[Feature] Update databricks_permissions resource to support vector-se…

…arch-endpoints (#4209)

## Changes
Databricks permissions API has been updated to support
`vector-search-endpoints`. This corresponding change to the
permissions_definitions would enable the use of the
`databricks_permissions` resource to manage ACLs for Vector Search
Endpoints leveraging the existing APIs under the hood.

Example CLI call confirming support: 
```
databricks permissions get vector-search-endpoints {endpoint-id} --debug
18:56:25  INFO start pid=77800 version=0.224.1 args="databricks, permissions, get, vector-search-endpoints, {endpoint-id}, --debug"
18:56:25  INFO Ignoring pat auth, because databricks-cli is preferred pid=77800 sdk=true
18:56:25  INFO Ignoring basic auth, because databricks-cli is preferred pid=77800 sdk=true
18:56:25  INFO Ignoring oauth-m2m auth, because databricks-cli is preferred pid=77800 sdk=true
18:56:25  INFO Refreshed OAuth token from Databricks CLI, expires on 2024-11-11 19:00:53.515729 -0500 EST pid=77800 sdk=true
18:56:25 DEBUG Using Databricks CLI authentication with Databricks OAuth tokens pid=77800 sdk=true
18:56:25  INFO Refreshed OAuth token from Databricks CLI, expires on 2024-11-11 19:00:53.515729 -0500 EST pid=77800 sdk=true
18:56:26 DEBUG GET /api/2.0/permissions/vector-search-endpoints/{endpoint-id}
< HTTP/2.0 200 OK
< {
<   "access_control_list": [
....
```

## Tests
<!-- 
How is this tested? Please see the checklist below and also describe any
other relevant tests
-->

- [X] `make test` run locally
- [X] relevant change in `docs/` folder
- [x] covered with integration tests in `internal/acceptance`
- [ ] relevant acceptance tests are passing
- [X] using Go SDK

---------

Co-authored-by: Alex Ott <[email protected]>

docs/resources/permissions.md

@@ -639,6 +639,35 @@ resource "databricks_permissions" "ml_serving_usage" {
 }
 ```
 
+## Mosaic AI Vector Search usage
+
+Valid permission levels for [databricks_vector_search_endpoint](vector_search_endpoint.md) are: `CAN_USE` and `CAN_MANAGE`.
+
+```hcl
+resource "databricks_vector_search_endpoint" "this" {
+  name          = "vector-search-test"
+  endpoint_type = "STANDARD"
+}
+
+resource "databricks_group" "eng" {
+  display_name = "Engineering"
+}
+
+resource "databricks_permissions" "vector_search_endpoint_usage" {
+  vector_search_endpoint_id = databricks_vector_search_endpoint.this.endpoint_id
+
+  access_control {
+    group_name       = "users"
+    permission_level = "CAN_USE"
+  }
+
+  access_control {
+    group_name       = databricks_group.eng.display_name
+    permission_level = "CAN_MANAGE"
+  }
+}
+```
+
 ## Passwords usage
 
 By default on AWS deployments, all admin users can sign in to Databricks using either SSO or their username and password, and all API users can authenticate to the Databricks REST APIs using their username and password. As an admin, you [can limit](https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#optional-configure-password-access-control) admin users’ and API users’ ability to authenticate with their username and password by configuring `CAN_USE` permissions using password access control.
@@ -895,6 +924,7 @@ Exactly one of the following arguments is required:
 - `experiment_id` - [MLflow experiment](mlflow_experiment.md) id
 - `registered_model_id` - [MLflow registered model](mlflow_model.md) id
 - `serving_endpoint_id` - [Model Serving](model_serving.md) endpoint id.
+- `vector_search_endpoint_id` - [Vector Search](vector_search_endpoint.md) endpoint id.
 - `authorization` - either [`tokens`](https://docs.databricks.com/administration-guide/access-control/tokens.html) or [`passwords`](https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#configure-password-permission).
 - `sql_endpoint_id` - [SQL warehouse](sql_endpoint.md) id
 - `sql_dashboard_id` - [SQL dashboard](sql_dashboard.md) id

internal/acceptance/permissions_test.go

@@ -866,6 +866,29 @@ func TestAccPermissions_ServingEndpoint(t *testing.T) {
 	})
 }
 
+// AlexOtt: Temporary disable as it takes too long to create a new vector search endpoint
+// Testing is done in the `vector_search_test.go`
+// func TestAccPermissions_VectorSearchEndpoint(t *testing.T) {
+// 	loadDebugEnvIfRunsFromIDE(t, "workspace")
+// 	if isGcp(t) {
+// 		skipf(t)("Vector Search endpoints are not supported on GCP")
+// 	}
+// 	endpointTemplate := `
+// 	resource "databricks_vector_search_endpoint" "endpoint" {
+// 		name = "{var.STICKY_RANDOM}"
+// 		endpoint_type = "STANDARD"
+// 	}
+// `
+// 	WorkspaceLevel(t, Step{
+// 		Template: endpointTemplate + makePermissionsTestStage("vector_search_endpoint_id", "databricks_vector_search_endpoint.endpoint.endpoint_id", groupPermissions("CAN_USE")),
+// 	}, Step{
+// 		Template: endpointTemplate + makePermissionsTestStage("vector_search_endpoint_id", "databricks_vector_search_endpoint.endpoint.endpoint_id", currentPrincipalPermission(t, "CAN_MANAGE"), groupPermissions("CAN_USE")),
+// 	}, Step{
+// 		Template:    endpointTemplate + makePermissionsTestStage("vector_search_endpoint_id", "databricks_vector_search_endpoint.endpoint.endpoint_id", currentPrincipalPermission(t, "CAN_USE"), groupPermissions("CAN_USE")),
+// 		ExpectError: regexp.MustCompile("cannot remove management permissions for the current user for mlflowExperiment, allowed levels: CAN_MANAGE"),
+// 	})
+// }
+
 func TestAccPermissions_Alert(t *testing.T) {
 	loadDebugEnvIfRunsFromIDE(t, "workspace")
 	alertTemplate := `

internal/acceptance/vector_search_test.go

@@ -20,7 +20,16 @@ func TestUcAccVectorSearchEndpoint(t *testing.T) {
 			resource "databricks_vector_search_endpoint" "this" {
 				name          = "%s"
 				endpoint_type = "STANDARD"
-			  }
+			}
+			
+			resource "databricks_permissions" "this" {
+				vector_search_endpoint_id = databricks_vector_search_endpoint.this.endpoint_id
+				
+				access_control {
+					group_name = "users"
+					permission_level = "CAN_USE"
+				}
+			}
 			`, name),
 	},
 	)

permissions/permission_definitions.go

@@ -732,5 +732,16 @@ func allResourcePermissions() []resourcePermissions {
 			updateAclCustomizers: []update.ACLCustomizer{update.AddCurrentUserAsManage},
 			deleteAclCustomizers: []update.ACLCustomizer{update.AddCurrentUserAsManage},
 		},
+		{
+			field:             "vector_search_endpoint_id",
+			objectType:        "vector-search-endpoints",
+			requestObjectType: "vector-search-endpoints",
+			allowedPermissionLevels: map[string]permissionLevelOptions{
+				"CAN_USE":    {isManagementPermission: false},
+				"CAN_MANAGE": {isManagementPermission: true},
+			},
+			updateAclCustomizers: []update.ACLCustomizer{update.AddCurrentUserAsManage},
+			deleteAclCustomizers: []update.ACLCustomizer{update.AddCurrentUserAsManage},
+		},
 	}
 }

permissions/resource_permissions_test.go

@@ -593,7 +593,7 @@ func TestResourcePermissionsCreate_invalid(t *testing.T) {
 	qa.ResourceFixture{
 		Resource: ResourcePermissions(),
 		Create:   true,
-	}.ExpectError(t, "at least one type of resource identifier must be set; allowed fields: authorization, cluster_id, cluster_policy_id, dashboard_id, directory_id, directory_path, experiment_id, instance_pool_id, job_id, notebook_id, notebook_path, pipeline_id, registered_model_id, repo_id, repo_path, serving_endpoint_id, sql_alert_id, sql_dashboard_id, sql_endpoint_id, sql_query_id, workspace_file_id, workspace_file_path")
+	}.ExpectError(t, "at least one type of resource identifier must be set; allowed fields: authorization, cluster_id, cluster_policy_id, dashboard_id, directory_id, directory_path, experiment_id, instance_pool_id, job_id, notebook_id, notebook_path, pipeline_id, registered_model_id, repo_id, repo_path, serving_endpoint_id, sql_alert_id, sql_dashboard_id, sql_endpoint_id, sql_query_id, vector_search_endpoint_id, workspace_file_id, workspace_file_path")
 }
 
 func TestResourcePermissionsCreate_no_access_control(t *testing.T) {