Add support for Vector Search Endpoint (direct only) #4887
Merged
Conversation
denik
reviewed
Apr 16, 2026
…date Co-authored-by: Jan Rose
denik
approved these changes
Apr 20, 2026
bernardo-rodriguez
pushed a commit
to bernardo-rodriguez/b-cli
that referenced
this pull request
Apr 21, 2026
…s#5046)

## Changes

Address review nits on databricks#4887:

- **`update/min_qps/script`**: drop redundant `--keep` + manual `rm` pair in `print_requests()`. `print_requests.py` already deletes `out.requests.txt` when `--keep` is omitted, so the pair was a no-op. ([thread](databricks#4887 (comment)))
- **`drift/min_qps/script`**: record `bundle plan --output json` alongside the existing `contains.py` summary check, so the test pins down that `min_qps` is the *only* field detected as changed (old=1, new=1, remote=5), not just the overall count. ([thread](databricks#4887 (comment)))

Not in this PR: the [`recreated_same_name` badness thread](databricks#4887 (comment)) — that requires real behavior change (storing `endpoint_uuid` in state and comparing it via `OverrideChangeDesc`, similar to `dashboards.go`'s etag pattern), so it'll get its own follow-up PR.

## Tests

- `go test ./acceptance -run TestAccept/bundle/resources/vector_search_endpoints/update/min_qps`
- `go test ./acceptance -run TestAccept/bundle/resources/vector_search_endpoints/drift/min_qps`
deco-sdk-tagging Bot
added a commit
that referenced
this pull request
Apr 22, 2026
## Release v0.298.0

### CLI

* Added `--limit` flag to all paginated list commands for client-side result capping ([#4984](#4984)). On `jobs list` and `jobs list-runs` the former API page-size flag was renamed to `--page-size` (hidden) to avoid collision.
* Accept `yes` in addition to `y` for confirmation prompts, and show `[y/N]` to indicate that no is the default.
* Cache `/.well-known/databricks-config` lookups under `~/.cache/databricks/<version>/host-metadata/` so repeat CLI invocations against the same host skip the ~700ms discovery round trip.
* Deprecated `auth env`. The command is hidden from help listings and prints a deprecation warning to stderr; it will be removed in a future release.

### Bundles

* Remove `experimental-jobs-as-code` template, superseded by `pydabs` ([#4999](#4999)).
* Prompt before destroying or recreating Lakebase resources (database instances, synced database tables, postgres projects and branches) ([#5052](#5052)).
* Treat deleted resources as not running in the `fail-on-active-runs` check ([#5044](#5044)).
* engine/direct: Added support for Vector Search Endpoints ([#4887](#4887)).
* engine/direct: Exclude deploy-only fields (e.g. `lifecycle`) from the Apps update mask so requests that change both `description` and `lifecycle.started` in the same deploy no longer fail with `INVALID_PARAMETER_VALUE` ([#5042](#5042), [#5051](#5051)).
* engine/direct: Fix phantom diffs from `depends_on` reordering in job tasks ([#4990](#4990)).

### Dependency updates

* Bump `github.com/databricks/databricks-sdk-go` from v0.126.0 to v0.128.0 ([#4984](#4984), [#5031](#5031)).
* Bump Go toolchain to 1.25.9 ([#5004](#5004)).
2 tasks
shreyas-goenka
added a commit
that referenced
this pull request
May 3, 2026
…ting principal (#5151)

## Summary

The invariant test config used `user_name: viewer@example.com`, which doesn't exist in the cloud workspaces. The Permissions Set API silently drops the unknown user, so a Read after deploy returns an ACL without that entry — the no_drift invariant then sees a phantom update and the test fails on aws-prod-ucws.

Pre-existing bug from #4887, not caught earlier because deploy itself was failing on the 50-char endpoint name limit (#5108) before reaching the no_drift check.

### Failure shape (before this fix)

```
"resources.vector_search_endpoints.bar.permissions": {
  "action": "update",
  "new_state": {
    "value": {
      "__embed__": [
        { "level": "CAN_USE", "user_name": "viewer@example.com" },
        { "level": "CAN_MANAGE", "service_principal_name": "[USERNAME]" }
      ]
    }
  },
  "remote_state": {
    "__embed__": [
      { "level": "CAN_MANAGE", "service_principal_name": "[USERNAME]" }
    ]
  },
  ...
}
```

### Change

Use `group_name: users` (always present in every workspace) to match the pattern used by the other `*_with_permissions` invariant configs (`job_with_permissions`, `model_with_permissions`, `secret_scope_with_permissions`).

## Test plan

- [x] Local: `go test ./acceptance -run 'TestAccept/bundle/invariant/no_drift/DATABRICKS_BUNDLE_ENGINE=direct/INPUT_CONFIG=vector_search_endpoint'` passes
- [x] Cloud: same target passes on aws-prod-ucws

This pull request was AI-assisted by Isaac.
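The phantom update described in the commit message above comes from a grant that was requested but never persisted, which can be checked for by comparing the requested ACL with the one read back after deploy. The following Go code is an added example, not code from this pull request or the Databricks CLI; the `ACE` type, `DroppedGrants` and the sample constants are hypothetical names, and the sample ACLs are copied from the failure shape above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ACE mirrors one entry of the "__embed__" arrays in the failure shape above.
type ACE struct {
	Level                string `json:"level"`
	UserName             string `json:"user_name,omitempty"`
	GroupName            string `json:"group_name,omitempty"`
	ServicePrincipalName string `json:"service_principal_name,omitempty"`
}

// key identifies a grant by user, group, service principal and level.
func (a ACE) key() string {
	return a.UserName + "|" + a.GroupName + "|" + a.ServicePrincipalName + "|" + a.Level
}

// DroppedGrants returns requested entries missing from the ACL read back after deploy.
func DroppedGrants(requestedJSON, remoteJSON string) ([]ACE, error) {
	var requested, remote []ACE
	if err := json.Unmarshal([]byte(requestedJSON), &requested); err != nil {
		return nil, fmt.Errorf("requested ACL: %w", err)
	}
	if err := json.Unmarshal([]byte(remoteJSON), &remote); err != nil {
		return nil, fmt.Errorf("remote ACL: %w", err)
	}
	seen := make(map[string]bool, len(remote))
	for _, a := range remote {
		seen[a.key()] = true
	}
	var dropped []ACE
	for _, a := range requested {
		if !seen[a.key()] {
			dropped = append(dropped, a)
		}
	}
	return dropped, nil
}

// Sample ACLs (hypothetical constants) copied from the failure shape in the commit message.
const sampleRequested = `[{"level":"CAN_USE","user_name":"viewer@example.com"},{"level":"CAN_MANAGE","service_principal_name":"[USERNAME]"}]`
const sampleRemote = `[{"level":"CAN_MANAGE","service_principal_name":"[USERNAME]"}]`

func main() {
	fmt.Println(DroppedGrants(sampleRequested, sampleRemote))
}
```

A non-empty result after a deploy means the declared permissions and the effective ACL disagree, so the bundle config no longer describes who actually has access.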
denik
added a commit
that referenced
this pull request
May 20, 2026
## Changes
Adds `vector_search_endpoints` as a first-class resource type, using the
direct deployment engine (only, no TF support).
### New configuration surface
```yaml
resources:
  vector_search_endpoints:
    my_endpoint:
      name: my-endpoint
      endpoint_type: STANDARD
      min_qps: 1
      budget_policy_id: my-policy
      permissions:
        - level: CAN_USE
          group_name: data-team
```
Required fields: `name`, `endpoint_type`. Optional: `min_qps`, `budget_policy_id`, `permissions`.

## Key points to note

**State ID = endpoint name.** The CRUD API identifies endpoints by name; the UUID (`endpoint_uuid`) is stored separately in the refresh output for use by the permissions API.

**`endpoint_type` is immutable.** Changing it triggers delete + recreate (`resources.yml`).

**Two separate update APIs.** `DoUpdate` dispatches to:
- `UpdateEndpointBudgetPolicy` when `budget_policy_id` changes
- `PatchEndpoint` when `min_qps` changes

These can fire in the same deploy if both fields change.

**`budget_policy_id` drift is suppressed.** The API returns `effective_budget_policy_id` (which includes inherited workspace policies), not the user-set value. Until the SDK exposes `budget_policy_id` separately, remote changes to this field are ignored (`reason: effective_vs_requested` in `resources.yml`). See TODO in `bundle/direct/dresources/vector_search_endpoint.go:53`.

**Permissions use UUID, not name.** The `PreparePermissionsInputConfig` function uses `${...endpoint_uuid}` as the object ID when constructing the permissions API path for vector search endpoints.

**Direct-only validation.** `ValidateDirectOnlyResources` (`bundle/config/mutator/`) emits an error at plan/deploy time if vector_search_endpoints are present in a non-direct bundle. Vector Search Endpoints have no Terraform provider.

**No dev-mode name prefix.** Like UC resources, vector search endpoint names are NOT prefixed with the dev user name in development mode.
## Tests
- Acceptance & Unit tests.
- Tested e2e with CLI build.
---------
Co-authored-by: Denis Bilenko <denis.bilenko@databricks.com>
denik
pushed a commit
that referenced
this pull request
May 20, 2026
denik
pushed a commit
that referenced
this pull request
May 20, 2026
denik
pushed a commit
that referenced
this pull request
May 20, 2026
TanishqDatabricks
pushed a commit
to TanishqDatabricks/cli
that referenced
this pull request
May 22, 2026