validate permission levels relative to the object

[psg2]

Hi, folks.

This change is so we can validate during the plan relation between different resource attributes which is yet not possible on Terraform other than ConflictsWith.

The idea here is to block resources like:

resource "databricks_permissions" "cluster_permissions" {
  cluster_id = "0000"

  access_control {
    user_name = "me"

    permission_level = "CAN_USE"
  }
}

With an error like this one:

Error: permission_level CAN_USE is not supported with cluster_id objects

  on main.tf line 10, in resource "databricks_permissions" "cluster_permissions":
  10: resource "databricks_permissions" "cluster_permissions" {

References:

• ValidateFunc should support validation of two fields dependent on each other that are defined in resource schema hashicorp/terraform-plugin-sdk#354
• Multi-attribute validation hashicorp/terraform-plugin-sdk#233

[codecov]

Codecov Report

Merging #706 (2b35aa5) into master (841eaea) will decrease coverage by 0.03%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master     #706      +/-   ##
==========================================
- Coverage   83.48%   83.44%   -0.04%     
==========================================
  Files          87       87              
  Lines        7980     7991      +11     
==========================================
+ Hits         6662     6668       +6     
- Misses        840      842       +2     
- Partials      478      481       +3     

Impacted Files	Coverage Δ
access/resource_permissions.go	72.24% <100.00%> (-1.49%)	⬇️
sqlanalytics/resource_widget.go	83.58% <0.00%> (+0.74%)	⬆️

[nfx]

@psg2 , great addition. Please see the comment

[nfx]

Please incorporate with generic permissions mapping:

https://github.com/databrickslabs/terraform-provider-databricks/blob/993bc17c22cd32569fb3f65d071956c9722386a7/access/resource_permissions.go#L230

And perhaps fetch permission levels from API, so that provider won't have to be changed once new permissions are added on the platform

[psg2]

Good idea, forgot that we had those on the API. Will do the improvement.

[psg2]

However, one question just saw that the API to get cluster permissions for instance requires a cluster_id. I'm thinking if this won't be a problem, since that the CustomizeDiff runs during the plan if I understood correctly there might be the case that the cluster_id is still unresolved and we won't be able to call the API. What are your thoughts here? The same is valid for the other object types apparently.

[nfx]

@psg2 you're right. let's then keep them hardcoded. but in permissionsResourceIDFields

[psg2]

Done.

[nfx]

And we need to incorporate custom diff to couple of other resources, thanks for taking the first step

[psg2]

And we need to incorporate custom diff to couple of other resources, thanks for taking the first step

Do we have issues with those? I can take some others as well.

[nfx]

Code looks good. Have to double check permissions mapping next week