databricks · shreyas-goenka · Nov 5, 2025 · Nov 5, 2025 · Nov 5, 2025 · Nov 5, 2025
@@ -145,6 +145,19 @@ func TestInprocessMode(t *testing.T) {
 	require.Equal(t, 1, testAccept(t, true, "selftest/server"))
 }
 
+// Configure replacements for environment variables we read from test environments.
+func setReplsForTestEnvVars(t *testing.T, repls *testdiff.ReplacementsContext) {
+	envVars := []string{
+		"TEST_DEFAULT_WAREHOUSE_ID",
+		"TEST_INSTANCE_POOL_ID",
+	}
+	for _, envVar := range envVars {
+		if value := os.Getenv(envVar); value != "" {
+			repls.Set(value, "["+envVar+"]")
+		}
+	}
+}
+
 func testAccept(t *testing.T, inprocessMode bool, singleTest string) int {
 	repls := testdiff.ReplacementsContext{}
 	cwd, err := os.Getwd()
@@ -232,17 +245,14 @@ func testAccept(t *testing.T, inprocessMode bool, singleTest string) int {
 		}
 	}
 
+	setReplsForTestEnvVars(t, &repls)
+
 	if cloudEnv != "" && UseVersion == "" {
 		// Create linux release artifacts, to be used by the cloud-only ssh tunnel tests
 		releasesDir := CreateReleaseArtifacts(t, cwd, coverDir, "linux")
 		t.Setenv("CLI_RELEASES_DIR", releasesDir)
 	}
 
-	testDefaultWarehouseId := os.Getenv("TEST_DEFAULT_WAREHOUSE_ID")
-	if testDefaultWarehouseId != "" {
-		repls.Set(testDefaultWarehouseId, "[TEST_DEFAULT_WAREHOUSE_ID]")
-	}
-
 	terraformrcPath := filepath.Join(terraformDir, ".terraformrc")
 	t.Setenv("TF_CLI_CONFIG_FILE", terraformrcPath)
 	t.Setenv("DATABRICKS_TF_CLI_CONFIG_FILE", terraformrcPath)
@@ -256,8 +266,6 @@ func testAccept(t *testing.T, inprocessMode bool, singleTest string) int {
 	// do it last so that full paths match first:
 	repls.SetPath(buildDir, "[BUILD_DIR]")
 
-	repls.Set(os.Getenv("TEST_INSTANCE_POOL_ID"), "[TEST_INSTANCE_POOL_ID]")
-
 	testdiff.PrepareReplacementsDevVersion(t, &repls)
 	testdiff.PrepareReplacementSdkVersion(t, &repls)
 	testdiff.PrepareReplacementsGoVersion(t, &repls)

@@ -439,6 +439,13 @@ resources.dashboards.*.serialized_dashboard	string	ALL
 resources.dashboards.*.update_time	string	ALL
 resources.dashboards.*.url	string	INPUT
 resources.dashboards.*.warehouse_id	string	ALL
+resources.dashboards.*.permissions.object_id	string	ALL
+resources.dashboards.*.permissions.permissions	[]iam.AccessControlRequest	ALL
+resources.dashboards.*.permissions.permissions[*]	iam.AccessControlRequest	ALL
+resources.dashboards.*.permissions.permissions[*].group_name	string	ALL
+resources.dashboards.*.permissions.permissions[*].permission_level	iam.PermissionLevel	ALL
+resources.dashboards.*.permissions.permissions[*].service_principal_name	string	ALL
+resources.dashboards.*.permissions.permissions[*].user_name	string	ALL
 resources.database_catalogs.*.create_database_if_not_exists	bool	ALL
 resources.database_catalogs.*.database_instance_name	string	ALL
 resources.database_catalogs.*.database_name	string	ALL

@@ -0,0 +1,13 @@
+bundle:
+  name: dashboard-perm-$UNIQUE_NAME
+
+resources:
+  dashboards:
+    foo:
+      display_name: test-dashboard-$UNIQUE_NAME
+      warehouse_id: $TEST_DEFAULT_WAREHOUSE_ID
+      parent_path: /Users/$CURRENT_USER_NAME/folder1
+      serialized_dashboard: '{"pages":[{"name":"page1","displayName":"Page 1"}]}'
+      permissions:
+        - level: CAN_READ
+          user_name: $TEST_USER_EMAIL
@@ -0,0 +1,41 @@
+{
+  "plan": {
+    "resources.dashboards.foo": {
+      "action": "create",
+      "new_state": {
+        "value": {
+          "display_name": "test-dashboard-[UNIQUE_NAME]",
+          "parent_path": "/Users/[USERNAME]/folder1",
+          "warehouse_id": "[TEST_DEFAULT_WAREHOUSE_ID]"
+        }
+      }
+    },
+    "resources.dashboards.foo.permissions": {
+      "depends_on": [
+        {
+          "node": "resources.dashboards.foo",
+          "label": "${resources.dashboards.foo.id}"
+        }
+      ],
+      "action": "create",
+      "new_state": {
+        "value": {
+          "object_id": "",
+          "permissions": [
+            {
+              "permission_level": "CAN_READ",
+              "user_name": "deco-test-user@databricks.com"
+            },
+            {
+              "permission_level": "CAN_MANAGE",
+              "service_principal_name": "[USERNAME]"
+            }
+          ]
+        },
+        "vars": {
+          "object_id": "/dashboards/${resources.dashboards.foo.id}"
+        }
+      }
+    }
+  }
+}
@@ -0,0 +1,10 @@
+{
+  "plan": {
+    "resources.dashboards.foo": {
+      "action": "create"
+    },
+    "resources.dashboards.foo.permissions": {
+      "action": "create"
+    }
+  }
+}
@@ -0,0 +1,16 @@
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/dashboards/[DASHBOARD_ID]",
+  "body": {
+    "access_control_list": [
+      {
+        "permission_level": "CAN_READ",
+        "user_name": "deco-test-user@databricks.com"
+      },
+      {
+        "permission_level": "CAN_MANAGE",
+        "service_principal_name": "[USERNAME]"
+      }
+    ]
+  }
+}
@@ -0,0 +1,16 @@
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/dashboards/[DASHBOARD_ID]",
+  "body": {
+    "access_control_list": [
+      {
+        "permission_level": "CAN_MANAGE",
+        "service_principal_name": "[USERNAME]"
+      },
+      {
+        "permission_level": "CAN_READ",
+        "user_name": "deco-test-user@databricks.com"
+      }
+    ]
+  }
+}
@@ -0,0 +1,5 @@
+{
+  "method": "PUT",
+  "path": "/api/2.0/permissions/dashboards/[DASHBOARD_ID]",
+  "body": {}
+}
@@ -0,0 +1,27 @@
+
+>>> [CLI] bundle validate -o json
+[
+  {
+    "level": "CAN_READ",
+    "user_name": "deco-test-user@databricks.com"
+  },
+  {
+    "level": "CAN_MANAGE",
+    "service_principal_name": "[USERNAME]"
+  }
+]
+
+>>> [CLI] bundle deploy
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/dashboard-perm-[UNIQUE_NAME]/default/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> [CLI] bundle destroy --auto-approve
+The following resources will be deleted:
+  delete resources.dashboards.foo
+
+All files and directories at the following location will be deleted: /Workspace/Users/[USERNAME]/.bundle/dashboard-perm-[UNIQUE_NAME]/default
+
+Deleting files...
+Destroy complete!
@@ -0,0 +1,21 @@
+if [ -z "$CLOUD_ENV" ]; then
+    export TEST_USER_EMAIL="deco-test-user@databricks.com"
+fi
+
+envsubst < databricks.yml.tmpl > databricks.yml
+
+trace $CLI bundle validate -o json | jq .resources.dashboards.foo.permissions
+rm out.requests.txt
+
+$CLI bundle plan --output json > out.plan.$DATABRICKS_BUNDLE_ENGINE.json
+
+rm out.requests.txt
+trace $CLI bundle deploy
+
+dashboard_id=$($CLI bundle summary --output json | jq -r '.resources.dashboards.foo.id')
+echo "$dashboard_id:DASHBOARD_ID" >> ACC_REPLS
+
+print_requests.py //permissions > out.requests.deploy.$DATABRICKS_BUNDLE_ENGINE.json
+
+trace $CLI bundle destroy --auto-approve
+print_requests.py //permissions > out.requests.destroy.$DATABRICKS_BUNDLE_ENGINE.json
@@ -0,0 +1,3 @@
+Local = false
+RequiresWarehouse = true
+Cloud = true
@@ -56,6 +56,18 @@ DIFF  clusters/current_can_manage/out.requests.destroy.direct.json
 +  }
 +]
 MATCH clusters/target/out.requests.direct.json
+MATCH dashboards/create/out.requests.deploy.direct.json
+DIFF  dashboards/create/out.requests.destroy.direct.json
+--- dashboards/create/out.requests.destroy.direct.json
++++ dashboards/create/out.requests.destroy.terraform.json
+@@ -1 +1,7 @@
+-[]+[
++  {
++    "body": {},
++    "method": "PUT",
++    "path": "/api/2.0/permissions/dashboards/[DASHBOARD_ID]"
++  }
++]
 MATCH database_instances/current_can_manage/out.requests.deploy.direct.json
 DIFF  database_instances/current_can_manage/out.requests.destroy.direct.json
 --- database_instances/current_can_manage/out.requests.destroy.direct.json

@@ -34,6 +34,7 @@ var SupportedResources = map[string]any{
 	"models.permissions":                  (*ResourcePermissions)(nil),
 	"sql_warehouses.permissions":          (*ResourcePermissions)(nil),
 	"model_serving_endpoints.permissions": (*ResourcePermissions)(nil),
+	"dashboards.permissions":              (*ResourcePermissions)(nil),
 
 	// Grants
 	"schemas.grants":           (*ResourceGrants)(nil),

@@ -19,6 +19,7 @@ import (
 	"github.com/databricks/databricks-sdk-go"
 	"github.com/databricks/databricks-sdk-go/service/apps"
 	"github.com/databricks/databricks-sdk-go/service/catalog"
+	"github.com/databricks/databricks-sdk-go/service/dashboards"
 	"github.com/databricks/databricks-sdk-go/service/database"
 	"github.com/databricks/databricks-sdk-go/service/iam"
 	"github.com/databricks/databricks-sdk-go/service/jobs"
@@ -298,6 +299,36 @@ var testDeps = map[string]prepareWorkspace{
 		}, nil
 	},
 
+	"dashboards.permissions": func(client *databricks.WorkspaceClient) (any, error) {
+		ctx := context.Background()
+		parentPath := "/Workspace/Users/user@example.com"
+
+		// Create parent directory if it doesn't exist
+		err := client.Workspace.MkdirsByPath(ctx, parentPath)
+		if err != nil {
+			return nil, err
+		}
+
+		resp, err := client.Lakeview.Create(ctx, dashboards.CreateDashboardRequest{
+			Dashboard: dashboards.Dashboard{
+				DisplayName:         "dashboard-permissions",
+				ParentPath:          parentPath,
+				SerializedDashboard: `{"pages":[{"name":"page1","displayName":"Page 1"}]}`,
+			},
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		return &PermissionsState{
+			ObjectID: "/dashboards/" + resp.DashboardId,
+			Permissions: []iam.AccessControlRequest{{
+				PermissionLevel: "CAN_MANAGE",
+				UserName:        "user@example.com",
+			}},
+		}, nil
+	},
+
 	"model_serving_endpoints.permissions": func(client *databricks.WorkspaceClient) (any, error) {
 		waiter, err := client.ServingEndpoints.Create(context.Background(), serving.CreateServingEndpoint{
 			Name: "endpoint-permissions",