Bump Terraform provider to v1.115.0

[simonfaltum]

Why

Keep the CLI's Terraform schema in sync with the latest provider release (v1.115.0, published 2026-05-11).

Changes

Bumps the provider version from 1.113.0 to 1.115.0 and regenerates the Go schema types using go run . in bundle/internal/tf/codegen.

Also bumps hc-install in the codegen module from 0.9.2 to 0.9.4 so codegen can verify the Terraform download checksum signature on current toolchains.

New resources (added in v1.114.0, still present in v1.115.0):

• databricks_disaster_recovery_failover_group
• databricks_disaster_recovery_stable_url
• databricks_secret_uc
• databricks_supervisor_agent
• databricks_supervisor_agent_tool

New data sources for each of the above (singular and plural).

Acceptance test outputs that capture the provider user-agent string or terraform state shape were regenerated:

• bundle/user_agent, bundle/state/state_present
• bundle/migrate/{basic,dashboards,default-python,grants,permissions,runas}
• bundle/resources/jobs/update
• bundle/resources/postgres_projects/update_display_name
• bundle/deployment/bind/{dashboard/recreation,pipelines/recreate,pipelines/update}

The schema-driven changes are: a populated provider_config.workspace_id on jobs and pipelines, and update_mask: initial_endpoint_spec,spec on postgres project PATCH requests.

Test plan

• ./task checks passes
• go build ./... passes
• Affected acceptance tests regenerated locally
• CI passes on the PR

[simonfaltum]

Most of this PR is mechanical: a version.go bump and the regenerated bundle/internal/tf/schema/*.go files. Four things are not routine and worth a closer look — flagged inline below.

1. Embedded HashiCorp pubkey (new file bundle/internal/tf/codegen/schema/pubkey.go) — required to make codegen run at all on current toolchains.
2. provider_config.workspace_id now populated on many state fixtures — schema-driven, not a CLI behavior change.
3. Postgres update_mask gained initial_endpoint_spec on PATCH requests — schema-driven, may want backend confirmation.
4. Version jump skips v1.114.x entirely (1.113.0 → 1.115.0). Three patch releases plus v1.115.0 shipped since the previous bump on 2026-04-16.

[simonfaltum]

Please double-check this file. New embedded HashiCorp pubkey, needed because the key block bundled in hc-install v0.9.4 has a UserID self-signature that expired on 2026-04-18 — codegen otherwise fails with openpgp: key expired (releases.hashicorp.com/...SHA256SUMS.72D7468F.sig).

The armored block here was copied verbatim from hc-install#355 (the second -----BEGIN PGP PUBLIC KEY BLOCK----- block, refreshed 2026-02-19, expiration extended ~2035). We can't just rely on the upstream fix because go-crypto v1 only reads the first armored block and keeps one SelfSignature per Identity, so the refreshed second block is a no-op when read via the bundled pubkey.Read.

This duplicates the same key that lives in bundle/deploy/terraform/install.go (added in #5021 for the runtime install path). The codegen module has its own go.mod, so we can't import the runtime copy. Worth confirming you're OK with the duplication — alternative is to factor the key into a shared module, but that's a bigger refactor.

Reviewer checklist:

• Source link points to the right upstream block.
• Key fingerprint matches 34365D9472D7468F (HashiCorp Security).
• The duplication vs. bundle/deploy/terraform/install.go is acceptable.

[pietern]

Can you bump to hc install 0.9.4 instead?

[pietern]

I'm updating this.

[simonfaltum]

This is the line that actually wires in the refreshed key from pubkey.go. Without ArmoredPublicKey set, releases.ExactVersion falls back to the (now-expired) key embedded inside hc-install — see comment on pubkey.go for the full story.

[simonfaltum]

Schema-driven change from v1.115 (technically already in v1.114): provider_config is no longer an empty list for jobs and pipelines — it now contains { workspace_id: ... }. Appears across many state fixtures in this PR (all acceptance/bundle/migrate/* state files, bundle/resources/jobs/update/out.state.terraform.json, and the deployment/bind/* outputs).

Not a CLI behavior change; the provider is just emitting the field now. Flagging so you don't have to chase down where it came from.

[simonfaltum]

Schema-driven change: v1.115 sends update_mask: "initial_endpoint_spec,spec" for databricks_postgres_project PATCH instead of just "spec". New provider behavior — worth confirming the backend accepts the expanded mask on a display_name-only update (this test only changes the display name; initial_endpoint_spec is unchanged but now included in the mask).

[pietern]

Confirmed this is not an issue.

[tanmay-db]

In Terraform, provider_config and workspace_id are made as optional+computed so every workspace resource in terraform will now have this set in the state.

I don't have context on the dabs side, does something similar need to happen here?

Would users see this diff when deploying bundles?

How are schemas/diff which are customized in terraform get translated in dabs?

Also does something needs to be done for direct mode?

[pietern]

Can you bump to hc install 0.9.4 instead?

[pietern]

Are these additional calls expected?

[pietern]

For reference, the previous SDK bump removed them (the short circuit), so it makes sense they come back now that the short circuit is gone again: https://github.com/databricks/cli/pull/5031/changes

Similar comment thread in #5237.

[pietern]

Confirmed this is not an issue.