Is there a way to exclude resource groups that contain the word databricks from policy assignment?

Pookat, Sanal (MBHC 21) 26 Reputation points
2022-01-25T18:55:43.17+00:00

Hi - We have a number of policies that check if diagnostic settings are created for resources. Since databricks uses a managed resource group, these policies always show non-compliant.
Is there a way I could use a '*' in the policy definition to exclude the resource groups that have databricks in the name? This will help me a lot.


7 answers

  1. Stanislav Zhelyazkov 21,101 Reputation points MVP
    2022-01-26T09:14:52.067+00:00

    Hi,
    My advice is to use exclusions via the policy assignments or create exemptions. If you want the policy to exclude these from appearing in compliance results, that will require cloning all these policy definitions where you want to do that, modifying the rule within the definition, saving them as new policy definitions and using those new policy definitions when you create policy assignments. Having custom definitions is something normal, but for your case this is something that should be done via exclusions or exemptions rather than modifying the rule.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. Pookat, Sanal (MBHC 21) 26 Reputation points
    2022-01-30T02:45:47.693+00:00

    Hi - I ended up using a wildcard in the policy definition and it worked quite well.

    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "not": {
              "value": "[resourceGroup().name]",
              "like": "databricks-rg*"
            }
          }
        ]
      }
    }

    1 person found this answer helpful.
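
A complete policy definition built around the wildcard rule in answer 2, added here as an example and not code from the thread. The `then` block follows the existence check used by Microsoft's built-in diagnostic-settings audit definitions (assumed to apply to network interfaces); the display name and the `effect` parameter are assumptions of this example.

```json
{
  "properties": {
    "displayName": "Audit diagnostic settings on network interfaces, skipping Databricks managed resource groups",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "AuditIfNotExists",
        "allowedValues": ["AuditIfNotExists", "Disabled"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "not": {
              "value": "[resourceGroup().name]",
              "like": "databricks-rg*"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              }
            ]
          }
        }
      }
    }
  }
}
```

Because the `not`/`like` condition sits in the `if` block, resources inside `databricks-rg*` groups are never evaluated and so never appear as non-compliant, whereas an assignment exclusion or exemption keeps the built-in definition intact and records the waiver explicitly.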

  3. Pookat, Sanal (MBHC 21) 26 Reputation points
    2022-01-26T16:44:18.203+00:00

    Stan - Thanks for the response.
    Ok so I can use exclusions via policy assignments, but I will still need to use a wildcard as the databricks managed RG names we have are like this:
    databricks-rg-xyzocessing-knprpqpjhrrww
    databricks-rg-xyzprocessing01-p43vspm6u6sos

    Is there a way to use a wildcard to exclude RGs that begin with databricks?


  4. Pookat, Sanal (MBHC 21) 26 Reputation points
    2022-01-31T14:28:49.477+00:00

    Understood. It would have helped if the databricks resource groups had some kind of msft generated tag like 'databricks-managed-rg' so we could probably do:

    {
      "not": {
        "field": "tags[databricks-managed-rg]",
        "exists": "true"
      }
    }


  5. Pookat, Sanal (MBHC 21) 26 Reputation points
    2022-02-04T19:23:54.223+00:00

    Thank you Stan.
    I am thinking of a different approach:
    It seems that when a tag type="databricks" is applied to a databricks resource, it gets applied automatically to the managed resource group.

    On that basis, I am creating a modify policy to apply that tag to any databricks resources at the management group level and remediate existing resources.
    Once the tags are applied, I should be able to exclude databricks RGs based on that tag.

    Sounds feasible?