databricks
diff --git a/‎acceptance/bundle/invariant/configs/schema_grant_ref.yml.tmpl‎
Lines changed: 28 additions & 0 deletions b/‎acceptance/bundle/invariant/configs/schema_grant_ref.yml.tmpl‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎acceptance/bundle/invariant/configs/schema_with_grants.yml.tmpl‎
Lines changed: 12 additions & 0 deletions b/‎acceptance/bundle/invariant/configs/schema_with_grants.yml.tmpl‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎acceptance/bundle/invariant/continue_293/out.test.toml‎
Lines changed: 1 addition & 1 deletion b/‎acceptance/bundle/invariant/continue_293/out.test.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎acceptance/bundle/invariant/continue_293/test.toml‎
Lines changed: 2 additions & 2 deletions b/‎acceptance/bundle/invariant/continue_293/test.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎acceptance/bundle/invariant/migrate/out.test.toml‎
Lines changed: 1 addition & 1 deletion b/‎acceptance/bundle/invariant/migrate/out.test.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎acceptance/bundle/invariant/migrate/test.toml‎
Lines changed: 3 additions & 0 deletions b/‎acceptance/bundle/invariant/migrate/test.toml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎acceptance/bundle/invariant/no_drift/out.test.toml‎
Lines changed: 1 addition & 1 deletion b/‎acceptance/bundle/invariant/no_drift/out.test.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎acceptance/bundle/invariant/test.toml‎
Lines changed: 2 additions & 0 deletions b/‎acceptance/bundle/invariant/test.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎acceptance/bundle/migrate/grants/out.new_state.json‎
Lines changed: 3 additions & 3 deletions b/‎acceptance/bundle/migrate/grants/out.new_state.json‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎acceptance/bundle/refschema/out.fields.txt‎
Lines changed: 20 additions & 0 deletions b/‎acceptance/bundle/refschema/out.fields.txt‎
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,28 @@
+bundle:
+  name: test-bundle-$UNIQUE_NAME
+
+resources:
+  schemas:
+    schema_b:
+      catalog_name: main
+      name: test-schema-b-$UNIQUE_NAME
+      grants:
+        - principal: account users
+          privileges:
+            - USE_SCHEMA
+        - principal: admins
+          privileges:
+            - CREATE_TABLE
+            - USE_SCHEMA
+
+    schema_a:
+      catalog_name: main
+      name: test-schema-a-$UNIQUE_NAME
+      grants:
+        # Reference principal and privileges from schema_b by index
+        - principal: ${resources.schemas.schema_b.grants[0].principal}
+          privileges:
+            - USE_SCHEMA
+        - principal: ${resources.schemas.schema_b.grants[1].principal}
+          privileges:
+            - CREATE_TABLE
@@ -0,0 +1,12 @@
+bundle:
+  name: test-bundle-$UNIQUE_NAME
+
+resources:
+  schemas:
+    foo:
+      catalog_name: main
+      name: test-schema-$UNIQUE_NAME
+      grants:
+        - principal: account users
+          privileges:
+            - USE_SCHEMA
@@ -1,7 +1,7 @@
 Cloud = false
 Slow = true
 
-# Cross-resource permission references (${resources.jobs.X.permissions[N].field}) require
-# permissions to be part of the job schema, which was added after v0.293.0.
+# $resources references to permissions and grants are not supported on v0.293.0
 EnvMatrixExclude.no_permission_ref = ["INPUT_CONFIG=job_permission_ref.yml.tmpl"]
 EnvMatrixExclude.no_cross_resource_ref = ["INPUT_CONFIG=job_cross_resource_ref.yml.tmpl"]
+EnvMatrixExclude.no_grant_ref = ["INPUT_CONFIG=schema_grant_ref.yml.tmpl"]
@@ -13,3 +13,6 @@ EnvMatrixExclude.no_secret_scope = ["INPUT_CONFIG=secret_scope.yml.tmpl"]
 # ends up as the permission level value.
 EnvMatrixExclude.no_permission_ref = ["INPUT_CONFIG=job_permission_ref.yml.tmpl"]
 EnvMatrixExclude.no_cross_resource_ref = ["INPUT_CONFIG=job_cross_resource_ref.yml.tmpl"]
+
+# Grant cross-references require the EmbeddedSlice pattern not present in terraform mode.
+EnvMatrixExclude.no_grant_ref = ["INPUT_CONFIG=schema_grant_ref.yml.tmpl"]
@@ -45,6 +45,8 @@ EnvMatrix.INPUT_CONFIG = [
     "postgres_project.yml.tmpl",
     "registered_model.yml.tmpl",
     "schema.yml.tmpl",
+    "schema_grant_ref.yml.tmpl",
+    "schema_with_grants.yml.tmpl",
     "secret_scope.yml.tmpl",
     "synced_database_table.yml.tmpl",
     "volume.yml.tmpl",
 
@@ -24,7 +24,7 @@
    "state": {
     "securable_type": "function",
     "full_name": "main.schema_grants.mymodel",
-    "grants": [
+    "__embed__": [
      {
       "principal": "[email protected]",
       "privileges": [
@@ -52,7 +52,7 @@
    "state": {
     "securable_type": "schema",
     "full_name": "main.schema_grants",
-    "grants": [
+    "__embed__": [
      {
       "principal": "[email protected]",
       "privileges": [
@@ -89,7 +89,7 @@
    "state": {
     "securable_type": "volume",
     "full_name": "main.schema_grants.volume_name",
-    "grants": [
+    "__embed__": [
      {
       "principal": "[email protected]",
       "privileges": [
 
@@ -253,6 +253,10 @@ resources.catalogs.*.updated_by	string	REMOTE
 resources.catalogs.*.url	string	INPUT
 resources.catalogs.*.grants.full_name	string	ALL
 resources.catalogs.*.grants.securable_type	string	ALL
+resources.catalogs.*.grants[*]	catalog.PrivilegeAssignment	ALL
+resources.catalogs.*.grants[*].principal	string	ALL
+resources.catalogs.*.grants[*].privileges	[]catalog.Privilege	ALL
+resources.catalogs.*.grants[*].privileges[*]	catalog.Privilege	ALL
 resources.clusters.*.apply_policy_default_values	bool	INPUT	STATE
 resources.clusters.*.autoscale	*compute.AutoScale	ALL
 resources.clusters.*.autoscale.max_workers	int	ALL
@@ -683,6 +687,10 @@ resources.external_locations.*.updated_by	string	REMOTE
 resources.external_locations.*.url	string	ALL
 resources.external_locations.*.grants.full_name	string	ALL
 resources.external_locations.*.grants.securable_type	string	ALL
+resources.external_locations.*.grants[*]	catalog.PrivilegeAssignment	ALL
+resources.external_locations.*.grants[*].principal	string	ALL
+resources.external_locations.*.grants[*].privileges	[]catalog.Privilege	ALL
+resources.external_locations.*.grants[*].privileges[*]	catalog.Privilege	ALL
 resources.jobs.*.budget_policy_id	string	ALL
 resources.jobs.*.continuous	*jobs.Continuous	ALL
 resources.jobs.*.continuous.pause_status	jobs.PauseStatus	ALL
@@ -2680,6 +2688,10 @@ resources.registered_models.*.updated_by	string	ALL
 resources.registered_models.*.url	string	INPUT
 resources.registered_models.*.grants.full_name	string	ALL
 resources.registered_models.*.grants.securable_type	string	ALL
+resources.registered_models.*.grants[*]	catalog.PrivilegeAssignment	ALL
+resources.registered_models.*.grants[*].principal	string	ALL
+resources.registered_models.*.grants[*].privileges	[]catalog.Privilege	ALL
+resources.registered_models.*.grants[*].privileges[*]	catalog.Privilege	ALL
 resources.schemas.*.browse_only	bool	REMOTE
 resources.schemas.*.catalog_name	string	ALL
 resources.schemas.*.catalog_type	catalog.CatalogType	REMOTE
@@ -2709,6 +2721,10 @@ resources.schemas.*.updated_by	string	REMOTE
 resources.schemas.*.url	string	INPUT
 resources.schemas.*.grants.full_name	string	ALL
 resources.schemas.*.grants.securable_type	string	ALL
+resources.schemas.*.grants[*]	catalog.PrivilegeAssignment	ALL
+resources.schemas.*.grants[*].principal	string	ALL
+resources.schemas.*.grants[*].privileges	[]catalog.Privilege	ALL
+resources.schemas.*.grants[*].privileges[*]	catalog.Privilege	ALL
 resources.secret_scopes.*.backend_azure_keyvault	*workspace.AzureKeyVaultSecretScopeMetadata	STATE
 resources.secret_scopes.*.backend_azure_keyvault.dns_name	string	STATE
 resources.secret_scopes.*.backend_azure_keyvault.resource_id	string	STATE
@@ -2871,3 +2887,7 @@ resources.volumes.*.volume_id	string	REMOTE
 resources.volumes.*.volume_type	catalog.VolumeType	ALL
 resources.volumes.*.grants.full_name	string	ALL
 resources.volumes.*.grants.securable_type	string	ALL
+resources.volumes.*.grants[*]	catalog.PrivilegeAssignment	ALL
+resources.volumes.*.grants[*].principal	string	ALL
+resources.volumes.*.grants[*].privileges	[]catalog.Privilege	ALL
+resources.volumes.*.grants[*].privileges[*]	catalog.Privilege	ALL