Problem
When trying to manage SQL Warehouse permissions through Terraform, you encounter the following error.
“Error: cannot delete permissions: PUT requests for warehouse <warehouse-ID> with no existing owner must provide a new owner.”
Your SQL warehouses were initially created without an owner through Terraform, and you’re trying to assign the IS_OWNER property to the deployment principal or a user during the deployment process.
Cause
A change was introduced in version v1.14.0 of the Databricks Terraform provider, which automatically adds the CAN_MANAGE permission on databricks_sql_endpoint for the calling user.
This creates a conflict where the deployment principal or user is being assigned both IS_OWNER and CAN_MANAGE permissions, which leads to only the CAN_MANAGE permission being added. This behavior is due to how the PUT /api/2.0/permissions/sql/warehouses API handles permission assignments.
Solution
Ensure the user or principal being granted the IS_OWNER permission is not the same entity acting as the deployment principal used for the Terraform deployment.
Example
Check that the service_principal_name is pointing to a different service principal user than the one you are using for the Terraform apply operation.
resource "databricks_permissions" "dbx_genie_sql_warehouse" {
  provider        = <databricks.workspace>
  sql_endpoint_id = <databricks-sql-endpoint>.dbx_genie_sql_warehouse.id

  access_control {
    # Must not resolve to the principal that runs terraform apply.
    service_principal_name = data.<databricks-service-principal>.<terraform-deployment-sp>.<application-id>
    permission_level       = "IS_OWNER"
  }
}
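
One way to enforce the check above at plan time, as an added example that is not part of the original article or the provider's own code. It assumes Terraform 1.2 or later (for precondition blocks) and that the owner is a service principal; the names deployer, warehouse, owner_application_id and sql_endpoint_id are hypothetical. It relies on the databricks_current_user data source returning the application ID in user_name when the caller is a service principal.

```hcl
# Identity that is running this Terraform plan/apply.
data "databricks_current_user" "deployer" {}

# Hypothetical input: application ID of the service principal that should own the warehouse.
variable "owner_application_id" {
  type        = string
  description = "Application ID of the intended IS_OWNER service principal."
}

# Hypothetical input: ID of the existing SQL warehouse.
variable "sql_endpoint_id" {
  type        = string
  description = "ID of the databricks_sql_endpoint to manage permissions for."
}

resource "databricks_permissions" "warehouse" {
  sql_endpoint_id = var.sql_endpoint_id

  access_control {
    service_principal_name = var.owner_application_id
    permission_level       = "IS_OWNER"
  }

  lifecycle {
    # Fail before any API call if the owner and the deployer are the same
    # identity. In that case the provider also adds CAN_MANAGE for the caller,
    # and only CAN_MANAGE ends up on the warehouse, leaving it without an owner.
    precondition {
      condition     = lower(var.owner_application_id) != lower(data.databricks_current_user.deployer.user_name)
      error_message = "IS_OWNER must be granted to a principal other than the one running terraform apply."
    }
  }
}
```

With this guard the run stops with the error_message instead of reaching the "no existing owner must provide a new owner" failure from the permissions API.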