Add a warning when resources with explicit permissions defined as app resources (#4876)

## Changes
Add a warning when resources with explicit permissions defined as app
resources

## Why
When an app has resources (jobs, SQL warehouses, serving endpoints,
experiments, Postgres projects, or UC securables) defined in its
resources section that reference bundle-configured resources with
explicit permissions, the app's service principal gets implicitly
granted access on first deploy. However, on subsequent deploys the
bundle overwrites the resource's permissions without the app's SP,
breaking the app's access.

This PR adds a warning during bundle validate when a referenced resource
has permissions set but doesn't include the app's service principal. The
warning recommends explicitly adding the SP to the resource's
permissions to prevent this silent permission override.

See #4309 for details.

Fixes #4309

## Tests
Added an acceptance test

<!-- If your PR needs to be included in the release notes for next
release,
add a separate entry in NEXT_CHANGELOG.md as part of your PR. -->

Author: andrewnester

acceptance/bundle/apps/job_permissions/output.txt

@@ -1,5 +1,19 @@
 
 >>> [CLI] bundle deploy
+Warning: app "my_app" references jobs "my_job" which has permissions set. To prevent permission override after deploying the app, please add the app service principal to the jobs permissions
+  at resources.apps.my_app
+  in databricks.yml:24:7
+
+Add the following section to the jobs permissions:
+
+  resources:
+    jobs:
+      my_job:
+        permissions:
+          - level: CAN_MANAGE_RUN
+            service_principal_name: ${resources.apps.my_app.service_principal_client_id}
+
+
 Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/test-bundle-[UNIQUE_NAME]/default/files...
 Deploying resources...
 Updating deployment state...
@@ -10,6 +24,20 @@ Deployment complete!
 
 === After second deploy
 >>> [CLI] bundle deploy
+Warning: app "my_app" references jobs "my_job" which has permissions set. To prevent permission override after deploying the app, please add the app service principal to the jobs permissions
+  at resources.apps.my_app
+  in databricks.yml:24:7
+
+Add the following section to the jobs permissions:
+
+  resources:
+    jobs:
+      my_job:
+        permissions:
+          - level: CAN_MANAGE_RUN
+            service_principal_name: ${resources.apps.my_app.service_principal_client_id}
+
+
 Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/test-bundle-[UNIQUE_NAME]/default/files...
 Deploying resources...
 Updating deployment state...

acceptance/bundle/apps/job_permissions_warning/app/app.py

@@ -0,0 +1 @@
+print("hello")

acceptance/bundle/apps/job_permissions_warning/databricks.yml

@@ -0,0 +1,28 @@
+bundle:
+  name: test-bundle
+
+resources:
+  jobs:
+    my_job:
+      name: my-job
+      permissions:
+        - level: CAN_MANAGE
+          user_name: ${workspace.current_user.userName}
+      tasks:
+        - task_key: hello
+          spark_python_task:
+            python_file: ./hello.py
+          new_cluster:
+            num_workers: 1
+            spark_version: 14.0.x-scala2.13
+            node_type_id: i3.xlarge
+
+  apps:
+    my_app:
+      name: myapp
+      source_code_path: ./app
+      resources:
+        - name: my-job
+          job:
+            id: ${resources.jobs.my_job.id}
+            permission: CAN_MANAGE_RUN

acceptance/bundle/apps/job_permissions_warning/hello.py

@@ -0,0 +1 @@
+print("hello")

acceptance/bundle/apps/job_permissions_warning/out.test.toml

@@ -0,0 +1,23 @@
+
+>>> [CLI] bundle validate
+Warning: app "my_app" references jobs "my_job" which has permissions set. To prevent permission override after deploying the app, please add the app service principal to the jobs permissions
+  at resources.apps.my_app
+  in databricks.yml:22:7
+
+Add the following section to the jobs permissions:
+
+  resources:
+    jobs:
+      my_job:
+        permissions:
+          - level: CAN_MANAGE_RUN
+            service_principal_name: ${resources.apps.my_app.service_principal_client_id}
+
+
+Name: test-bundle
+Target: default
+Workspace:
+  User: [USERNAME]
+  Path: /Workspace/Users/[USERNAME]/.bundle/test-bundle/default
+
+Found 1 warning

acceptance/bundle/apps/job_permissions_warning/output.txt

@@ -0,0 +1 @@
+trace $CLI bundle validate

acceptance/bundle/apps/job_permissions_warning/script

@@ -0,0 +1,5 @@
+RecordRequests = false
+
+Ignore = [
+    '.databricks',
+]

acceptance/bundle/apps/job_permissions_warning/test.toml

@@ -3,11 +3,18 @@ package apps
 import (
 	"context"
 	"fmt"
+	"regexp"
 
 	"github.com/databricks/cli/bundle"
+	"github.com/databricks/cli/bundle/config/resources"
 	"github.com/databricks/cli/libs/diag"
+	"github.com/databricks/cli/libs/dyn"
+	"github.com/databricks/databricks-sdk-go/service/apps"
 )
 
+// resourceReferencePattern matches ${resources.<type>.<key>.<field>} variable references.
+var resourceReferencePattern = regexp.MustCompile(`\$\{resources\.(\w+)\.([^.]+)\.\w+\}`)
+
 type validate struct{}
 
 func (v *validate) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics {
@@ -44,6 +51,130 @@ func (v *validate) Apply(ctx context.Context, b *bundle.Bundle) diag.Diagnostics
 			})
 		}
 		usedSourceCodePaths[app.SourceCodePath] = key
+
+		diags = diags.Extend(warnForAppResourcePermissions(b, key, app))
+	}
+
+	return diags
+}
+
+// appResourceRef extracts resource references from an app resource entry.
+// When resourceType is empty the reference matches any bundle resource type
+// extracted from the variable reference pattern.
+func appResourceRef(r apps.AppResource) (appResourceReference, bool) {
+	switch {
+	case r.Job != nil:
+		return appResourceReference{"jobs", r.Job.Id, string(r.Job.Permission)}, true
+	case r.SqlWarehouse != nil:
+		return appResourceReference{"sql_warehouses", r.SqlWarehouse.Id, string(r.SqlWarehouse.Permission)}, true
+	case r.ServingEndpoint != nil:
+		return appResourceReference{"model_serving_endpoints", r.ServingEndpoint.Name, string(r.ServingEndpoint.Permission)}, true
+	case r.Experiment != nil:
+		return appResourceReference{"experiments", r.Experiment.ExperimentId, string(r.Experiment.Permission)}, true
+	case r.Postgres != nil:
+		if r.Postgres.Branch != "" {
+			return appResourceReference{"postgres_projects", r.Postgres.Branch, string(r.Postgres.Permission)}, true
+		}
+		return appResourceReference{
+			"database_instances", r.Postgres.Database, string(r.Postgres.Permission),
+		}, true
+	case r.UcSecurable != nil:
+		return appResourceReference{string(r.UcSecurable.SecurableType), r.UcSecurable.SecurableFullName, string(r.UcSecurable.Permission)}, true
+	default:
+		return appResourceReference{}, false
+	}
+}
+
+type appResourceReference struct {
+	resourceType string
+	refValue     string
+	permission   string
+}
+
+// hasPermissions checks if a bundle resource at the given dyn path has a non-empty permissions list.
+func hasPermissions(b *bundle.Bundle, resourcePath string) bool {
+	pv, err := dyn.Get(b.Config.Value(), resourcePath+".permissions")
+	if err != nil {
+		return false
+	}
+	s, ok := pv.AsSequence()
+	return ok && len(s) > 0
+}
+
+// hasAppSPInPermissions checks if any permission entry for the given resource
+// references the app's service principal via variable interpolation.
+func hasAppSPInPermissions(b *bundle.Bundle, resourcePath, appKey string) bool {
+	appSPRef := fmt.Sprintf("${resources.apps.%s.service_principal_client_id}", appKey)
+	pv, err := dyn.Get(b.Config.Value(), resourcePath+".permissions")
+	if err != nil {
+		return false
+	}
+	s, ok := pv.AsSequence()
+	if !ok {
+		return false
+	}
+	for _, entry := range s {
+		spn, err := dyn.Get(entry, "service_principal_name")
+		if err != nil {
+			continue
+		}
+		if str, ok := spn.AsString(); ok && str == appSPRef {
+			return true
+		}
+	}
+	return false
+}
+
+// warnForAppResourcePermissions warns when an app references a bundle resource
+// that has explicit permissions but doesn't include the app's service principal.
+// Without the SP in the permission list, the second deploy will overwrite the
+// app-granted permission on the resource.
+// See https://github.com/databricks/cli/issues/4309
+func warnForAppResourcePermissions(b *bundle.Bundle, appKey string, app *resources.App) diag.Diagnostics {
+	var diags diag.Diagnostics
+
+	for _, ar := range app.Resources {
+		ref, ok := appResourceRef(ar)
+		if !ok {
+			continue
+		}
+
+		matches := resourceReferencePattern.FindStringSubmatch(ref.refValue)
+		if len(matches) < 3 {
+			continue
+		}
+		refType, resourceKey := matches[1], matches[2]
+
+		resourcePath := fmt.Sprintf("resources.%s.%s", refType, resourceKey)
+		if !hasPermissions(b, resourcePath) {
+			continue
+		}
+
+		if hasAppSPInPermissions(b, resourcePath, appKey) {
+			continue
+		}
+
+		appPath := "resources.apps." + appKey
+		diags = append(diags, diag.Diagnostic{
+			Severity: diag.Warning,
+			Summary:  fmt.Sprintf("app %q references %s %q which has permissions set. To prevent permission override after deploying the app, please add the app service principal to the %s permissions", appKey, refType, resourceKey, refType),
+			Detail: fmt.Sprintf(
+				"Add the following section to the %s permissions:\n\n"+
+					"  resources:\n"+
+					"    %s:\n"+
+					"      %s:\n"+
+					"        permissions:\n"+
+					"          - level: %s\n"+
+					"            service_principal_name: ${resources.apps.%s.service_principal_client_id}\n",
+				refType,
+				refType,
+				resourceKey,
+				ref.permission,
+				appKey,
+			),
+			Paths:     []dyn.Path{dyn.MustPathFromString(appPath)},
+			Locations: b.Config.GetLocations(appPath),
+		})
 	}
 
 	return diags