Added preview for GCP PSC workspace (#2090)

docs/resources/mws_workspaces.md

@@ -257,6 +257,8 @@ output "databricks_token" {
 }
 ```
 
+In order to create a [Databricks Workspace that leverages GCP Private Service Connect](https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/private-service-connect.html) please ensure that you have read and understood the [Enable Private Service Connect](https://docs.gcp.databricks.com/administration-guide/cloud-configurations/gcp/private-service-connect.html) documentation and then customise the example above with the relevant examples from [mws_vpc_endpoint](mws_vpc_endpoint.md), [mws_private_access_settings](mws_private_access_settings.md) and [mws_networks](mws_networks.md).
+
 #### Creating a Databricks on GCP workspace with Databricks-Managed VPC
 
 ![VPCs](https://docs.databricks.com/_images/customer-managed-vpc.png)
@@ -302,24 +304,25 @@ output "databricks_token" {
 
 ## Argument Reference
 
--> **Note** All workspaces would be verified to get into runnable state or deleted upon failure. You can only update `credentials_id`, `network_id`, and `storage_customer_managed_key_id` on a running workspace.
+-> **Note** All workspaces would be verified to get into runnable state or deleted upon failure. You can only update `credentials_id`, `network_id`, and `storage_customer_managed_key_id`, `private_access_settings_id` on a running workspace.
 
-The following arguments are available and cannot be changed after workspace is created:
+The following arguments are available:
 
 * `account_id` - Account Id that could be found in the bottom left corner of [Accounts Console](https://accounts.cloud.databricks.com/).
 * `deployment_name` - (Optional) part of URL as in `https://<prefix>-<deployment-name>.cloud.databricks.com`. Deployment name cannot be used until a deployment name prefix is defined. Please contact your Databricks representative. Once a new deployment prefix is added/updated, it only will affect the new workspaces created.
-* `workspace_name` - name of the workspace, will appear on UI
+* `workspace_name` - name of the workspace, will appear on UI.
 * `network_id` - (Optional) `network_id` from [networks](mws_networks.md).
-* `aws_region` - (AWS only) region of VPC
-* `storage_configuration_id` - (AWS only)`storage_configuration_id` from [storage configuration](mws_storage_configurations.md)
+* `aws_region` - (AWS only) region of VPC.
+* `storage_configuration_id` - (AWS only)`storage_configuration_id` from [storage configuration](mws_storage_configurations.md).
 * `managed_services_customer_managed_key_id` - (Optional, AWS only) `customer_managed_key_id` from [customer managed keys](mws_customer_managed_keys.md) with `use_cases` set to `MANAGED_SERVICES`. This is used to encrypt the workspace's notebook and secret data in the control plane.
-* `location` - (GCP only) region of the subnet
+* `location` - (GCP only) region of the subnet.
 * `cloud_resource_container` - (GCP only) A block that specifies GCP workspace configurations, consisting of following blocks:
   * `gcp` - A block that consists of the following field:
     * `project_id` - The Google Cloud project ID, which the workspace uses to instantiate cloud resources for your workspace.
-* `gke_config` - A block that specifies GKE configuration for the Databricks workspace:
-  * `connectivity_type`: Specifies the network connectivity types for the GKE nodes and the GKE master network. Possible values are: `PRIVATE_NODE_PUBLIC_MASTER`, `PUBLIC_NODE_PUBLIC_MASTER`
+* `gke_config` - (GCP only) A block that specifies GKE configuration for the Databricks workspace:
+  * `connectivity_type`: Specifies the network connectivity types for the GKE nodes and the GKE master network. Possible values are: `PRIVATE_NODE_PUBLIC_MASTER`, `PUBLIC_NODE_PUBLIC_MASTER`.
   * `master_ip_range`: The IP range from which to allocate GKE cluster master resources. This field will be ignored if GKE private cluster is not enabled. It must be exactly as big as `/28`.
+* `private_access_settings_id` - (Optional) Canonical unique identifier of [databricks_mws_private_access_settings](mws_private_access_settings.md) in Databricks Account.
 
 ## token block
 
@@ -384,3 +387,4 @@ The following resources are used in the same context:
 * [databricks_mws_log_delivery](mws_log_delivery.md) to configure delivery of [billable usage logs](https://docs.databricks.com/administration-guide/account-settings/billable-usage-delivery.html) and [audit logs](https://docs.databricks.com/administration-guide/account-settings/audit-logs.html).
 * [databricks_mws_networks](mws_networks.md) to [configure VPC](https://docs.databricks.com/administration-guide/cloud-configurations/aws/customer-managed-vpc.html) & subnets for new workspaces within AWS.
 * [databricks_mws_storage_configurations](mws_storage_configurations.md) to configure root bucket new workspaces within AWS.
+* [databricks_mws_private_access_settings](mws_private_access_settings.md) to create a [Private Access Setting](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html#step-5-create-a-private-access-settings-configuration-using-the-databricks-account-api) that can be used as part of a [databricks_mws_workspaces](mws_workspaces.md) resource to create a [Databricks Workspace that leverages AWS PrivateLink](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html).

internal/acceptance/mws_workspaces_test.go

@@ -109,3 +109,49 @@ func TestMwsAccGcpByovpcWorkspaces(t *testing.T) {
 		}`,
 	})
 }
+
+func TestMwsAccGcpPscWorkspaces(t *testing.T) {
+	accountLevel(t, step{
+		Template: `
+		resource "databricks_mws_networks" "this" {
+			account_id   = "{env.DATABRICKS_ACCOUNT_ID}"
+			network_name = "{env.TEST_PREFIX}-network-{var.RANDOM}"
+			gcp_network_info {
+				network_project_id = "{env.GOOGLE_PROJECT}"
+				vpc_id = "{env.VPC_NETWORK_ID}"
+				subnet_id = "{env.SUBNET_ID}"
+				subnet_region = "{env.GOOGLE_REGION}"
+				pod_ip_range_name = "{env.POD_IP_RANGE_NAME}"
+				service_ip_range_name = "{env.SVC_IP_RANGE_NAME}"
+			}
+		}
+
+		resource "databricks_mws_private_access_settings" "this" {
+			account_id = "{env.DATABRICKS_ACCOUNT_ID}"
+			private_access_settings_name = "tf-pas-{var.RANDOM}"
+			region = "{env.GOOGLE_REGION}"
+			public_access_enabled = true
+			private_access_level = "ACCOUNT"
+		}
+		
+		resource "databricks_mws_workspaces" "this" {
+			account_id      = "{env.DATABRICKS_ACCOUNT_ID}"
+			workspace_name  = "{env.TEST_PREFIX}-{var.RANDOM}"
+			location        = "{env.GOOGLE_REGION}"
+	
+			cloud_resource_container {
+				gcp {
+					project_id = "{env.GOOGLE_PROJECT}"
+				}
+			}
+            
+            private_access_settings_id = databricks_mws_private_access_settings.this.private_access_settings_id
+			network_id = databricks_mws_networks.this.network_id
+			
+			gke_config {
+				connectivity_type = "PRIVATE_NODE_PUBLIC_MASTER"
+				master_ip_range = "10.3.0.0/28"
+			}
+		}`,
+	})
+}

mws/resource_mws_workspaces.go

@@ -122,6 +122,9 @@ func (w *Workspace) MarshalJSON() ([]byte, error) {
 	if w.NetworkID != "" {
 		workspaceCreationRequest["network_id"] = w.NetworkID
 	}
+	if w.PrivateAccessSettingsID != "" {
+		workspaceCreationRequest["private_access_settings_id"] = w.PrivateAccessSettingsID
+	}
 	if w.GkeConfig != nil {
 		workspaceCreationRequest["gke_config"] = w.GkeConfig
 	}

mws/resource_mws_workspaces_test.go

@@ -152,6 +152,83 @@ func TestResourceWorkspaceCreateGcp(t *testing.T) {
 	}.ApplyNoError(t)
 }
 
+func TestResourceWorkspaceCreateGcpPsc(t *testing.T) {
+	qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "POST",
+				Resource: "/api/2.0/accounts/abc/workspaces",
+				// retreating to raw JSON, as certain fields don't work well together
+				ExpectedRequest: map[string]any{
+					"account_id": "abc",
+					"cloud":      "gcp",
+					"cloud_resource_container": map[string]any{
+						"gcp": map[string]any{
+							"project_id": "def",
+						},
+					},
+					"location":                   "bcd",
+					"private_access_settings_id": "pas_id_a",
+					"network_id":                 "net_id_a",
+					"gke_config": map[string]any{
+						"master_ip_range":   "e",
+						"connectivity_type": "PRIVATE_NODE_PUBLIC_MASTER",
+					},
+					"gcp_managed_network_config": map[string]any{
+						"gke_cluster_pod_ip_range":     "b",
+						"gke_cluster_service_ip_range": "c",
+						"subnet_cidr":                  "a",
+					},
+					"workspace_name": "labdata",
+				},
+				Response: Workspace{
+					WorkspaceID:    1234,
+					AccountID:      "abc",
+					DeploymentName: "900150983cd24fb0",
+					WorkspaceName:  "labdata",
+				},
+			},
+			{
+				Method:       "GET",
+				ReuseRequest: true,
+				Resource:     "/api/2.0/accounts/abc/workspaces/1234",
+				Response: Workspace{
+					AccountID:       "abc",
+					WorkspaceID:     1234,
+					WorkspaceStatus: WorkspaceStatusRunning,
+					DeploymentName:  "900150983cd24fb0",
+					WorkspaceName:   "labdata",
+				},
+			},
+		},
+		Resource: ResourceMwsWorkspaces(),
+		HCL: `
+		account_id      = "abc"
+		workspace_name  = "labdata"
+		deployment_name = "900150983cd24fb0"
+		location        = "bcd"
+		cloud_resource_container {
+			gcp {
+				project_id = "def"
+			}
+		}
+		private_access_settings_id = "pas_id_a"
+		network_id = "net_id_a"
+		gcp_managed_network_config {
+			subnet_cidr = "a"
+			gke_cluster_pod_ip_range = "b"
+			gke_cluster_service_ip_range = "c"
+		}
+		gke_config {
+			connectivity_type = "PRIVATE_NODE_PUBLIC_MASTER"
+			master_ip_range = "e"
+		}
+		`,
+		Gcp:    true,
+		Create: true,
+	}.ApplyNoError(t)
+}
+
 func TestResourceWorkspaceCreateWithIsNoPublicIPEnabledFalse(t *testing.T) {
 	d, err := qa.ResourceFixture{
 		Fixtures: []qa.HTTPFixture{