Add app_spaces as a DABs resource type (direct mode only)

[bernardo-rodriguez]

Changes

Adds support for declaring Databricks App Spaces in bundle YAML via the app_spaces resource type. Spaces are containers for apps that provide shared resources, OAuth scopes, and a service principal.

Implements direct mode CRUD with async operation waiting, a merge mutator for the space resources array, run_as validation, and test server handlers for the fake workspace.

Why

App spaces are are in private preview, we want to add support for the developer ecosystem.

Tests

Tested with local CLI build.

Test databricks.yml file:

resources:
  app_spaces:
    space_with_resources:
      name: test-space-with-resources
      description: "A space with shared resources"
      resources:
        - name: my-serving-endpoint
          serving_endpoint:
            name: databricks-meta-llama-3-3-70b-instruct
            permission: CAN_QUERY
        - name: my-warehouse                                                                                                        
          sql_warehouse:                                                                                                            
            id: 668e77c7ff1fce2d                          
            permission: CAN_USE
  apps:
    my_app:
      name: app-in-space
      space: ${resources.app_spaces.space_with_resources.name}
      source_code_path: ./my-app
      lifecycle:                                                                                                                    
        started: true
      config:
        command:
          - python
          - app.py
        env:
          - name: APP_ENV
            value: staging

Commands:

DATABRICKS_BUNDLE_ENGINE=direct ../cli/databricks bundle deploy
Uploading bundle files to /Workspace/Users/bernardo.rodriguez@databricks.com/.bundle/test-app-spaces/dev/files...
Deploying resources...
Updating deployment state...
Deployment complete!

New app space:

databricks apps get-space test-space-with-resources
{
  "create_time":"2026-04-16T01:40:18Z",
  "creator":"bernardo.rodriguez@databricks.com",
  "description":"A space with shared resources",
  "name":"test-space-with-resources",
  "resources": [
    {
      "name":"my-serving-endpoint",
      "serving_endpoint": {
        "name":"databricks-meta-llama-3-3-70b-instruct",
        "permission":"CAN_QUERY"
      }
    },
    {
      "name":"my-warehouse",
      "sql_warehouse": {
        "id":"668e77c7ff1fce2d",
        "permission":"CAN_USE"
      }
    }
  ],
  "status": {
    "message":"Space is ready.",
    "state":"SPACE_ACTIVE"
  },
  ...
}

New App:

databricks apps get app-in-space
{
  "app_status": {
    "message":"App has status: App has not been deployed yet. Run your app by deploying source code",
    "state":"UNAVAILABLE"
  },
  "compute_size":"LIQUID",
  "compute_status": {
    "message":"App compute is running.",
    "state":"ACTIVE"
  },
  "create_time":"2026-04-16T01:40:25Z",
  "creator":"bernardo.rodriguez@databricks.com",
  "description":"",
  "effective_user_api_scopes": [
    "iam.current-user:read",
    "iam.access-control:read"
  ],
  "name":"app-in-space",
  "space":"test-space-with-resources",
  "update_time":"2026-04-16T01:41:22Z",
  "updater":"bernardo.rodriguez@databricks.com",
  "url":"https://app-in-space-4119111590058294.0.staging.azure.databricksapps.com",
   ....
}

• Test updating the app spaces with new resource and running bundle deploy makes desired updates
• Test removing the app spaces from the yml file and deploying deletes the app spaces
• Test bundle destroy deletes the app spaces
• Unit tests

[andrewnester]

Could you please add acceptance test for the new resource, see for example

https://github.com/databricks/cli/tree/main/acceptance/bundle/resources/apps/update

[denik]

Static list is fine, but I'm curious, is * not working for this endpoint?

[bernardo-rodriguez]

no, the server explicitly allowlists fields, using * fails with a server side validation error

[denik]

Please look into adding invariant tests as well - you need one config in acceptance/bundle/invariant/configs.

Does this resource support permissions?

[bernardo-rodriguez]

Yes, thanks for calling this out!

App Spaces support 3 different permissions levels (CAN_USE, CAN_CREATE, CAN_MANAGE) via /api/2.0/permissions/app-spaces/{space-name}. I added a new AppSpacePermission type to handle this.

Also, added that invariant config.

[janniklasrose]

Please address:

• test failures
• auto-gen relevant files
• add additional acceptance tests (definitely invariant, drift, also bind/unbind if relevant)
• opt out of terraform in bundle/config/mutator/validate_direct_only_resources.go
• add entry to NEXT_CHANGELOG.md

[janniklasrose]

nit: same as recreate

[bernardo-rodriguez]

true. leaving for now as they have a different event sequence, but I can remove the rename state from the update test if you prefer a cleaner separation

[janniklasrose]

just confirming that recreating app_spaces is safe (no data loss)

[bernardo-rodriguez]

Yea that is fine, they are just metadata and store no customer data

[pietern]

What happens if you delete an app space that has >0 apps attached?

[bernardo-rodriguez]

@pietern the server blocks deletion with 400 BAD_REQUEST: Cannot delete space <name> because it contains N app

[pietern]

Is this not modeled after a long running operation?

[bernardo-rodriguez]

yes, I updated to match other examples of LRO, by using the waiter returned by the Create and Update method.

[pietern]

What happens if you delete an app space that has >0 apps attached?

[github-actions]

An authorized user can trigger integration tests manually by following the instructions below:

Trigger:
go/deco-tests-run/cli

Inputs:

• PR number: 4982
• Commit SHA: dd092e04a68df4e05efd1022ea07835f3a26591d

Checks will be approved automatically on success.