Add vector_search_indexes resource (direct engine)

[janniklasrose]

Changes

Adds vector_search_indexes as a first-class DABs resource on the direct engine, alongside the existing vector_search_endpoints. Direct engine only — vector search has no Terraform provider.

resources:
  vector_search_endpoints:
    my_endpoint:
      name: my-endpoint
      endpoint_type: STANDARD
  vector_search_indexes:
    my_index:
      name: main.default.my_index
      endpoint_name: ${resources.vector_search_endpoints.my_endpoint.name}
      primary_key: id
      index_type: DELTA_SYNC
      delta_sync_index_spec:
        source_table: main.default.source
        pipeline_type: TRIGGERED
      grants:
        - principal: data-engineers
          privileges: [SELECT]

What's included:

• Resource model in bundle/config/resources/vector_search_index.go (with grants) and bundle/direct/dresources/vector_search_index.go (state, lifecycle, drift classification). RemapState round-trips index_subtype so a populated remote subtype isn't classified as drift on the next plan.
• UC grants wired through the generic grants path with securable type table.
• recreate_on_changes for immutable spec fields (name, endpoint_name, index_type, index_subtype, primary_key, delta_sync_index_spec, direct_access_index_spec); delta_sync_index_spec.columns_to_sync marked ignore_remote_changes (request-only field — see follow-up note below). The index API has no rename or update path, so any config-side change has to round-trip through delete + create.
• Index orphaning detection: index state persists the endpoint_uuid of the endpoint it was created against. DoRead looks up the current endpoint UUID by name; if the endpoint was deleted out-of-band the lookup returns "" and OverrideChangeDesc classifies the saved-vs-remote mismatch as Recreate. Builds on the endpoint UUID persistence merged in Persist endpoint UUID for vector_search_endpoints drift detection #5127.
• Async delete handling: new optional WaitAfterDelete adapter method (sibling to WaitAfterCreate / WaitAfterUpdate). For VS indexes it polls GetIndex until 404 (15-minute cap). apply.Recreate runs DoDelete → DeleteState → WaitAfterDelete → DoCreate → SaveState → WaitAfterCreate, so a wait-time failure leaves the bundle consistent. Replaces the prior SaveState("", nil, nil) placeholder that produced invalid state: empty id planning failures on partial recreate.
• Destructive-action prompt for VS indexes in bundle/phases/. The message intentionally covers both Delta Sync ("re-runs the embedding pipeline") and Direct Access ("upserted vectors lost") in one paragraph — picking a type-specific message from the bundle config would be wrong on type changes (DELTA_SYNC → DIRECT_ACCESS recreates would describe the destination type while the actual teardown is of the source type).
• Dev-mode name prefixing for indexes prefixes only the leaf component of catalog.schema.name, since catalog and schema are external references (the previous behavior produced invalid names like dev_jan_main.default.my_index). The mutator skips names that still carry literal ${...} tokens, since the leaf split would otherwise inject the prefix inside the trailing ref expression itself.
• Testserver enforces endpoint existence on index create. Index status returns Ready: true immediately, matching the convention used by every other slow resource the testserver fakes (endpoints → ONLINE, database instances → AVAILABLE, apps → RUNNING).

index_type / spec-block consistency is intentionally not validated client-side — the CreateIndex API rejects mismatched combinations at deploy time, and replicating that check in DABs would just duplicate backend logic.

Why

The direct engine recently gained vector_search_endpoints (#4887). This PR extends the support to indexes, which were the missing half. Along the way it surfaces and fixes a number of issues:

• Without persisted endpoint UUIDs, identity drift was undetectable. An index pointing at a deleted-and-recreated endpoint would appear live by name but its backing endpoint was gone, leading to confusing "index already exists" errors on subsequent deploys. Persist endpoint UUID for vector_search_endpoints drift detection #5127 added the same UUID tracking on the endpoint side; this PR mirrors it on the index side so the orphan is caught.
• The async deletion model isn't documented in the SDK, but recreate deploys hit it every time. Without a wait, every recreate failed on the immediate Create.
• apply.Recreate was writing a malformed empty-ID state entry as its "delete state" step, which then poisoned the next plan with invalid state: empty id.
• Recreating a VS index is genuinely expensive — Delta Sync re-runs the full embedding pipeline; Direct Access loses every upserted vector. The destructive-action prompt now reflects that.

Follow-ups

• delta_sync_index_spec.columns_to_sync is request-only in the SDK today: the field is accepted on Create but the Get response doesn't echo it back, which is why we mark it ignore_remote_changes here. There's an open backend PR to expose columns_to_sync on the read path; once the SDK is regenerated against that, we can drop the ignore_remote_changes entry and let normal drift detection handle the field.
• vector_search_endpoints.budget_policy_id drift (effective vs. requested) and the SDK doc-comment for vector_search_endpoints.usage_policy_id are intentionally not in this PR — both will be addressed by the next SDK bump and the corresponding ./task generate-schema regen.

Tests

• ./task fmt, ./task checks, ./task lint — all clean.
• ./task test — unit tests green across bundle/....
• New unit test TestVectorSearchIndexNameWithUnresolvedRefsLeftAlone in apply_target_mode_test.go exercises the leaf-prefix skip on ${var.catalog}.${var.schema}.${var.index}.
• New acceptance directories under acceptance/bundle/resources/vector_search_indexes/: basic, drift/columns_to_sync, drift/deleted_remotely, drift/orphaned_endpoint, recreate/index_type, recreate/mixed_types, grants/select.
• The recreate request log (recreate/index_type/out.requests.recreate.direct.json) captures GET → DELETE → GET → POST with --get enabled in print_requests.py. The middle GET is the WaitAfterDelete poll; if a future change drops the wait the regenerated capture loses that line and the test fails.
• acceptance/bundle/validate/presets_name_prefix covers the leaf-only name prefix on a 3-part index name.
• acceptance/bundle/invariant/configs/vector_search_index.yml.tmpl exercises the resource through the invariant matrix; the testserver enforces endpoint existence on index create.
• Live tested with --profile tmp against staging across initial deploy / drift / recreate / destroy.

This PR was written by Claude Code.

[github-actions]

Approval status: pending

/acceptance/bundle/ - needs approval

64 files changed
Suggested: @denik
Also eligible: @andrewnester, @shreyas-goenka, @pietern, @anton-107, @lennartkats-db

/bundle/ - needs approval

31 files changed
Suggested: @denik
Also eligible: @andrewnester, @shreyas-goenka, @pietern, @anton-107, @lennartkats-db

General files (require maintainer)

4 files changed
Based on git history:

• @denik -- recent work in bundle/direct/dresources/, bundle/direct/, libs/testserver/

_{Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @shreyas-goenka, @simonfaltum, @renaudhartert-db) can approve all areas.
See OWNERS for ownership rules.}

[janniklasrose]

I made a PR (under review by VS team) to return this field

[janniklasrose]

update reference after databricks/terraform-provider-databricks#5598 is merged

[andrewnester]

Could you create it as part of the same bundle and refer to it in the index?

[janniklasrose]

no strong feeling either way.

• pro: they are strongly coupled so should be declared together
• con: precedent is to have resources/RESOURCE/*/databricks.yml.tmpl only contain the resource

[andrewnester]

precedent is to have resources/RESOURCE/*/databricks.yml.tmpl only contain the resource

I don't think we are strict about it, we have already resources combining both (see catalogs or database_catalogs for example).

Having them together helps us to test the actual use case users will have + cleaning up is a bit easier too

[andrewnester]

This can be a very long operation, right? Shall we maybe not wait for index to be ready and then later introduce support for lifecycle.started here which will wait?

[janniklasrose]

This is following terraform's 75min timeout (see databricks/terraform-provider-databricks#5598 that I made by request from VS team). Don't we always wait for creation for every resource? We can also keep WaitAfterCreate but make it opt-in (maybe use an experimental flag)?

[andrewnester]

We don't for clusters and sql warehouses for example (in both direct and TF mode) and we now make it opt in with lifecycle.started option #5150

My concern with waiting is that if it's a very long operation users don't have a way out of it right now
But implementation wise I'm fine with both to be honest, we can iterate on it any time

[andrewnester]

What will happen if the new field is added but it can be updatable, how do we not leave it unnoticed?