Fix secret scope permissions migration from Terraform to Direct engine (#4866)

## Summary
- Fix `bundle deployment migrate` for bundles with secret scopes to
prevent phantom drift on `secret_scopes.*.permissions` after migration
from Terraform to Direct engine.
- Handle `databricks_secret_acl` in `ParseResourcesState`: multiple ACL
resources per scope are mapped to a single `.permissions` state entry
with the scope name as ID, similar to how `databricks_permissions` and
`databricks_grants` are handled.
- Expose resources.secret_scopes.foo.permissions as a separate entry in
terraform JSON plan as well to match direct engine.

## Test plan
- Re-enable the previously excluded secret scope migration acceptance
tests.
- New invariant test config for secret scope with ACLs.

Author: denik

NEXT_CHANGELOG.md

@@ -14,6 +14,7 @@
 * engine/direct: Fix unwanted recreation of secret scopes when scope_backend_type is not set ([#4834](https://github.com/databricks/cli/pull/4834))
 * engine/direct: Fix bind and unbind for non-Terraform resources ([#4850](https://github.com/databricks/cli/pull/4850))
 * engine/direct: Fix deploying removed principals ([#4824](https://github.com/databricks/cli/pull/4824))
+* engine/direct: Fix secret scope permissions migration from Terraform to Direct engine ([#4866](https://github.com/databricks/cli/pull/4866))
 
 ### Dependency updates
 

acceptance/bundle/invariant/configs/secret_scope_with_permissions.yml.tmpl

@@ -0,0 +1,13 @@
+bundle:
+  name: test-bundle-$UNIQUE_NAME
+
+resources:
+  secret_scopes:
+    foo:
+      name: test-scope-$UNIQUE_NAME
+      backend_type: DATABRICKS
+      permissions:
+        - level: READ
+          group_name: users
+        - level: WRITE
+          group_name: admins

acceptance/bundle/invariant/continue_293/out.test.toml

@@ -2,10 +2,6 @@
 EnvMatrixExclude.no_catalog = ["INPUT_CONFIG=catalog.yml.tmpl"]
 EnvMatrixExclude.no_external_location = ["INPUT_CONFIG=external_location.yml.tmpl"]
 
-# Unexpected action='create' for resources.secret_scopes.foo.permissions
-EnvMatrixExclude.no_secret_scope = ["INPUT_CONFIG=secret_scope.yml.tmpl"]
-EnvMatrixExclude.no_secret_scope2 = ["INPUT_CONFIG=secret_scope_default_backend_type.yml.tmpl"]
-
 # Cross-resource permission references (e.g. ${resources.jobs.job_b.permissions[0].level})
 # don't work in terraform mode: the terraform interpolator converts the path to
 # ${databricks_job.job_b.permissions[0].level}, but Terraform's databricks_job resource

acceptance/bundle/invariant/migrate/out.test.toml

@@ -49,6 +49,7 @@ EnvMatrix.INPUT_CONFIG = [
     "schema_with_grants.yml.tmpl",
     "secret_scope.yml.tmpl",
     "secret_scope_default_backend_type.yml.tmpl",
+    "secret_scope_with_permissions.yml.tmpl",
     "synced_database_table.yml.tmpl",
     "volume.yml.tmpl",
 ]

acceptance/bundle/invariant/migrate/test.toml

@@ -3,6 +3,9 @@
   "plan": {
     "resources.secret_scopes.my_scope": {
       "action": "create"
+    },
+    "resources.secret_scopes.my_scope.permissions": {
+      "action": "create"
     }
   }
 }

acceptance/bundle/invariant/no_drift/out.test.toml

@@ -3,6 +3,9 @@
   "plan": {
     "resources.secret_scopes.my_scope": {
       "action": "recreate"
+    },
+    "resources.secret_scopes.my_scope.permissions": {
+      "action": "recreate"
     }
   }
 }

acceptance/bundle/invariant/test.toml

@@ -3,6 +3,9 @@
   "plan": {
     "resources.secret_scopes.my_scope": {
       "action": "skip"
+    },
+    "resources.secret_scopes.my_scope.permissions": {
+      "action": "skip"
     }
   }
 }