Allow assigning GCP SA in databricks_sql_global_config resource

docs/resources/sql_global_config.md

@@ -47,6 +47,7 @@ The following arguments are supported (see [documentation](https://docs.databric
 * `security_policy` (Optional, String) - The policy for controlling access to datasets. Default value: `DATA_ACCESS_CONTROL`, consult documentation for list of possible values
 * `data_access_config` (Optional, Map) - Data access configuration for [databricks_sql_endpoint](sql_endpoint.md), such as configuration for an external Hive metastore, Hadoop Filesystem configuration, etc.  Please note that the list of supported configuration properties is limited, so refer to the [documentation](https://docs.databricks.com/sql/admin/data-access-configuration.html#supported-properties) for a full list.  Apply will fail if you're specifying not permitted configuration.
 * `instance_profile_arn` (Optional, String) - [databricks_instance_profile](instance_profile.md) used to access storage from [databricks_sql_endpoint](sql_endpoint.md). Please note that this parameter is only for AWS, and will generate an error if used on other clouds. 
+* `google_service_account` (Optional, String) - used to access GCP services, such as Cloud Storage, from [databricks_sql_endpoint](sql_endpoint.md). Please note that this parameter is only for GCP, and will generate an error if used on other clouds. 
 * `sql_config_params` (Optional, Map) - SQL Configuration Parameters let you override the default behavior for all sessions with all endpoints.
 
 ## Import

sql/resource_sql_global_config.go

@@ -27,6 +27,7 @@ type GlobalConfig struct {
 	SecurityPolicy          string            `json:"security_policy,omitempty" tf:"default:DATA_ACCESS_CONTROL"`
 	DataAccessConfig        map[string]string `json:"data_access_config,omitempty"`
 	InstanceProfileARN      string            `json:"instance_profile_arn,omitempty"`
+	GoogleServiceAccount    string            `json:"google_service_account,omitempty"`
 	EnableServerlessCompute bool              `json:"enable_serverless_compute,omitempty" tf:"default:false"`
 	SqlConfigParams         map[string]string `json:"sql_config_params,omitempty"`
 }
@@ -36,6 +37,7 @@ type GlobalConfigForRead struct {
 	SecurityPolicy             string                     `json:"security_policy"`
 	DataAccessConfig           []confPair                 `json:"data_access_config"`
 	InstanceProfileARN         string                     `json:"instance_profile_arn,omitempty"`
+	GoogleServiceAccount       string                     `json:"google_service_account,omitempty"`
 	EnableServerlessCompute    bool                       `json:"enable_serverless_compute"`
 	SqlConfigurationParameters *repeatedEndpointConfPairs `json:"sql_configuration_parameters,omitempty"`
 }
@@ -67,6 +69,13 @@ func (a globalConfigAPI) Set(gc GlobalConfig) error {
 			return fmt.Errorf("can't use instance_profile_arn outside of AWS")
 		}
 	}
+	if gc.GoogleServiceAccount != "" {
+		if a.client.IsGcp() {
+			data["google_service_account"] = gc.GoogleServiceAccount
+		} else {
+			return fmt.Errorf("can't use google_service_account outside of GCP")
+		}
+	}
 	cfg := make([]confPair, 0, len(gc.DataAccessConfig))
 	for k, v := range gc.DataAccessConfig {
 		cfg = append(cfg, confPair{Key: k, Value: v})
@@ -91,6 +100,7 @@ func (a globalConfigAPI) Get() (GlobalConfig, error) {
 		return gc, err
 	}
 	gc.InstanceProfileARN = gcr.InstanceProfileARN
+	gc.GoogleServiceAccount = gcr.GoogleServiceAccount
 	gc.SecurityPolicy = gcr.SecurityPolicy
 	gc.EnableServerlessCompute = gcr.EnableServerlessCompute
 	gc.DataAccessConfig = make(map[string]string, len(gcr.DataAccessConfig))

sql/resource_sql_global_config_test.go

@@ -137,3 +137,54 @@ func TestResourceSQLGlobalConfigCreateError(t *testing.T) {
 	}.Apply(t)
 	qa.AssertErrorStartsWith(t, err, "can't use instance_profile_arn outside of AWS")
 }
+
+func TestResourceSQLGlobalConfigCreateWithDataGCP(t *testing.T) {
+	d, err := qa.ResourceFixture{
+		Fixtures: []qa.HTTPFixture{
+			{
+				Method:   "PUT",
+				Resource: "/api/2.0/sql/config/warehouses",
+				ExpectedRequest: GlobalConfigForRead{
+					DataAccessConfig:           []confPair{{Key: "spark.sql.session.timeZone", Value: "UTC"}},
+					SqlConfigurationParameters: &repeatedEndpointConfPairs{ConfigPairs: []confPair{{Key: "ANSI_MODE", Value: "true"}}},
+					EnableServerlessCompute:    false,
+					SecurityPolicy:             "DATA_ACCESS_CONTROL",
+					GoogleServiceAccount:       "poc@databricks.iam.gserviceaccount.com",
+				},
+			},
+			{
+				Method:       "GET",
+				Resource:     "/api/2.0/sql/config/warehouses",
+				ReuseRequest: true,
+				Response: GlobalConfigForRead{
+					SecurityPolicy: "DATA_ACCESS_CONTROL",
+					DataAccessConfig: []confPair{
+						{Key: "spark.sql.session.timeZone", Value: "UTC"},
+					},
+					GoogleServiceAccount: "poc@databricks.iam.gserviceaccount.com",
+					SqlConfigurationParameters: &repeatedEndpointConfPairs{
+						ConfigPairs: []confPair{
+							{Key: "ANSI_MODE", Value: "true"},
+						},
+					},
+				},
+			},
+		},
+		Resource: ResourceSqlGlobalConfig(),
+		Create:   true,
+		Gcp:      true,
+		State: map[string]any{
+			"security_policy":        "DATA_ACCESS_CONTROL",
+			"google_service_account": "poc@databricks.iam.gserviceaccount.com",
+			"data_access_config": map[string]any{
+				"spark.sql.session.timeZone": "UTC",
+			},
+			"sql_config_params": map[string]any{
+				"ANSI_MODE": "true",
+			},
+		},
+	}.Apply(t)
+	require.NoError(t, err)
+	assert.Equal(t, "global", d.Id(), "Id should not be empty")
+	assert.Equal(t, "DATA_ACCESS_CONTROL", d.Get("security_policy"))
+}