Is there a way to exclude resource groups that contain the word databricks from policy assignment ?

Pookat, Sanal (MBHC 21) 26

Hi - We have a number of policies that check if diagnostic settings are created for resources. Since databricks uses a managed resource group, these policies always show non-compliant.
Is there a way i could use a '*' in the policy definition to exclude the resources groups that have databricks in the name ? This will help me a lot.

7 answers

Stanislav Zhelyazkov 24,766 Reputation points MVP

2022-01-26T09:14:52.067+00:00

Hi,
My advice is to use exclusions via the policy assignments or create exemptions. If you want the policy to exclude these from appearing in compliance results that will require cloning all these policy definitions where you want to do that, modify the rule within the definition and save them as new policy definitions and use those new policy definitions when you create policy assignments. Having custom definitions is something normal but for your case this is something that should be done via exclusions or exemptions rather modifying the rule.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

1 person found this answer helpful.
Tim Webster 6 Reputation points

2022-06-29T09:28:32.28+00:00

It doesn't look like exemptions are an option, as there is some sort of system deny policy put in place by the Databricks deployment:

Error: creating/updating /subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Authorization/policyExemptions/ExemptCDPDatabricksStorage: policy.ExemptionsClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="DenyAssignmentAuthorizationFailed" Message="The client '125b5296-918c-4b89-8dd4-291495bfa4e2' with object id '125b5296-918c-4b89-8dd4-291495bfa4e2' has permission to perform action 'Microsoft.Authorization/policyExemptions/write' on scope '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Authorization/policyExemptions/ExemptCDPDatabricksStorage'; however, the access is denied because of the deny assignment with name 'System deny assignment created by Azure Databricks /subscriptions/<redacted>/resourceGroups/db-workspace-rg/providers/Microsoft.Databricks/workspaces/db-workspace' and Id '99108872b17c4f1480b77c82557d681b' at scope '/subscriptions/<redacted>/resourceGroups/<redacted>'."

Jake Linebaugh 15 Reputation points

2024-01-24T14:53:17.9366667+00:00

Issue with this some of these resources are created in a managed resource group that have a DENY assignment and you cant create an exemption. This is terrible design. There should be a safe, vetted circumvention to allow exclusions on MRGs. I have several subscriptions with several MRGs that contain resources that show non-compliant and I cant exempt them from the policies in the initiative I shouldnt have to go around the tree 10 times and indefinitely adding resource names to a list in all the policies. Who came up with this?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Pookat, Sanal (MBHC 21) 26 Reputation points

2022-01-30T02:45:47.693+00:00

Hi - I ended up using a wildcard in the policy definition and it worked quite well.

policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkInterfaces"
},
{
"not": {
"value": "[resourceGroup().name]",
"like": "databricks-rg*"
}
}
]
}
Please sign in to rate this answer.

1 person found this answer helpful.
Stanislav Zhelyazkov 24,766 Reputation points MVP

2022-01-31T11:16:09.16+00:00

ok. good. It is your choice. Keep in mind that if someone manually creates a group that starts with databricks-rg will be able to pass by that policy. If possible please mark the reply as answer.

James A 1 Reputation point

2022-10-04T16:24:09.627+00:00

Really helpful thanks
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Pookat, Sanal (MBHC 21) 26 Reputation points

2022-01-26T16:44:18.203+00:00

Stan - Thanks for the response.
Ok so i can use exclusions via policy assignments but i will still need to use a wildcard as the databricks managed RG names we have are like this:
databricks-rg-xyzocessing-knprpqpjhrrww
databricks-rg-xyzprocessing01-p43vspm6u6sos

Is there are way to use a wildcard to exclude RGs that begin with databricks ?
Please sign in to rate this answer.
Stanislav Zhelyazkov 24,766 Reputation points MVP

2022-01-27T07:28:16.72+00:00

No,
Exclusions needs to refer to specific resource no matter if it is subscription, resource group or specific resource. I know that sounds like limitation but if you are able to make exclusions based on wildcards could present security risk thus also my advise to use exclusions rather modifying the policies. It is more work but it is the better way to setup this. Of course end decision is with you and you can always go to the route of modifying the policies. There via the rules capabilities you can use wildcards to filter to which resources the rules applies or does not applies.

Jake Linebaugh 15 Reputation points

2024-01-24T14:54:56.75+00:00

Terrible design
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Pookat, Sanal (MBHC 21) 26 Reputation points

2022-01-31T14:28:49.477+00:00

Understood. It would have helped if the databricks resource groups had some kind of msft generated tag like 'databricks-managed-rg" so we could probably do :

{
"not": {
"field": "tags[databricks-managed-rg]",
"exists": "true"
}
}
Please sign in to rate this answer.
Stanislav Zhelyazkov 24,766 Reputation points MVP

2022-02-01T07:38:26.25+00:00

One thing that can help but it is not available is managedBy proeprty on a resource group. That property will be available with the value of the data bricks resource ID if the resource group is created and managed by Data Bricks. As far as I know though that property is not available as policy alias. May be you can request it by logging issue here.

Stanislav Zhelyazkov 24,766 Reputation points MVP

2022-02-01T07:39:07.35+00:00

If possible please mark the initial reply as answer.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Pookat, Sanal (MBHC 21) 26 Reputation points

2022-02-04T19:23:54.223+00:00

Thank you Stan.
I am thinking of a different approach:
It seems that when a tag type="databricks" is applied to a databricks resource, it get applied automatically to the managed resource group.

on that basis, i am creating a modify policy to apply that tag to any databricks resources at the management group level and remediate existing resources
Once the tags are applied, i should be able to exclude databricks RGs based on that tag.

Sounds feasible ?
Please sign in to rate this answer.
Stanislav Zhelyazkov 24,766 Reputation points MVP

2022-02-07T08:10:25.8+00:00

To me it has the same problem like the previous approach as anyone can add the tag to the resource group and thus avoid the policy. As mentioned before it is up to you of what you are comfortable with.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Is there a way to exclude resource groups that contain the word databricks from policy assignment ?

7 answers

Your answer