bundle: Add postgres_roles resource

NEXT_CHANGELOG.md

@@ -18,6 +18,7 @@
 * engine/direct: Fix WAL corruption after two consecutive failed deploys ([#5606](https://github.com/databricks/cli/pull/5606)).
 * engine/direct: Don't open the deployment state WAL when a deploy's plan fails ([#5607](https://github.com/databricks/cli/pull/5607)).
 * Ignore unity catalog managed schema property defaults to avoid unnecessary drift ([#5195](https://github.com/databricks/cli/pull/5195)).
+* Add Postgres role as a bundle resource ([#5467](https://github.com/databricks/cli/pull/5467)).
 
 ### Dependency updates
 

acceptance/bundle/deployment/bind/postgres_role/databricks.yml

@@ -0,0 +1,9 @@
+bundle:
+  name: test-bundle
+
+resources:
+  postgres_roles:
+    role1:
+      parent: projects/test-project/branches/main
+      role_id: test-role
+      postgres_role: app_role

acceptance/bundle/deployment/bind/postgres_role/output.txt

@@ -0,0 +1,32 @@
+
+>>> [CLI] bundle deployment bind role1 projects/test-project/branches/main/roles/test-role --auto-approve
+Updating deployment state...
+Successfully bound postgres_role with an id 'projects/test-project/branches/main/roles/test-role'
+Run 'bundle deploy' to deploy changes to your workspace
+
+>>> [CLI] bundle summary
+Name: test-bundle
+Target: default
+Workspace:
+  User: [USERNAME]
+  Path: /Workspace/Users/[USERNAME]/.bundle/test-bundle/default
+Resources:
+  Postgres roles:
+    role1:
+      Name: 
+      URL:  (not deployed)
+
+>>> [CLI] bundle deployment unbind role1
+Updating deployment state...
+
+>>> [CLI] bundle summary
+Name: test-bundle
+Target: default
+Workspace:
+  User: [USERNAME]
+  Path: /Workspace/Users/[USERNAME]/.bundle/test-bundle/default
+Resources:
+  Postgres roles:
+    role1:
+      Name: 
+      URL:  (not deployed)

acceptance/bundle/deployment/bind/postgres_role/script

@@ -0,0 +1,6 @@
+ROLE_NAME="projects/test-project/branches/main/roles/test-role"
+trace $CLI bundle deployment bind role1 "${ROLE_NAME}" --auto-approve
+trace $CLI bundle summary
+
+trace $CLI bundle deployment unbind role1
+trace $CLI bundle summary

acceptance/bundle/deployment/bind/postgres_role/test.toml

@@ -0,0 +1,18 @@
+Local = true
+Cloud = false
+
+Ignore = [
+    ".databricks"
+]
+
+[[Server]]
+Pattern = "GET /api/2.0/postgres/projects/test-project/branches/main/roles/test-role"
+Response.Body = '''
+{
+  "name": "projects/test-project/branches/main/roles/test-role",
+  "parent": "projects/test-project/branches/main",
+  "status": {
+    "postgres_role": "app_role"
+  }
+}
+'''

acceptance/bundle/invariant/configs/postgres_role.yml.tmpl

@@ -0,0 +1,20 @@
+bundle:
+  name: test-bundle-$UNIQUE_NAME
+
+resources:
+  postgres_projects:
+    project:
+      project_id: test-pg-project-$UNIQUE_NAME
+      display_name: Test Postgres Project
+
+  postgres_branches:
+    branch:
+      parent: ${resources.postgres_projects.project.name}
+      branch_id: test-branch-$UNIQUE_NAME
+      no_expiry: true
+
+  postgres_roles:
+    foo:
+      parent: ${resources.postgres_branches.branch.name}
+      role_id: test-role-$UNIQUE_NAME
+      postgres_role: app_role

acceptance/bundle/invariant/test.toml

@@ -48,6 +48,7 @@ EnvMatrix.INPUT_CONFIG = [
     "postgres_catalog.yml.tmpl",
     "postgres_endpoint.yml.tmpl",
     "postgres_project.yml.tmpl",
+    "postgres_role.yml.tmpl",
     "postgres_synced_table.yml.tmpl",
     "registered_model.yml.tmpl",
     "schema.yml.tmpl",
@@ -75,6 +76,7 @@ no_postgres_branch_on_cloud = ["CONFIG_Cloud=true", "INPUT_CONFIG=postgres_branc
 no_postgres_endpoint_on_cloud = ["CONFIG_Cloud=true", "INPUT_CONFIG=postgres_endpoint.yml.tmpl"]
 no_postgres_catalog_on_cloud = ["CONFIG_Cloud=true", "INPUT_CONFIG=postgres_catalog.yml.tmpl"]
 no_postgres_synced_table_on_cloud = ["CONFIG_Cloud=true", "INPUT_CONFIG=postgres_synced_table.yml.tmpl"]
+no_postgres_role_on_cloud = ["CONFIG_Cloud=true", "INPUT_CONFIG=postgres_role.yml.tmpl"]
 
 # External locations require actual storage credentials with cloud IAM setup
 # which are environment-specific, so we only test locally with the mock server

acceptance/bundle/refschema/out.fields.txt

@@ -2977,6 +2977,36 @@ resources.postgres_projects.*.permissions[*].group_name	string	ALL
 resources.postgres_projects.*.permissions[*].level	iam.PermissionLevel	ALL
 resources.postgres_projects.*.permissions[*].service_principal_name	string	ALL
 resources.postgres_projects.*.permissions[*].user_name	string	ALL
+resources.postgres_roles.*.attributes	*postgres.RoleAttributes	ALL
+resources.postgres_roles.*.attributes.bypassrls	bool	ALL
+resources.postgres_roles.*.attributes.createdb	bool	ALL
+resources.postgres_roles.*.attributes.createrole	bool	ALL
+resources.postgres_roles.*.auth_method	postgres.RoleAuthMethod	ALL
+resources.postgres_roles.*.create_time	*time.Time	REMOTE
+resources.postgres_roles.*.id	string	INPUT
+resources.postgres_roles.*.identity_type	postgres.RoleIdentityType	ALL
+resources.postgres_roles.*.lifecycle	resources.Lifecycle	INPUT
+resources.postgres_roles.*.lifecycle.prevent_destroy	bool	INPUT
+resources.postgres_roles.*.membership_roles	[]postgres.RoleMembershipRole	ALL
+resources.postgres_roles.*.membership_roles[*]	postgres.RoleMembershipRole	ALL
+resources.postgres_roles.*.modified_status	string	INPUT
+resources.postgres_roles.*.name	string	REMOTE
+resources.postgres_roles.*.parent	string	ALL
+resources.postgres_roles.*.postgres_role	string	ALL
+resources.postgres_roles.*.role_id	string	ALL
+resources.postgres_roles.*.status	*postgres.RoleRoleStatus	REMOTE
+resources.postgres_roles.*.status.attributes	*postgres.RoleAttributes	REMOTE
+resources.postgres_roles.*.status.attributes.bypassrls	bool	REMOTE
+resources.postgres_roles.*.status.attributes.createdb	bool	REMOTE
+resources.postgres_roles.*.status.attributes.createrole	bool	REMOTE
+resources.postgres_roles.*.status.auth_method	postgres.RoleAuthMethod	REMOTE
+resources.postgres_roles.*.status.identity_type	postgres.RoleIdentityType	REMOTE
+resources.postgres_roles.*.status.membership_roles	[]postgres.RoleMembershipRole	REMOTE
+resources.postgres_roles.*.status.membership_roles[*]	postgres.RoleMembershipRole	REMOTE
+resources.postgres_roles.*.status.postgres_role	string	REMOTE
+resources.postgres_roles.*.status.role_id	string	REMOTE
+resources.postgres_roles.*.update_time	*time.Time	REMOTE
+resources.postgres_roles.*.url	string	INPUT
 resources.postgres_synced_tables.*.branch	string	ALL
 resources.postgres_synced_tables.*.create_database_objects_if_missing	bool	ALL
 resources.postgres_synced_tables.*.create_time	*time.Time	REMOTE

acceptance/bundle/resources/postgres_roles/basic/databricks.yml.tmpl

@@ -0,0 +1,27 @@
+bundle:
+  name: deploy-postgres-role-$UNIQUE_NAME
+
+sync:
+  paths: []
+
+resources:
+  postgres_projects:
+    my_project:
+      project_id: test-pg-proj-$UNIQUE_NAME
+      display_name: "Test Project for Role"
+      pg_version: 16
+      history_retention_duration: "604800s"
+
+  postgres_branches:
+    main:
+      parent: ${resources.postgres_projects.my_project.id}
+      branch_id: main
+      no_expiry: true
+
+  postgres_roles:
+    my_role:
+      parent: ${resources.postgres_branches.main.id}
+      role_id: test-role
+      postgres_role: app_role
+      attributes:
+        createdb: true

acceptance/bundle/resources/postgres_roles/basic/out.requests.direct.json

@@ -0,0 +1,45 @@
+{
+  "method": "POST",
+  "path": "/api/2.0/postgres/projects",
+  "q": {
+    "project_id": "test-pg-proj-[UNIQUE_NAME]"
+  },
+  "body": {
+    "spec": {
+      "display_name": "Test Project for Role",
+      "history_retention_duration": "604800s",
+      "pg_version": 16
+    }
+  }
+}
+{
+  "method": "POST",
+  "path": "/api/2.0/postgres/projects/test-pg-proj-[UNIQUE_NAME]/branches",
+  "q": {
+    "branch_id": "main"
+  },
+  "body": {
+    "spec": {
+      "no_expiry": true
+    }
+  }
+}
+{
+  "method": "POST",
+  "path": "/api/2.0/postgres/projects/test-pg-proj-[UNIQUE_NAME]/branches/main/roles",
+  "q": {
+    "role_id": "test-role"
+  },
+  "body": {
+    "spec": {
+      "attributes": {
+        "createdb": true
+      },
+      "postgres_role": "app_role"
+    }
+  }
+}
+{
+  "method": "GET",
+  "path": "/api/2.0/postgres/projects/test-pg-proj-[UNIQUE_NAME]/branches/main/roles/test-role"
+}

acceptance/bundle/resources/postgres_roles/basic/out.requests.terraform.json

@@ -0,0 +1,47 @@
+{
+  "method": "POST",
+  "path": "/api/2.0/postgres/projects",
+  "q": {
+    "project_id": "test-pg-proj-[UNIQUE_NAME]"
+  },
+  "body": {
+    "spec": {
+      "display_name": "Test Project for Role",
+      "history_retention_duration": "604800s",
+      "pg_version": 16
+    }
+  }
+}
+{
+  "method": "POST",
+  "path": "/api/2.0/postgres/projects/test-pg-proj-[UNIQUE_NAME]/branches",
+  "q": {
+    "branch_id": "main"
+  },
+  "body": {
+    "parent": "projects/test-pg-proj-[UNIQUE_NAME]",
+    "spec": {
+      "no_expiry": true
+    }
+  }
+}
+{
+  "method": "POST",
+  "path": "/api/2.0/postgres/projects/test-pg-proj-[UNIQUE_NAME]/branches/main/roles",
+  "q": {
+    "role_id": "test-role"
+  },
+  "body": {
+    "parent": "projects/test-pg-proj-[UNIQUE_NAME]/branches/main",
+    "spec": {
+      "attributes": {
+        "createdb": true
+      },
+      "postgres_role": "app_role"
+    }
+  }
+}
+{
+  "method": "GET",
+  "path": "/api/2.0/postgres/projects/test-pg-proj-[UNIQUE_NAME]/branches/main/roles/test-role"
+}