From 3f58228c70e285584b3c2e416bad98f4e2bdf15e Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Wed, 17 Jan 2024 11:04:50 +1000
Subject: [PATCH] Update to docs and change log (#2647)
---
 docs/CHANGELOG-v1.md | 6 ++++
 .../en/rules/Azure.Databricks.PublicAccess.md | 21 ++++++++++--
 docs/en/rules/Azure.Databricks.SKU.md | 33 +++++++++++++++----
 .../Azure.Databricks.SecureConnectivity.md | 12 +++++--
 docs/examples-databricks.bicep | 4 +++
 docs/examples-databricks.json | 25 ++++++--------
 .../rules/Azure.Databricks.Rule.yaml | 4 +--
 7 files changed, 77 insertions(+), 28 deletions(-)
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
index be04b2f0a38..b7e0cb9ba67 100644
--- a/docs/CHANGELOG-v1.md
+++ b/docs/CHANGELOG-v1.md
@@ -34,6 +34,12 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 What's changed since pre-release v1.33.0-B0023:
+- New rules:
+ - Databricks:
+ - Check that Databricks workspaces use a non-trial SKU by @batemansogq.
+ [#2646](https://github.com/Azure/PSRule.Rules.Azure/issues/2646)
+ - Check that Databricks workspaces require use of private endpoints by @batemansogq.
+ [#2646](https://github.com/Azure/PSRule.Rules.Azure/issues/2646)
 - Engineering:
 - Bump xunit to v2.6.6.
 [#2645](https://github.com/Azure/PSRule.Rules.Azure/pull/2645)
diff --git a/docs/en/rules/Azure.Databricks.PublicAccess.md b/docs/en/rules/Azure.Databricks.PublicAccess.md
index ac2e1e7b21b..1933a4e3bc8 100644
--- a/docs/en/rules/Azure.Databricks.PublicAccess.md
+++ b/docs/en/rules/Azure.Databricks.PublicAccess.md
@@ -15,7 +15,8 @@ Azure Databricks workspaces should disable public network access.
 ## DESCRIPTION
-Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead.
+Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet.
+You can control exposure of your resources by creating private endpoints instead.
 ## RECOMMENDATION
@@ -37,9 +38,17 @@ For example:
 "apiVersion": "2023-02-01",
 "name": "[parameters('name')]",
 "location": "[parameters('location')]",
+ "sku": {
+ "name": "standard"
+ },
 "properties": {
 "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
- "publicNetworkAccess": "Disabled"
+ "publicNetworkAccess": "Disabled",
+ "parameters": {
+ "enableNoPublicIp": {
+ "value": true
+ }
+ }
 }
 }
 ```
@@ -56,10 +65,18 @@ For example:
 resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 name: name
 location: location
+ sku: {
+ name: 'standard'
+ }
 properties: {
 managedResourceGroupId: managedRg.id
 publicNetworkAccess: 'Disabled'
+ parameters: {
+ enableNoPublicIp: {
+ value: true
+ }
 }
+ }
 }
 ```
diff --git a/docs/en/rules/Azure.Databricks.SKU.md b/docs/en/rules/Azure.Databricks.SKU.md
index 978f353c2f2..ced1ee12765 100644
--- a/docs/en/rules/Azure.Databricks.SKU.md
+++ b/docs/en/rules/Azure.Databricks.SKU.md
@@ -7,7 +7,7 @@ resource: Databricks
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Databricks.SKU/
 ---
-# Ensure Databricks workspaces are non-trial SKUs for production workloads
+# Ensure Databricks workspaces are non-trial SKUs for production workloads
 ## SYNOPSIS
@@ -18,11 +18,12 @@ Ensure Databricks workspaces are non-trial SKUs for production workloads.
 An Azure Databricks workspace has three available SKU types to support the compute demands of a workspace.
 The Trial SKU is a time-bound offer which has feature and compute limitations, making it unsuitable for production workloads.
-*NB* - The Trial SKU is a strong candidate for non-production or innovation workloads which can accept the tiers constraints.
+*NB* - The Trial SKU is a strong candidate for non-production or innovation workloads which can accept the tiers constraints.
 ## RECOMMENDATION
-Consider configuring Databricks workspaces to use either Standard or Premium tiers, dependant on the workload demands non-functional requirements (NFRs).
+Consider configuring Databricks workspaces to use either Standard or Premium tiers,
+dependant on the workload demands and non-functional requirements (NFRs).
 ## EXAMPLES
@@ -30,7 +31,7 @@ Consider configuring Databricks workspaces to use either Standard or Premium tie
 To deploy workspaces that pass this rule:
-- Set the `sku.name` to a a non-trial tier, i.e. standard.
+- Set the `sku.name` to a a non-trial tier, i.e. `standard`.
 For example:
@@ -42,6 +43,15 @@ For example:
 "location": "[parameters('location')]",
 "sku": {
 "name": "standard"
+ },
+ "properties": {
+ "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
+ "publicNetworkAccess": "Disabled",
+ "parameters": {
+ "enableNoPublicIp": {
+ "value": true
+ }
+ }
 }
 }
 ```
@@ -50,7 +60,7 @@ For example:
 To deploy workspaces that pass this rule:
-- Set the `sku.name` to a a non-trial tier, i.e. standard.
+- Set the `sku.name` to a a non-trial tier, i.e. `standard`.
 For example:
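Review bot: The rewritten bullet in the @@ -30,7 +31,7 @@ hunk keeps the doubled article ("to a a non-trial tier") even though the line is touched to add code formatting, and the identical line is repeated in the @@ -50,7 +60,7 @@ hunk of the same file; dropping the extra "a" in both places fixes it. In the @@ -18,11 +18,12 @@ hunk the rewrapped recommendation also keeps "dependant", so the second new line would better read `dependent on the workload demands and non-functional requirements (NFRs).`, and the re-emitted *NB* line keeps "the tiers constraints" where "the tier's constraints" is meant. Since all three lines are already being rewritten by this commit, correcting them here avoids a follow-up docs change.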
@@ -59,7 +69,16 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 name: name
 location: location
 sku: {
- name: standard
+ name: 'standard'
+ }
+ properties: {
+ managedResourceGroupId: managedRg.id
+ publicNetworkAccess: 'Disabled'
+ parameters: {
+ enableNoPublicIp: {
+ value: true
+ }
 }
 }
 ```
@@ -67,7 +86,7 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 ## LINKS
 - [PE:03 Selecting services](https://learn.microsoft.com/azure/well-architected/performance-efficiency/select-services)
-- [Databricks Setup](https://learn.microsoft.com/azure/databricks/getting-started/#:~:text=Bicep-,Note,-When%20you%20create)
+- [Databricks Setup](https://learn.microsoft.com/azure/databricks/getting-started)
 - [Databricks Tier Features](https://azure.microsoft.com/pricing/details/databricks)
 - [Databricks Workspace API](https://learn.microsoft.com/azure/templates/Microsoft.Databricks/workspaces)
 - [Azure Databricks architecture overview](https://learn.microsoft.com/azure/databricks/getting-started/overview)
diff --git a/docs/en/rules/Azure.Databricks.SecureConnectivity.md b/docs/en/rules/Azure.Databricks.SecureConnectivity.md
index 6f16ace485a..230882b8619 100644
--- a/docs/en/rules/Azure.Databricks.SecureConnectivity.md
+++ b/docs/en/rules/Azure.Databricks.SecureConnectivity.md
@@ -2,7 +2,7 @@
 reviewed: 2023-07-26
 severity: Critical
 pillar: Security
-category: Application endpoints
+category: SE:06 Network controls
 resource: Databricks
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Databricks.SecureConnectivity/
 ---
@@ -46,8 +46,12 @@ For example:
 "apiVersion": "2023-02-01",
 "name": "[parameters('name')]",
 "location": "[parameters('location')]",
+ "sku": {
+ "name": "standard"
+ },
 "properties": {
 "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
+ "publicNetworkAccess": "Disabled",
 "parameters": {
 "enableNoPublicIp": {
 "value": true
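Review bot: In the @@ -59,7 +69,16 @@ Bicep example of Azure.Databricks.SKU.md, only three `}` lines follow `value: true` while four blocks are open at that point (enableNoPublicIp, parameters, properties, and the resource opened on the hunk's header line), so the example as shown here would not parse. The hunk header declares 16 new lines and only 15 are visible, which suggests a `}` line was lost in this rendering rather than in the commit; please confirm the committed file closes the resource with four braces before the closing fence. The JSON block added to the same file in the @@ -42,6 +43,15 @@ hunk does balance, so it can serve as the reference when checking.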
@@ -69,8 +73,12 @@ For example:
 resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 name: name
 location: location
+ sku: {
+ name: 'standard'
+ }
 properties: {
 managedResourceGroupId: managedRg.id
+ publicNetworkAccess: 'Disabled'
 parameters: {
 enableNoPublicIp: {
 value: true
@@ -82,7 +90,7 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 ## LINKS
-- [Public endpoints](https://learn.microsoft.com/azure/well-architected/security/design-network-endpoints#public-endpoints)
+- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
 - [Secure cluster connectivity (No Public IP / NPIP)](https://learn.microsoft.com/azure/databricks/security/network/secure-cluster-connectivity)
 - [Network access](https://learn.microsoft.com/azure/databricks/security/network/)
 - [Azure Databricks architecture overview](https://learn.microsoft.com/azure/databricks/getting-started/overview)
diff --git a/docs/examples-databricks.bicep b/docs/examples-databricks.bicep
index 416bcd498ef..76b784d1c1e 100644
--- a/docs/examples-databricks.bicep
+++ b/docs/examples-databricks.bicep
@@ -18,8 +18,12 @@ resource managedRg 'Microsoft.Resources/resourceGroups@2022-09-01' existing = {
 resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 name: name
 location: location
+ sku: {
+ name: 'standard'
+ }
 properties: {
 managedResourceGroupId: managedRg.id
+ publicNetworkAccess: 'Disabled'
 parameters: {
 enableNoPublicIp: {
 value: true
diff --git a/docs/examples-databricks.json b/docs/examples-databricks.json
index c54b9a846fb..493773e864f 100644
--- a/docs/examples-databricks.json
+++ b/docs/examples-databricks.json
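Review bot: `publicNetworkAccess: 'Disabled'` is added to the reference example in docs/examples-databricks.bicep with no private endpoint shown alongside it, so a reader deploying the example verbatim presumably ends up with a workspace they cannot reach; the Azure.Databricks.PublicAccess.md text in this same commit names private endpoints as the intended access path. A one-line comment above the property, `// Public access is disabled; reach the workspace over a private endpoint.`, would make that expectation explicit where people copy from. The resource definition continues past the end of the hunk, and the same addition appears in the examples of the three rule docs.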
@@ -1,20 +1,18 @@
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "languageVersion": "1.10-experimental",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "_EXPERIMENTAL_WARNING": "Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!",
 "_generator": {
 "name": "bicep",
- "version": "0.19.5.34762",
- "templateHash": "13081891106656677852"
+ "version": "0.24.24.22086",
+ "templateHash": "6898993126135381945"
 }
 },
 "parameters": {
 "name": {
 "type": "string",
 "metadata": {
- "description": "The name of the cognitive services account."
+ "description": "The name of the Databricks workspace."
 }
 },
 "location": {
@@ -25,21 +23,18 @@
 }
 }
 },
- "resources": {
- "managedRg": {
- "existing": true,
- "type": "Microsoft.Resources/resourceGroups",
- "apiVersion": "2022-09-01",
- "subscriptionId": "[subscription().subscriptionId]",
- "name": "example-mg"
- },
- "databricks": {
+ "resources": [
+ {
 "type": "Microsoft.Databricks/workspaces",
 "apiVersion": "2023-02-01",
 "name": "[parameters('name')]",
 "location": "[parameters('location')]",
+ "sku": {
+ "name": "standard"
+ },
 "properties": {
 "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
+ "publicNetworkAccess": "Disabled",
 "parameters": {
 "enableNoPublicIp": {
 "value": true
@@ -47,5 +42,5 @@
 }
 }
 }
- }
+ ]
 }
\ No newline at end of file
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml
index e6b6506a09f..010cb423cc6 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml
@@ -35,7 +35,7 @@ metadata:
 ref: AZR-000409
 tags:
 release: GA
- ruleSet: 2024_01
+ ruleSet: 2024_03
 Azure.WAF/pillar: Performance Efficiency
 spec:
 type:
@@ -53,7 +53,7 @@ metadata:
 ref: AZR-000410
 tags:
 release: GA
- ruleSet: 2024_01
+ ruleSet: 2024_03
 Azure.WAF/pillar: Security
 spec:
 type: