databricks · alexott · Nov 13, 2024 · Nov 11, 2024 · Nov 11, 2024 · Nov 12, 2024
@@ -639,6 +639,35 @@ resource "databricks_permissions" "ml_serving_usage" {
 }
 ```
 
+## Mosaic AI Vector Search usage
+
+Valid permission levels for [databricks_vector_search_endpoint](vector_search_endpoint.md) are: `CAN_USE` and `CAN_MANAGE`.
+
+```hcl
+resource "databricks_vector_search_endpoint" "this" {
+  name          = "vector-search-test"
+  endpoint_type = "STANDARD"
+}
+
+resource "databricks_group" "eng" {
+  display_name = "Engineering"
+}
+
+resource "databricks_permissions" "vector_search_endpoint_usage" {
+  vector_search_endpoint_id = databricks_vector_search_endpoint.this.endpoint_id
+
+  access_control {
+    group_name       = "users"
+    permission_level = "CAN_USE"
+  }
+
+  access_control {
+    group_name       = databricks_group.eng.display_name
+    permission_level = "CAN_MANAGE"
+  }
+}
+```
+
 ## Passwords usage
 
 By default on AWS deployments, all admin users can sign in to Databricks using either SSO or their username and password, and all API users can authenticate to the Databricks REST APIs using their username and password. As an admin, you [can limit](https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#optional-configure-password-access-control) admin users’ and API users’ ability to authenticate with their username and password by configuring `CAN_USE` permissions using password access control.
@@ -895,6 +924,7 @@ Exactly one of the following arguments is required:
 - `experiment_id` - [MLflow experiment](mlflow_experiment.md) id
 - `registered_model_id` - [MLflow registered model](mlflow_model.md) id
 - `serving_endpoint_id` - [Model Serving](model_serving.md) endpoint id.
+- `vector_search_endpoint_id` - [Vector Search](vector_search_endpoint.md) endpoint id.
 - `authorization` - either [`tokens`](https://docs.databricks.com/administration-guide/access-control/tokens.html) or [`passwords`](https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html#configure-password-permission).
 - `sql_endpoint_id` - [SQL warehouse](sql_endpoint.md) id
 - `sql_dashboard_id` - [SQL dashboard](sql_dashboard.md) id

@@ -866,6 +866,29 @@ func TestAccPermissions_ServingEndpoint(t *testing.T) {
 	})
 }
 
+// AlexOtt: Temporary disable as it takes too long to create a new vector search endpoint
+// Testing is done in the `vector_search_test.go`
+// func TestAccPermissions_VectorSearchEndpoint(t *testing.T) {
+// 	loadDebugEnvIfRunsFromIDE(t, "workspace")
+// 	if isGcp(t) {
+// 		skipf(t)("Vector Search endpoints are not supported on GCP")
+// 	}
+// 	endpointTemplate := `
+// 	resource "databricks_vector_search_endpoint" "endpoint" {
+// 		name = "{var.STICKY_RANDOM}"
+// 		endpoint_type = "STANDARD"
+// 	}
+// `
+// 	WorkspaceLevel(t, Step{
+// 		Template: endpointTemplate + makePermissionsTestStage("vector_search_endpoint_id", "databricks_vector_search_endpoint.endpoint.endpoint_id", groupPermissions("CAN_USE")),
+// 	}, Step{
+// 		Template: endpointTemplate + makePermissionsTestStage("vector_search_endpoint_id", "databricks_vector_search_endpoint.endpoint.endpoint_id", currentPrincipalPermission(t, "CAN_MANAGE"), groupPermissions("CAN_USE")),
+// 	}, Step{
+// 		Template:    endpointTemplate + makePermissionsTestStage("vector_search_endpoint_id", "databricks_vector_search_endpoint.endpoint.endpoint_id", currentPrincipalPermission(t, "CAN_USE"), groupPermissions("CAN_USE")),
+// 		ExpectError: regexp.MustCompile("cannot remove management permissions for the current user for mlflowExperiment, allowed levels: CAN_MANAGE"),
+// 	})
+// }
+
 func TestAccPermissions_Alert(t *testing.T) {
 	loadDebugEnvIfRunsFromIDE(t, "workspace")
 	alertTemplate := `

@@ -20,7 +20,16 @@ func TestUcAccVectorSearchEndpoint(t *testing.T) {
 			resource "databricks_vector_search_endpoint" "this" {
 				name          = "%s"
 				endpoint_type = "STANDARD"
-			  }
+			}
+
+			resource "databricks_permissions" "this" {
+				vector_search_endpoint_id = databricks_vector_search_endpoint.this.endpoint_id
+
+				access_control {
+					group_name = "users"
+					permission_level = "CAN_USE"
+				}
+			}
 			`, name),
 	},
 	)

@@ -732,5 +732,16 @@ func allResourcePermissions() []resourcePermissions {
 			updateAclCustomizers: []update.ACLCustomizer{update.AddCurrentUserAsManage},
 			deleteAclCustomizers: []update.ACLCustomizer{update.AddCurrentUserAsManage},
 		},
+		{
+			field:             "vector_search_endpoint_id",
+			objectType:        "vector-search-endpoints",
+			requestObjectType: "vector-search-endpoints",
+			allowedPermissionLevels: map[string]permissionLevelOptions{
+				"CAN_USE":    {isManagementPermission: false},
+				"CAN_MANAGE": {isManagementPermission: true},
+			},
+			updateAclCustomizers: []update.ACLCustomizer{update.AddCurrentUserAsManage},
+			deleteAclCustomizers: []update.ACLCustomizer{update.AddCurrentUserAsManage},
+		},
 	}
 }
@@ -593,7 +593,7 @@ func TestResourcePermissionsCreate_invalid(t *testing.T) {
 	qa.ResourceFixture{
 		Resource: ResourcePermissions(),
 		Create:   true,
-	}.ExpectError(t, "at least one type of resource identifier must be set; allowed fields: authorization, cluster_id, cluster_policy_id, dashboard_id, directory_id, directory_path, experiment_id, instance_pool_id, job_id, notebook_id, notebook_path, pipeline_id, registered_model_id, repo_id, repo_path, serving_endpoint_id, sql_alert_id, sql_dashboard_id, sql_endpoint_id, sql_query_id, workspace_file_id, workspace_file_path")
+	}.ExpectError(t, "at least one type of resource identifier must be set; allowed fields: authorization, cluster_id, cluster_policy_id, dashboard_id, directory_id, directory_path, experiment_id, instance_pool_id, job_id, notebook_id, notebook_path, pipeline_id, registered_model_id, repo_id, repo_path, serving_endpoint_id, sql_alert_id, sql_dashboard_id, sql_endpoint_id, sql_query_id, vector_search_endpoint_id, workspace_file_id, workspace_file_path")
 }
 
 func TestResourcePermissionsCreate_no_access_control(t *testing.T) {