[ISSUE] Issue with databricks_grants resource and "MANAGE ALLOWLIST"

[tlecomte]

Configuration

resource "databricks_grants" "allowlist_grant" {
  provider  = databricks.workspace
  metastore = databricks_metastore.primary.id
  grant {
    principal  = "TheGroup"
    privileges = ["MANAGE ALLOWLIST"]
  }
}

Expected Behavior

Terraform should create the grants successfully.

Actual Behavior

First time Terraform fails with:

Error: cannot create grants: permissions for metastore-******* are &{[{TheGroup [MANAGE_ALLOWLIST] [Principal]}]}, but have to be {[{TheGroup [MANAGE ALLOWLIST] []}]}

And on further retries, Terraform fails with:

Error: cannot create grants: Duplicate privileges to add and delete.

Steps to Reproduce

1. terraform apply

Terraform and provider versions

• Terraform 1.6.6
• Provider 1.41 (cannot try 1.42 due to [ISSUE] Issue with databricks_cluster resource #3553)

Is it a regression?

No, it's the 1st time we are trying.

Debug Output

(We don't have it right now, but we could adjust our CI to provide it if needed)

Important Factoids

This is preventing us from applying fine-grained permissions to look at the artifact allowlist. In the meantime, we'll have to grant metastore owner permissions.

Would you like to implement a fix?

Sorry, not at this point.

[nkvuong]

@tlecomte could you specify the permission as MANAGE_ALLOWLIST (with underscore, not space)

[tlecomte]

Thanks @nkvuong, you're right, it does work correctly with MANAGE_ALLOWLIST with an underscore.

Maybe the error message could be improved?

[nkvuong]

@tlecomte we're trying to resolve it in this PR #3292