Commit 9767900

denik and claude authored
direct: Fix permissions state path to match input config schema (#4703)
## Changes

- Add `EmbeddedSlice` field name convention to struct walkers in `libs/structs/` — when a struct field is named `EmbeddedSlice`, walkers treat it as transparent (no path segment added), so its elements appear directly at the parent path
- Apply this to `PermissionsState`: rename `Permissions` field to `EmbeddedSlice`, making state paths like `resources.jobs.foo.permissions[0]` match input config paths (previously `resources.jobs.foo.permissions.permissions[0]`)
- Change state file version to 2 and introduce automatic migration from 0 & 1 to 2.

## Why

The direct deployment engine's permissions state used a wrapper struct that added an extra `permissions` segment to paths. This caused a mismatch with input config paths, preventing dependency tracking between permissions and their parent resources. With this fix, state and config paths are consistent.

## Tests

- New acceptance & invariant tests for references from/to permissions.
- New invariant test that checks that bundle deployed with previous fixed version (0.293.0) does not have drift when CLI is upgraded to latest.

---------

Co-authored-by: Claude Opus 4.6 <[email protected]>
1 parent c745805 commit 9767900
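
The path change described in the commit message, as an added Go example that is not the project's code: a minimal reflection walker (hypothetical `LeafPaths`, hypothetical `WrappedState`/`FlatState` types, and an assumed `object_id` field) showing how treating a field named `EmbeddedSlice` as transparent removes the duplicate `permissions` segment.

```go
package main

import (
	"fmt"
	"reflect"
)

// Hypothetical types for illustration; not the CLI's own definitions.
type Permission struct {
	Level     string `json:"level"`
	GroupName string `json:"group_name"`
}
type WrappedState struct { // old shape: wrapper field adds a "permissions" segment
	ObjectID    string       `json:"object_id"`
	Permissions []Permission `json:"permissions"`
}

type FlatState struct { // new shape: field named EmbeddedSlice adds no segment
	ObjectID      string `json:"object_id"`
	EmbeddedSlice []Permission
}

// LeafPaths lists every leaf path below prefix (hypothetical walker).
func LeafPaths(prefix string, v reflect.Value) []string {
	var out []string
	switch v.Kind() {
	case reflect.Struct:
		for i := 0; i < v.NumField(); i++ {
			f, p := v.Type().Field(i), prefix
			if f.Name != "EmbeddedSlice" { // transparent field: add no segment
				p += "." + f.Tag.Get("json")
			}
			out = append(out, LeafPaths(p, v.Field(i))...)
		}
	case reflect.Slice:
		for i := 0; i < v.Len(); i++ {
			out = append(out, LeafPaths(fmt.Sprintf("%s[%d]", prefix, i), v.Index(i))...)
		}
	default:
		out = []string{prefix}
	}
	return out
}

func main() {
	perms := []Permission{{"CAN_VIEW", "users"}} // constructed sample
	base := "resources.jobs.foo.permissions"
	fmt.Println(LeafPaths(base, reflect.ValueOf(WrappedState{"/jobs/1", perms})))
	fmt.Println(LeafPaths(base, reflect.ValueOf(FlatState{"/jobs/1", perms})))
}
```

With the wrapped shape, a config reference to `resources.jobs.foo.permissions[0].level` has no matching state path; with the flat shape it does.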

123 files changed, +1599 -610 lines changed

NEXT_CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -10,6 +10,7 @@
1010

1111
### Bundles
1212
* engine/direct: Fix permanent drift on experiment name field ([#4627](https://github.com/databricks/cli/pull/4627))
13+
* engine/direct: Fix permissions state path to match input config schema ([#4703](https://github.com/databricks/cli/pull/4703))
1314

1415
### Dependency updates
1516
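Review bot: The new entry at line 13 describes only the path fix, while the commit message also states that the state file version changes to 2 with automatic migration from 0 and 1. A state format bump is user-visible, for example when an older CLI later reads a migrated state file, so consider mentioning it in this entry or in a second bullet, and say how a CLI that does not know version 2 is expected to behave.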

acceptance/acceptance_test.go

Lines changed: 6 additions & 0 deletions
@@ -209,6 +209,12 @@ func testAccept(t *testing.T, inprocessMode bool, singleTest string) int {
209209
t.Setenv("CLI", execPath)
210210
repls.SetPath(execPath, "[CLI]")
211211

212+
if !inprocessMode {
213+
cli293Path := DownloadCLI(t, buildDir, "0.293.0")
214+
t.Setenv("CLI_293", cli293Path)
215+
repls.SetPath(cli293Path, "[CLI_293]")
216+
}
217+
212218
paths := []string{
213219
// Make helper scripts available
214220
filepath.Join(cwd, "bin"),
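Review bot: The added block at lines 212-216 calls `DownloadCLI(t, buildDir, "0.293.0")` on every run with `!inprocessMode`, even when `singleTest` selects a test that never uses `$CLI_293`, which puts a network fetch of a release binary on the common path. Consider downloading lazily or only when a selected test needs it, and confirm that `DownloadCLI` pins and verifies the artifact (checksum or signature), since tests will run whatever binary lands at `cli293Path`. The version also appears twice, in the argument and in the `CLI_293` name; a single constant would keep the two from drifting apart.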
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
true

acceptance/bundle/apps/job_permissions/out.test.toml

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

acceptance/bundle/apps/job_permissions/output.txt

Lines changed: 0 additions & 1 deletion
@@ -7,7 +7,6 @@ Deployment complete!
77

88
=== After first deploy
99
>>> has_manage_run
10-
true
1110

1211
=== After second deploy
1312
>>> [CLI] bundle deploy

acceptance/bundle/apps/job_permissions/script

Lines changed: 12 additions & 1 deletion
@@ -12,7 +12,18 @@ has_manage_run() {
1212
}
1313

1414
title "After first deploy"
15-
trace has_manage_run
15+
trace has_manage_run > out.after_first_deploy.$DATABRICKS_BUNDLE_ENGINE.txt
16+
# This is flaky on direct, because there are (at least) two ways to complete deployment:
17+
# sequence 1:
18+
# job is deployed
19+
# job permissions are deployed
20+
# app is deployed
21+
# sequence 2:
22+
# job is deployed
23+
# app is deployed, updates job permissions
24+
# job permissions are deployed
25+
# (It does not appear flaky on TF, maybe there is enough delay in one of the resources)
26+
rm -f out.after_first_deploy.direct.txt
1627

1728
title "After second deploy"
1829
trace $CLI bundle deploy
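Review bot: Lines 15 and 26 write the `has_manage_run` result to a per-engine file and then delete the direct one, so on the direct engine the test no longer asserts anything about the permission after the first deploy. The comment describes two orders in which the app's update of the job permissions and the job permissions resource itself can land; that is an ordering dependency on an access-control grant, not only test noise, so it deserves a tracking issue linked from the comment, and ideally an explicit dependency or a wait so the check can be kept for direct. Minor: the redirect target expands `$DATABRICKS_BUNDLE_ENGINE` unquoted; quoting it and using `${DATABRICKS_BUNDLE_ENGINE:?}` would fail early when the variable is unset.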
Lines changed: 1 addition & 7 deletions
@@ -1,11 +1,5 @@
1-
# Direct engine error: cannot plan resources.jobs.my_job.permissions: cannot update
2-
# [0].service_principal_name: failed to navigate to parent [0]: [0]: cannot index struct.
3-
# This is a bug in structaccess.Set() where it fails to index into a struct when
4-
# setting permissions with service_principal_name.
5-
# See https://github.com/databricks/cli/pull/4644
6-
Badness = "Direct engine fails to plan permissions with service_principal_name on jobs"
71
Cloud = true
82
RecordRequests = false
93

104
[EnvMatrix]
11-
DATABRICKS_BUNDLE_ENGINE = ["terraform"]
5+
DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]

acceptance/bundle/deployment/bind/dashboard/recreation/out.state_after_bind.direct.json

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
{
2-
"state_version": 1,
2+
"state_version": 2,
33
"cli_version": "[DEV_VERSION]",
44
"lineage": "[UUID]",
55
"serial": 2,
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
bundle:
2+
name: test-bundle-$UNIQUE_NAME
3+
4+
resources:
5+
jobs:
6+
# job_src defines permissions and a tag value used as references by other resources
7+
job_src:
8+
name: test-job-src-$UNIQUE_NAME
9+
tags:
10+
perm_group: users
11+
permissions:
12+
- level: CAN_VIEW
13+
group_name: users
14+
15+
# job_perm_ref uses permission fields from job_src as its permission values
16+
job_perm_ref:
17+
name: test-job-perm-ref-$UNIQUE_NAME
18+
permissions:
19+
- level: ${resources.jobs.job_src.permissions[0].level}
20+
group_name: ${resources.jobs.job_src.permissions[0].group_name}
21+
22+
# job_tag_ref uses a job tag from job_src as a permission group_name
23+
job_tag_ref:
24+
name: test-job-tag-ref-$UNIQUE_NAME
25+
permissions:
26+
- level: CAN_VIEW
27+
group_name: ${resources.jobs.job_src.tags.perm_group}
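Review bot: All three jobs use only `group_name` principals (lines 13, 20 and 27), while the `Badness` entry removed elsewhere in this commit was about `service_principal_name`. Add a case that references `user_name` or `service_principal_name` so the reference path is covered for each principal kind. For `job_tag_ref`, line 27 makes a tag value the grantee of a permission; a short comment saying this is deliberate test input would help, because the grantee then changes whenever the tag does.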
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
bundle:
2+
name: test-bundle-$UNIQUE_NAME
3+
4+
resources:
5+
jobs:
6+
job_b:
7+
name: test-job-b-$UNIQUE_NAME
8+
permissions:
9+
- level: CAN_VIEW
10+
group_name: users
11+
- level: CAN_MANAGE
12+
group_name: admins
13+
14+
job_a:
15+
name: test-job-a-$UNIQUE_NAME
16+
permissions:
17+
# Reference level and group_name from job_b by index
18+
- level: ${resources.jobs.job_b.permissions[0].level}
19+
group_name: ${resources.jobs.job_b.permissions[0].group_name}
20+
- level: ${resources.jobs.job_b.permissions[1].level}
21+
group_name: ${resources.jobs.job_b.permissions[1].group_name}
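Review bot: The references at lines 18-21 select entries of `job_b.permissions` by position, so the grants on `job_a` depend on list order: if the two entries of `job_b` are swapped, or the resolved list comes back in a different order, `job_a` follows without any visible change in its own definition. Consider adding a variant that reorders the list in `job_b` and asserts the resulting plan, plus a negative case for an out-of-range index such as `permissions[2]`, so that this failure mode produces a clear error and not an empty principal.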
