Move secret scope .permissions handling from migrate.go to ParseResourcesState

ParseResourcesState now creates .permissions entries for ALL secret scopes
(not just those with databricks_secret_acl), so the post-Apply fixup in
migrate.go is no longer needed.

Co-authored-by: Isaac

Author: denik

bundle/deploy/terraform/util.go

@@ -117,15 +117,20 @@ func parseResourcesState(ctx context.Context, path string) (ExportedResourcesMap
 		}
 	}
 
-	// Resolve secret scope permission IDs: use the scope name (which is the scope's ID)
-	// instead of the Terraform ACL ID. The direct engine expects the scope name.
-	for key := range result {
-		if !strings.HasPrefix(key, "resources.secret_scopes.") || !strings.HasSuffix(key, ".permissions") {
+	// Ensure every secret scope has a .permissions entry. The direct engine manages
+	// permissions as a sub-resource (SecretScopeFixups adds MANAGE for the current user).
+	// For scopes with databricks_secret_acl in state, resolve the ACL ID to the scope name.
+	// For scopes without ACLs, create a .permissions entry with the scope name as ID.
+	for key, entry := range result {
+		if !strings.HasPrefix(key, "resources.secret_scopes.") || strings.Contains(key, ".permissions") {
 			continue
 		}
-		scopeKey := strings.TrimSuffix(key, ".permissions")
-		if scopeEntry, ok := result[scopeKey]; ok {
-			result[key] = ResourceState{ID: scopeEntry.ID}
+		permKey := key + ".permissions"
+		if _, exists := result[permKey]; exists {
+			// Resolve ACL ID → scope name (the direct engine expects scope name as ID).
+			result[permKey] = ResourceState{ID: entry.ID}
+		} else {
+			result[permKey] = ResourceState{ID: entry.ID}
 		}
 	}
 

bundle/deploy/terraform/util_test.go

@@ -152,8 +152,10 @@ func TestParseResourcesStateSecretScopeWithoutAcls(t *testing.T) {
 	state, err := parseResourcesState(ctx, path)
 	require.NoError(t, err)
 
-	// No ACLs → no permissions entry; migrate.go fixup handles this case.
+	// Even without ACLs, a .permissions entry is created for every secret scope,
+	// so the direct engine doesn't plan a phantom "create" after migration.
 	assert.Equal(t, ExportedResourcesMap{
-		"resources.secret_scopes.my_scope": {ID: "my-scope-name"},
+		"resources.secret_scopes.my_scope":             {ID: "my-scope-name"},
+		"resources.secret_scopes.my_scope.permissions": {ID: "my-scope-name"},
 	}, state)
 }

cmd/bundle/deployment/migrate.go

@@ -281,37 +281,6 @@ To start using direct engine, set "engine: direct" under bundle in your databric
 			return root.ErrAlreadyPrinted
 		}
 
-		// Terraform manages secret scope permissions via databricks_secret_acl resources,
-		// which are not included in the migration state. The direct engine manages them as
-		// a sub-resource (secret_scopes.*.permissions). Add state entries so that the
-		// direct engine doesn't plan a "create" action for these after migration.
-		// This runs after Apply+Finalize, so we modify the in-memory state and re-save.
-		needsResave := false
-		for key := range deploymentBundle.StateDB.Data.State {
-			if !strings.HasPrefix(key, "resources.secret_scopes.") || strings.HasSuffix(key, ".permissions") {
-				continue
-			}
-			permKey := key + ".permissions"
-			if _, exists := deploymentBundle.StateDB.Data.State[permKey]; exists {
-				continue
-			}
-			entry := deploymentBundle.StateDB.Data.State[key]
-			deploymentBundle.StateDB.Data.State[permKey] = dstate.ResourceEntry{
-				ID:    entry.ID,
-				State: json.RawMessage("{}"),
-			}
-			needsResave = true
-		}
-		if needsResave {
-			data, err := json.MarshalIndent(deploymentBundle.StateDB.Data, "", " ")
-			if err != nil {
-				return fmt.Errorf("failed to serialize state: %w", err)
-			}
-			if err := os.WriteFile(tempStatePath, data, 0o600); err != nil {
-				return fmt.Errorf("failed to write state file: %w", err)
-			}
-		}
-
 		if err := os.Rename(tempStatePath, localPath); err != nil {
 			return fmt.Errorf("renaming %s to %s: %w", tempStatePath, localPath, err)
 		}