about the run_as property.", rt)
 	}
 }

bundle/deploy/files/upload.go

@@ -2,9 +2,12 @@ package files
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"io/fs"
 
 	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/permissions"
 	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/libs/log"
@@ -35,6 +38,9 @@ func (m *upload) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
 
 	b.Files, err = sync.RunOnce(ctx)
 	if err != nil {
+		if errors.Is(err, fs.ErrPermission) {
+			return permissions.ReportPossiblePermissionDenied(ctx, b, b.Config.Workspace.FilePath)
+		}
 		return diag.FromErr(err)
 	}
 

bundle/deploy/lock/acquire.go

@@ -3,8 +3,10 @@ package lock
 import (
 	"context"
 	"errors"
+	"io/fs"
 
 	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/permissions"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/libs/filer"
 	"github.com/databricks/cli/libs/locker"
@@ -51,12 +53,17 @@ func (m *acquire) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics
 	if err != nil {
 		log.Errorf(ctx, "Failed to acquire deployment lock: %v", err)
 
+		if errors.Is(err, fs.ErrPermission) {
+			return permissions.ReportPossiblePermissionDenied(ctx, b, b.Config.Workspace.StatePath)
+		}
+
 		notExistsError := filer.NoSuchDirectoryError{}
 		if errors.As(err, &notExistsError) {
 			// If we get a "doesn't exist" error from the API this indicates
 			// we either don't have permissions or the path is invalid.
-			return diag.Errorf("cannot write to deployment root (this can indicate a previous deploy was done with a different identity): %s", b.Config.Workspace.RootPath)
+			return permissions.ReportPossiblePermissionDenied(ctx, b, b.Config.Workspace.StatePath)
 		}
+
 		return diag.FromErr(err)
 	}
 

bundle/deploy/terraform/apply.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/permissions"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/cli/libs/log"
 	"github.com/hashicorp/terraform-exec/tfexec"
@@ -34,6 +35,10 @@ func (w *apply) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
 	// Apply terraform according to the computed plan
 	err := tf.Apply(ctx, tfexec.DirOrPlan(b.Plan.Path))
 	if err != nil {
+		diags := permissions.TryExtendTerraformPermissionError(ctx, b, err)
+		if diags != nil {
+			return diags
+		}
 		return diag.Errorf("terraform apply: %v", err)
 	}
 

bundle/deploy/terraform/tfdyn/convert_cluster.go

@@ -40,7 +40,7 @@ func (clusterConverter) Convert(ctx context.Context, key string, vin dyn.Value,
 
 	// Configure permissions for this resource.
 	if permissions := convertPermissionsResource(ctx, vin); permissions != nil {
-		permissions.JobId = fmt.Sprintf("${databricks_cluster.%s.id}", key)
+		permissions.ClusterId = fmt.Sprintf("${databricks_cluster.%s.id}", key)
 		out.Permissions["cluster_"+key] = permissions
 	}
 

bundle/deploy/terraform/tfdyn/convert_cluster_test.go

@@ -81,7 +81,7 @@ func TestConvertCluster(t *testing.T) {
 
 	// Assert equality on the permissions
 	assert.Equal(t, &schema.ResourcePermissions{
-		JobId: "${databricks_cluster.my_cluster.id}",
+		ClusterId: "${databricks_cluster.my_cluster.id}",
 		AccessControl: []schema.ResourcePermissionsAccessControl{
 			{
 				PermissionLevel: "CAN_RUN",

bundle/internal/schema/main.go

@@ -8,8 +8,10 @@ import (
 	"reflect"
 
 	"github.com/databricks/cli/bundle/config"
+	"github.com/databricks/cli/bundle/config/resources"
 	"github.com/databricks/cli/bundle/config/variable"
 	"github.com/databricks/cli/libs/jsonschema"
+	"github.com/databricks/databricks-sdk-go/service/jobs"
 )
 
 func interpolationPattern(s string) string {
@@ -66,6 +68,31 @@ func addInterpolationPatterns(typ reflect.Type, s jsonschema.Schema) jsonschema.
 	}
 }
 
+func removeJobsFields(typ reflect.Type, s jsonschema.Schema) jsonschema.Schema {
+	switch typ {
+	case reflect.TypeOf(resources.Job{}):
+		// This field has been deprecated in jobs API v2.1 and is always set to
+		// "MULTI_TASK" in the backend. We should not expose it to the user.
+		delete(s.Properties, "format")
+
+		// These fields are only meant to be set by the DABs client (ie the CLI)
+		// and thus should not be exposed to the user. These are used to annotate
+		// jobs that were created by DABs.
+		delete(s.Properties, "deployment")
+		delete(s.Properties, "edit_mode")
+
+	case reflect.TypeOf(jobs.GitSource{}):
+		// These fields are readonly and are not meant to be set by the user.
+		delete(s.Properties, "job_source")
+		delete(s.Properties, "git_snapshot")
+
+	default:
+		// Do nothing
+	}
+
+	return s
+}
+
 func main() {
 	if len(os.Args) != 2 {
 		fmt.Println("Usage: go run main.go <output-file>")
@@ -90,6 +117,7 @@ func main() {
 	s, err := jsonschema.FromType(reflect.TypeOf(config.Root{}), []func(reflect.Type, jsonschema.Schema) jsonschema.Schema{
 		p.addDescriptions,
 		p.addEnums,
+		removeJobsFields,
 		addInterpolationPatterns,
 	})
 	if err != nil {

bundle/internal/schema/testdata/fail/deprecated_job_field_format.yml

@@ -0,0 +1,4 @@
+resources:
+  jobs:
+    foo:
+      format: SINGLE_TASK

bundle/internal/schema/testdata/fail/hidden_job_field_deployment.yml

@@ -0,0 +1,6 @@
+resources:
+  jobs:
+    foo:
+      deployment:
+        kind: BUNDLE
+        metadata_file_path: /a/b/c

bundle/internal/schema/testdata/fail/hidden_job_field_edit_mode.yml

@@ -0,0 +1,6 @@
+targets:
+  foo:
+    resources:
+      jobs:
+        bar:
+          edit_mode: whatever

bundle/internal/schema/testdata/fail/readonly_job_field_git_snapshot.yml

@@ -0,0 +1,8 @@
+resources:
+  jobs:
+    foo:
+      git_source:
+        git_provider: GITHUB
+        git_url: www.whatever.com
+        git_snapshot:
+          used_commit: abcdef

bundle/internal/schema/testdata/fail/readonly_job_field_job_source.yml

@@ -0,0 +1,9 @@
+resources:
+  jobs:
+    foo:
+      git_source:
+        git_provider: GITHUB
+        git_url: www.whatever.com
+        job_source:
+          import_from_git_branch: master
+          job_config_path: def

bundle/internal/schema/testdata/pass/job.yml

@@ -32,7 +32,6 @@ resources:
       name: myjob
       continuous:
         pause_status: PAUSED
-      edit_mode: EDITABLE
       max_concurrent_runs: 10
       description: "my job description"
       email_notifications:
@@ -43,10 +42,12 @@ resources:
             dependencies:
               - python=3.7
             client: "myclient"
-      format: MULTI_TASK
       tags:
         foo: bar
         bar: baz
+      git_source:
+        git_provider: gitHub
+        git_url: www.github.com/a/b
       tasks:
         - task_key: mytask
           notebook_task:

bundle/internal/tf/codegen/schema/version.go

@@ -1,3 +1,3 @@
 package schema
 
-const ProviderVersion = "1.52.0"
+const ProviderVersion = "1.53.0"

bundle/internal/tf/schema/data_source_current_metastore.go

@@ -10,6 +10,7 @@ type DataSourceCurrentMetastoreMetastoreInfo struct {
 	DeltaSharingOrganizationName                string `json:"delta_sharing_organization_name,omitempty"`
 	DeltaSharingRecipientTokenLifetimeInSeconds int    `json:"delta_sharing_recipient_token_lifetime_in_seconds,omitempty"`
 	DeltaSharingScope                           string `json:"delta_sharing_scope,omitempty"`
+	ExternalAccessEnabled                       bool   `json:"external_access_enabled,omitempty"`
 	GlobalMetastoreId                           string `json:"global_metastore_id,omitempty"`
 	MetastoreId                                 string `json:"metastore_id,omitempty"`
 	Name                                        string `json:"name,omitempty"`

bundle/internal/tf/schema/data_source_metastore.go

@@ -10,6 +10,7 @@ type DataSourceMetastoreMetastoreInfo struct {
 	DeltaSharingOrganizationName                string `json:"delta_sharing_organization_name,omitempty"`
 	DeltaSharingRecipientTokenLifetimeInSeconds int    `json:"delta_sharing_recipient_token_lifetime_in_seconds,omitempty"`
 	DeltaSharingScope                           string `json:"delta_sharing_scope,omitempty"`
+	ExternalAccessEnabled                       bool   `json:"external_access_enabled,omitempty"`
 	GlobalMetastoreId                           string `json:"global_metastore_id,omitempty"`
 	MetastoreId                                 string `json:"metastore_id,omitempty"`
 	Name                                        string `json:"name,omitempty"`

bundle/internal/tf/schema/data_source_mlflow_models.go

@@ -0,0 +1,8 @@
+// Generated from Databricks Terraform provider schema. DO NOT EDIT.
+
+package schema
+
+type DataSourceMlflowModels struct {
+	Id    string   `json:"id,omitempty"`
+	Names []string `json:"names,omitempty"`
+}

bundle/internal/tf/schema/data_sources.go

@@ -30,6 +30,7 @@ type DataSources struct {
 	Metastores                      map[string]any `json:"databricks_metastores,omitempty"`
 	MlflowExperiment                map[string]any `json:"databricks_mlflow_experiment,omitempty"`
 	MlflowModel                     map[string]any `json:"databricks_mlflow_model,omitempty"`
+	MlflowModels                    map[string]any `json:"databricks_mlflow_models,omitempty"`
 	MwsCredentials                  map[string]any `json:"databricks_mws_credentials,omitempty"`
 	MwsWorkspaces                   map[string]any `json:"databricks_mws_workspaces,omitempty"`
 	NodeType                        map[string]any `json:"databricks_node_type,omitempty"`
@@ -85,6 +86,7 @@ func NewDataSources() *DataSources {
 		Metastores:                      make(map[string]any),
 		MlflowExperiment:                make(map[string]any),
 		MlflowModel:                     make(map[string]any),
+		MlflowModels:                    make(map[string]any),
 		MwsCredentials:                  make(map[string]any),
 		MwsWorkspaces:                   make(map[string]any),
 		NodeType:                        make(map[string]any),

bundle/internal/tf/schema/resource_budget.go

@@ -0,0 +1,49 @@
+// Generated from Databricks Terraform provider schema. DO NOT EDIT.
+
+package schema
+
+type ResourceBudgetAlertConfigurationsActionConfigurations struct {
+	ActionConfigurationId string `json:"action_configuration_id,omitempty"`
+	ActionType            string `json:"action_type,omitempty"`
+	Target                string `json:"target,omitempty"`
+}
+
+type ResourceBudgetAlertConfigurations struct {
+	AlertConfigurationId string                                                  `json:"alert_configuration_id,omitempty"`
+	QuantityThreshold    string                                                  `json:"quantity_threshold,omitempty"`
+	QuantityType         string                                                  `json:"quantity_type,omitempty"`
+	TimePeriod           string                                                  `json:"time_period,omitempty"`
+	TriggerType          string                                                  `json:"trigger_type,omitempty"`
+	ActionConfigurations []ResourceBudgetAlertConfigurationsActionConfigurations `json:"action_configurations,omitempty"`
+}
+
+type ResourceBudgetFilterTagsValue struct {
+	Operator string   `json:"operator,omitempty"`
+	Values   []string `json:"values,omitempty"`
+}
+
+type ResourceBudgetFilterTags struct {
+	Key   string                         `json:"key,omitempty"`
+	Value *ResourceBudgetFilterTagsValue `json:"value,omitempty"`
+}
+
+type ResourceBudgetFilterWorkspaceId struct {
+	Operator string `json:"operator,omitempty"`
+	Values   []int  `json:"values,omitempty"`
+}
+
+type ResourceBudgetFilter struct {
+	Tags        []ResourceBudgetFilterTags       `json:"tags,omitempty"`
+	WorkspaceId *ResourceBudgetFilterWorkspaceId `json:"workspace_id,omitempty"`
+}
+
+type ResourceBudget struct {
+	AccountId             string                              `json:"account_id,omitempty"`
+	BudgetConfigurationId string                              `json:"budget_configuration_id,omitempty"`
+	CreateTime            int                                 `json:"create_time,omitempty"`
+	DisplayName           string                              `json:"display_name,omitempty"`
+	Id                    string                              `json:"id,omitempty"`
+	UpdateTime            int                                 `json:"update_time,omitempty"`
+	AlertConfigurations   []ResourceBudgetAlertConfigurations `json:"alert_configurations,omitempty"`
+	Filter                *ResourceBudgetFilter               `json:"filter,omitempty"`
+}

bundle/internal/tf/schema/resource_model_serving.go

@@ -2,6 +2,57 @@
 
 package schema
 
+type ResourceModelServingAiGatewayGuardrailsInputPii struct {
+	Behavior string `json:"behavior"`
+}
+
+type ResourceModelServingAiGatewayGuardrailsInput struct {
+	InvalidKeywords []string                                         `json:"invalid_keywords,omitempty"`
+	Safety          bool                                             `json:"safety,omitempty"`
+	ValidTopics     []string                                         `json:"valid_topics,omitempty"`
+	Pii             *ResourceModelServingAiGatewayGuardrailsInputPii `json:"pii,omitempty"`
+}
+
+type ResourceModelServingAiGatewayGuardrailsOutputPii struct {
+	Behavior string `json:"behavior"`
+}
+
+type ResourceModelServingAiGatewayGuardrailsOutput struct {
+	InvalidKeywords []string                                          `json:"invalid_keywords,omitempty"`
+	Safety          bool                                              `json:"safety,omitempty"`
+	ValidTopics     []string                                          `json:"valid_topics,omitempty"`
+	Pii             *ResourceModelServingAiGatewayGuardrailsOutputPii `json:"pii,omitempty"`
+}
+
+type ResourceModelServingAiGatewayGuardrails struct {
+	Input  *ResourceModelServingAiGatewayGuardrailsInput  `json:"input,omitempty"`
+	Output *ResourceModelServingAiGatewayGuardrailsOutput `json:"output,omitempty"`
+}
+
+type ResourceModelServingAiGatewayInferenceTableConfig struct {
+	CatalogName     string `json:"catalog_name,omitempty"`
+	Enabled         bool   `json:"enabled,omitempty"`
+	SchemaName      string `json:"schema_name,omitempty"`
+	TableNamePrefix string `json:"table_name_prefix,omitempty"`
+}
+
+type ResourceModelServingAiGatewayRateLimits struct {
+	Calls         int    `json:"calls"`
+	Key           string `json:"key,omitempty"`
+	RenewalPeriod string `json:"renewal_period"`
+}
+
+type ResourceModelServingAiGatewayUsageTrackingConfig struct {
+	Enabled bool `json:"enabled,omitempty"`
+}
+
+type ResourceModelServingAiGateway struct {
+	Guardrails           *ResourceModelServingAiGatewayGuardrails           `json:"guardrails,omitempty"`
+	InferenceTableConfig *ResourceModelServingAiGatewayInferenceTableConfig `json:"inference_table_config,omitempty"`
+	RateLimits           []ResourceModelServingAiGatewayRateLimits          `json:"rate_limits,omitempty"`
+	UsageTrackingConfig  *ResourceModelServingAiGatewayUsageTrackingConfig  `json:"usage_tracking_config,omitempty"`
+}
+
 type ResourceModelServingConfigAutoCaptureConfig struct {
 	CatalogName     string `json:"catalog_name,omitempty"`
 	Enabled         bool   `json:"enabled,omitempty"`
@@ -139,6 +190,7 @@ type ResourceModelServing struct {
 	Name              string                           `json:"name"`
 	RouteOptimized    bool                             `json:"route_optimized,omitempty"`
 	ServingEndpointId string                           `json:"serving_endpoint_id,omitempty"`
+	AiGateway         *ResourceModelServingAiGateway   `json:"ai_gateway,omitempty"`
 	Config            *ResourceModelServingConfig      `json:"config,omitempty"`
 	RateLimits        []ResourceModelServingRateLimits `json:"rate_limits,omitempty"`
 	Tags              []ResourceModelServingTags       `json:"tags,omitempty"`

bundle/internal/tf/schema/resource_permissions.go

@@ -4,7 +4,7 @@ package schema
 
 type ResourcePermissionsAccessControl struct {
 	GroupName            string `json:"group_name,omitempty"`
-	PermissionLevel      string `json:"permission_level"`
+	PermissionLevel      string `json:"permission_level,omitempty"`
 	ServicePrincipalName string `json:"service_principal_name,omitempty"`
 	UserName             string `json:"user_name,omitempty"`
 }

bundle/internal/tf/schema/resource_pipeline.go

@@ -238,6 +238,7 @@ type ResourcePipelineTrigger struct {
 
 type ResourcePipeline struct {
 	AllowDuplicateNames  bool                                 `json:"allow_duplicate_names,omitempty"`
+	BudgetPolicyId       string                               `json:"budget_policy_id,omitempty"`
 	Catalog              string                               `json:"catalog,omitempty"`
 	Cause                string                               `json:"cause,omitempty"`
 	Channel              string                               `json:"channel,omitempty"`
@@ -254,6 +255,7 @@ type ResourcePipeline struct {
 	Name                 string                               `json:"name,omitempty"`
 	Photon               bool                                 `json:"photon,omitempty"`
 	RunAsUserName        string                               `json:"run_as_user_name,omitempty"`
+	Schema               string                               `json:"schema,omitempty"`
 	Serverless           bool                                 `json:"serverless,omitempty"`
 	State                string                               `json:"state,omitempty"`
 	Storage              string                               `json:"storage,omitempty"`

bundle/internal/tf/schema/resource_sql_table.go

@@ -4,9 +4,11 @@ package schema
 
 type ResourceSqlTableColumn struct {
 	Comment  string `json:"comment,omitempty"`
+	Identity string `json:"identity,omitempty"`
 	Name     string `json:"name"`
 	Nullable bool   `json:"nullable,omitempty"`
 	Type     string `json:"type,omitempty"`
+	TypeJson string `json:"type_json,omitempty"`
 }
 
 type ResourceSqlTable struct {

bundle/internal/tf/schema/resources.go

@@ -10,6 +10,7 @@ type Resources struct {
 	AzureAdlsGen1Mount                         map[string]any `json:"databricks_azure_adls_gen1_mount,omitempty"`
 	AzureAdlsGen2Mount                         map[string]any `json:"databricks_azure_adls_gen2_mount,omitempty"`
 	AzureBlobMount                             map[string]any `json:"databricks_azure_blob_mount,omitempty"`
+	Budget                                     map[string]any `json:"databricks_budget,omitempty"`
 	Catalog                                    map[string]any `json:"databricks_catalog,omitempty"`
 	CatalogWorkspaceBinding                    map[string]any `json:"databricks_catalog_workspace_binding,omitempty"`
 	Cluster                                    map[string]any `json:"databricks_cluster,omitempty"`
@@ -112,6 +113,7 @@ func NewResources() *Resources {
 		AzureAdlsGen1Mount:                     make(map[string]any),
 		AzureAdlsGen2Mount:                     make(map[string]any),
 		AzureBlobMount:                         make(map[string]any),
+		Budget:                                 make(map[string]any),
 		Catalog:                                make(map[string]any),
 		CatalogWorkspaceBinding:                make(map[string]any),
 		Cluster:                                make(map[string]any),

bundle/internal/tf/schema/root.go

@@ -21,7 +21,7 @@ type Root struct {
 
 const ProviderHost = "registry.terraform.io"
 const ProviderSource = "databricks/databricks"
-const ProviderVersion = "1.52.0"
+const ProviderVersion = "1.53.0"
 
 func NewRoot() *Root {
 	return &Root{

bundle/permissions/permission_diagnostics.go

@@ -0,0 +1,110 @@
+package permissions
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/dyn"
+	"github.com/databricks/cli/libs/set"
+)
+
+type permissionDiagnostics struct{}
+
+func PermissionDiagnostics() bundle.Mutator {
+	return &permissionDiagnostics{}
+}
+
+func (m *permissionDiagnostics) Name() string {
+	return "CheckPermissions"
+}
+
+func (m *permissionDiagnostics) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
+	if len(b.Config.Permissions) == 0 {
+		// Only warn if there is an explicit top-level permissions section
+		return nil
+	}
+
+	canManageBundle, _ := analyzeBundlePermissions(b)
+	if canManageBundle {
+		return nil
+	}
+
+	return diag.Diagnostics{{
+		Severity:  diag.Warning,
+		Summary:   fmt.Sprintf("permissions section should include %s or one of their groups with CAN_MANAGE permissions", b.Config.Workspace.CurrentUser.UserName),
+		Locations: []dyn.Location{b.Config.GetLocation("permissions")},
+		ID:        diag.PermissionNotIncluded,
+	}}
+}
+
+// analyzeBundlePermissions analyzes the top-level permissions of the bundle.
+// This permission set is important since it determines the permissions of the
+// target workspace folder.
+//
+// Returns:
+// - isManager: true if the current user is can manage the bundle resources.
+// - assistance: advice on who to contact as to manage this project
+func analyzeBundlePermissions(b *bundle.Bundle) (bool, string) {
+	canManageBundle := false
+	otherManagers := set.NewSet[string]()
+	if b.Config.RunAs != nil && b.Config.RunAs.UserName != "" && b.Config.RunAs.UserName != b.Config.Workspace.CurrentUser.UserName {
+		// The run_as user is another human that could be contacted
+		// about this bundle.
+		otherManagers.Add(b.Config.RunAs.UserName)
+	}
+
+	currentUser := b.Config.Workspace.CurrentUser.UserName
+	targetPermissions := b.Config.Permissions
+	for _, p := range targetPermissions {
+		if p.Level != CAN_MANAGE {
+			continue
+		}
+
+		if p.UserName == currentUser || p.ServicePrincipalName == currentUser {
+			canManageBundle = true
+			continue
+		}
+
+		if isGroupOfCurrentUser(b, p.GroupName) {
+			canManageBundle = true
+			continue
+		}
+
+		// Permission doesn't apply to current user; add to otherManagers
+		otherManager := p.UserName
+		if otherManager == "" {
+			otherManager = p.GroupName
+		}
+		if otherManager == "" {
+			// Skip service principals
+			continue
+		}
+		otherManagers.Add(otherManager)
+	}
+
+	assistance := "For assistance, contact the owners of this project."
+	if otherManagers.Size() > 0 {
+		list := otherManagers.Values()
+		sort.Strings(list)
+		assistance = fmt.Sprintf(
+			"For assistance, users or groups with appropriate permissions may include: %s.",
+			strings.Join(list, ", "),
+		)
+	}
+	return canManageBundle, assistance
+}
+
+func isGroupOfCurrentUser(b *bundle.Bundle, groupName string) bool {
+	currentUserGroups := b.Config.Workspace.CurrentUser.User.Groups
+
+	for _, g := range currentUserGroups {
+		if g.Display == groupName {
+			return true
+		}
+	}
+	return false
+}

bundle/permissions/permission_diagnostics_test.go

@@ -0,0 +1,52 @@
+package permissions_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/config"
+	"github.com/databricks/cli/bundle/config/resources"
+	"github.com/databricks/cli/bundle/permissions"
+	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/databricks-sdk-go/service/iam"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPermissionDiagnosticsApplySuccess(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", UserName: "testuser@databricks.com"},
+	})
+
+	diags := permissions.PermissionDiagnostics().Apply(context.Background(), b)
+	require.NoError(t, diags.Error())
+}
+
+func TestPermissionDiagnosticsApplyFail(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_VIEW", UserName: "testuser@databricks.com"},
+	})
+
+	diags := permissions.PermissionDiagnostics().Apply(context.Background(), b)
+	require.Equal(t, diags[0].Severity, diag.Warning)
+	require.Contains(t, diags[0].Summary, "permissions section should include testuser@databricks.com or one of their groups with CAN_MANAGE permissions")
+}
+
+func mockBundle(permissions []resources.Permission) *bundle.Bundle {
+	return &bundle.Bundle{
+		Config: config.Root{
+			Workspace: config.Workspace{
+				CurrentUser: &config.User{
+					User: &iam.User{
+						UserName:    "testuser@databricks.com",
+						DisplayName: "Test User",
+						Groups: []iam.ComplexValue{
+							{Display: "testgroup"},
+						},
+					},
+				},
+			},
+			Permissions: permissions,
+		},
+	}
+}

bundle/permissions/permission_report.go

@@ -0,0 +1,52 @@
+package permissions
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/iamutil"
+	"github.com/databricks/cli/libs/log"
+)
+
+// ReportPossiblePermissionDenied generates a diagnostic message when a permission denied error is encountered.
+//
+// Note that since the workspace API doesn't always distinguish between permission denied and path errors,
+// we must treat this as a "possible permission error". See acquire.go for more about this.
+func ReportPossiblePermissionDenied(ctx context.Context, b *bundle.Bundle, path string) diag.Diagnostics {
+	log.Errorf(ctx, "Failed to update, encountered possible permission error: %v", path)
+
+	me := b.Config.Workspace.CurrentUser.User
+	userName := me.UserName
+	if iamutil.IsServicePrincipal(me) {
+		userName = me.DisplayName
+	}
+	canManageBundle, assistance := analyzeBundlePermissions(b)
+
+	if !canManageBundle {
+		return diag.Diagnostics{{
+			Summary: fmt.Sprintf("unable to deploy to %s as %s.\n"+
+				"Please make sure the current user or one of their groups is listed under the permissions of this bundle.\n"+
+				"%s\n"+
+				"They may need to redeploy the bundle to apply the new permissions.\n"+
+				"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions.",
+				path, userName, assistance),
+			Severity: diag.Error,
+			ID:       diag.PathPermissionDenied,
+		}}
+	}
+
+	// According databricks.yml, the current user has the right permissions.
+	// But we're still seeing permission errors. So someone else will need
+	// to redeploy the bundle with the right set of permissions.
+	return diag.Diagnostics{{
+		Summary: fmt.Sprintf("unable to deploy to %s as %s. Cannot apply local deployment permissions.\n"+
+			"%s\n"+
+			"They can redeploy the project to apply the latest set of permissions.\n"+
+			"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions.",
+			path, userName, assistance),
+		Severity: diag.Error,
+		ID:       diag.CannotChangePathPermissions,
+	}}
+}

bundle/permissions/permission_report_test.go

@@ -0,0 +1,76 @@
+package permissions_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/databricks/cli/bundle/config/resources"
+	"github.com/databricks/cli/bundle/permissions"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPermissionsReportPermissionDeniedWithGroup(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", GroupName: "testgroup"},
+	})
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	expected := "EPERM3: unable to deploy to testpath as testuser@databricks.com. Cannot apply local deployment permissions.\n" +
+		"For assistance, contact the owners of this project.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, diags.Error(), expected)
+}
+
+func TestPermissionsReportPermissionDeniedWithOtherGroup(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", GroupName: "othergroup"},
+	})
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	expected := "EPERM1: unable to deploy to testpath as testuser@databricks.com.\n" +
+		"Please make sure the current user or one of their groups is listed under the permissions of this bundle.\n" +
+		"For assistance, users or groups with appropriate permissions may include: othergroup.\n" +
+		"They may need to redeploy the bundle to apply the new permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, diags.Error(), expected)
+}
+
+func TestPermissionsReportPermissionDeniedWithoutPermission(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_VIEW", UserName: "testuser@databricks.com"},
+	})
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	expected := "EPERM1: unable to deploy to testpath as testuser@databricks.com.\n" +
+		"Please make sure the current user or one of their groups is listed under the permissions of this bundle.\n" +
+		"For assistance, contact the owners of this project.\n" +
+		"They may need to redeploy the bundle to apply the new permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, diags.Error(), expected)
+}
+
+func TestPermissionsReportPermissionDeniedNilPermission(t *testing.T) {
+	b := mockBundle(nil)
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	expected := "EPERM1: unable to deploy to testpath as testuser@databricks.com.\n" +
+		"Please make sure the current user or one of their groups is listed under the permissions of this bundle.\n" +
+		"For assistance, contact the owners of this project.\n" +
+		"They may need to redeploy the bundle to apply the new permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions"
+	require.ErrorContains(t, diags.Error(), expected)
+}
+
+func TestPermissionsReportFindOtherOwners(t *testing.T) {
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", GroupName: "testgroup"},
+		{Level: "CAN_MANAGE", UserName: "alice@databricks.com"},
+	})
+
+	diags := permissions.ReportPossiblePermissionDenied(context.Background(), b, "testpath")
+	require.ErrorContains(t, diags.Error(), "EPERM3: unable to deploy to testpath as testuser@databricks.com. Cannot apply local deployment permissions.\n"+
+		"For assistance, users or groups with appropriate permissions may include: alice@databricks.com.\n"+
+		"They can redeploy the project to apply the latest set of permissions.\n"+
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions.")
+}

bundle/permissions/terraform_errors.go

@@ -0,0 +1,47 @@
+package permissions
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/log"
+)
+
+func TryExtendTerraformPermissionError(ctx context.Context, b *bundle.Bundle, err error) diag.Diagnostics {
+	_, assistance := analyzeBundlePermissions(b)
+
+	// In a best-effort attempt to provide actionable error messages, we match
+	// against a few specific error messages that come from the Jobs and Pipelines API.
+	// For matching errors we provide a more specific error message that includes
+	// details on how to resolve the issue.
+	if !strings.Contains(err.Error(), "cannot update permissions") &&
+		!strings.Contains(err.Error(), "permissions on pipeline") &&
+		!strings.Contains(err.Error(), "cannot read permissions") &&
+		!strings.Contains(err.Error(), "cannot set run_as to user") {
+		return nil
+	}
+
+	log.Errorf(ctx, "Terraform error during deployment: %v", err.Error())
+
+	// Best-effort attempt to extract the resource name from the error message.
+	re := regexp.MustCompile(`databricks_(\w*)\.(\w*)`)
+	match := re.FindStringSubmatch(err.Error())
+	resource := "resource"
+	if len(match) > 1 {
+		resource = match[2]
+	}
+
+	return diag.Diagnostics{{
+		Summary: fmt.Sprintf("permission denied creating or updating %s.\n"+
+			"%s\n"+
+			"They can redeploy the project to apply the latest set of permissions.\n"+
+			"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions.",
+			resource, assistance),
+		Severity: diag.Error,
+		ID:       diag.ResourcePermissionDenied,
+	}}
+}

bundle/permissions/terraform_errors_test.go

@@ -0,0 +1,97 @@
+package permissions_test
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/databricks/cli/bundle/config/resources"
+	"github.com/databricks/cli/bundle/permissions"
+	"github.com/databricks/databricks-sdk-go/service/jobs"
+	"github.com/stretchr/testify/require"
+)
+
+func TestTryExtendTerraformPermissionError1(t *testing.T) {
+	ctx := context.Background()
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", UserName: "alice@databricks.com"},
+	})
+	err := permissions.TryExtendTerraformPermissionError(ctx, b, errors.New("Error: terraform apply: exit status 1\n"+
+		"\n"+
+		"Error: cannot update permissions: ...\n"+
+		"\n"+
+		"	with databricks_pipeline.my_project_pipeline,\n"+
+		"	on bundle.tf.json line 39, in resource.databricks_pipeline.my_project_pipeline:\n"+
+		"	39:       }")).Error()
+
+	expected := "EPERM2: permission denied creating or updating my_project_pipeline.\n" +
+		"For assistance, users or groups with appropriate permissions may include: alice@databricks.com.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions"
+
+	require.ErrorContains(t, err, expected)
+}
+
+func TestTryExtendTerraformPermissionError2(t *testing.T) {
+	ctx := context.Background()
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", UserName: "alice@databricks.com"},
+		{Level: "CAN_MANAGE", UserName: "bob@databricks.com"},
+	})
+	err := permissions.TryExtendTerraformPermissionError(ctx, b, errors.New("Error: terraform apply: exit status 1\n"+
+		"\n"+
+		"Error: cannot read pipeline: User xyz does not have View permissions on pipeline 4521dbb6-42aa-418c-b94d-b5f4859a3454.\n"+
+		"\n"+
+		"	with databricks_pipeline.my_project_pipeline,\n"+
+		"	on bundle.tf.json line 39, in resource.databricks_pipeline.my_project_pipeline:\n"+
+		"	39:       }")).Error()
+
+	expected := "EPERM2: permission denied creating or updating my_project_pipeline.\n" +
+		"For assistance, users or groups with appropriate permissions may include: alice@databricks.com, bob@databricks.com.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, err, expected)
+}
+
+func TestTryExtendTerraformPermissionError3(t *testing.T) {
+	ctx := context.Background()
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", UserName: "testuser@databricks.com"},
+	})
+	err := permissions.TryExtendTerraformPermissionError(ctx, b, errors.New("Error: terraform apply: exit status 1\n"+
+		"\n"+
+		"Error: cannot read permissions: 1706906c-c0a2-4c25-9f57-3a7aa3cb8b90 does not have Owner permissions on Job with ID: ElasticJobId(28263044278868). Please contact the owner or an administrator for access.\n"+
+		"\n"+
+		"	with databricks_pipeline.my_project_pipeline,\n"+
+		"	on bundle.tf.json line 39, in resource.databricks_pipeline.my_project_pipeline:\n"+
+		"	39:       }")).Error()
+
+	expected := "EPERM2: permission denied creating or updating my_project_pipeline.\n" +
+		"For assistance, contact the owners of this project.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, err, expected)
+}
+
+func TestTryExtendTerraformPermissionErrorNotOwner(t *testing.T) {
+	ctx := context.Background()
+	b := mockBundle([]resources.Permission{
+		{Level: "CAN_MANAGE", GroupName: "data_team@databricks.com"},
+	})
+	b.Config.RunAs = &jobs.JobRunAs{
+		UserName: "testuser@databricks.com",
+	}
+	err := permissions.TryExtendTerraformPermissionError(ctx, b, errors.New("Error: terraform apply: exit status 1\n"+
+		"\n"+
+		"Error: cannot read pipeline: User xyz does not have View permissions on pipeline 4521dbb6-42aa-418c-b94d-b5f4859a3454.\n"+
+		"\n"+
+		"	with databricks_pipeline.my_project_pipeline,\n"+
+		"	on bundle.tf.json line 39, in resource.databricks_pipeline.my_project_pipeline:\n"+
+		"	39:       }")).Error()
+
+	expected := "EPERM2: permission denied creating or updating my_project_pipeline.\n" +
+		"For assistance, users or groups with appropriate permissions may include: data_team@databricks.com.\n" +
+		"They can redeploy the project to apply the latest set of permissions.\n" +
+		"Please refer to https://docs.databricks.com/dev-tools/bundles/permissions.html for more on managing permissions."
+	require.ErrorContains(t, err, expected)
+}

bundle/phases/initialize.go

@@ -62,6 +62,8 @@ func Initialize() bundle.Mutator {
 				"workspace",
 				"variables",
 			),
+			// Provide permission config errors & warnings after initializing all variables
+			permissions.PermissionDiagnostics(),
 			mutator.SetRunAs(),
 			mutator.OverrideCompute(),
 			mutator.ProcessTargetMode(),

bundle/render/render_text_output.go

@@ -8,6 +8,7 @@ import (
 	"text/template"
 
 	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/cli/libs/diag"
 	"github.com/databricks/databricks-sdk-go/service/iam"
 	"github.com/fatih/color"
@@ -28,48 +29,6 @@ var renderFuncMap = template.FuncMap{
 	},
 }
 
-const errorTemplate = `{{ "Error" | red }}: {{ .Summary }}
-{{- range $index, $element := .Paths }}
-  {{ if eq $index 0 }}at {{else}}   {{ end}}{{ $element.String | green }}
-{{- end }}
-{{- range $index, $element := .Locations }}
-  {{ if eq $index 0 }}in {{else}}   {{ end}}{{ $element.String | cyan }}
-{{- end }}
-{{- if .Detail }}
-
-{{ .Detail }}
-{{- end }}
-
-`
-
-const warningTemplate = `{{ "Warning" | yellow }}: {{ .Summary }}
-{{- range $index, $element := .Paths }}
-  {{ if eq $index 0 }}at {{else}}   {{ end}}{{ $element.String | green }}
-{{- end }}
-{{- range $index, $element := .Locations }}
-  {{ if eq $index 0 }}in {{else}}   {{ end}}{{ $element.String | cyan }}
-{{- end }}
-{{- if .Detail }}
-
-{{ .Detail }}
-{{- end }}
-
-`
-
-const recommendationTemplate = `{{ "Recommendation" | blue }}: {{ .Summary }}
-{{- range $index, $element := .Paths }}
-  {{ if eq $index 0 }}at {{else}}   {{ end}}{{ $element.String | green }}
-{{- end }}
-{{- range $index, $element := .Locations }}
-  {{ if eq $index 0 }}in {{else}}   {{ end}}{{ $element.String | cyan }}
-{{- end }}
-{{- if .Detail }}
-
-{{ .Detail }}
-{{- end }}
-
-`
-
 const summaryTemplate = `{{- if .Name -}}
 Name: {{ .Name | bold }}
 {{- if .Target }}
@@ -153,22 +112,7 @@ func renderSummaryTemplate(out io.Writer, b *bundle.Bundle, diags diag.Diagnosti
 }
 
 func renderDiagnostics(out io.Writer, b *bundle.Bundle, diags diag.Diagnostics) error {
-	errorT := template.Must(template.New("error").Funcs(renderFuncMap).Parse(errorTemplate))
-	warningT := template.Must(template.New("warning").Funcs(renderFuncMap).Parse(warningTemplate))
-	recommendationT := template.Must(template.New("recommendation").Funcs(renderFuncMap).Parse(recommendationTemplate))
-
-	// Print errors and warnings.
 	for _, d := range diags {
-		var t *template.Template
-		switch d.Severity {
-		case diag.Error:
-			t = errorT
-		case diag.Warning:
-			t = warningT
-		case diag.Recommendation:
-			t = recommendationT
-		}
-
 		for i := range d.Locations {
 			if b == nil {
 				break
@@ -183,15 +127,9 @@ func renderDiagnostics(out io.Writer, b *bundle.Bundle, diags diag.Diagnostics)
 				}
 			}
 		}
-
-		// Render the diagnostic with the appropriate template.
-		err := t.Execute(out, d)
-		if err != nil {
-			return fmt.Errorf("failed to render template: %w", err)
-		}
 	}
 
-	return nil
+	return cmdio.RenderDiagnostics(out, diags)
 }
 
 // RenderOptions contains options for rendering diagnostics.

bundle/schema/embed_test.go

@@ -39,7 +39,7 @@ func TestJsonSchema(t *testing.T) {
 
 	// Assert job fields have their descriptions loaded.
 	resourceJob := walk(s.Definitions, "github.com", "databricks", "cli", "bundle", "config", "resources.Job")
-	fields := []string{"name", "continuous", "deployment", "tasks", "trigger"}
+	fields := []string{"name", "continuous", "tasks", "trigger"}
 	for _, field := range fields {
 		assert.NotEmpty(t, resourceJob.AnyOf[0].Properties[field].Description)
 	}
@@ -53,7 +53,7 @@ func TestJsonSchema(t *testing.T) {
 
 	// Assert descriptions are loaded for pipelines
 	pipeline := walk(s.Definitions, "github.com", "databricks", "cli", "bundle", "config", "resources.Pipeline")
-	fields = []string{"name", "catalog", "clusters", "channel", "continuous", "deployment", "development"}
+	fields = []string{"name", "catalog", "clusters", "channel", "continuous", "development"}
 	for _, field := range fields {
 		assert.NotEmpty(t, pipeline.AnyOf[0].Properties[field].Description)
 	}

bundle/schema/jsonschema.json

@@ -213,18 +213,10 @@
                         "description": "An optional continuous property for this job. The continuous property will ensure that there is always one run executing. Only one of `schedule` and `continuous` can be used.",
                         "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.Continuous"
                       },
-                      "deployment": {
-                        "description": "Deployment information for jobs managed by external sources.",
-                        "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.JobDeployment"
-                      },
                       "description": {
                         "description": "An optional description for the job. The maximum length is 27700 characters in UTF-8 encoding.",
                         "$ref": "#/$defs/string"
                       },
-                      "edit_mode": {
-                        "description": "Edit mode of the job.\n\n* `UI_LOCKED`: The job is in a locked UI state and cannot be modified.\n* `EDITABLE`: The job is in an editable state and can be modified.",
-                        "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.JobEditMode"
-                      },
                       "email_notifications": {
                         "description": "An optional set of email addresses that is notified when runs of this job begin or complete as well as when this job is deleted.",
                         "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.JobEmailNotifications"
@@ -233,10 +225,6 @@
                         "description": "A list of task execution environment specifications that can be referenced by serverless tasks of this job.\nAn environment is required to be present for serverless tasks.\nFor serverless notebook tasks, the environment is accessible in the notebook environment panel.\nFor other serverless tasks, the task environment is required to be specified using environment_key in the task settings.",
                         "$ref": "#/$defs/slice/github.com/databricks/databricks-sdk-go/service/jobs.JobEnvironment"
                       },
-                      "format": {
-                        "description": "Used to tell what is the format of the job. This field is ignored in Create/Update/Reset calls. When using the Jobs API 2.1 this value is always set to `\"MULTI_TASK\"`.",
-                        "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.Format"
-                      },
                       "git_source": {
                         "description": "An optional specification for a remote Git repository containing the source code used by tasks. Version-controlled source code is supported by notebook, dbt, Python script, and SQL File tasks.\n\nIf `git_source` is set, these tasks retrieve the file from the remote repository by default. However, this behavior can be overridden by setting `source` to `WORKSPACE` on the task.\n\nNote: dbt and SQL File tasks support only version-controlled sources. If dbt or SQL File tasks are used, `git_source` must be defined on the job.",
                         "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.GitSource"
@@ -402,6 +390,10 @@
                   {
                     "type": "object",
                     "properties": {
+                      "ai_gateway": {
+                        "description": "The AI Gateway configuration for the serving endpoint. NOTE: only external model endpoints are supported as of now.",
+                        "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayConfig"
+                      },
                       "config": {
                         "description": "The core config of the serving endpoint.",
                         "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.EndpointCoreConfigInput"
@@ -472,6 +464,10 @@
                   {
                     "type": "object",
                     "properties": {
+                      "budget_policy_id": {
+                        "description": "Budget policy of this pipeline.",
+                        "$ref": "#/$defs/string"
+                      },
                       "catalog": {
                         "description": "A catalog in Unity Catalog to publish data from this pipeline to. If `target` is specified, tables in this pipeline are published to a `target` schema inside `catalog` (for example, `catalog`.`target`.`table`). If `target` is not specified, no data is published to Unity Catalog.",
                         "$ref": "#/$defs/string"
@@ -539,6 +535,10 @@
                         "description": "Whether Photon is enabled for this pipeline.",
                         "$ref": "#/$defs/bool"
                       },
+                      "schema": {
+                        "description": "The default schema (database) where tables are read from or published to. The presence of this field implies that the pipeline is in direct publishing mode.",
+                        "$ref": "#/$defs/string"
+                      },
                       "serverless": {
                         "description": "Whether serverless compute is enabled for this pipeline.",
                         "$ref": "#/$defs/bool"
@@ -1206,6 +1206,9 @@
                     "profile": {
                       "$ref": "#/$defs/string"
                     },
+                    "resource_path": {
+                      "$ref": "#/$defs/string"
+                    },
                     "root_path": {
                       "$ref": "#/$defs/string"
                     },
@@ -2532,9 +2535,6 @@
                       "description": "Unique identifier of the service used to host the Git repository. The value is case insensitive.",
                       "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.GitProvider"
                     },
-                    "git_snapshot": {
-                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.GitSnapshot"
-                    },
                     "git_tag": {
                       "description": "Name of the tag to be checked out and used by this job. This field cannot be specified in conjunction with git_branch or git_commit.",
                       "$ref": "#/$defs/string"
@@ -2542,10 +2542,6 @@
                     "git_url": {
                       "description": "URL of the repository to be cloned by this job.",
                       "$ref": "#/$defs/string"
-                    },
-                    "job_source": {
-                      "description": "The source of the job specification in the remote repository when the job is source controlled.",
-                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.JobSource"
                     }
                   },
                   "additionalProperties": false,
@@ -2632,7 +2628,7 @@
                   "type": "object",
                   "properties": {
                     "no_alert_for_skipped_runs": {
-                      "description": "If true, do not send email to recipients specified in `on_failure` if the run is skipped.",
+                      "description": "If true, do not send email to recipients specified in `on_failure` if the run is skipped.\nThis field is `deprecated`. Please use the `notification_settings.no_alert_for_skipped_runs` field.",
                       "$ref": "#/$defs/bool"
                     },
                     "on_duration_warning_threshold_exceeded": {
@@ -3073,6 +3069,7 @@
                       "$ref": "#/$defs/map/string"
                     },
                     "pipeline_params": {
+                      "description": "Controls whether the pipeline should perform a full refresh",
                       "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/jobs.PipelineParams"
                     },
                     "python_named_params": {
@@ -3547,7 +3544,7 @@
                   "type": "object",
                   "properties": {
                     "no_alert_for_skipped_runs": {
-                      "description": "If true, do not send email to recipients specified in `on_failure` if the run is skipped.",
+                      "description": "If true, do not send email to recipients specified in `on_failure` if the run is skipped.\nThis field is `deprecated`. Please use the `notification_settings.no_alert_for_skipped_runs` field.",
                       "$ref": "#/$defs/bool"
                     },
                     "on_duration_warning_threshold_exceeded": {
@@ -4365,6 +4362,207 @@
                 }
               ]
             },
+            "serving.AiGatewayConfig": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "guardrails": {
+                      "description": "Configuration for AI Guardrails to prevent unwanted data and unsafe data in requests and responses.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrails"
+                    },
+                    "inference_table_config": {
+                      "description": "Configuration for payload logging using inference tables. Use these tables to monitor and audit data being sent to and received from model APIs and to improve model quality.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayInferenceTableConfig"
+                    },
+                    "rate_limits": {
+                      "description": "Configuration for rate limits which can be set to limit endpoint traffic.",
+                      "$ref": "#/$defs/slice/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayRateLimit"
+                    },
+                    "usage_tracking_config": {
+                      "description": "Configuration to enable usage tracking using system tables. These tables allow you to monitor operational usage on endpoints and their associated costs.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayUsageTrackingConfig"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayGuardrailParameters": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "invalid_keywords": {
+                      "description": "List of invalid keywords. AI guardrail uses keyword or string matching to decide if the keyword exists in the request or response content.",
+                      "$ref": "#/$defs/slice/string"
+                    },
+                    "pii": {
+                      "description": "Configuration for guardrail PII filter.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrailPiiBehavior"
+                    },
+                    "safety": {
+                      "description": "Indicates whether the safety filter is enabled.",
+                      "$ref": "#/$defs/bool"
+                    },
+                    "valid_topics": {
+                      "description": "The list of allowed topics. Given a chat request, this guardrail flags the request if its topic is not in the allowed topics.",
+                      "$ref": "#/$defs/slice/string"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayGuardrailPiiBehavior": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "behavior": {
+                      "description": "Behavior for PII filter. Currently only 'BLOCK' is supported. If 'BLOCK' is set for the input guardrail and the request contains PII, the request is not sent to the model server and 400 status code is returned; if 'BLOCK' is set for the output guardrail and the model response contains PII, the PII info in the response is redacted and 400 status code is returned.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrailPiiBehaviorBehavior",
+                      "enum": [
+                        "NONE",
+                        "BLOCK"
+                      ]
+                    }
+                  },
+                  "additionalProperties": false,
+                  "required": [
+                    "behavior"
+                  ]
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayGuardrailPiiBehaviorBehavior": {
+              "type": "string"
+            },
+            "serving.AiGatewayGuardrails": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "input": {
+                      "description": "Configuration for input guardrail filters.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrailParameters"
+                    },
+                    "output": {
+                      "description": "Configuration for output guardrail filters.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayGuardrailParameters"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayInferenceTableConfig": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "catalog_name": {
+                      "description": "The name of the catalog in Unity Catalog. Required when enabling inference tables. NOTE: On update, you have to disable inference table first in order to change the catalog name.",
+                      "$ref": "#/$defs/string"
+                    },
+                    "enabled": {
+                      "description": "Indicates whether the inference table is enabled.",
+                      "$ref": "#/$defs/bool"
+                    },
+                    "schema_name": {
+                      "description": "The name of the schema in Unity Catalog. Required when enabling inference tables. NOTE: On update, you have to disable inference table first in order to change the schema name.",
+                      "$ref": "#/$defs/string"
+                    },
+                    "table_name_prefix": {
+                      "description": "The prefix of the table in Unity Catalog. NOTE: On update, you have to disable inference table first in order to change the prefix name.",
+                      "$ref": "#/$defs/string"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayRateLimit": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "calls": {
+                      "description": "Used to specify how many calls are allowed for a key within the renewal_period.",
+                      "$ref": "#/$defs/int"
+                    },
+                    "key": {
+                      "description": "Key field for a rate limit. Currently, only 'user' and 'endpoint' are supported, with 'endpoint' being the default if not specified.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayRateLimitKey",
+                      "enum": [
+                        "user",
+                        "endpoint"
+                      ]
+                    },
+                    "renewal_period": {
+                      "description": "Renewal period field for a rate limit. Currently, only 'minute' is supported.",
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayRateLimitRenewalPeriod",
+                      "enum": [
+                        "minute"
+                      ]
+                    }
+                  },
+                  "additionalProperties": false,
+                  "required": [
+                    "calls",
+                    "renewal_period"
+                  ]
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
+            "serving.AiGatewayRateLimitKey": {
+              "type": "string"
+            },
+            "serving.AiGatewayRateLimitRenewalPeriod": {
+              "type": "string"
+            },
+            "serving.AiGatewayUsageTrackingConfig": {
+              "anyOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "enabled": {
+                      "description": "Whether to enable usage tracking.",
+                      "$ref": "#/$defs/bool"
+                    }
+                  },
+                  "additionalProperties": false
+                },
+                {
+                  "type": "string",
+                  "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                }
+              ]
+            },
             "serving.AmazonBedrockConfig": {
               "anyOf": [
                 {
@@ -5569,6 +5767,20 @@
                   }
                 ]
               },
+              "serving.AiGatewayRateLimit": {
+                "anyOf": [
+                  {
+                    "type": "array",
+                    "items": {
+                      "$ref": "#/$defs/github.com/databricks/databricks-sdk-go/service/serving.AiGatewayRateLimit"
+                    }
+                  },
+                  {
+                    "type": "string",
+                    "pattern": "\\$\\{(var(\\.[a-zA-Z]+([-_]?[a-zA-Z0-9]+)*(\\[[0-9]+\\])*)+)\\}"
+                  }
+                ]
+              },
               "serving.EndpointTag": {
                 "anyOf": [
                   {

bundle/tests/run_as_test.go

@@ -3,7 +3,6 @@ package config_tests
 import (
 	"context"
 	"fmt"
-	"path/filepath"
 	"testing"
 
 	"github.com/databricks/cli/bundle"
@@ -113,8 +112,9 @@ func TestRunAsErrorForPipelines(t *testing.T) {
 	diags := bundle.Apply(ctx, b, mutator.SetRunAs())
 	err := diags.Error()
 
-	configPath := filepath.FromSlash("run_as/not_allowed/pipelines/databricks.yml")
-	assert.EqualError(t, err, fmt.Sprintf("pipelines are not supported when the current deployment user is different from the bundle's run_as identity. Please deploy as the run_as identity. Please refer to the documentation at https://docs.databricks.com/dev-tools/bundles/run-as.html for more details. Location of the unsupported resource: %s:14:5. Current identity: jane@doe.com. Run as identity: my_service_principal", configPath))
+	assert.ErrorContains(t, err, "pipelines do not support a setting a run_as user that is different from the owner.\n"+
+		"Current identity: jane@doe.com. Run as identity: my_service_principal.\n"+
+		"See https://docs")
 }
 
 func TestRunAsNoErrorForPipelines(t *testing.T) {
@@ -152,8 +152,9 @@ func TestRunAsErrorForModelServing(t *testing.T) {
 	diags := bundle.Apply(ctx, b, mutator.SetRunAs())
 	err := diags.Error()
 
-	configPath := filepath.FromSlash("run_as/not_allowed/model_serving/databricks.yml")
-	assert.EqualError(t, err, fmt.Sprintf("model_serving_endpoints are not supported when the current deployment user is different from the bundle's run_as identity. Please deploy as the run_as identity. Please refer to the documentation at https://docs.databricks.com/dev-tools/bundles/run-as.html for more details. Location of the unsupported resource: %s:14:5. Current identity: jane@doe.com. Run as identity: my_service_principal", configPath))
+	assert.ErrorContains(t, err, "model_serving_endpoints do not support a setting a run_as user that is different from the owner.\n"+
+		"Current identity: jane@doe.com. Run as identity: my_service_principal.\n"+
+		"See https://docs")
 }
 
 func TestRunAsNoErrorForModelServingEndpoints(t *testing.T) {
@@ -191,8 +192,7 @@ func TestRunAsErrorWhenBothUserAndSpSpecified(t *testing.T) {
 	diags := bundle.Apply(ctx, b, mutator.SetRunAs())
 	err := diags.Error()
 
-	configPath := filepath.FromSlash("run_as/not_allowed/both_sp_and_user/databricks.yml")
-	assert.EqualError(t, err, fmt.Sprintf("run_as section must specify exactly one identity. A service_principal_name \"my_service_principal\" is specified at %s:6:27. A user_name \"my_user_name\" is defined at %s:7:14", configPath, configPath))
+	assert.ErrorContains(t, err, "run_as section cannot specify both user_name and service_principal_name")
 }
 
 func TestRunAsErrorNeitherUserOrSpSpecified(t *testing.T) {
@@ -202,19 +202,19 @@ func TestRunAsErrorNeitherUserOrSpSpecified(t *testing.T) {
 	}{
 		{
 			name: "empty_run_as",
-			err:  fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:4:8", filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/empty_run_as/databricks.yml")),
+			err:  "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
 		},
 		{
 			name: "empty_sp",
-			err:  fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:5:3", filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/empty_sp/databricks.yml")),
+			err:  "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
 		},
 		{
 			name: "empty_user",
-			err:  fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:5:3", filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/empty_user/databricks.yml")),
+			err:  "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
 		},
 		{
 			name: "empty_user_and_sp",
-			err:  fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:5:3", filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/empty_user_and_sp/databricks.yml")),
+			err:  "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified",
 		},
 	}
 
@@ -257,8 +257,7 @@ func TestRunAsErrorNeitherUserOrSpSpecifiedAtTargetOverride(t *testing.T) {
 	diags := bundle.Apply(ctx, b, mutator.SetRunAs())
 	err := diags.Error()
 
-	configPath := filepath.FromSlash("run_as/not_allowed/neither_sp_nor_user/override/override.yml")
-	assert.EqualError(t, err, fmt.Sprintf("run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified at %s:4:12", configPath))
+	assert.EqualError(t, err, "run_as section must specify exactly one identity. Neither service_principal_name nor user_name is specified")
 }
 
 func TestLegacyRunAs(t *testing.T) {

cmd/account/access-control/access-control.go

@@ -205,10 +205,16 @@ func newUpdateRuleSet() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateRuleSetJson.Unmarshal(&updateRuleSetReq)
+			diags := updateRuleSetJson.Unmarshal(&updateRuleSetReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/budgets/budgets.go

@@ -78,10 +78,16 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -316,10 +322,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/credentials/credentials.go

@@ -90,10 +90,16 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/csp-enablement-account/csp-enablement-account.go

@@ -129,10 +129,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/custom-app-integration/custom-app-integration.go

@@ -88,11 +88,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.CustomAppIntegration.Create(ctx, createReq)
 		if err != nil {
@@ -320,11 +326,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.IntegrationId = args[0]
 
 		err = a.CustomAppIntegration.Update(ctx, updateReq)

cmd/account/disable-legacy-features/disable-legacy-features.go

@@ -185,10 +185,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/encryption-keys/encryption-keys.go

@@ -107,10 +107,16 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/esm-enablement-account/esm-enablement-account.go

@@ -127,10 +127,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/groups/groups.go

@@ -97,11 +97,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.Groups.Create(ctx, createReq)
 		if err != nil {
@@ -358,11 +364,17 @@ func newPatch() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = patchJson.Unmarshal(&patchReq)
+			diags := patchJson.Unmarshal(&patchReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Groups drop-down."
@@ -446,11 +458,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Groups drop-down."

cmd/account/ip-access-lists/ip-access-lists.go

@@ -132,11 +132,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.Label = args[0]
 		}
@@ -411,11 +417,17 @@ func newReplace() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = replaceJson.Unmarshal(&replaceReq)
+			diags := replaceJson.Unmarshal(&replaceReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		replaceReq.IpAccessListId = args[0]
 		if !cmd.Flags().Changed("json") {
 			replaceReq.Label = args[1]
@@ -505,11 +517,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No IP_ACCESS_LIST_ID argument specified. Loading names for Account Ip Access Lists drop-down."

cmd/account/log-delivery/log-delivery.go

@@ -162,11 +162,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.LogDelivery.Create(ctx, createReq)
 		if err != nil {
@@ -369,11 +375,17 @@ func newPatchStatus() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = patchStatusJson.Unmarshal(&patchStatusReq)
+			diags := patchStatusJson.Unmarshal(&patchStatusReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		patchStatusReq.LogDeliveryConfigurationId = args[0]
 		if !cmd.Flags().Changed("json") {
 			_, err = fmt.Sscan(args[1], &patchStatusReq.Status)

cmd/account/metastore-assignments/metastore-assignments.go

@@ -85,11 +85,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		_, err = fmt.Sscan(args[0], &createReq.WorkspaceId)
 		if err != nil {
 			return fmt.Errorf("invalid WORKSPACE_ID: %s", args[0])
@@ -343,11 +349,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		_, err = fmt.Sscan(args[0], &updateReq.WorkspaceId)
 		if err != nil {
 			return fmt.Errorf("invalid WORKSPACE_ID: %s", args[0])

cmd/account/metastores/metastores.go

@@ -80,11 +80,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.Metastores.Create(ctx, createReq)
 		if err != nil {
@@ -304,11 +310,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.MetastoreId = args[0]
 
 		response, err := a.Metastores.Update(ctx, updateReq)

cmd/account/network-connectivity/network-connectivity.go

@@ -96,11 +96,17 @@ func newCreateNetworkConnectivityConfiguration() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createNetworkConnectivityConfigurationJson.Unmarshal(&createNetworkConnectivityConfigurationReq)
+			diags := createNetworkConnectivityConfigurationJson.Unmarshal(&createNetworkConnectivityConfigurationReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createNetworkConnectivityConfigurationReq.Name = args[0]
 		}
@@ -187,11 +193,17 @@ func newCreatePrivateEndpointRule() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createPrivateEndpointRuleJson.Unmarshal(&createPrivateEndpointRuleReq)
+			diags := createPrivateEndpointRuleJson.Unmarshal(&createPrivateEndpointRuleReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		createPrivateEndpointRuleReq.NetworkConnectivityConfigId = args[0]
 		if !cmd.Flags().Changed("json") {
 			createPrivateEndpointRuleReq.ResourceId = args[1]

cmd/account/networks/networks.go

@@ -97,11 +97,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.NetworkName = args[0]
 		}

cmd/account/personal-compute/personal-compute.go

@@ -189,10 +189,16 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/private-access/private-access.go

@@ -109,11 +109,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.PrivateAccessSettingsName = args[0]
 		}
@@ -411,11 +417,17 @@ func newReplace() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = replaceJson.Unmarshal(&replaceReq)
+			diags := replaceJson.Unmarshal(&replaceReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		replaceReq.PrivateAccessSettingsId = args[0]
 		if !cmd.Flags().Changed("json") {
 			replaceReq.PrivateAccessSettingsName = args[1]

cmd/account/published-app-integration/published-app-integration.go

@@ -85,11 +85,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.PublishedAppIntegration.Create(ctx, createReq)
 		if err != nil {
@@ -315,11 +321,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.IntegrationId = args[0]
 
 		err = a.PublishedAppIntegration.Update(ctx, updateReq)

cmd/account/service-principals/service-principals.go

@@ -95,11 +95,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.ServicePrincipals.Create(ctx, createReq)
 		if err != nil {
@@ -358,11 +364,17 @@ func newPatch() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = patchJson.Unmarshal(&patchReq)
+			diags := patchJson.Unmarshal(&patchReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Service Principals drop-down."
@@ -448,11 +460,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Service Principals drop-down."

cmd/account/storage-credentials/storage-credentials.go

@@ -88,11 +88,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		createReq.MetastoreId = args[0]
 
 		response, err := a.StorageCredentials.Create(ctx, createReq)
@@ -340,11 +346,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.MetastoreId = args[0]
 		updateReq.StorageCredentialName = args[1]
 

cmd/account/storage/storage.go

@@ -87,10 +87,16 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/account/usage-dashboards/usage-dashboards.go

@@ -80,11 +80,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.UsageDashboards.Create(ctx, createReq)
 		if err != nil {

cmd/account/users/users.go

@@ -103,11 +103,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := a.Users.Create(ctx, createReq)
 		if err != nil {
@@ -374,11 +380,17 @@ func newPatch() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = patchJson.Unmarshal(&patchReq)
+			diags := patchJson.Unmarshal(&patchReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Users drop-down."
@@ -465,11 +477,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Account Users drop-down."

cmd/account/vpc-endpoints/vpc-endpoints.go

@@ -104,11 +104,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.VpcEndpointName = args[0]
 		}

cmd/account/workspace-assignment/workspace-assignment.go

@@ -273,11 +273,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		_, err = fmt.Sscan(args[0], &updateReq.WorkspaceId)
 		if err != nil {
 			return fmt.Errorf("invalid WORKSPACE_ID: %s", args[0])

cmd/account/workspaces/workspaces.go

@@ -133,11 +133,17 @@ func newCreate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.WorkspaceName = args[0]
 		}
@@ -551,11 +557,17 @@ func newUpdate() *cobra.Command {
 		a := root.AccountClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No WORKSPACE_ID argument specified. Loading names for Workspaces drop-down."

cmd/api/api.go

@@ -42,9 +42,9 @@ func makeCommand(method string) *cobra.Command {
 			var path = args[0]
 
 			var request any
-			err := payload.Unmarshal(&request)
-			if err != nil {
-				return err
+			diags := payload.Unmarshal(&request)
+			if diags.HasError() {
+				return diags.Error()
 			}
 
 			cfg := &config.Config{}

cmd/workspace/alerts-legacy/alerts-legacy.go

@@ -93,10 +93,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -357,10 +363,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/alerts/alerts.go

@@ -85,11 +85,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := w.Alerts.Create(ctx, createReq)
 		if err != nil {
@@ -354,11 +360,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.Id = args[0]
 		if !cmd.Flags().Changed("json") {
 			updateReq.UpdateMask = args[1]

cmd/workspace/apps/apps.go

@@ -81,6 +81,7 @@ func newCreate() *cobra.Command {
 	cmd.Flags().Var(&createJson, "json", `either inline JSON string or @path/to/file.json with request body`)
 
 	cmd.Flags().StringVar(&createReq.Description, "description", createReq.Description, `The description of the app.`)
+	// TODO: array: resources
 
 	cmd.Use = "create NAME"
 	cmd.Short = `Create an app.`
@@ -112,11 +113,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.Name = args[0]
 		}
@@ -266,11 +273,17 @@ func newDeploy() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deployJson.Unmarshal(&deployReq)
+			diags := deployJson.Unmarshal(&deployReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		deployReq.AppName = args[0]
 
 		wait, err := w.Apps.Deploy(ctx, deployReq)
@@ -701,11 +714,17 @@ func newSetPermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setPermissionsJson.Unmarshal(&setPermissionsReq)
+			diags := setPermissionsJson.Unmarshal(&setPermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		setPermissionsReq.AppName = args[0]
 
 		response, err := w.Apps.SetPermissions(ctx, setPermissionsReq)
@@ -910,6 +929,7 @@ func newUpdate() *cobra.Command {
 	cmd.Flags().Var(&updateJson, "json", `either inline JSON string or @path/to/file.json with request body`)
 
 	cmd.Flags().StringVar(&updateReq.Description, "description", updateReq.Description, `The description of the app.`)
+	// TODO: array: resources
 
 	cmd.Use = "update NAME"
 	cmd.Short = `Update an app.`
@@ -934,11 +954,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.Name = args[0]
 
 		response, err := w.Apps.Update(ctx, updateReq)
@@ -1003,11 +1029,17 @@ func newUpdatePermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			diags := updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updatePermissionsReq.AppName = args[0]
 
 		response, err := w.Apps.UpdatePermissions(ctx, updatePermissionsReq)

cmd/workspace/artifact-allowlists/artifact-allowlists.go

@@ -145,10 +145,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/automatic-cluster-update/automatic-cluster-update.go

@@ -127,10 +127,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/catalogs/catalogs.go

@@ -105,11 +105,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.Name = args[0]
 		}
@@ -363,11 +369,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.Name = args[0]
 
 		response, err := w.Catalogs.Update(ctx, updateReq)

cmd/workspace/clean-rooms/clean-rooms.go

@@ -85,10 +85,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -344,11 +350,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.Name = args[0]
 
 		response, err := w.CleanRooms.Update(ctx, updateReq)

cmd/workspace/cluster-policies/cluster-policies.go

@@ -113,11 +113,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := w.ClusterPolicies.Create(ctx, createReq)
 		if err != nil {
@@ -185,10 +191,16 @@ func newDelete() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteJson.Unmarshal(&deleteReq)
+			diags := deleteJson.Unmarshal(&deleteReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -284,10 +296,16 @@ func newEdit() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = editJson.Unmarshal(&editReq)
+			diags := editJson.Unmarshal(&editReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -630,11 +648,17 @@ func newSetPermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setPermissionsJson.Unmarshal(&setPermissionsReq)
+			diags := setPermissionsJson.Unmarshal(&setPermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No CLUSTER_POLICY_ID argument specified. Loading names for Cluster Policies drop-down."
@@ -711,11 +735,17 @@ func newUpdatePermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			diags := updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No CLUSTER_POLICY_ID argument specified. Loading names for Cluster Policies drop-down."

cmd/workspace/clusters/clusters.go

@@ -134,11 +134,17 @@ func newChangeOwner() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = changeOwnerJson.Unmarshal(&changeOwnerReq)
+			diags := changeOwnerJson.Unmarshal(&changeOwnerReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			changeOwnerReq.ClusterId = args[0]
 		}
@@ -268,11 +274,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.SparkVersion = args[0]
 		}
@@ -362,10 +374,16 @@ func newDelete() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteJson.Unmarshal(&deleteReq)
+			diags := deleteJson.Unmarshal(&deleteReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -519,11 +537,17 @@ func newEdit() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = editJson.Unmarshal(&editReq)
+			diags := editJson.Unmarshal(&editReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			editReq.ClusterId = args[0]
 		}
@@ -617,10 +641,16 @@ func newEvents() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = eventsJson.Unmarshal(&eventsReq)
+			diags := eventsJson.Unmarshal(&eventsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1069,10 +1099,16 @@ func newPermanentDelete() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = permanentDeleteJson.Unmarshal(&permanentDeleteReq)
+			diags := permanentDeleteJson.Unmarshal(&permanentDeleteReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1161,10 +1197,16 @@ func newPin() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = pinJson.Unmarshal(&pinReq)
+			diags := pinJson.Unmarshal(&pinReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1260,10 +1302,16 @@ func newResize() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = resizeJson.Unmarshal(&resizeReq)
+			diags := resizeJson.Unmarshal(&resizeReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1370,10 +1418,16 @@ func newRestart() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = restartJson.Unmarshal(&restartReq)
+			diags := restartJson.Unmarshal(&restartReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1464,11 +1518,17 @@ func newSetPermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setPermissionsJson.Unmarshal(&setPermissionsReq)
+			diags := setPermissionsJson.Unmarshal(&setPermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No CLUSTER_ID argument specified. Loading names for Clusters drop-down."
@@ -1608,10 +1668,16 @@ func newStart() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = startJson.Unmarshal(&startReq)
+			diags := startJson.Unmarshal(&startReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1712,10 +1778,16 @@ func newUnpin() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = unpinJson.Unmarshal(&unpinReq)
+			diags := unpinJson.Unmarshal(&unpinReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1824,11 +1896,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			updateReq.ClusterId = args[0]
 		}
@@ -1905,11 +1983,17 @@ func newUpdatePermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			diags := updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No CLUSTER_ID argument specified. Loading names for Clusters drop-down."

cmd/workspace/compliance-security-profile/compliance-security-profile.go

@@ -130,10 +130,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/connections/connections.go

@@ -92,10 +92,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -355,10 +361,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/consumer-installations/consumer-installations.go

@@ -86,11 +86,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		createReq.ListingId = args[0]
 
 		response, err := w.ConsumerInstallations.Create(ctx, createReq)
@@ -319,10 +325,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/consumer-personalization-requests/consumer-personalization-requests.go

@@ -85,10 +85,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/credentials-manager/credentials-manager.go

@@ -75,10 +75,16 @@ func newExchangeToken() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = exchangeTokenJson.Unmarshal(&exchangeTokenReq)
+			diags := exchangeTokenJson.Unmarshal(&exchangeTokenReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/dashboard-widgets/dashboard-widgets.go

@@ -75,10 +75,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -196,10 +202,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/dashboards/dashboards.go

@@ -78,10 +78,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -405,11 +411,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No DASHBOARD_ID argument specified. Loading names for Dashboards drop-down."

cmd/workspace/default-namespace/default-namespace.go

@@ -199,10 +199,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/disable-legacy-access/disable-legacy-access.go

@@ -187,10 +187,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/enhanced-security-monitoring/enhanced-security-monitoring.go

@@ -132,10 +132,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}

cmd/workspace/experiments/experiments.go

@@ -130,11 +130,17 @@ func newCreateExperiment() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createExperimentJson.Unmarshal(&createExperimentReq)
+			diags := createExperimentJson.Unmarshal(&createExperimentReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createExperimentReq.Name = args[0]
 		}
@@ -203,11 +209,17 @@ func newCreateRun() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createRunJson.Unmarshal(&createRunReq)
+			diags := createRunJson.Unmarshal(&createRunReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := w.Experiments.CreateRun(ctx, createRunReq)
 		if err != nil {
@@ -277,11 +289,17 @@ func newDeleteExperiment() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteExperimentJson.Unmarshal(&deleteExperimentReq)
+			diags := deleteExperimentJson.Unmarshal(&deleteExperimentReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			deleteExperimentReq.ExperimentId = args[0]
 		}
@@ -352,11 +370,17 @@ func newDeleteRun() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteRunJson.Unmarshal(&deleteRunReq)
+			diags := deleteRunJson.Unmarshal(&deleteRunReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			deleteRunReq.RunId = args[0]
 		}
@@ -435,11 +459,17 @@ func newDeleteRuns() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteRunsJson.Unmarshal(&deleteRunsReq)
+			diags := deleteRunsJson.Unmarshal(&deleteRunsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			deleteRunsReq.ExperimentId = args[0]
 		}
@@ -518,11 +548,17 @@ func newDeleteTag() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteTagJson.Unmarshal(&deleteTagReq)
+			diags := deleteTagJson.Unmarshal(&deleteTagReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			deleteTagReq.RunId = args[0]
 		}
@@ -1108,11 +1144,17 @@ func newLogBatch() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = logBatchJson.Unmarshal(&logBatchReq)
+			diags := logBatchJson.Unmarshal(&logBatchReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		err = w.Experiments.LogBatch(ctx, logBatchReq)
 		if err != nil {
@@ -1174,11 +1216,17 @@ func newLogInputs() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = logInputsJson.Unmarshal(&logInputsReq)
+			diags := logInputsJson.Unmarshal(&logInputsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		err = w.Experiments.LogInputs(ctx, logInputsReq)
 		if err != nil {
@@ -1254,11 +1302,17 @@ func newLogMetric() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = logMetricJson.Unmarshal(&logMetricReq)
+			diags := logMetricJson.Unmarshal(&logMetricReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			logMetricReq.Key = args[0]
 		}
@@ -1335,11 +1389,17 @@ func newLogModel() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = logModelJson.Unmarshal(&logModelReq)
+			diags := logModelJson.Unmarshal(&logModelReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		err = w.Experiments.LogModel(ctx, logModelReq)
 		if err != nil {
@@ -1414,11 +1474,17 @@ func newLogParam() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = logParamJson.Unmarshal(&logParamReq)
+			diags := logParamJson.Unmarshal(&logParamReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			logParamReq.Key = args[0]
 		}
@@ -1497,11 +1563,17 @@ func newRestoreExperiment() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = restoreExperimentJson.Unmarshal(&restoreExperimentReq)
+			diags := restoreExperimentJson.Unmarshal(&restoreExperimentReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			restoreExperimentReq.ExperimentId = args[0]
 		}
@@ -1572,11 +1644,17 @@ func newRestoreRun() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = restoreRunJson.Unmarshal(&restoreRunReq)
+			diags := restoreRunJson.Unmarshal(&restoreRunReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			restoreRunReq.RunId = args[0]
 		}
@@ -1655,11 +1733,17 @@ func newRestoreRuns() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = restoreRunsJson.Unmarshal(&restoreRunsReq)
+			diags := restoreRunsJson.Unmarshal(&restoreRunsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			restoreRunsReq.ExperimentId = args[0]
 		}
@@ -1732,11 +1816,17 @@ func newSearchExperiments() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = searchExperimentsJson.Unmarshal(&searchExperimentsReq)
+			diags := searchExperimentsJson.Unmarshal(&searchExperimentsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response := w.Experiments.SearchExperiments(ctx, searchExperimentsReq)
 		return cmdio.RenderIterator(ctx, response)
@@ -1800,11 +1890,17 @@ func newSearchRuns() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = searchRunsJson.Unmarshal(&searchRunsReq)
+			diags := searchRunsJson.Unmarshal(&searchRunsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response := w.Experiments.SearchRuns(ctx, searchRunsReq)
 		return cmdio.RenderIterator(ctx, response)
@@ -1874,11 +1970,17 @@ func newSetExperimentTag() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setExperimentTagJson.Unmarshal(&setExperimentTagReq)
+			diags := setExperimentTagJson.Unmarshal(&setExperimentTagReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			setExperimentTagReq.ExperimentId = args[0]
 		}
@@ -1951,11 +2053,17 @@ func newSetPermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setPermissionsJson.Unmarshal(&setPermissionsReq)
+			diags := setPermissionsJson.Unmarshal(&setPermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		setPermissionsReq.ExperimentId = args[0]
 
 		response, err := w.Experiments.SetPermissions(ctx, setPermissionsReq)
@@ -2032,11 +2140,17 @@ func newSetTag() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setTagJson.Unmarshal(&setTagReq)
+			diags := setTagJson.Unmarshal(&setTagReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			setTagReq.Key = args[0]
 		}
@@ -2112,11 +2226,17 @@ func newUpdateExperiment() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateExperimentJson.Unmarshal(&updateExperimentReq)
+			diags := updateExperimentJson.Unmarshal(&updateExperimentReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			updateExperimentReq.ExperimentId = args[0]
 		}
@@ -2183,11 +2303,17 @@ func newUpdatePermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			diags := updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updatePermissionsReq.ExperimentId = args[0]
 
 		response, err := w.Experiments.UpdatePermissions(ctx, updatePermissionsReq)
@@ -2251,11 +2377,17 @@ func newUpdateRun() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateRunJson.Unmarshal(&updateRunReq)
+			diags := updateRunJson.Unmarshal(&updateRunReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := w.Experiments.UpdateRun(ctx, updateRunReq)
 		if err != nil {

cmd/workspace/external-locations/external-locations.go

@@ -112,11 +112,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.Name = args[0]
 		}
@@ -381,11 +387,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.Name = args[0]
 
 		response, err := w.ExternalLocations.Update(ctx, updateReq)

cmd/workspace/functions/functions.go

@@ -85,10 +85,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -381,11 +387,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No NAME argument specified. Loading names for Functions drop-down."

cmd/workspace/genie/genie.go

@@ -105,11 +105,17 @@ func newCreateMessage() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createMessageJson.Unmarshal(&createMessageReq)
+			diags := createMessageJson.Unmarshal(&createMessageReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		createMessageReq.SpaceId = args[0]
 		createMessageReq.ConversationId = args[1]
 		if !cmd.Flags().Changed("json") {
@@ -392,11 +398,17 @@ func newStartConversation() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = startConversationJson.Unmarshal(&startConversationReq)
+			diags := startConversationJson.Unmarshal(&startConversationReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		startConversationReq.SpaceId = args[0]
 		if !cmd.Flags().Changed("json") {
 			startConversationReq.Content = args[1]

cmd/workspace/git-credentials/git-credentials.go

@@ -53,13 +53,13 @@ func New() *cobra.Command {
 // Functions can be added from the `init()` function in manually curated files in this directory.
 var createOverrides []func(
 	*cobra.Command,
-	*workspace.CreateCredentials,
+	*workspace.CreateCredentialsRequest,
 )
 
 func newCreate() *cobra.Command {
 	cmd := &cobra.Command{}
 
-	var createReq workspace.CreateCredentials
+	var createReq workspace.CreateCredentialsRequest
 	var createJson flags.JsonFlag
 
 	// TODO: short flags
@@ -79,8 +79,9 @@ func newCreate() *cobra.Command {
 
   Arguments:
     GIT_PROVIDER: Git provider. This field is case-insensitive. The available Git providers
-      are gitHub, bitbucketCloud, gitLab, azureDevOpsServices, gitHubEnterprise,
-      bitbucketServer, gitLabEnterpriseEdition and awsCodeCommit.`
+      are gitHub, bitbucketCloud, gitLab, azureDevOpsServices,
+      gitHubEnterprise, bitbucketServer, gitLabEnterpriseEdition and
+      awsCodeCommit.`
 
 	cmd.Annotations = make(map[string]string)
 
@@ -102,11 +103,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.GitProvider = args[0]
 		}
@@ -136,13 +143,13 @@ func newCreate() *cobra.Command {
 // Functions can be added from the `init()` function in manually curated files in this directory.
 var deleteOverrides []func(
 	*cobra.Command,
-	*workspace.DeleteGitCredentialRequest,
+	*workspace.DeleteCredentialsRequest,
 )
 
 func newDelete() *cobra.Command {
 	cmd := &cobra.Command{}
 
-	var deleteReq workspace.DeleteGitCredentialRequest
+	var deleteReq workspace.DeleteCredentialsRequest
 
 	// TODO: short flags
 
@@ -209,13 +216,13 @@ func newDelete() *cobra.Command {
 // Functions can be added from the `init()` function in manually curated files in this directory.
 var getOverrides []func(
 	*cobra.Command,
-	*workspace.GetGitCredentialRequest,
+	*workspace.GetCredentialsRequest,
 )
 
 func newGet() *cobra.Command {
 	cmd := &cobra.Command{}
 
-	var getReq workspace.GetGitCredentialRequest
+	var getReq workspace.GetCredentialsRequest
 
 	// TODO: short flags
 
@@ -322,65 +329,72 @@ func newList() *cobra.Command {
 // Functions can be added from the `init()` function in manually curated files in this directory.
 var updateOverrides []func(
 	*cobra.Command,
-	*workspace.UpdateCredentials,
+	*workspace.UpdateCredentialsRequest,
 )
 
 func newUpdate() *cobra.Command {
 	cmd := &cobra.Command{}
 
-	var updateReq workspace.UpdateCredentials
+	var updateReq workspace.UpdateCredentialsRequest
 	var updateJson flags.JsonFlag
 
 	// TODO: short flags
 	cmd.Flags().Var(&updateJson, "json", `either inline JSON string or @path/to/file.json with request body`)
 
-	cmd.Flags().StringVar(&updateReq.GitProvider, "git-provider", updateReq.GitProvider, `Git provider.`)
 	cmd.Flags().StringVar(&updateReq.GitUsername, "git-username", updateReq.GitUsername, `The username or email provided with your Git provider account, depending on which provider you are using.`)
 	cmd.Flags().StringVar(&updateReq.PersonalAccessToken, "personal-access-token", updateReq.PersonalAccessToken, `The personal access token used to authenticate to the corresponding Git provider.`)
 
-	cmd.Use = "update CREDENTIAL_ID"
+	cmd.Use = "update CREDENTIAL_ID GIT_PROVIDER"
 	cmd.Short = `Update a credential.`
 	cmd.Long = `Update a credential.
   
   Updates the specified Git credential.
 
   Arguments:
-    CREDENTIAL_ID: The ID for the corresponding credential to access.`
+    CREDENTIAL_ID: The ID for the corresponding credential to access.
+    GIT_PROVIDER: Git provider. This field is case-insensitive. The available Git providers
+      are gitHub, bitbucketCloud, gitLab, azureDevOpsServices,
+      gitHubEnterprise, bitbucketServer, gitLabEnterpriseEdition and
+      awsCodeCommit.`
 
 	cmd.Annotations = make(map[string]string)
 
+	cmd.Args = func(cmd *cobra.Command, args []string) error {
+		if cmd.Flags().Changed("json") {
+			err := root.ExactArgs(1)(cmd, args)
+			if err != nil {
+				return fmt.Errorf("when --json flag is specified, provide only CREDENTIAL_ID as positional arguments. Provide 'git_provider' in your JSON input")
+			}
+			return nil
+		}
+		check := root.ExactArgs(2)
+		return check(cmd, args)
+	}
+
 	cmd.PreRunE = root.MustWorkspaceClient
 	cmd.RunE = func(cmd *cobra.Command, args []string) (err error) {
 		ctx := cmd.Context()
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
-		if len(args) == 0 {
-			promptSpinner := cmdio.Spinner(ctx)
-			promptSpinner <- "No CREDENTIAL_ID argument specified. Loading names for Git Credentials drop-down."
-			names, err := w.GitCredentials.CredentialInfoGitProviderToCredentialIdMap(ctx)
-			close(promptSpinner)
-			if err != nil {
-				return fmt.Errorf("failed to load names for Git Credentials drop-down. Please manually specify required arguments. Original error: %w", err)
-			}
-			id, err := cmdio.Select(ctx, names, "The ID for the corresponding credential to access")
-			if err != nil {
-				return err
-			}
-			args = append(args, id)
-		}
-		if len(args) != 1 {
-			return fmt.Errorf("expected to have the id for the corresponding credential to access")
 		}
 		_, err = fmt.Sscan(args[0], &updateReq.CredentialId)
 		if err != nil {
 			return fmt.Errorf("invalid CREDENTIAL_ID: %s", args[0])
 		}
+		if !cmd.Flags().Changed("json") {
+			updateReq.GitProvider = args[1]
+		}
 
 		err = w.GitCredentials.Update(ctx, updateReq)
 		if err != nil {

cmd/workspace/global-init-scripts/global-init-scripts.go

@@ -101,11 +101,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.Name = args[0]
 		}
@@ -367,11 +373,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		updateReq.ScriptId = args[0]
 		if !cmd.Flags().Changed("json") {
 			updateReq.Name = args[1]

cmd/workspace/grants/grants.go

@@ -223,11 +223,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		_, err = fmt.Sscan(args[0], &updateReq.SecurableType)
 		if err != nil {
 			return fmt.Errorf("invalid SECURABLE_TYPE: %s", args[0])

cmd/workspace/groups/groups.go

@@ -97,11 +97,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		response, err := w.Groups.Create(ctx, createReq)
 		if err != nil {
@@ -358,11 +364,17 @@ func newPatch() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = patchJson.Unmarshal(&patchReq)
+			diags := patchJson.Unmarshal(&patchReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Groups drop-down."
@@ -446,11 +458,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No ID argument specified. Loading names for Groups drop-down."

cmd/workspace/instance-pools/instance-pools.go

@@ -128,11 +128,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.InstancePoolName = args[0]
 		}
@@ -206,10 +212,16 @@ func newDelete() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteJson.Unmarshal(&deleteReq)
+			diags := deleteJson.Unmarshal(&deleteReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -309,11 +321,17 @@ func newEdit() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = editJson.Unmarshal(&editReq)
+			diags := editJson.Unmarshal(&editReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			editReq.InstancePoolId = args[0]
 		}
@@ -631,11 +649,17 @@ func newSetPermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setPermissionsJson.Unmarshal(&setPermissionsReq)
+			diags := setPermissionsJson.Unmarshal(&setPermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No INSTANCE_POOL_ID argument specified. Loading names for Instance Pools drop-down."
@@ -712,11 +736,17 @@ func newUpdatePermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			diags := updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No INSTANCE_POOL_ID argument specified. Loading names for Instance Pools drop-down."

cmd/workspace/instance-profiles/instance-profiles.go

@@ -99,11 +99,17 @@ func newAdd() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = addJson.Unmarshal(&addReq)
+			diags := addJson.Unmarshal(&addReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			addReq.InstanceProfileArn = args[0]
 		}
@@ -192,11 +198,17 @@ func newEdit() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = editJson.Unmarshal(&editReq)
+			diags := editJson.Unmarshal(&editReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			editReq.InstanceProfileArn = args[0]
 		}
@@ -311,11 +323,17 @@ func newRemove() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = removeJson.Unmarshal(&removeReq)
+			diags := removeJson.Unmarshal(&removeReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			removeReq.InstanceProfileArn = args[0]
 		}

cmd/workspace/ip-access-lists/ip-access-lists.go

@@ -133,11 +133,17 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if !cmd.Flags().Changed("json") {
 			createReq.Label = args[0]
 		}
@@ -414,11 +420,17 @@ func newReplace() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = replaceJson.Unmarshal(&replaceReq)
+			diags := replaceJson.Unmarshal(&replaceReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		replaceReq.IpAccessListId = args[0]
 		if !cmd.Flags().Changed("json") {
 			replaceReq.Label = args[1]
@@ -510,11 +522,17 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No IP_ACCESS_LIST_ID argument specified. Loading names for Ip Access Lists drop-down."

cmd/workspace/jobs/jobs.go

@@ -116,11 +116,17 @@ func newCancelAllRuns() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = cancelAllRunsJson.Unmarshal(&cancelAllRunsReq)
+			diags := cancelAllRunsJson.Unmarshal(&cancelAllRunsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		err = w.Jobs.CancelAllRuns(ctx, cancelAllRunsReq)
 		if err != nil {
@@ -193,10 +199,16 @@ func newCancelRun() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = cancelRunJson.Unmarshal(&cancelRunReq)
+			diags := cancelRunJson.Unmarshal(&cancelRunReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -291,10 +303,16 @@ func newCreate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = createJson.Unmarshal(&createReq)
+			diags := createJson.Unmarshal(&createReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -364,10 +382,16 @@ func newDelete() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteJson.Unmarshal(&deleteReq)
+			diags := deleteJson.Unmarshal(&deleteReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -457,10 +481,16 @@ func newDeleteRun() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = deleteRunJson.Unmarshal(&deleteRunReq)
+			diags := deleteRunJson.Unmarshal(&deleteRunReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1143,10 +1173,16 @@ func newRepairRun() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = repairRunJson.Unmarshal(&repairRunReq)
+			diags := repairRunJson.Unmarshal(&repairRunReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1242,10 +1278,16 @@ func newReset() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = resetJson.Unmarshal(&resetReq)
+			diags := resetJson.Unmarshal(&resetReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			return fmt.Errorf("please provide command input in JSON format by specifying the --json flag")
 		}
@@ -1332,10 +1374,16 @@ func newRunNow() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = runNowJson.Unmarshal(&runNowReq)
+			diags := runNowJson.Unmarshal(&runNowReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1436,11 +1484,17 @@ func newSetPermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = setPermissionsJson.Unmarshal(&setPermissionsReq)
+			diags := setPermissionsJson.Unmarshal(&setPermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No JOB_ID argument specified. Loading names for Jobs drop-down."
@@ -1538,11 +1592,17 @@ func newSubmit() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = submitJson.Unmarshal(&submitReq)
+			diags := submitJson.Unmarshal(&submitReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 
 		wait, err := w.Jobs.Submit(ctx, submitReq)
 		if err != nil {
@@ -1632,10 +1692,16 @@ func newUpdate() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updateJson.Unmarshal(&updateReq)
+			diags := updateJson.Unmarshal(&updateReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
+			}
 		} else {
 			if len(args) == 0 {
 				promptSpinner := cmdio.Spinner(ctx)
@@ -1717,11 +1783,17 @@ func newUpdatePermissions() *cobra.Command {
 		w := root.WorkspaceClient(ctx)
 
 		if cmd.Flags().Changed("json") {
-			err = updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			diags := updatePermissionsJson.Unmarshal(&updatePermissionsReq)
+			if diags.HasError() {
+				return diags.Error()
+			}
+			if len(diags) > 0 {
+				err := cmdio.RenderDiagnosticsToErrorOut(ctx, diags)
 				if err != nil {
 					return err
 				}
 			}
+		}
 		if len(args) == 0 {
 			promptSpinner := cmdio.Spinner(ctx)
 			promptSpinner <- "No JOB_ID argument specified. Loading names for Jobs drop-down."