@mgyucht mgyucht commented Jun 2, 2025

Changes

The current implementation of databricks_entitlements crashes if an unexpected entitlement is returned from the API. This makes it impossible for new entitlements to be introduced and available by default. This is different from how most resources behave, where if new fields are added to resources in the API response, they are simply dropped rather than causing the provider to crash.

This PR is a clean-up of the handling of entitlements in the provider, both in the databricks_entitlements resource and the user, group and SP resources and data sources that expose entitlements. The entitlements are defined as a single entitlements structure which can be embedded in every SCIM structure. This makes it possible to use the standard StructToSchema, DataToStructPointer and StructToData methods that are ubiquitous throughout the SCIM API.

I removed the entitlements type alias and just use []ComplexValue in all places where that is used to minimize confusion with the new entitlements type. The methods on that type are no longer needed because the corresponding interactions are handled by the aforementioned methods.

As part of this cleanup, I have also ported the extra fields for the User, SP, Group and Entitlements resources to the struct definition, relying on StructToSchema to handle the transformation. This keeps the treatment of these APIs more uniform w.r.t. other resources on the plugin framework.

Tests

This should be a no-op change, so no new tests are needed.

The schema of the provider should not change as a result of this PR.
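
The forward-compatible handling described above, as an added example (not code from this PR or from the provider): unknown entitlement values are collected instead of aborting the read, and the embedded struct's method is promoted to the outer resource. The struct fields, parseEntitlements, the databricks-sql-access case and the sample values are assumptions made for illustration.

```go
package main

import "fmt"

// ComplexValue mirrors the SCIM value wrapper named in the PR (only Value is modelled).
type ComplexValue struct{ Value string }

// entitlements holds the flags this hypothetical build knows about.
type entitlements struct{ WorkspaceAccess, DatabricksSQLAccess bool }

// groupResource embeds entitlements, so the embedded methods are promoted.
type groupResource struct {
	entitlements
	DisplayName string
}

// parseEntitlements maps API values onto the struct and returns unknown values separately.
func parseEntitlements(values []ComplexValue) (e entitlements, unknown []string) {
	for _, c := range values {
		switch c.Value {
		case "workspace-access":
			e.WorkspaceAccess = true
		case "databricks-sql-access":
			e.DatabricksSQLAccess = true
		default: // collected for logging, never fatal
			unknown = append(unknown, c.Value)
		}
	}
	return e, unknown
}

// toComplexValueList serialises only the known entitlements that are set.
func (e entitlements) toComplexValueList() []ComplexValue {
	var out []ComplexValue
	if e.WorkspaceAccess {
		out = append(out, ComplexValue{"workspace-access"})
	}
	if e.DatabricksSQLAccess {
		out = append(out, ComplexValue{"databricks-sql-access"})
	}
	return out
}

func main() {
	// Constructed API response with one value this build does not know.
	e, unknown := parseEntitlements([]ComplexValue{{"workspace-access"}, {"example-future-entitlement"}})
	g := groupResource{entitlements: e, DisplayName: "analysts"}
	fmt.Println(g.toComplexValueList(), unknown)
}
```

toComplexValueList does not emit example-future-entitlement, so a caller that replaces the full list from this struct would drop it; the unknown slice is what lets the caller log or preserve that value.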

@mgyucht mgyucht requested review from a team as code owners June 2, 2025 12:48
@mgyucht mgyucht requested review from tanmay-db and removed request for a team June 2, 2025 12:48

@alexott alexott left a comment

In general, LGTM. Just small comments.

Comment on lines -26 to -30
func setCommonUserFields(d *schema.ResourceData, user User, username string) {
d.Set("display_name", user.DisplayName)
d.Set("active", user.Active)
d.Set("external_id", user.ExternalID)
d.Set("home", fmt.Sprintf("/Users/%s", username))
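
Review bot: home on the last removed line is not read from user but built from username with fmt.Sprintf("/Users/%s", username), so a struct-to-data conversion will only reproduce it if the struct carries a field populated the same way. Suggest confirming that the replacement code path still sets home alongside display_name, active and external_id, and adding a test assertion for it.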

We need to make sure that all these fields are set in both user and SP. I recently fixed the problem in the exporter that was caused by missing external_id when you import the resource.

case "workspace-access":
e.WorkspaceAccess = true
default:
tflog.Info(ctx, fmt.Sprintf("Ignoring unknown entitlement: %s", c.Value))
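
Review bot: the default branch drops the unknown value after logging it, so the struct built here no longer carries that entitlement. If a later update sends the list produced by toComplexValueList as a full replacement, an entitlement granted outside this provider version would be removed from the principal; suggest confirming that the update path only touches known entitlements, or keeping unknown values so they can be written back unchanged.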

Should it be a warning?


alexott commented Aug 28, 2025

@mgyucht can you look with my changes?


If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/terraform

Inputs:

  • PR number: 4763
  • Commit SHA: c0ebac37625fea32926b6ffb6484be59dc45029d

Checks will be approved automatically on success.

@alexott alexott requested a review from Copilot September 18, 2025 10:54

@Copilot Copilot AI left a comment

Pull Request Overview

This PR refactors the entitlements handling system to be forward-compatible with new entitlements by preventing provider crashes when unknown entitlements are returned from the API. Instead of using hardcoded mappings and type aliases, it introduces a structured approach using embedded structs and standard schema transformation methods.

  • Removes hardcoded entitlements handling that crashed on unknown values
  • Introduces a new entitlements struct that can be embedded in SCIM resources
  • Refactors User, Group, ServicePrincipal, and Entitlements resources to use the new pattern

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| scim/scim.go | Removes legacy entitlements type alias and hardcoded mappings |
| scim/entitlements.go | Adds new entitlements struct with forward-compatible handling |
| scim/resource_user.go | Refactors to use embedded entitlements struct and StructToSchema pattern |
| scim/resource_service_principal.go | Refactors to use embedded entitlements struct and StructToSchema pattern |
| scim/resource_group.go | Refactors to use embedded entitlements struct and StructToSchema pattern |
| scim/resource_entitlement.go | Updates to use new entitlements handling |
| scim/data_group.go | Updates data source to use new entitlements pattern |
| scim/groups.go | Updates function signature for new entitlements type |
| scim/resource_*_test.go | Updates test cases to use []ComplexValue instead of entitlements type |
| NEXT_CHANGELOG.md | Documents the change |

Entitlements: readEntitlementsFromData(d),
ExternalID: d.Get("external_id").(string),
DisplayName: groupResource.DisplayName,
Entitlements: groupResource.toComplexValueList(),
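
Review bot: groupResource.toComplexValueList() on the last line relies on Go promoting the method from the embedded entitlements struct, which the PR description says is embedded, so the call resolves without naming the field. An explicit groupResource.entitlements selector is only required if groupResource gains its own method of that name or a second embedded type that defines one; suggest leaving the call as is, or using the explicit selector purely for readability.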
Copilot AI Sep 18, 2025

The method call should be groupResource.entitlements.toComplexValueList() to access the embedded entitlements field, not called directly on groupResource.

Suggested change
Entitlements: groupResource.toComplexValueList(),
Entitlements: groupResource.entitlements.toComplexValueList(),

spnId := e.SpnId
noEntitlementMessage := "invalidPath No such attribute with the name : entitlements in the current resource"
entitlements := readEntitlementsFromData(d)
entitlements := e.toComplexValueList()
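
Review bot: noEntitlementMessage hardcodes the API's error wording, including the spacing around the colon. If this string is compared against the returned error text, any change to the message on the server side turns an expected condition into a failure; suggest matching on a status or error code where the client exposes one, and keeping the string match only as a fallback.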
Copilot AI Sep 18, 2025

The method call should be e.entitlements.toComplexValueList() to access the embedded entitlements field, not called directly on the entitlementsResource struct.

Suggested change
entitlements := e.toComplexValueList()
entitlements := e.entitlements.toComplexValueList()
