bundle: reject genie_space permissions during plan

Databricks workspaces do not expose a permissions endpoint for Genie
Spaces (PUT /permissions/genie/spaces/<id> returns 404
ENDPOINT_NOT_FOUND). Without an upfront check the deploy creates the
space first and then errors when applying permissions, leaving partial
state behind.

Add ValidateGenieSpacePermissions to the PreDeployChecks pipeline so
both per-resource permissions and bundle-level permissions propagated
by ApplyBundlePermissions surface a clear validation error before any
API call is made.

Co-authored-by: Isaac

Author: janniklasrose

acceptance/bundle/validate/genie_space_permissions_unsupported/databricks.yml

@@ -0,0 +1,21 @@
+bundle:
+  name: genie-space-permissions-unsupported
+
+resources:
+  genie_spaces:
+    inline_perms:
+      title: "Inline Perms"
+      warehouse_id: "test-warehouse-id"
+      serialized_space: "{}"
+      permissions:
+        - level: CAN_MANAGE
+          user_name: someone@example.com
+
+    bundle_perms:
+      title: "Bundle Perms"
+      warehouse_id: "test-warehouse-id"
+      serialized_space: "{}"
+
+permissions:
+  - level: CAN_MANAGE
+    user_name: someone@example.com

acceptance/bundle/validate/genie_space_permissions_unsupported/out.test.toml

@@ -0,0 +1,22 @@
+Recommendation: permissions section should explicitly include the current deployment identity '[USERNAME]' or one of its groups
+If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.
+
+Consider using a adding a top-level permissions section such as the following:
+
+  permissions:
+    - user_name: [USERNAME]
+      level: CAN_MANAGE
+
+See https://docs.databricks.com/dev-tools/bundles/permissions.html to learn more about permission configuration.
+  in databricks.yml:20:3
+
+Error: Genie Space permissions are not supported
+
+Databricks workspaces do not expose a permissions endpoint for Genie Spaces, so a deploy with permissions configured would create the space and then fail. Remove the permissions block, or remove the Genie Space from any bundle-level permissions, until the API adds support.
+
+Error: Genie Space permissions are not supported
+
+Databricks workspaces do not expose a permissions endpoint for Genie Spaces, so a deploy with permissions configured would create the space and then fail. Remove the permissions block, or remove the Genie Space from any bundle-level permissions, until the API adds support.
+
+
+Exit code: 1

acceptance/bundle/validate/genie_space_permissions_unsupported/output.txt

@@ -0,0 +1 @@
+$CLI bundle plan

acceptance/bundle/validate/genie_space_permissions_unsupported/script

@@ -0,0 +1,8 @@
+Local = true
+Cloud = false
+
+Ignore = [".databricks"]
+
+# Genie spaces only support direct deployment engine.
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["direct"]

acceptance/bundle/validate/genie_space_permissions_unsupported/test.toml

@@ -0,0 +1,44 @@
+package mutator
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/libs/diag"
+)
+
+type validateGenieSpacePermissions struct{}
+
+// ValidateGenieSpacePermissions errors if any genie_space resource has
+// permissions configured. The Databricks workspace API does not expose
+// PUT /permissions/genie/spaces/<id>, so the deploy would create the
+// space and then fail when applying permissions, leaving partial state.
+// Bundle-level permissions are propagated to genie_spaces by
+// ApplyBundlePermissions and are caught here as well.
+func ValidateGenieSpacePermissions() bundle.Mutator {
+	return &validateGenieSpacePermissions{}
+}
+
+func (m *validateGenieSpacePermissions) Name() string {
+	return "ValidateGenieSpacePermissions"
+}
+
+func (m *validateGenieSpacePermissions) Apply(_ context.Context, b *bundle.Bundle) diag.Diagnostics {
+	var diags diag.Diagnostics
+
+	for key, space := range b.Config.Resources.GenieSpaces {
+		if space == nil || len(space.Permissions) == 0 {
+			continue
+		}
+
+		diags = diags.Append(diag.Diagnostic{
+			Severity:  diag.Error,
+			Summary:   "Genie Space permissions are not supported",
+			Detail:    "Databricks workspaces do not expose a permissions endpoint for Genie Spaces, so a deploy with permissions configured would create the space and then fail. Remove the permissions block, or remove the Genie Space from any bundle-level permissions, until the API adds support.",
+			Locations: b.Config.GetLocations(fmt.Sprintf("resources.genie_spaces.%s.permissions", key)),
+		})
+	}
+
+	return diags
+}

bundle/config/mutator/validate_genie_space_permissions.go

@@ -0,0 +1,54 @@
+package mutator_test
+
+import (
+	"testing"
+
+	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/config"
+	"github.com/databricks/cli/bundle/config/mutator"
+	"github.com/databricks/cli/bundle/config/resources"
+	"github.com/databricks/databricks-sdk-go/service/iam"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidateGenieSpacePermissions_NoPermissions(t *testing.T) {
+	b := &bundle.Bundle{
+		Config: config.Root{
+			Resources: config.Resources{
+				GenieSpaces: map[string]*resources.GenieSpace{
+					"my_space": {
+						GenieSpaceConfig: resources.GenieSpaceConfig{
+							Title: "My Space",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	diags := bundle.Apply(t.Context(), b, mutator.ValidateGenieSpacePermissions())
+	assert.Empty(t, diags)
+}
+
+func TestValidateGenieSpacePermissions_WithPermissionsErrors(t *testing.T) {
+	b := &bundle.Bundle{
+		Config: config.Root{
+			Resources: config.Resources{
+				GenieSpaces: map[string]*resources.GenieSpace{
+					"my_space": {
+						GenieSpaceConfig: resources.GenieSpaceConfig{
+							Title: "My Space",
+						},
+						Permissions: []resources.Permission{
+							{Level: iam.PermissionLevel("CAN_MANAGE"), UserName: "user@example.com"},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	diags := bundle.Apply(t.Context(), b, mutator.ValidateGenieSpacePermissions())
+	assert.Len(t, diags, 1)
+	assert.Equal(t, "Genie Space permissions are not supported", diags[0].Summary)
+}

bundle/config/mutator/validate_genie_space_permissions_test.go

@@ -25,6 +25,7 @@ func PreDeployChecks(ctx context.Context, b *bundle.Bundle, isPlan bool, engine
 		deploy.StatePull(),
 		mutator.ValidateGitDetails(),
 		mutator.ValidateDirectOnlyResources(engine),
+		mutator.ValidateGenieSpacePermissions(),
 		mutator.ValidateLifecycleStarted(engine),
 		statemgmt.CheckRunningResource(engine),
 	)