From f49c5223a9148009581c9c876df73ee27e3b9960 Mon Sep 17 00:00:00 2001
From: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Date: Wed, 9 Mar 2022 13:05:21 +0000
Subject: [PATCH] Add Missing Databricks Default Policy Assignments to Corp MG to Match ALZ Accelerator Experience (#177)
* add assignments
* update policy assignment bicep inputs
* update default assignments with databricks policies on corp
* update ver
* makes file pluralism match
---
 .../alzDefaultPolicyAssignments.bicep | 68 +++++++++++++++-
 .../_policyAssignmentsBicepInput.txt | 77 +++++++++++--------
 ...ent_es_deny_databricks_public_ip.tmpl.json | 22 ++++++
 ...ssignment_es_deny_databricks_sku.tmpl.json | 22 ++++++
 ...signment_es_deny_databricks_vnet.tmpl.json | 22 ++++++
 5 files changed, 179 insertions(+), 32 deletions(-)
 create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json
 create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
 create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 340589f03..ddf473ab3 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -3,7 +3,7 @@ SUMMARY: This module deploys the default Azure Landing Zone Azure Policy Assignments to the Management Group Hierarchy and also assigns the relevant RBAC. DESCRIPTION: This module deploys the default Azure Landing Zone Azure Policy Assignments to the Management Group Hierarchy and also assigns the relevant RBAC for the system-assigned Managed Identities created for policies that require them (e.g DeployIfNotExist & Modify effect policies). AUTHOR/S: jtracey93 -VERSION: 1.0.2 +VERSION: 1.0.3 */ 
@@ -80,10 +80,28 @@ var varModuleDeploymentNames = {
   modPolicyAssignmentLZsDeploySQLThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLZsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLZsDeployPrivateDNSZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+  modPolicyAssignmentLZsDenyDataBPip: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBPip-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+  modPolicyAssignmentLZsDenyDataBSku: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBSku-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+  modPolicyAssignmentLZsDenyDataBVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBVnet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 }
 
 // Policy Assignments Modules Variables
 
+var varPolicyAssignmentDenyDataBPip = {
+  definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp'
+  libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyDataBSku = {
+  definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku'
+  libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyDataBVnet = {
+  definitionID: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork'
+  libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json'))
+}
+
 var varPolicyAssignmentEnforceAKSHTTPS = {
   definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
   libDefinition: json(loadTextContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json'))
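Review bot: The three new `definitionID`s name custom policy definitions (`Deny-Databricks-NoPublicIp`, `Deny-Databricks-Sku`, `Deny-Databricks-VirtualNetwork`) under `varTopLevelManagementGroupResourceID`, unlike the built-in GUID-based `varPolicyAssignmentEnforceAKSHTTPS` directly below, and nothing in this file states that those definitions must already exist at the top-level management group when this module runs. A one-line comment above the first new var would make that ordering requirement visible to anyone reusing the module outside the full orchestration, e.g. `// Custom ALZ definitions: the Deny-Databricks-* policyDefinitions must already be deployed to the top-level MG (presumably by the definitions module) or ARM rejects these assignments`. The equivalent vars added to `_policyAssignmentsBicepInput.txt` would benefit from the same note if that file is hand-maintained rather than generated.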
@@ -771,3 +789,51 @@ module modPolicyAssignmentLZsDenyPublicIP '../../../policy/assignments/policyAss
     parTelemetryOptOut: parTelemetryOptOut
   }
 }
+
+// Module - Policy Assignment - Deny-DataB-Pip
+module modPolicyAssignmentLZsDenyDataBPip '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+  scope: managementGroup(varManagementGroupIDs.landingZonesCorp)
+  name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyDataBPip
+  params: {
+    parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyDataBPip.definitionID
+    parPolicyAssignmentName: varPolicyAssignmentDenyDataBPip.libDefinition.name
+    parPolicyAssignmentDisplayName: varPolicyAssignmentDenyDataBPip.libDefinition.properties.displayName
+    parPolicyAssignmentDescription: varPolicyAssignmentDenyDataBPip.libDefinition.properties.description
+    parPolicyAssignmentParameters: varPolicyAssignmentDenyDataBPip.libDefinition.properties.parameters
+    parPolicyAssignmentIdentityType: varPolicyAssignmentDenyDataBPip.libDefinition.identity.type
+    parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyDataBPip.libDefinition.properties.enforcementMode
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
+// Module - Policy Assignment - Deny-DataB-Sku
+module modPolicyAssignmentLZsDenyDataBSku '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+  scope: managementGroup(varManagementGroupIDs.landingZonesCorp)
+  name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyDataBSku
+  params: {
+    parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyDataBSku.definitionID
+    parPolicyAssignmentName: varPolicyAssignmentDenyDataBSku.libDefinition.name
+    parPolicyAssignmentDisplayName: varPolicyAssignmentDenyDataBSku.libDefinition.properties.displayName
+    parPolicyAssignmentDescription: varPolicyAssignmentDenyDataBSku.libDefinition.properties.description
+    parPolicyAssignmentParameters: varPolicyAssignmentDenyDataBSku.libDefinition.properties.parameters
+    parPolicyAssignmentIdentityType: varPolicyAssignmentDenyDataBSku.libDefinition.identity.type
+    parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyDataBSku.libDefinition.properties.enforcementMode
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
+// Module - Policy Assignment - Deny-DataB-Vnet
+module modPolicyAssignmentLZsDenyDataBVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+  scope: managementGroup(varManagementGroupIDs.landingZonesCorp)
+  name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyDataBVnet
+  params: {
+    parPolicyAssignmentDefinitionID: varPolicyAssignmentDenyDataBVnet.definitionID
+    parPolicyAssignmentName: varPolicyAssignmentDenyDataBVnet.libDefinition.name
+    parPolicyAssignmentDisplayName: varPolicyAssignmentDenyDataBVnet.libDefinition.properties.displayName
+    parPolicyAssignmentDescription: varPolicyAssignmentDenyDataBVnet.libDefinition.properties.description
+    parPolicyAssignmentParameters: varPolicyAssignmentDenyDataBVnet.libDefinition.properties.parameters
+    parPolicyAssignmentIdentityType: varPolicyAssignmentDenyDataBVnet.libDefinition.identity.type
+    parPolicyAssignmentEnforcementMode: varPolicyAssignmentDenyDataBVnet.libDefinition.properties.enforcementMode
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
index 8b99da41f..35778ae06 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
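Review bot: The `policyDefinitionId` carried in the three new `.tmpl.json` files is not what these modules deploy: `parPolicyAssignmentDefinitionID` is taken from `varPolicyAssignmentDenyDataB*.definitionID` (built from `varTopLevelManagementGroupResourceID`), while the templates hold a literal `${modManagementGroups.outputs.outTopLevelMGId}/...` string that, as far as these hunks show, is never substituted or read. The two copies of the definition reference can therefore drift silently, so each of the three new module blocks deserves a comment such as `// definitionID above is the authoritative policy reference; the policyDefinitionId in the .tmpl.json is informational and must be kept in sync with it`. Since these are Deny assignments at `landingZonesCorp` with `enforcementMode` read from the template (`Default`), a mismatch only surfaces when ARM rejects or mis-targets the assignment at deploy time, so checking that the three `definitionID` names match the library's definition names before merge is cheap insurance. The same point applies to the `policy_assignment_es_deny_databricks_public_ip`, `_sku` and `_vnet` template hunks below.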
@@ -2,154 +2,169 @@ var varPolicyAssignmentDenyAppGWWithoutWAF = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json')) } - + +var varPolicyAssignmentDenyDataBPip = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp' + libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json')) +} + +var varPolicyAssignmentDenyDataBSku = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku' + libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json')) +} + +var varPolicyAssignmentDenyDataBVnet = { + definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork' + libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json')) +} + var varPolicyAssignmentEnforceAKSHTTPS = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')) } - + var varPolicyAssignmentDenyIPForwarding = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')) } - + var varPolicyAssignmentDenyPrivContainersAKS = { 
definitionID: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')) } - + var varPolicyAssignmentDenyPrivEscalationAKS = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')) } - + var varPolicyAssignmentDenyPublicEndpoints = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')) } - + var varPolicyAssignmentDenyPublicIP = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')) } - + var varPolicyAssignmentDenyRDPFromInternet = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json')) } - + var varPolicyAssignmentDenyResourceLocations = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json')) } - + var varPolicyAssignmentDenyResourceTypes = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' 
libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json')) } - + var varPolicyAssignmentDenyRSGLocations = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json')) } - + var varPolicyAssignmentDenyStoragehttp = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')) } - + var varPolicyAssignmentDenySubnetWithoutNsg = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')) } - + var varPolicyAssignmentDenySubnetWithoutUdr = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json')) } - + var varPolicyAssignmentDeployAKSPolicy = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')) } - + var varPolicyAssignmentDeployASCMonitoring = { definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')) } - + 
var varPolicyAssignmentDeployAzActivityLog = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json')) } - + var varPolicyAssignmentDeployLogAnalytics = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')) } - + var varPolicyAssignmentDeployLXArcMonitoring = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployMDFCConfig = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json')) } - + var varPolicyAssignmentDeployPrivateDNSZones = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json')) } - + var varPolicyAssignmentDeployResourceDiag = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')) } - + var varPolicyAssignmentDeploySQLDBAuditing = { definitionID: 
'/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json')) } - + var varPolicyAssignmentDeploySQLSecurity = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json')) } - + var varPolicyAssignmentDeploySQLThreat = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')) } - + var varPolicyAssignmentDeployVMBackup = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')) } - + var varPolicyAssignmentDeployVMMonitoring = { definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployVMSSMonitoring = { definitionID: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')) } - + var varPolicyAssignmentDeployWSArcMonitoring = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203' libDefinition: 
json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json')) } - + var varPolicyAssignmentEnableDDoSVNET = { definitionID: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')) } - + var varPolicyAssignmentEnforceTLSSSL = { definitionID: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' libDefinition: json(loadTextContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')) } - + diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json new file mode 100644 index 000000000..b42572af9 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json @@ -0,0 +1,22 @@ +{ + "name": "Deny-DataB-Pip", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", + "displayName": "Prevent usage of Databricks with public IP", + "notScopes": [], + "parameters": { + "effect": { + "value": "Deny" + } + }, + "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "None" + } +} 
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
new file mode 100644
index 000000000..3feb3fa11
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
@@ -0,0 +1,22 @@
+{
+  "name": "Deny-DataB-Sku",
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
+    "displayName": "Enforces the use of Premium Databricks workspaces",
+    "notScopes": [],
+    "parameters": {
+      "effect": {
+        "value": "Deny"
+      }
+    },
+    "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku",
+    "scope": null,
+    "enforcementMode": "Default"
+  },
+  "location": null,
+  "identity": {
+    "type": "None"
+  }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
new file mode 100644
index 000000000..ea59de248
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
@@ -0,0 +1,22 @@
+{
+  "name": "Deny-DataB-Vnet",
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "description": "Enforces the use of vnet injection for Databricks workspaces.",
+    "displayName": "Enforces the use of vnet injection for Databricks",
+    "notScopes": [],
+    "parameters": {
+      "effect": {
+        "value": "Deny"
+      }
+    },
+    "policyDefinitionId": "${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork",
+    "scope": null,
+    "enforcementMode": "Default"
+  },
+  "location": null,
+  "identity": {
+    "type": "None"
+  }
+}