bundle/deploy/terraform/convert.go

@@ -2,7 +2,9 @@ package terraform
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"sort"
 
 	"github.com/databricks/cli/bundle/config"
 	"github.com/databricks/cli/bundle/config/resources"
@@ -12,6 +14,244 @@ import (
 	tfjson "github.com/hashicorp/terraform-json"
 )
 
+func conv(from any, to any) {
+	buf, _ := json.Marshal(from)
+	json.Unmarshal(buf, &to)
+}
+
+func convPermissions(acl []resources.Permission) *schema.ResourcePermissions {
+	if len(acl) == 0 {
+		return nil
+	}
+
+	resource := schema.ResourcePermissions{}
+	for _, ac := range acl {
+		resource.AccessControl = append(resource.AccessControl, convPermission(ac))
+	}
+
+	return &resource
+}
+
+func convPermission(ac resources.Permission) schema.ResourcePermissionsAccessControl {
+	dst := schema.ResourcePermissionsAccessControl{
+		PermissionLevel: ac.Level,
+	}
+	if ac.UserName != "" {
+		dst.UserName = ac.UserName
+	}
+	if ac.GroupName != "" {
+		dst.GroupName = ac.GroupName
+	}
+	if ac.ServicePrincipalName != "" {
+		dst.ServicePrincipalName = ac.ServicePrincipalName
+	}
+	return dst
+}
+
+func convGrants(acl []resources.Grant) *schema.ResourceGrants {
+	if len(acl) == 0 {
+		return nil
+	}
+
+	resource := schema.ResourceGrants{}
+	for _, ac := range acl {
+		resource.Grant = append(resource.Grant, schema.ResourceGrantsGrant{
+			Privileges: ac.Privileges,
+			Principal:  ac.Principal,
+		})
+	}
+
+	return &resource
+}
+
+// BundleToTerraform converts resources in a bundle configuration
+// to the equivalent Terraform JSON representation.
+//
+// Note: This function is an older implementation of the conversion logic. It is
+// no longer used in any code paths. It is kept around to be used in tests.
+// New resources do not need to modify this function and can instead can define
+// the conversion login in the tfdyn package.
+func BundleToTerraform(config *config.Root) *schema.Root {
+	tfroot := schema.NewRoot()
+	tfroot.Provider = schema.NewProviders()
+	tfroot.Resource = schema.NewResources()
+	noResources := true
+
+	for k, src := range config.Resources.Jobs {
+		noResources = false
+		var dst schema.ResourceJob
+		conv(src, &dst)
+
+		if src.JobSettings != nil {
+			sort.Slice(src.JobSettings.Tasks, func(i, j int) bool {
+				return src.JobSettings.Tasks[i].TaskKey < src.JobSettings.Tasks[j].TaskKey
+			})
+
+			for _, v := range src.Tasks {
+				var t schema.ResourceJobTask
+				conv(v, &t)
+
+				for _, v_ := range v.Libraries {
+					var l schema.ResourceJobTaskLibrary
+					conv(v_, &l)
+					t.Library = append(t.Library, l)
+				}
+
+				// Convert for_each_task libraries
+				if v.ForEachTask != nil {
+					for _, v_ := range v.ForEachTask.Task.Libraries {
+						var l schema.ResourceJobTaskForEachTaskTaskLibrary
+						conv(v_, &l)
+						t.ForEachTask.Task.Library = append(t.ForEachTask.Task.Library, l)
+					}
+
+				}
+
+				dst.Task = append(dst.Task, t)
+			}
+
+			for _, v := range src.JobClusters {
+				var t schema.ResourceJobJobCluster
+				conv(v, &t)
+				dst.JobCluster = append(dst.JobCluster, t)
+			}
+
+			// Unblock downstream work. To be addressed more generally later.
+			if git := src.GitSource; git != nil {
+				dst.GitSource = &schema.ResourceJobGitSource{
+					Url:      git.GitUrl,
+					Branch:   git.GitBranch,
+					Commit:   git.GitCommit,
+					Provider: string(git.GitProvider),
+					Tag:      git.GitTag,
+				}
+			}
+
+			for _, v := range src.Parameters {
+				var t schema.ResourceJobParameter
+				conv(v, &t)
+				dst.Parameter = append(dst.Parameter, t)
+			}
+		}
+
+		tfroot.Resource.Job[k] = &dst
+
+		// Configure permissions for this resource.
+		if rp := convPermissions(src.Permissions); rp != nil {
+			rp.JobId = fmt.Sprintf("${databricks_job.%s.id}", k)
+			tfroot.Resource.Permissions["job_"+k] = rp
+		}
+	}
+
+	for k, src := range config.Resources.Pipelines {
+		noResources = false
+		var dst schema.ResourcePipeline
+		conv(src, &dst)
+
+		if src.PipelineSpec != nil {
+			for _, v := range src.Libraries {
+				var l schema.ResourcePipelineLibrary
+				conv(v, &l)
+				dst.Library = append(dst.Library, l)
+			}
+
+			for _, v := range src.Clusters {
+				var l schema.ResourcePipelineCluster
+				conv(v, &l)
+				dst.Cluster = append(dst.Cluster, l)
+			}
+
+			for _, v := range src.Notifications {
+				var l schema.ResourcePipelineNotification
+				conv(v, &l)
+				dst.Notification = append(dst.Notification, l)
+			}
+		}
+
+		tfroot.Resource.Pipeline[k] = &dst
+
+		// Configure permissions for this resource.
+		if rp := convPermissions(src.Permissions); rp != nil {
+			rp.PipelineId = fmt.Sprintf("${databricks_pipeline.%s.id}", k)
+			tfroot.Resource.Permissions["pipeline_"+k] = rp
+		}
+	}
+
+	for k, src := range config.Resources.Models {
+		noResources = false
+		var dst schema.ResourceMlflowModel
+		conv(src, &dst)
+		tfroot.Resource.MlflowModel[k] = &dst
+
+		// Configure permissions for this resource.
+		if rp := convPermissions(src.Permissions); rp != nil {
+			rp.RegisteredModelId = fmt.Sprintf("${databricks_mlflow_model.%s.registered_model_id}", k)
+			tfroot.Resource.Permissions["mlflow_model_"+k] = rp
+		}
+	}
+
+	for k, src := range config.Resources.Experiments {
+		noResources = false
+		var dst schema.ResourceMlflowExperiment
+		conv(src, &dst)
+		tfroot.Resource.MlflowExperiment[k] = &dst
+
+		// Configure permissions for this resource.
+		if rp := convPermissions(src.Permissions); rp != nil {
+			rp.ExperimentId = fmt.Sprintf("${databricks_mlflow_experiment.%s.id}", k)
+			tfroot.Resource.Permissions["mlflow_experiment_"+k] = rp
+		}
+	}
+
+	for k, src := range config.Resources.ModelServingEndpoints {
+		noResources = false
+		var dst schema.ResourceModelServing
+		conv(src, &dst)
+		tfroot.Resource.ModelServing[k] = &dst
+
+		// Configure permissions for this resource.
+		if rp := convPermissions(src.Permissions); rp != nil {
+			rp.ServingEndpointId = fmt.Sprintf("${databricks_model_serving.%s.serving_endpoint_id}", k)
+			tfroot.Resource.Permissions["model_serving_"+k] = rp
+		}
+	}
+
+	for k, src := range config.Resources.RegisteredModels {
+		noResources = false
+		var dst schema.ResourceRegisteredModel
+		conv(src, &dst)
+		tfroot.Resource.RegisteredModel[k] = &dst
+
+		// Configure permissions for this resource.
+		if rp := convGrants(src.Grants); rp != nil {
+			rp.Function = fmt.Sprintf("${databricks_registered_model.%s.id}", k)
+			tfroot.Resource.Grants["registered_model_"+k] = rp
+		}
+	}
+
+	for k, src := range config.Resources.QualityMonitors {
+		noResources = false
+		var dst schema.ResourceQualityMonitor
+		conv(src, &dst)
+		tfroot.Resource.QualityMonitor[k] = &dst
+	}
+
+	for k, src := range config.Resources.Clusters {
+		noResources = false
+		var dst schema.ResourceCluster
+		conv(src, &dst)
+		tfroot.Resource.Cluster[k] = &dst
+	}
+
+	// We explicitly set "resource" to nil to omit it from a JSON encoding.
+	// This is required because the terraform CLI requires >= 1 resources defined
+	// if the "resource" property is used in a .tf.json file.
+	if noResources {
+		tfroot.Resource = nil
+	}
+	return tfroot
+}
+
 // BundleToTerraformWithDynValue converts resources in a bundle configuration
 // to the equivalent Terraform JSON representation.
 func BundleToTerraformWithDynValue(ctx context.Context, root dyn.Value) (*schema.Root, error) {

bundle/deploy/terraform/convert_test.go

@@ -2,6 +2,7 @@ package terraform
 
 import (
 	"context"
+	"encoding/json"
 	"reflect"
 	"testing"
 
@@ -20,27 +21,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func produceTerraformConfiguration(t *testing.T, config config.Root) *schema.Root {
-	vin, err := convert.FromTyped(config, dyn.NilValue)
-	require.NoError(t, err)
-	out, err := BundleToTerraformWithDynValue(context.Background(), vin)
-	require.NoError(t, err)
-	return out
-}
-
-func convertToResourceStruct[T any](t *testing.T, resource *T, data any) {
-	require.NotNil(t, resource)
-	require.NotNil(t, data)
-
-	// Convert data to a dyn.Value.
-	vin, err := convert.FromTyped(data, dyn.NilValue)
-	require.NoError(t, err)
-
-	// Convert the dyn.Value to a struct.
-	err = convert.ToTyped(resource, vin)
-	require.NoError(t, err)
-}
-
 func TestBundleToTerraformJob(t *testing.T) {
 	var src = resources.Job{
 		JobSettings: &jobs.JobSettings{
@@ -78,9 +58,8 @@ func TestBundleToTerraformJob(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourceJob
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Job["my_job"].(*schema.ResourceJob)
-	convertToResourceStruct(t, &resource, out.Resource.Job["my_job"])
 
 	assert.Equal(t, "my job", resource.Name)
 	assert.Len(t, resource.JobCluster, 1)
@@ -89,6 +68,8 @@ func TestBundleToTerraformJob(t *testing.T) {
 	assert.Equal(t, "param1", resource.Parameter[0].Name)
 	assert.Equal(t, "param2", resource.Parameter[1].Name)
 	assert.Nil(t, out.Data)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformJobPermissions(t *testing.T) {
@@ -109,14 +90,15 @@ func TestBundleToTerraformJobPermissions(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourcePermissions
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Permissions["job_my_job"].(*schema.ResourcePermissions)
-	convertToResourceStruct(t, &resource, out.Resource.Permissions["job_my_job"])
 
 	assert.NotEmpty(t, resource.JobId)
 	assert.Len(t, resource.AccessControl, 1)
 	assert.Equal(t, "jane@doe.com", resource.AccessControl[0].UserName)
 	assert.Equal(t, "CAN_VIEW", resource.AccessControl[0].PermissionLevel)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformJobTaskLibraries(t *testing.T) {
@@ -146,14 +128,15 @@ func TestBundleToTerraformJobTaskLibraries(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourceJob
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Job["my_job"].(*schema.ResourceJob)
-	convertToResourceStruct(t, &resource, out.Resource.Job["my_job"])
 
 	assert.Equal(t, "my job", resource.Name)
 	require.Len(t, resource.Task, 1)
 	require.Len(t, resource.Task[0].Library, 1)
 	assert.Equal(t, "mlflow", resource.Task[0].Library[0].Pypi.Package)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformForEachTaskLibraries(t *testing.T) {
@@ -189,14 +172,15 @@ func TestBundleToTerraformForEachTaskLibraries(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourceJob
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Job["my_job"].(*schema.ResourceJob)
-	convertToResourceStruct(t, &resource, out.Resource.Job["my_job"])
 
 	assert.Equal(t, "my job", resource.Name)
 	require.Len(t, resource.Task, 1)
 	require.Len(t, resource.Task[0].ForEachTask.Task.Library, 1)
 	assert.Equal(t, "mlflow", resource.Task[0].ForEachTask.Task.Library[0].Pypi.Package)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformPipeline(t *testing.T) {
@@ -246,9 +230,8 @@ func TestBundleToTerraformPipeline(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourcePipeline
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Pipeline["my_pipeline"].(*schema.ResourcePipeline)
-	convertToResourceStruct(t, &resource, out.Resource.Pipeline["my_pipeline"])
 
 	assert.Equal(t, "my pipeline", resource.Name)
 	assert.Len(t, resource.Library, 2)
@@ -258,6 +241,8 @@ func TestBundleToTerraformPipeline(t *testing.T) {
 	assert.Equal(t, resource.Notification[1].Alerts, []string{"on-update-failure", "on-flow-failure"})
 	assert.Equal(t, resource.Notification[1].EmailRecipients, []string{"jane@doe.com", "john@doe.com"})
 	assert.Nil(t, out.Data)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformPipelinePermissions(t *testing.T) {
@@ -278,14 +263,15 @@ func TestBundleToTerraformPipelinePermissions(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourcePermissions
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Permissions["pipeline_my_pipeline"].(*schema.ResourcePermissions)
-	convertToResourceStruct(t, &resource, out.Resource.Permissions["pipeline_my_pipeline"])
 
 	assert.NotEmpty(t, resource.PipelineId)
 	assert.Len(t, resource.AccessControl, 1)
 	assert.Equal(t, "jane@doe.com", resource.AccessControl[0].UserName)
 	assert.Equal(t, "CAN_VIEW", resource.AccessControl[0].PermissionLevel)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformModel(t *testing.T) {
@@ -314,9 +300,8 @@ func TestBundleToTerraformModel(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourceMlflowModel
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.MlflowModel["my_model"].(*schema.ResourceMlflowModel)
-	convertToResourceStruct(t, &resource, out.Resource.MlflowModel["my_model"])
 
 	assert.Equal(t, "name", resource.Name)
 	assert.Equal(t, "description", resource.Description)
@@ -326,6 +311,8 @@ func TestBundleToTerraformModel(t *testing.T) {
 	assert.Equal(t, "k2", resource.Tags[1].Key)
 	assert.Equal(t, "v2", resource.Tags[1].Value)
 	assert.Nil(t, out.Data)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformModelPermissions(t *testing.T) {
@@ -349,14 +336,15 @@ func TestBundleToTerraformModelPermissions(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourcePermissions
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Permissions["mlflow_model_my_model"].(*schema.ResourcePermissions)
-	convertToResourceStruct(t, &resource, out.Resource.Permissions["mlflow_model_my_model"])
 
 	assert.NotEmpty(t, resource.RegisteredModelId)
 	assert.Len(t, resource.AccessControl, 1)
 	assert.Equal(t, "jane@doe.com", resource.AccessControl[0].UserName)
 	assert.Equal(t, "CAN_READ", resource.AccessControl[0].PermissionLevel)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformExperiment(t *testing.T) {
@@ -374,12 +362,13 @@ func TestBundleToTerraformExperiment(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourceMlflowExperiment
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.MlflowExperiment["my_experiment"].(*schema.ResourceMlflowExperiment)
-	convertToResourceStruct(t, &resource, out.Resource.MlflowExperiment["my_experiment"])
 
 	assert.Equal(t, "name", resource.Name)
 	assert.Nil(t, out.Data)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformExperimentPermissions(t *testing.T) {
@@ -403,14 +392,15 @@ func TestBundleToTerraformExperimentPermissions(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourcePermissions
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Permissions["mlflow_experiment_my_experiment"].(*schema.ResourcePermissions)
-	convertToResourceStruct(t, &resource, out.Resource.Permissions["mlflow_experiment_my_experiment"])
 
 	assert.NotEmpty(t, resource.ExperimentId)
 	assert.Len(t, resource.AccessControl, 1)
 	assert.Equal(t, "jane@doe.com", resource.AccessControl[0].UserName)
 	assert.Equal(t, "CAN_READ", resource.AccessControl[0].PermissionLevel)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformModelServing(t *testing.T) {
@@ -446,9 +436,8 @@ func TestBundleToTerraformModelServing(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourceModelServing
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.ModelServing["my_model_serving_endpoint"].(*schema.ResourceModelServing)
-	convertToResourceStruct(t, &resource, out.Resource.ModelServing["my_model_serving_endpoint"])
 
 	assert.Equal(t, "name", resource.Name)
 	assert.Equal(t, "model_name", resource.Config.ServedModels[0].ModelName)
@@ -458,6 +447,8 @@ func TestBundleToTerraformModelServing(t *testing.T) {
 	assert.Equal(t, "model_name-1", resource.Config.TrafficConfig.Routes[0].ServedModelName)
 	assert.Equal(t, 100, resource.Config.TrafficConfig.Routes[0].TrafficPercentage)
 	assert.Nil(t, out.Data)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformModelServingPermissions(t *testing.T) {
@@ -499,14 +490,15 @@ func TestBundleToTerraformModelServingPermissions(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourcePermissions
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Permissions["model_serving_my_model_serving_endpoint"].(*schema.ResourcePermissions)
-	convertToResourceStruct(t, &resource, out.Resource.Permissions["model_serving_my_model_serving_endpoint"])
 
 	assert.NotEmpty(t, resource.ServingEndpointId)
 	assert.Len(t, resource.AccessControl, 1)
 	assert.Equal(t, "jane@doe.com", resource.AccessControl[0].UserName)
 	assert.Equal(t, "CAN_VIEW", resource.AccessControl[0].PermissionLevel)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformRegisteredModel(t *testing.T) {
@@ -527,15 +519,16 @@ func TestBundleToTerraformRegisteredModel(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourceRegisteredModel
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.RegisteredModel["my_registered_model"].(*schema.ResourceRegisteredModel)
-	convertToResourceStruct(t, &resource, out.Resource.RegisteredModel["my_registered_model"])
 
 	assert.Equal(t, "name", resource.Name)
 	assert.Equal(t, "catalog", resource.CatalogName)
 	assert.Equal(t, "schema", resource.SchemaName)
 	assert.Equal(t, "comment", resource.Comment)
 	assert.Nil(t, out.Data)
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformRegisteredModelGrants(t *testing.T) {
@@ -561,14 +554,15 @@ func TestBundleToTerraformRegisteredModelGrants(t *testing.T) {
 		},
 	}
 
-	var resource schema.ResourceGrants
+	out := BundleToTerraform(&config)
-	out := produceTerraformConfiguration(t, config)
+	resource := out.Resource.Grants["registered_model_my_registered_model"].(*schema.ResourceGrants)
-	convertToResourceStruct(t, &resource, out.Resource.Grants["registered_model_my_registered_model"])
 
 	assert.NotEmpty(t, resource.Function)
 	assert.Len(t, resource.Grant, 1)
 	assert.Equal(t, "jane@doe.com", resource.Grant[0].Principal)
 	assert.Equal(t, "EXECUTE", resource.Grant[0].Privileges[0])
+
+	bundleToTerraformEquivalenceTest(t, &config)
 }
 
 func TestBundleToTerraformDeletedResources(t *testing.T) {
@@ -1160,3 +1154,25 @@ func AssertFullResourceCoverage(t *testing.T, config *config.Root) {
 		}
 	}
 }
+
+func assertEqualTerraformRoot(t *testing.T, a, b *schema.Root) {
+	ba, err := json.Marshal(a)
+	require.NoError(t, err)
+	bb, err := json.Marshal(b)
+	require.NoError(t, err)
+	assert.JSONEq(t, string(ba), string(bb))
+}
+
+func bundleToTerraformEquivalenceTest(t *testing.T, config *config.Root) {
+	t.Run("dyn equivalence", func(t *testing.T) {
+		tf1 := BundleToTerraform(config)
+
+		vin, err := convert.FromTyped(config, dyn.NilValue)
+		require.NoError(t, err)
+		tf2, err := BundleToTerraformWithDynValue(context.Background(), vin)
+		require.NoError(t, err)
+
+		// Compare roots
+		assertEqualTerraformRoot(t, tf1, tf2)
+	})
+}

bundle/permissions/validate.go

@@ -1,56 +0,0 @@
-package permissions
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/databricks/cli/bundle"
-	"github.com/databricks/cli/libs/diag"
-)
-
-type validateSharedRootPermissions struct {
-}
-
-func ValidateSharedRootPermissions() bundle.Mutator {
-	return &validateSharedRootPermissions{}
-}
-
-func (*validateSharedRootPermissions) Name() string {
-	return "ValidateSharedRootPermissions"
-}
-
-func (*validateSharedRootPermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
-	if isWorkspaceSharedRoot(b.Config.Workspace.RootPath) {
-		return isUsersGroupPermissionSet(b)
-	}
-
-	return nil
-}
-
-func isWorkspaceSharedRoot(path string) bool {
-	return strings.HasPrefix(path, "/Workspace/Shared/")
-}
-
-// isUsersGroupPermissionSet checks that top-level permissions set for bundle contain group_name: users with CAN_MANAGE permission.
-func isUsersGroupPermissionSet(b *bundle.Bundle) diag.Diagnostics {
-	var diags diag.Diagnostics
-
-	allUsers := false
-	for _, p := range b.Config.Permissions {
-		if p.GroupName == "users" && p.Level == CAN_MANAGE {
-			allUsers = true
-			break
-		}
-	}
-
-	if !allUsers {
-		diags = diags.Append(diag.Diagnostic{
-			Severity: diag.Warning,
-			Summary:  fmt.Sprintf("the bundle root path %s is writable by all workspace users", b.Config.Workspace.RootPath),
-			Detail:   "The bundle is configured to use /Workspace/Shared, which will give read/write access to all users. If this is intentional, add CAN_MANAGE for 'group_name: users' permission to your bundle configuration. If the deployment should be restricted, move it to a restricted folder such as /Workspace/Users/<username or principal name>.",
-		})
-	}
-
-	return diags
-}

bundle/permissions/validate_test.go

@@ -1,66 +0,0 @@
-package permissions
-
-import (
-	"context"
-	"testing"
-
-	"github.com/databricks/cli/bundle"
-	"github.com/databricks/cli/bundle/config"
-	"github.com/databricks/cli/bundle/config/resources"
-	"github.com/databricks/cli/libs/diag"
-	"github.com/databricks/databricks-sdk-go/experimental/mocks"
-	"github.com/databricks/databricks-sdk-go/service/jobs"
-	"github.com/stretchr/testify/require"
-)
-
-func TestValidateSharedRootPermissionsForShared(t *testing.T) {
-	b := &bundle.Bundle{
-		Config: config.Root{
-			Workspace: config.Workspace{
-				RootPath: "/Workspace/Shared/foo/bar",
-			},
-			Permissions: []resources.Permission{
-				{Level: CAN_MANAGE, GroupName: "users"},
-			},
-			Resources: config.Resources{
-				Jobs: map[string]*resources.Job{
-					"job_1": {JobSettings: &jobs.JobSettings{Name: "job_1"}},
-					"job_2": {JobSettings: &jobs.JobSettings{Name: "job_2"}},
-				},
-			},
-		},
-	}
-
-	m := mocks.NewMockWorkspaceClient(t)
-	b.SetWorkpaceClient(m.WorkspaceClient)
-
-	diags := bundle.Apply(context.Background(), b, bundle.Seq(ValidateSharedRootPermissions()))
-	require.Empty(t, diags)
-}
-
-func TestValidateSharedRootPermissionsForSharedError(t *testing.T) {
-	b := &bundle.Bundle{
-		Config: config.Root{
-			Workspace: config.Workspace{
-				RootPath: "/Workspace/Shared/foo/bar",
-			},
-			Permissions: []resources.Permission{
-				{Level: CAN_MANAGE, UserName: "foo@bar.com"},
-			},
-			Resources: config.Resources{
-				Jobs: map[string]*resources.Job{
-					"job_1": {JobSettings: &jobs.JobSettings{Name: "job_1"}},
-					"job_2": {JobSettings: &jobs.JobSettings{Name: "job_2"}},
-				},
-			},
-		},
-	}
-
-	m := mocks.NewMockWorkspaceClient(t)
-	b.SetWorkpaceClient(m.WorkspaceClient)
-
-	diags := bundle.Apply(context.Background(), b, bundle.Seq(ValidateSharedRootPermissions()))
-	require.Len(t, diags, 1)
-	require.Equal(t, "the bundle root path /Workspace/Shared/foo/bar is writable by all workspace users", diags[0].Summary)
-	require.Equal(t, diag.Warning, diags[0].Severity)
-}

bundle/permissions/workspace_root.go

@@ -16,10 +16,6 @@ func ApplyWorkspaceRootPermissions() bundle.Mutator {
 	return &workspaceRootPermissions{}
 }
 
-func (*workspaceRootPermissions) Name() string {
-	return "ApplyWorkspaceRootPermissions"
-}
-
 // Apply implements bundle.Mutator.
 func (*workspaceRootPermissions) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
 	err := giveAccessForWorkspaceRoot(ctx, b)
@@ -30,6 +26,10 @@ func (*workspaceRootPermissions) Apply(ctx context.Context, b *bundle.Bundle) di
 	return nil
 }
 
+func (*workspaceRootPermissions) Name() string {
+	return "ApplyWorkspaceRootPermissions"
+}
+
 func giveAccessForWorkspaceRoot(ctx context.Context, b *bundle.Bundle) error {
 	permissions := make([]workspace.WorkspaceObjectAccessControlRequest, 0)
 

bundle/permissions/workspace_root_test.go

@@ -69,6 +69,6 @@ func TestApplyWorkspaceRootPermissions(t *testing.T) {
 		WorkspaceObjectType: "directories",
 	}).Return(nil, nil)
 
-	diags := bundle.Apply(context.Background(), b, bundle.Seq(ValidateSharedRootPermissions(), ApplyWorkspaceRootPermissions()))
+	diags := bundle.Apply(context.Background(), b, ApplyWorkspaceRootPermissions())
-	require.Empty(t, diags)
+	require.NoError(t, diags.Error())
 }

bundle/phases/initialize.go

@@ -76,11 +76,8 @@ func Initialize() bundle.Mutator {
 
 			mutator.TranslatePaths(),
 			trampoline.WrapperWarning(),
-
-			permissions.ValidateSharedRootPermissions(),
 			permissions.ApplyBundlePermissions(),
 			permissions.FilterCurrentUser(),
-
 			metadata.AnnotateJobs(),
 			metadata.AnnotatePipelines(),
 			terraform.Initialize(),

internal/acc/workspace.go

@@ -2,14 +2,11 @@ package acc
 
 import (
 	"context"
-	"fmt"
 	"os"
 	"testing"
 
 	"github.com/databricks/databricks-sdk-go"
-	"github.com/databricks/databricks-sdk-go/apierr"
 	"github.com/databricks/databricks-sdk-go/service/compute"
-	"github.com/databricks/databricks-sdk-go/service/workspace"
 	"github.com/stretchr/testify/require"
 )
 
@@ -97,30 +94,3 @@ func (t *WorkspaceT) RunPython(code string) (string, error) {
 	require.True(t, ok, "unexpected type %T", results.Data)
 	return output, nil
 }
-
-func (t *WorkspaceT) TemporaryWorkspaceDir(name ...string) string {
-	ctx := context.Background()
-	me, err := t.W.CurrentUser.Me(ctx)
-	require.NoError(t, err)
-
-	basePath := fmt.Sprintf("/Users/%s/%s", me.UserName, RandomName(name...))
-
-	t.Logf("Creating %s", basePath)
-	err = t.W.Workspace.MkdirsByPath(ctx, basePath)
-	require.NoError(t, err)
-
-	// Remove test directory on test completion.
-	t.Cleanup(func() {
-		t.Logf("Removing %s", basePath)
-		err := t.W.Workspace.Delete(ctx, workspace.Delete{
-			Path:      basePath,
-			Recursive: true,
-		})
-		if err == nil || apierr.IsMissing(err) {
-			return
-		}
-		t.Logf("Unable to remove temporary workspace directory %s: %#v", basePath, err)
-	})
-
-	return basePath
-}

internal/dashboard_assumptions_test.go

@@ -1,110 +0,0 @@
-package internal
-
-import (
-	"encoding/base64"
-	"testing"
-
-	"github.com/databricks/cli/internal/acc"
-	"github.com/databricks/cli/libs/dyn"
-	"github.com/databricks/cli/libs/dyn/convert"
-	"github.com/databricks/cli/libs/dyn/merge"
-	"github.com/databricks/databricks-sdk-go/apierr"
-	"github.com/databricks/databricks-sdk-go/service/dashboards"
-	"github.com/databricks/databricks-sdk-go/service/workspace"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// Verify that importing a dashboard through the Workspace API retains the identity of the underying resource,
-// as well as properties exclusively accessible through the dashboards API.
-func TestAccDashboardAssumptions_WorkspaceImport(t *testing.T) {
-	ctx, wt := acc.WorkspaceTest(t)
-
-	t.Parallel()
-
-	dashboardName := "New Dashboard"
-	dashboardPayload := []byte(`{"pages":[{"name":"2506f97a","displayName":"New Page"}]}`)
-	warehouseId := acc.GetEnvOrSkipTest(t, "TEST_DEFAULT_WAREHOUSE_ID")
-
-	dir := wt.TemporaryWorkspaceDir("dashboard-assumptions-")
-
-	dashboard, err := wt.W.Lakeview.Create(ctx, dashboards.CreateDashboardRequest{
-		DisplayName:         dashboardName,
-		ParentPath:          dir,
-		SerializedDashboard: string(dashboardPayload),
-		WarehouseId:         warehouseId,
-	})
-	require.NoError(t, err)
-	t.Logf("Dashboard ID (per Lakeview API): %s", dashboard.DashboardId)
-
-	// Overwrite the dashboard via the workspace API.
-	{
-		err := wt.W.Workspace.Import(ctx, workspace.Import{
-			Format:    workspace.ImportFormatAuto,
-			Path:      dashboard.Path,
-			Content:   base64.StdEncoding.EncodeToString(dashboardPayload),
-			Overwrite: true,
-		})
-		require.NoError(t, err)
-	}
-
-	// Cross-check consistency with the workspace object.
-	{
-		obj, err := wt.W.Workspace.GetStatusByPath(ctx, dashboard.Path)
-		require.NoError(t, err)
-
-		// Confirm that the resource ID included in the response is equal to the dashboard ID.
-		require.Equal(t, dashboard.DashboardId, obj.ResourceId)
-		t.Logf("Dashboard ID (per workspace object status): %s", obj.ResourceId)
-	}
-
-	// Try to overwrite the dashboard via the Lakeview API (and expect failure).
-	{
-		_, err := wt.W.Lakeview.Create(ctx, dashboards.CreateDashboardRequest{
-			DisplayName:         dashboardName,
-			ParentPath:          dir,
-			SerializedDashboard: string(dashboardPayload),
-		})
-		require.ErrorIs(t, err, apierr.ErrResourceAlreadyExists)
-	}
-
-	// Retrieve the dashboard object and confirm that only select fields were updated by the import.
-	{
-		previousDashboard := dashboard
-		currentDashboard, err := wt.W.Lakeview.Get(ctx, dashboards.GetDashboardRequest{
-			DashboardId: dashboard.DashboardId,
-		})
-		require.NoError(t, err)
-
-		// Convert the dashboard object to a [dyn.Value] to make comparison easier.
-		previous, err := convert.FromTyped(previousDashboard, dyn.NilValue)
-		require.NoError(t, err)
-		current, err := convert.FromTyped(currentDashboard, dyn.NilValue)
-		require.NoError(t, err)
-
-		// Collect updated paths.
-		var updatedFieldPaths []string
-		_, err = merge.Override(previous, current, merge.OverrideVisitor{
-			VisitDelete: func(basePath dyn.Path, left dyn.Value) error {
-				assert.Fail(t, "unexpected delete operation")
-				return nil
-			},
-			VisitInsert: func(basePath dyn.Path, right dyn.Value) (dyn.Value, error) {
-				assert.Fail(t, "unexpected insert operation")
-				return right, nil
-			},
-			VisitUpdate: func(basePath dyn.Path, left dyn.Value, right dyn.Value) (dyn.Value, error) {
-				updatedFieldPaths = append(updatedFieldPaths, basePath.String())
-				return right, nil
-			},
-		})
-		require.NoError(t, err)
-
-		// Confirm that only the expected fields have been updated.
-		assert.ElementsMatch(t, []string{
-			"etag",
-			"update_time",
-		}, updatedFieldPaths)
-	}
-}

libs/git/repository.go

@@ -23,20 +23,17 @@ type Repository struct {
 	// directory where we process .gitignore files.
 	real bool
 
-	// rootDir is the path to the root of the repository checkout.
+	// checkoutDir is the path to the root of the repository checkout.
-	// This can be either the main repository checkout or a worktree checkout.
+	// This can be either the main repository checkout or a worktree.
-	// For more information about worktrees, see: https://git-scm.com/docs/git-worktree#_description.
+	checkoutDir vfs.Path
-	rootDir vfs.Path
 
 	// gitDir is the equivalent of $GIT_DIR and points to the
-	// `.git` directory of a repository or a worktree directory.
+	// `.git` directory of a repository or a worktree.
-	// See https://git-scm.com/docs/git-worktree#_details for more information.
 	gitDir vfs.Path
 
 	// gitCommonDir is the equivalent of $GIT_COMMON_DIR and points to the
 	// `.git` directory of the main working tree (common between worktrees).
 	// This is equivalent to [gitDir] if this is the main working tree.
-	// See https://git-scm.com/docs/git-worktree#_details for more information.
 	gitCommonDir vfs.Path
 
 	// ignore contains a list of ignore patterns indexed by the
@@ -57,7 +54,7 @@ type Repository struct {
 
 // Root returns the absolute path to the repository root.
 func (r *Repository) Root() string {
-	return r.rootDir.Native()
+	return r.checkoutDir.Native()
 }
 
 func (r *Repository) CurrentBranch() (string, error) {
@@ -154,7 +151,7 @@ func (r *Repository) getIgnoreRules(prefix string) []ignoreRules {
 		return fs
 	}
 
-	r.ignore[prefix] = append(r.ignore[prefix], newIgnoreFile(r.rootDir, path.Join(prefix, gitIgnoreFileName)))
+	r.ignore[prefix] = append(r.ignore[prefix], newIgnoreFile(r.checkoutDir, path.Join(prefix, gitIgnoreFileName)))
 	return r.ignore[prefix]
 }
 
@@ -210,7 +207,7 @@ func (r *Repository) Ignore(relPath string) (bool, error) {
 
 func NewRepository(path vfs.Path) (*Repository, error) {
 	real := true
-	rootDir, err := vfs.FindLeafInTree(path, GitDirectoryName)
+	checkoutDir, err := vfs.FindLeafInTree(path, GitDirectoryName)
 	if err != nil {
 		if !errors.Is(err, fs.ErrNotExist) {
 			return nil, err
@@ -218,19 +215,19 @@ func NewRepository(path vfs.Path) (*Repository, error) {
 		// Cannot find `.git` directory.
 		// Treat the specified path as a potential repository root checkout.
 		real = false
-		rootDir = path
+		checkoutDir = path
 	}
 
 	// Derive $GIT_DIR and $GIT_COMMON_DIR paths if this is a real repository.
 	// If it isn't a real repository, they'll point to the (non-existent) `.git` directory.
-	gitDir, gitCommonDir, err := resolveGitDirs(rootDir)
+	gitDir, gitCommonDir, err := resolveGitDirs(checkoutDir)
 	if err != nil {
 		return nil, err
 	}
 
 	repo := &Repository{
 		real:         real,
-		rootDir:      rootDir,
+		checkoutDir:  checkoutDir,
 		gitDir:       gitDir,
 		gitCommonDir: gitCommonDir,
 		ignore:       make(map[string][]ignoreRules),
@@ -266,10 +263,10 @@ func NewRepository(path vfs.Path) (*Repository, error) {
 		newStringIgnoreRules([]string{
 			".git",
 		}),
-		// Load repository-wide exclude file.
+		// Load repository-wide excludes file.
-		newIgnoreFile(repo.gitCommonDir, "info/exclude"),
+		newIgnoreFile(repo.gitCommonDir, "info/excludes"),
 		// Load root gitignore file.
-		newIgnoreFile(repo.rootDir, ".gitignore"),
+		newIgnoreFile(repo.checkoutDir, ".gitignore"),
 	}
 
 	return repo, nil

libs/git/view.go

@@ -80,7 +80,7 @@ func NewView(root vfs.Path) (*View, error) {
 
 	// Target path must be relative to the repository root path.
 	target := root.Native()
-	prefix := repo.rootDir.Native()
+	prefix := repo.checkoutDir.Native()
 	if !strings.HasPrefix(target, prefix) {
 		return nil, fmt.Errorf("path %q is not within repository root %q", root.Native(), prefix)
 	}