Description
We recently had an issue where SQL warehouse permission was removed unexpectedly with a Terraform deployment.
The impacted SQL warehouse had a grant for a service principal. We added a new grant for another service principal. In the DiffViewer as well as the Terraform diff (like the following), the change only shows the new grant, but after the deployment the old grant was removed.
```
  # databricks_permissions.usage_graph_account_sql_warehouse_usage will be created
  + resource "databricks_permissions" "usage_graph_account_sql_warehouse_usage" {
      + id              = (known after apply)
      + object_type     = (known after apply)
      + sql_endpoint_id = "47b16ecd124cece4"

      + access_control {
          + permission_level       = "CAN_USE"
          + service_principal_name = "0584562b-aca0-452c-b392-c5719d973ca3"
        }
    }
```
It turns out that Terraform only allows one permission assignment per resource, so the second overwrote the first. However, it's very difficult to detect such issues during code review and deployment because the diff only shows the addition of the new grant, not the removal of the old grant. Similar issues have happened on various occasions within our team. Is this a known issue? Is there any suggestion on how to prevent it?
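Because a `databricks_permissions` resource is authoritative for the object it targets, the config-side remedy is one resource per warehouse carrying every `access_control` block; the plan output alone never shows the grant that the second resource will displace. As an added example (not from the issue or the provider), the check below reads the JSON from `terraform show -json tfplan` and fails when two `databricks_permissions` resources in the plan target the same object; the sample plan, the resource addresses other than the one in the issue, and the cluster id are constructed.

```python
import json
import sys
from collections import defaultdict

# Computed or non-identifying attributes of databricks_permissions. Assumption: any other
# non-null `*_id` attribute (or `authorization`) names the object the grants apply to.
SKIP = {"id", "object_type", "access_control"}

def target_of(after):
    """Return (attribute, value) identifying the object a permissions resource applies to."""
    for key, value in sorted(after.items()):
        if key in SKIP or value is None:
            continue
        if key.endswith("_id") or key == "authorization":
            return (key, value)
    return None

def find_conflicts(plan):
    """Return {target: [addresses]} for every object managed by more than one
    databricks_permissions resource in the plan; resources being deleted do not count."""
    by_target = defaultdict(list)
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "databricks_permissions":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue
        target = target_of(change.get("after") or {})
        if target is not None:
            by_target[target].append(rc["address"])
    return {t: a for t, a in by_target.items() if len(a) > 1}

# Constructed sample plan: the pre-existing grant (no-op) and the new resource from the issue
# both manage warehouse 47b16ecd124cece4; the cluster grant and its id are made up.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "databricks_permissions.sql_warehouse_sp_a", "type": "databricks_permissions",
     "change": {"actions": ["no-op"], "after": {"sql_endpoint_id": "47b16ecd124cece4", "cluster_id": None}}},
    {"address": "databricks_permissions.usage_graph_account_sql_warehouse_usage",
     "type": "databricks_permissions",
     "change": {"actions": ["create"], "after": {"sql_endpoint_id": "47b16ecd124cece4", "cluster_id": None}}},
    {"address": "databricks_permissions.etl_cluster", "type": "databricks_permissions",
     "change": {"actions": ["create"], "after": {"sql_endpoint_id": None, "cluster_id": "0000-example"}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    conflicts = find_conflicts(plan)
    for (attr, value), addrs in conflicts.items():
        print(f"{attr}={value} is managed by {len(addrs)} resources: {', '.join(addrs)}")
    sys.exit(1 if conflicts else 0)
```

Run it in CI as `terraform show -json tfplan > plan.json && python check_permissions.py plan.json`; a non-zero exit blocks the apply before the displaced grant is lost.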