From c77db6d968500bd25d90b252087154876d84e8de Mon Sep 17 00:00:00 2001
From: Denis Bilenko
Date: Thu, 22 Jan 2026 14:37:22 +0100
Subject: [PATCH 1/2] Add a test for deleting secret scopes + mgmt permissions
---
 .../delete_scope/databricks.yml.tmpl | 14 ++++++++++++
 .../out.deploy.requests.direct.txt | 9 ++++++++
 .../out.deploy.requests.terraform.txt | 17 ++++++++++++++
 .../delete_scope/out.plan.direct.txt | 6 +++++
 .../delete_scope/out.plan.terraform.txt | 5 +++++
 .../secret_scopes/delete_scope/out.test.toml | 5 +++++
 .../secret_scopes/delete_scope/output.txt | 22 +++++++++++++++++++
 .../secret_scopes/delete_scope/script | 18 +++++++++++++++
 .../secret_scopes/delete_scope/test.toml | 4 ++++
 9 files changed, 100 insertions(+)
 create mode 100644 acceptance/bundle/resources/secret_scopes/delete_scope/databricks.yml.tmpl
 create mode 100644 acceptance/bundle/resources/secret_scopes/delete_scope/out.deploy.requests.direct.txt
 create mode 100644 acceptance/bundle/resources/secret_scopes/delete_scope/out.deploy.requests.terraform.txt
 create mode 100644 acceptance/bundle/resources/secret_scopes/delete_scope/out.plan.direct.txt
 create mode 100644 acceptance/bundle/resources/secret_scopes/delete_scope/out.plan.terraform.txt
 create mode 100644 acceptance/bundle/resources/secret_scopes/delete_scope/out.test.toml
 create mode 100644 acceptance/bundle/resources/secret_scopes/delete_scope/output.txt
 create mode 100755 acceptance/bundle/resources/secret_scopes/delete_scope/script
 create mode 100644 acceptance/bundle/resources/secret_scopes/delete_scope/test.toml
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/databricks.yml.tmpl b/acceptance/bundle/resources/secret_scopes/delete_scope/databricks.yml.tmpl
new file mode 100644
index 0000000000..384e0a14ab
--- /dev/null
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/databricks.yml.tmpl
@@ -0,0 +1,14 @@
+bundle:
+ name: secret-scope-basic-$UNIQUE_NAME
+
+resources:
+ secret_scopes:
+ first:
+ name: test-scope-1-$UNIQUE_NAME
+ backend_type: "DATABRICKS"
+ second: # DELETE
+ name: test-scope-2-$UNIQUE_NAME # DELETE
+ backend_type: "DATABRICKS" # DELETE
+ permissions: # DELETE
+ - user_name: $CURRENT_USER_NAME # DELETE
+ level: MANAGE # DELETE
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/out.deploy.requests.direct.txt b/acceptance/bundle/resources/secret_scopes/delete_scope/out.deploy.requests.direct.txt
new file mode 100644
index 0000000000..2d469e4abc
--- /dev/null
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/out.deploy.requests.direct.txt
@@ -0,0 +1,9 @@
+
+>>> print_requests.py ^//import-file/ ^//workspace/ ^//telemetry-ext
+{
+ "method": "POST",
+ "path": "/api/2.0/secrets/scopes/delete",
+ "body": {
+ "scope": "test-scope-2-[UNIQUE_NAME]"
+ }
+}
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/out.deploy.requests.terraform.txt b/acceptance/bundle/resources/secret_scopes/delete_scope/out.deploy.requests.terraform.txt
new file mode 100644
index 0000000000..16a96810b8
--- /dev/null
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/out.deploy.requests.terraform.txt
@@ -0,0 +1,17 @@
+
+>>> print_requests.py ^//import-file/ ^//workspace/ ^//telemetry-ext
+{
+ "method": "POST",
+ "path": "/api/2.0/secrets/acls/delete",
+ "body": {
+ "principal": "[USERNAME]",
+ "scope": "test-scope-2-[UNIQUE_NAME]"
+ }
+}
+{
+ "method": "POST",
+ "path": "/api/2.0/secrets/scopes/delete",
+ "body": {
+ "scope": "test-scope-2-[UNIQUE_NAME]"
+ }
+}
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/out.plan.direct.txt b/acceptance/bundle/resources/secret_scopes/delete_scope/out.plan.direct.txt
new file mode 100644
index 0000000000..6270ea89c0
--- /dev/null
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/out.plan.direct.txt
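Review bot: In databricks.yml.tmpl the only grant on `second` is `MANAGE` for `$CURRENT_USER_NAME`, the identity that deploys the bundle, so the `acls/delete` recorded for terraform targets the deployer's own entry and neither recording shows what happens to a grant held by another principal. A second `permissions` entry for a different principal at a lower level, tagged `# DELETE` like the rest, would show whether such ACLs are removed explicitly or left to the scope deletion, as the direct recording (which contains no `acls/delete`) suggests. If relying on the scope deletion is intentional for the direct engine, saying so in the commit message would keep the golden file from reading as a missed request.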
@@ -0,0 +1,6 @@
+
+>>> [CLI] bundle plan
+delete secret_scopes.second
+delete secret_scopes.second.permissions
+
+Plan: 0 to add, 0 to change, 2 to delete, 2 unchanged
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/out.plan.terraform.txt b/acceptance/bundle/resources/secret_scopes/delete_scope/out.plan.terraform.txt
new file mode 100644
index 0000000000..989400461f
--- /dev/null
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/out.plan.terraform.txt
@@ -0,0 +1,5 @@
+
+>>> [CLI] bundle plan
+delete secret_scopes.second
+
+Plan: 0 to add, 0 to change, 1 to delete, 1 unchanged
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/out.test.toml b/acceptance/bundle/resources/secret_scopes/delete_scope/out.test.toml
new file mode 100644
index 0000000000..01ed6822af
--- /dev/null
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = true
+
+[EnvMatrix]
+ DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/output.txt b/acceptance/bundle/resources/secret_scopes/delete_scope/output.txt
new file mode 100644
index 0000000000..18025f0a0f
--- /dev/null
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/output.txt
@@ -0,0 +1,22 @@
+
+=== create the secret scope
+>>> [CLI] bundle deploy
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/secret-scope-basic-[UNIQUE_NAME]/default/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> [CLI] bundle deploy
+Uploading bundle files to /Workspace/Users/[USERNAME]/.bundle/secret-scope-basic-[UNIQUE_NAME]/default/files...
+Deploying resources...
+Updating deployment state...
+Deployment complete!
+
+>>> [CLI] bundle destroy --auto-approve
+The following resources will be deleted:
+ delete resources.secret_scopes.first
+
+All files and directories at the following location will be deleted: /Workspace/Users/[USERNAME]/.bundle/secret-scope-basic-[UNIQUE_NAME]/default
+
+Deleting files...
+Destroy complete!
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/script b/acceptance/bundle/resources/secret_scopes/delete_scope/script
new file mode 100755
index 0000000000..d4a62f92d0
--- /dev/null
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/script
@@ -0,0 +1,18 @@
+envsubst < databricks.yml.tmpl > databricks.yml
+
+cleanup() {
+ trace $CLI bundle destroy --auto-approve
+ rm out.requests.txt
+}
+trap cleanup EXIT
+
+title "create the secret scope"
+trace $CLI bundle deploy
+
+grep -v DELETE < databricks.yml > databricks.yml.tmp && mv databricks.yml.tmp databricks.yml
+
+trace $CLI bundle plan &> out.plan.$DATABRICKS_BUNDLE_ENGINE.txt
+rm out.requests.txt
+
+trace $CLI bundle deploy
+trace print_requests.py '^//import-file/' '^//workspace/' '^//telemetry-ext' &> out.deploy.requests.$DATABRICKS_BUNDLE_ENGINE.txt
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/test.toml b/acceptance/bundle/resources/secret_scopes/delete_scope/test.toml
new file mode 100644
index 0000000000..d76cbba068
--- /dev/null
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/test.toml
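Review bot: In `script`, the `grep -v DELETE` filter runs after `envsubst`, so it matches the substituted `$UNIQUE_NAME` and `$CURRENT_USER_NAME` values as well as the `# DELETE` markers. That is unlikely with generated names, but a value containing that string would silently drop a line of the `first` scope and the test would record a different deletion than the one intended. Anchoring on the marker keeps the filter to the tagged lines: `grep -v '# DELETE$' < databricks.yml > databricks.yml.tmp && mv databricks.yml.tmp databricks.yml`. A comment above it, for example `# drop the second scope and its MANAGE grant, then redeploy to record the delete requests`, would also say what the second half of the script is for, since only the first step has a `title`.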
@@ -0,0 +1,4 @@
+Cloud = true
+Local = true
+RecordRequests = true
+IsServicePrincipal = true
From 483ba805487273852d17cb54574880ca94583652 Mon Sep 17 00:00:00 2001
From: Denis Bilenko
Date: Thu, 22 Jan 2026 14:51:07 +0100
Subject: [PATCH 2/2] rm IsServicePrincipal - not needed
---
 acceptance/bundle/resources/secret_scopes/delete_scope/test.toml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/acceptance/bundle/resources/secret_scopes/delete_scope/test.toml b/acceptance/bundle/resources/secret_scopes/delete_scope/test.toml
index d76cbba068..3730eb79df 100644
--- a/acceptance/bundle/resources/secret_scopes/delete_scope/test.toml
+++ b/acceptance/bundle/resources/secret_scopes/delete_scope/test.toml
@@ -1,4 +1,3 @@
 Cloud = true
 Local = true
 RecordRequests = true
-IsServicePrincipal = true