[Feature] Add databricks_app resource (#4099)

## Changes
- Added `databricks_app` resource

Resolves #4084

## Tests
<!-- 
How is this tested? Please see the checklist below and also describe any
other relevant tests
-->

- [x] `make test` run locally
- [x] relevant change in `docs/` folder
- [x] covered with integration tests in `internal/acceptance`
- [x] relevant acceptance tests are passing
- [x] using Go SDK

---------

Co-authored-by: Miles Yucht <[email protected]>

docs/data-sources/app.md

@@ -0,0 +1,80 @@
+---
+subcategory: "Apps"
+---
+# databricks_app Data Source
+
+-> This feature is in [Public Preview](https://docs.databricks.com/release-notes/release-types.html).
+
+[Databricks Apps](https://docs.databricks.com/en/dev-tools/databricks-apps/index.html) run directly on a customer’s Databricks instance, integrate with their data, use and extend Databricks services, and enable users to interact through single sign-on. This resource creates the application but does not handle app deployment, which should be handled separately as part of your CI/CD pipeline.
+
+This data source allows you to fetch information about a Databricks App.
+
+## Example Usage
+
+```hcl
+data "databricks_app" "this" {
+  name             = "my-custom-app"
+}
+```
+
+## Argument Reference
+
+The following arguments are required:
+
+* `name` - The name of the app.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `app` attribute
+  * `name` - The name of the app.
+  * `description` - The description of the app.
+  * `resources` - A list of resources that the app have access to.
+  * `compute_status` attribute
+    * `state` - State of the app compute.
+    * `message` - Compute status message
+  * `app_status` attribute
+    * `state` - State of the application.
+    * `message` - Application status message
+  * `url` - The URL of the app once it is deployed.
+  * `create_time` - The creation time of the app.
+  * `creator` - The email of the user that created the app.
+  * `update_time` - The update time of the app.
+  * `updater` - The email of the user that last updated the app.
+  * `service_principal_id` - id of the app service principal
+  * `service_principal_name` - name of the app service principal
+  * `default_source_code_path` - The default workspace file system path of the source code from which app deployment are created. This field tracks the workspace source code path of the last active deployment.
+
+### resources Attribute
+
+This attribute describes a resource used by the app.
+
+* `name` - The name of the resource.
+* `description` - The description of the resource.
+
+Exactly one of the following attributes will be provided:
+
+* `secret` attribute
+  * `scope` - Scope of the secret to grant permission on.
+  * `key` - Key of the secret to grant permission on.
+  * `permission` - Permission to grant on the secret scope. For secrets, only one permission is allowed. Permission must be one of: `READ`, `WRITE`, `MANAGE`.
+* `sql_warehouse` attribute
+  * `id` - Id of the SQL warehouse to grant permission on.
+  * `permission` - Permission to grant on the SQL warehouse. Supported permissions are: `CAN_MANAGE`, `CAN_USE`, `IS_OWNER`.
+* `serving_endpoint` attribute
+  * `name` - Name of the serving endpoint to grant permission on.
+  * `permission` - Permission to grant on the serving endpoint. Supported permissions are: `CAN_MANAGE`, `CAN_QUERY`, `CAN_VIEW`.
+* `job` attribute
+  * `id` - Id of the job to grant permission on.
+  * `permission` - Permissions to grant on the Job. Supported permissions are: `CAN_MANAGE`, `IS_OWNER`, `CAN_MANAGE_RUN`, `CAN_VIEW`.
+
+## Related Resources
+
+The following resources are used in the same context:
+
+* [databricks_app](../resources/app.md) to manage [Databricks Apps](https://docs.databricks.com/en/dev-tools/databricks-apps/index.html).
+* [databricks_sql_endpoint](sql_endpoint.md) to manage Databricks SQL [Endpoints](https://docs.databricks.com/sql/admin/sql-endpoints.html).
+* [databricks_model_serving](model_serving.md) to serve this model on a Databricks serving endpoint.
+* [databricks_secret](secret.md) to manage [secrets](https://docs.databricks.com/security/secrets/index.html#secrets-user-guide) in Databricks workspace.
+* [databricks_job](job.md) to manage [Databricks Jobs](https://docs.databricks.com/jobs.html) to run non-interactive code.

docs/data-sources/apps.md

@@ -0,0 +1,72 @@
+---
+subcategory: "Apps"
+---
+# databricks_apps Data Source
+
+-> This feature is in [Public Preview](https://docs.databricks.com/release-notes/release-types.html).
+
+[Databricks Apps](https://docs.databricks.com/en/dev-tools/databricks-apps/index.html) run directly on a customer’s Databricks instance, integrate with their data, use and extend Databricks services, and enable users to interact through single sign-on. This resource creates the application but does not handle app deployment, which should be handled separately as part of your CI/CD pipeline.
+
+This data source allows you to fetch information about all Databricks Apps within a workspace.
+
+## Example Usage
+
+```hcl
+data "databricks_apps" "all_apps" {}
+```
+
+## Attribute Reference
+
+The following attributes are exported:
+
+* `apps` - A list of [databricks_app](../resources/app.md) resources.
+  * `name` - The name of the app.
+  * `description` - The description of the app.
+  * `resources` - A list of resources that the app have access to.
+  * `compute_status` attribute
+    * `state` - State of the app compute.
+    * `message` - Compute status message
+  * `app_status` attribute
+    * `state` - State of the application.
+    * `message` - Application status message
+  * `url` - The URL of the app once it is deployed.
+  * `create_time` - The creation time of the app.
+  * `creator` - The email of the user that created the app.
+  * `update_time` - The update time of the app.
+  * `updater` - The email of the user that last updated the app.
+  * `service_principal_id` - id of the app service principal
+  * `service_principal_name` - name of the app service principal
+  * `default_source_code_path` - The default workspace file system path of the source code from which app deployment are created. This field tracks the workspace source code path of the last active deployment.
+
+### resources Attribute
+
+This attribute describes a resource used by the app.
+
+* `name` - The name of the resource.
+* `description` - The description of the resource.
+
+Exactly one of the following attributes will be provided:
+
+* `secret` attribute
+  * `scope` - Scope of the secret to grant permission on.
+  * `key` - Key of the secret to grant permission on.
+  * `permission` - Permission to grant on the secret scope. For secrets, only one permission is allowed. Permission must be one of: `READ`, `WRITE`, `MANAGE`.
+* `sql_warehouse` attribute
+  * `id` - Id of the SQL warehouse to grant permission on.
+  * `permission` - Permission to grant on the SQL warehouse. Supported permissions are: `CAN_MANAGE`, `CAN_USE`, `IS_OWNER`.
+* `serving_endpoint` attribute
+  * `name` - Name of the serving endpoint to grant permission on.
+  * `permission` - Permission to grant on the serving endpoint. Supported permissions are: `CAN_MANAGE`, `CAN_QUERY`, `CAN_VIEW`.
+* `job` attribute
+  * `id` - Id of the job to grant permission on.
+  * `permission` - Permissions to grant on the Job. Supported permissions are: `CAN_MANAGE`, `IS_OWNER`, `CAN_MANAGE_RUN`, `CAN_VIEW`.
+
+## Related Resources
+
+The following resources are used in the same context:
+
+* [databricks_app](../resources/app.md) to manage [Databricks Apps](https://docs.databricks.com/en/dev-tools/databricks-apps/index.html).
+* [databricks_sql_endpoint](sql_endpoint.md) to manage Databricks SQL [Endpoints](https://docs.databricks.com/sql/admin/sql-endpoints.html).
+* [databricks_model_serving](model_serving.md) to serve this model on a Databricks serving endpoint.
+* [databricks_secret](secret.md) to manage [secrets](https://docs.databricks.com/security/secrets/index.html#secrets-user-guide) in Databricks workspace.
+* [databricks_job](job.md) to manage [Databricks Jobs](https://docs.databricks.com/jobs.html) to run non-interactive code.

docs/resources/app.md

@@ -0,0 +1,114 @@
+---
+subcategory: "Apps"
+---
+# databricks_app Resource
+
+-> This feature is in [Public Preview](https://docs.databricks.com/release-notes/release-types.html).
+
+[Databricks Apps](https://docs.databricks.com/en/dev-tools/databricks-apps/index.html) run directly on a customer’s Databricks instance, integrate with their data, use and extend Databricks services, and enable users to interact through single sign-on. This resource creates the application but does not handle app deployment, which should be handled separately as part of your CI/CD pipeline.
+
+## Example Usage
+
+```hcl
+resource "databricks_app" "this" {
+  name             = "my-custom-app"
+  description      = "My app"
+  resources = [{
+    name = "sql-warehouse"
+    sql_warehouse = {
+      id = "e9ca293f79a74b5c"
+      permission = "CAN_MANAGE"
+    }
+  },
+  {
+    name = "serving-endpoint"
+    serving_endpoint = {
+      name = "databricks-meta-llama-3-1-70b-instruct"
+      permission = "CAN_MANAGE"
+    }
+  },
+  {
+    name = "job"
+    job = {
+      id = "1234"
+      permission = "CAN_MANAGE"
+    }
+  }]
+}
+```
+
+## Argument Reference
+
+The following arguments are required:
+
+* `name` - (Required) The name of the app. The name must contain only lowercase alphanumeric characters and hyphens. It must be unique within the workspace.
+* `description` - (Optional) The description of the app.
+* `resources` - (Optional) A list of resources that the app have access to.
+
+### resources Configuration Attribute
+
+This attribute describes a resource used by the app.
+
+* `name` - (Required) The name of the resource.
+* `description` - (Optional) The description of the resource.
+
+Exactly one of the following attributes must be provided:
+
+* `secret` attribute
+  * `scope` - Scope of the secret to grant permission on.
+  * `key` - Key of the secret to grant permission on.
+  * `permission` - Permission to grant on the secret scope. For secrets, only one permission is allowed. Permission must be one of: `READ`, `WRITE`, `MANAGE`.
+* `sql_warehouse` attribute
+  * `id` - Id of the SQL warehouse to grant permission on.
+  * `permission` - Permission to grant on the SQL warehouse. Supported permissions are: `CAN_MANAGE`, `CAN_USE`, `IS_OWNER`.
+* `serving_endpoint` attribute
+  * `name` - Name of the serving endpoint to grant permission on.
+  * `permission` - Permission to grant on the serving endpoint. Supported permissions are: `CAN_MANAGE`, `CAN_QUERY`, `CAN_VIEW`.
+* `job` attribute
+  * `id` - Id of the job to grant permission on.
+  * `permission` - Permissions to grant on the Job. Supported permissions are: `CAN_MANAGE`, `IS_OWNER`, `CAN_MANAGE_RUN`, `CAN_VIEW`.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `compute_status` attribute
+  * `state` - State of the app compute.
+  * `message` - Compute status message
+* `app_status` attribute
+  * `state` - State of the application.
+  * `message` - Application status message
+* `url` - The URL of the app once it is deployed.
+* `create_time` - The creation time of the app.
+* `creator` - The email of the user that created the app.
+* `update_time` - The update time of the app.
+* `updater` - The email of the user that last updated the app.
+* `service_principal_id` - id of the app service principal
+* `service_principal_name` - name of the app service principal
+* `default_source_code_path` - The default workspace file system path of the source code from which app deployment are created. This field tracks the workspace source code path of the last active deployment.
+
+## Import
+
+This resource can be imported by name:
+
+```hcl
+import {
+  to = databricks_app.this
+  id = "<app_name>"
+}
+```
+
+or using the `terraform` CLI:
+
+```bash
+terraform import databricks_app.this <app_name>
+```
+
+## Related Resources
+
+The following resources are used in the same context:
+
+* [databricks_sql_endpoint](sql_endpoint.md) to manage Databricks SQL [Endpoints](https://docs.databricks.com/sql/admin/sql-endpoints.html).
+* [databricks_model_serving](model_serving.md) to serve this model on a Databricks serving endpoint.
+* [databricks_secret](secret.md) to manage [secrets](https://docs.databricks.com/security/secrets/index.html#secrets-user-guide) in Databricks workspace.
+* [databricks_job](job.md) to manage [Databricks Jobs](https://docs.databricks.com/jobs.html) to run non-interactive code.

docs/resources/permissions.md

@@ -423,7 +423,6 @@ Valid [permission levels](https://docs.databricks.com/security/access-control/wo
 
 A folder could be specified by using either `directory_path` or `directory_id` attribute.  The value for the `directory_id` is the object ID of the resource in the Databricks Workspace that is exposed as `object_id` attribute of the `databricks_directory` resource as shown below.
 
-
 ```hcl
 resource "databricks_group" "auto" {
   display_name = "Automation"
@@ -912,6 +911,7 @@ One type argument and at least one access control block argument are required.
 
 Exactly one of the following arguments is required:
 
+- `app_name` - [app](app.md) name
 - `cluster_id` - [cluster](cluster.md) id
 - `cluster_policy_id` - [cluster policy](cluster_policy.md) id
 - `instance_pool_id` - [instance pool](instance_pool.md) id

internal/acceptance/permissions_test.go

@@ -947,3 +947,25 @@ func TestAccPermissions_Query(t *testing.T) {
 		ExpectError: regexp.MustCompile("cannot remove management permissions for the current user for query, allowed levels: CAN_MANAGE"),
 	})
 }
+
+func TestAccPermissions_App(t *testing.T) {
+	loadDebugEnvIfRunsFromIDE(t, "workspace")
+	if IsGcp(t) {
+		Skipf(t)("not available on GCP")
+	}
+	queryTemplate := `
+		resource "databricks_app" "this" {
+			name = "{var.RANDOM}"
+			description = "Test app"
+		}`
+	WorkspaceLevel(t, Step{
+		Template: queryTemplate + makePermissionsTestStage("app_name", "databricks_app.this.name", groupPermissions("CAN_USE")),
+	}, Step{
+		Template: queryTemplate + makePermissionsTestStage("app_name", "databricks_app.this.name",
+			currentPrincipalPermission(t, "CAN_MANAGE"), groupPermissions("CAN_USE", "CAN_MANAGE")),
+	}, Step{
+		Template: queryTemplate + makePermissionsTestStage("app_name", "databricks_app.this.name",
+			currentPrincipalPermission(t, "CAN_USE"), groupPermissions("CAN_USE", "CAN_MANAGE")),
+		ExpectError: regexp.MustCompile("cannot remove management permissions for the current user for apps, allowed levels: CAN_MANAGE"),
+	})
+}

internal/providers/pluginfw/pluginfw_rollout_utils.go

@@ -12,6 +12,7 @@ import (
 	"slices"
 	"strings"
 
+	"github.com/databricks/terraform-provider-databricks/internal/providers/pluginfw/products/app"
 	"github.com/databricks/terraform-provider-databricks/internal/providers/pluginfw/products/catalog"
 	"github.com/databricks/terraform-provider-databricks/internal/providers/pluginfw/products/cluster"
 	"github.com/databricks/terraform-provider-databricks/internal/providers/pluginfw/products/library"
@@ -26,29 +27,35 @@ import (
 )
 
 // List of resources that have been migrated from SDK V2 to plugin framework
+// Keep this list sorted.
 var migratedResources = []func() resource.Resource{
-	qualitymonitor.ResourceQualityMonitor,
 	library.ResourceLibrary,
+	qualitymonitor.ResourceQualityMonitor,
 }
 
 // List of data sources that have been migrated from SDK V2 to plugin framework
+// Keep this list sorted.
 var migratedDataSources = []func() datasource.DataSource{
 	volume.DataSourceVolumes,
 }
 
 // List of resources that have been onboarded to the plugin framework - not migrated from sdkv2.
+// Keep this list sorted.
 var pluginFwOnlyResources = []func() resource.Resource{
-	// TODO Add resources here
-	sharing.ResourceShare, // Using the staging name (with pluginframework suffix)
+	app.ResourceApp,
+	sharing.ResourceShare,
 }
 
 // List of data sources that have been onboarded to the plugin framework - not migrated from sdkv2.
+// Keep this list sorted.
 var pluginFwOnlyDataSources = []func() datasource.DataSource{
-	serving.DataSourceServingEndpoints,
+	app.DataSourceApp,
+	app.DataSourceApps,
+	catalog.DataSourceFunctions,
+	notificationdestinations.DataSourceNotificationDestinations,
 	registered_model.DataSourceRegisteredModel,
 	registered_model.DataSourceRegisteredModelVersions,
-	notificationdestinations.DataSourceNotificationDestinations,
-	catalog.DataSourceFunctions,
+	serving.DataSourceServingEndpoints,
 	// TODO: Add DataSourceCluster into migratedDataSources after fixing unit tests.
 	cluster.DataSourceCluster, // Using the staging name (with pluginframework suffix)
 	sharing.DataSourceShare,   // Using the staging name (with pluginframework suffix)