Vector Search endpoint support (direct only)

[janniklasrose]

Changes

Adds vector_search_endpoints as a first-class resource type, using the direct deployment engine (only, no TF support).

New configuration surface

resources:
  vector_search_endpoints:
    my_endpoint:
      name: my-endpoint
      endpoint_type: STANDARD
      min_qps: 1
      budget_policy_id: my-policy
      permissions:
        - level: CAN_USE
          group_name: data-team

Required fields: name, endpoint_type. Optional: min_qps, budget_policy_id, permissions.

Key points to note

State ID = endpoint name. The CRUD API identifies endpoints by name; the UUID
(endpoint_uuid) is stored separately in the refresh output for use by the permissions API.

endpoint_type is immutable. Changing it triggers delete + recreate (resources.yml).

Two separate update APIs. DoUpdate dispatches to:

• UpdateEndpointBudgetPolicy when budget_policy_id changes
• PatchEndpoint when min_qps changes

These can fire in the same deploy if both fields change.

budget_policy_id drift is suppressed. The API returns effective_budget_policy_id
(which includes inherited workspace policies), not the user-set value. Until the SDK
exposes budget_policy_id separately, remote changes to this field are ignored
(reason: effective_vs_requested in resources.yml). See TODO in
bundle/direct/dresources/vector_search_endpoint.go:53.

Permissions use UUID, not name. The PreparePermissionsInputConfig function uses
${...endpoint_uuid} as the object ID when constructing the permissions API path for
vector search endpoints.

Direct-only validation. ValidateDirectOnlyResources (bundle/config/mutator/) emits
an error at plan/deploy time if vector_search_endpoints are present in a non-direct bundle.
Vector Search Endpoints have no Terraform provider.

No dev-mode name prefix. Like UC resources, vector search endpoint names are NOT
prefixed with the dev user name in development mode.

Tests

• Acceptance & Unit tests.
• Tested e2e with CLI build.

[andrewnester]

Could you please add tests for bind / unbind for this resources before merging?
https://github.com/databricks/cli/tree/main/acceptance/bundle/deployment/bind

[andrewnester]

Why this TODO though? Shouldn't we alway use EffectiveBudgetPolicyId anyway?

[andrewnester]

Did you consider sending these two requests in parallel in separate goroutines? pros / cons

[janniklasrose]

Don't expect this to be much of a bottleneck, but they're independent so we could. There's precedent in model_serving_endpoint.go to make them sequential on purpose (though granted it's following Terraform there, which only does 1 call for vector search since they're missing the min_qps path).

[janniklasrose]

I will double-check with the VS team if the APIs are safe to call in parallel and update in a follow-up.