Emit permission overlap warnings instead of discarding them

[simonfaltum]

Why

Found during a full-repo review of the CLI. When a bundle defines top-level permissions and a resource already has its own permission entry for the same user, group, or service principal, the bundle-level grant is skipped for that resource. The warnings explaining why the grant was skipped were computed but never shown (a TODO that predates logdiag), so users had no way to tell why a permission they configured did not get applied.

Changes

Before, the overlap warnings built in bundle/config/mutator/resourcemutator/apply_bundle_permissions.go were discarded; now they are logged via logdiag and show up in command output, for example:

Warning: 'jobs' already has permissions set for 'overlap@example.com' user name

The skip behavior itself is unchanged, only the warning is now visible. The stale TODO is replaced by the actual logging, and the existing TestWarningOnOverlapPermission unit test now asserts the warning is emitted.

Test plan

• Extended TestWarningOnOverlapPermission to assert exactly one warning with the expected summary is emitted
• Added acceptance test acceptance/bundle/validate/permissions_overlap with overlapping top-level and resource permissions, covering both the warning and the resulting permissions (both engines)
• Ran go test ./bundle/config/mutator/resourcemutator ./bundle/tests
• Ran permission-related acceptance subtrees (bundle/validate, bundle/resources/permissions, bundle/run_as, bundle/migrate, bundle/apps/job_permissions) to confirm no existing outputs change
• ./task fmt-q, ./task lint-q, ./task checks

This pull request and its description were written by Isaac.

[github-actions]

Approval status: pending

/acceptance/bundle/ - needs approval

4 files changed
Suggested: @denik
Also eligible: @andrewnester, @janniklasrose, @pietern, @anton-107, @shreyas-goenka, @lennartkats-db

/bundle/ - needs approval

Files: bundle/config/mutator/resourcemutator/apply_bundle_permissions.go, bundle/config/mutator/resourcemutator/apply_bundle_permissions_test.go
Suggested: @denik
Also eligible: @andrewnester, @janniklasrose, @pietern, @anton-107, @shreyas-goenka, @lennartkats-db

_{Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @shreyas-goenka, @renaudhartert-db) can approve all areas.
See OWNERS for ownership rules.}

[eng-dev-ecosystem-bot]

Commit: 5d900c3

Run: 27235494852

	Env	🟨​KNOWN	💚​RECOVERED	🙈​SKIP	✅​pass	🙈​skip	Time
🟨​	aws linux	7		15	261	929	8:19
🟨​	aws windows	7		15	263	927	16:27
💚​	aws-ucws linux		7	15	357	843	7:35
💚​	aws-ucws windows		7	15	359	841	10:50
💚​	azure linux		1	17	264	927	8:16
💚​	azure windows		1	17	266	925	12:02
💚​	azure-ucws linux		1	17	362	839	8:52
💚​	azure-ucws windows		1	17	364	837	12:03
💚​	gcp linux		1	17	260	930	8:51
💚​	gcp windows		1	17	262	928	11:01

22 interesting tests: 15 SKIP, 7 KNOWN

	Test Name	aws linux	aws windows	aws-ucws linux	aws-ucws windows	azure linux	azure windows	azure-ucws linux	azure-ucws windows	gcp linux	gcp windows
🟨​	TestAccept	🟨​K	🟨​K	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R	💚​R
🙈​	TestAccept/bundle/invariant/no_drift	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/permissions	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions	🟨​K	🟨​K	💚​R	💚​R	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct	🟨​K	🟨​K	💚​R	💚​R
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	🟨​K	🟨​K	💚​R	💚​R
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions	🟨​K	🟨​K	💚​R	💚​R	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct	🟨​K	🟨​K	💚​R	💚​R
🟨​	TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform	🟨​K	🟨​K	💚​R	💚​R
🙈​	TestAccept/bundle/resources/postgres_branches/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/recreate	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/replace_existing	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/update_protected	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_branches/without_branch_id	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_endpoints/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_endpoints/recreate	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/postgres_projects/update_display_name	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/synced_database_tables/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/vector_search_indexes/basic	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/bundle/resources/vector_search_indexes/grants/select	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S
🙈​	TestAccept/ssh/connection	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S	🙈​S

Top 28 slowest tests (at least 2 minutes):

duration	env	testname
6:19	azure windows	TestAccept
6:01	azure-ucws windows	TestAccept
4:58	aws-ucws windows	TestAccept
4:57	gcp windows	TestAccept
4:33	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
4:29	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:25	gcp linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:22	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:18	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:13	gcp windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:52	aws-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:18	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:15	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:14	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:08	azure-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:01	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:00	aws-ucws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:59	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:55	azure windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:54	gcp linux	TestAccept
2:54	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:52	azure linux	TestAccept
2:49	aws-ucws linux	TestAccept
2:49	aws linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:45	azure-ucws linux	TestAccept
2:45	azure-ucws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:41	azure linux	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:30	aws windows	TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct