feat: Add security compliance options for avm/res/databricks/workspace #3550

Merged
merged 14 commits into from
Oct 15, 2024
104 changes: 104 additions & 0 deletions avm/res/databricks/workspace/README.md
Expand Up @@ -116,6 +116,12 @@ module workspace 'br/public:avm/res/databricks/workspace:<version>' = {
name: 'dwmax002'
// Non-required parameters
amlWorkspaceResourceId: '<amlWorkspaceResourceId>'
automaticClusterUpdate: 'Enabled'
complianceSecurityProfileValue: 'Enabled'
complianceStandards: [
'HIPAA'
'PCI_DSS'
]
customerManagedKey: {
keyName: '<keyName>'
keyVaultResourceId: '<keyVaultResourceId>'
Expand Down Expand Up @@ -149,6 +155,7 @@ module workspace 'br/public:avm/res/databricks/workspace:<version>' = {
}
]
disablePublicIp: true
enhancedSecurityMonitoring: 'Enabled'
loadBalancerBackendPoolName: '<loadBalancerBackendPoolName>'
loadBalancerResourceId: '<loadBalancerResourceId>'
location: '<location>'
Expand Down Expand Up @@ -243,6 +250,18 @@ module workspace 'br/public:avm/res/databricks/workspace:<version>' = {
"amlWorkspaceResourceId": {
"value": "<amlWorkspaceResourceId>"
},
"automaticClusterUpdate": {
"value": "Enabled"
},
"complianceSecurityProfileValue": {
"value": "Enabled"
},
"complianceStandards": {
"value": [
"HIPAA",
"PCI_DSS"
]
},
"customerManagedKey": {
"value": {
"keyName": "<keyName>",
Expand Down Expand Up @@ -292,6 +311,9 @@ module workspace 'br/public:avm/res/databricks/workspace:<version>' = {
"disablePublicIp": {
"value": true
},
"enhancedSecurityMonitoring": {
"value": "Enabled"
},
"loadBalancerBackendPoolName": {
"value": "<loadBalancerBackendPoolName>"
},
Expand Down Expand Up @@ -416,6 +438,12 @@ using 'br/public:avm/res/databricks/workspace:<version>'
param name = 'dwmax002'
// Non-required parameters
param amlWorkspaceResourceId = '<amlWorkspaceResourceId>'
param automaticClusterUpdate = 'Enabled'
param complianceSecurityProfileValue = 'Enabled'
param complianceStandards = [
'HIPAA'
'PCI_DSS'
]
param customerManagedKey = {
keyName: '<keyName>'
keyVaultResourceId: '<keyVaultResourceId>'
Expand Down Expand Up @@ -449,6 +477,7 @@ param diagnosticSettings = [
}
]
param disablePublicIp = true
param enhancedSecurityMonitoring = 'Enabled'
param loadBalancerBackendPoolName = '<loadBalancerBackendPoolName>'
param loadBalancerResourceId = '<loadBalancerResourceId>'
param location = '<location>'
Expand Down Expand Up @@ -542,6 +571,8 @@ module workspace 'br/public:avm/res/databricks/workspace:<version>' = {
// Non-required parameters
accessConnectorResourceId: '<accessConnectorResourceId>'
amlWorkspaceResourceId: '<amlWorkspaceResourceId>'
automaticClusterUpdate: 'Enabled'
complianceSecurityProfileValue: 'Disabled'
customerManagedKey: {
keyName: '<keyName>'
keyVaultResourceId: '<keyVaultResourceId>'
Expand Down Expand Up @@ -572,6 +603,7 @@ module workspace 'br/public:avm/res/databricks/workspace:<version>' = {
}
]
disablePublicIp: true
enhancedSecurityMonitoring: 'Enabled'
loadBalancerBackendPoolName: '<loadBalancerBackendPoolName>'
loadBalancerResourceId: '<loadBalancerResourceId>'
location: '<location>'
Expand Down Expand Up @@ -657,6 +689,12 @@ module workspace 'br/public:avm/res/databricks/workspace:<version>' = {
"amlWorkspaceResourceId": {
"value": "<amlWorkspaceResourceId>"
},
"automaticClusterUpdate": {
"value": "Enabled"
},
"complianceSecurityProfileValue": {
"value": "Disabled"
},
"customerManagedKey": {
"value": {
"keyName": "<keyName>",
Expand Down Expand Up @@ -701,6 +739,9 @@ module workspace 'br/public:avm/res/databricks/workspace:<version>' = {
"disablePublicIp": {
"value": true
},
"enhancedSecurityMonitoring": {
"value": "Enabled"
},
"loadBalancerBackendPoolName": {
"value": "<loadBalancerBackendPoolName>"
},
Expand Down Expand Up @@ -816,6 +857,8 @@ param name = 'dwwaf001'
// Non-required parameters
param accessConnectorResourceId = '<accessConnectorResourceId>'
param amlWorkspaceResourceId = '<amlWorkspaceResourceId>'
param automaticClusterUpdate = 'Enabled'
param complianceSecurityProfileValue = 'Disabled'
param customerManagedKey = {
keyName: '<keyName>'
keyVaultResourceId: '<keyVaultResourceId>'
Expand Down Expand Up @@ -846,6 +889,7 @@ param diagnosticSettings = [
}
]
param disablePublicIp = true
param enhancedSecurityMonitoring = 'Enabled'
param loadBalancerBackendPoolName = '<loadBalancerBackendPoolName>'
param loadBalancerResourceId = '<loadBalancerResourceId>'
param location = '<location>'
Expand Down Expand Up @@ -928,6 +972,9 @@ param vnetAddressPrefix = '10.100'
| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`amlWorkspaceResourceId`](#parameter-amlworkspaceresourceid) | string | The resource ID of a Azure Machine Learning workspace to link with Databricks workspace. |
| [`automaticClusterUpdate`](#parameter-automaticclusterupdate) | string | The value for enabling automatic cluster updates in enhanced security compliance. |
| [`complianceSecurityProfileValue`](#parameter-compliancesecurityprofilevalue) | string | The value to Enable or Disable for the compliance security profile. |
| [`complianceStandards`](#parameter-compliancestandards) | array | The compliance standards array for the security profile. Should be a list of compliance standards like "HIPAA", "NONE" or "PCI_DSS". |
| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition to use for the managed service. |
| [`customerManagedKeyManagedDisk`](#parameter-customermanagedkeymanageddisk) | object | The customer managed key definition to use for the managed disk. |
| [`customPrivateSubnetName`](#parameter-customprivatesubnetname) | string | The name of the Private Subnet within the Virtual Network. |
Expand All @@ -937,6 +984,7 @@ param vnetAddressPrefix = '10.100'
| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
| [`disablePublicIp`](#parameter-disablepublicip) | bool | Disable Public IP. |
| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
| [`enhancedSecurityMonitoring`](#parameter-enhancedsecuritymonitoring) | string | The value for enabling or configuring enhanced security monitoring. |
| [`loadBalancerBackendPoolName`](#parameter-loadbalancerbackendpoolname) | string | Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP). |
| [`loadBalancerResourceId`](#parameter-loadbalancerresourceid) | string | Resource URI of Outbound Load balancer for Secure Cluster Connectivity (No Public IP) workspace. |
| [`location`](#parameter-location) | string | Location for all Resources. |
Expand Down Expand Up @@ -981,6 +1029,46 @@ The resource ID of a Azure Machine Learning workspace to link with Databricks wo
- Type: string
- Default: `''`

### Parameter: `automaticClusterUpdate`

The value for enabling automatic cluster updates in enhanced security compliance.

- Required: No
- Type: string
- Default: `''`
- Allowed:
```Bicep
[
''
'Disabled'
'Enabled'
]
```

### Parameter: `complianceSecurityProfileValue`

The value to Enable or Disable for the compliance security profile.

- Required: No
- Type: string
- Default: `''`
- Allowed:
```Bicep
[
''
'Disabled'
'Enabled'
]
```

### Parameter: `complianceStandards`

The compliance standards array for the security profile. Should be a list of compliance standards like "HIPAA", "NONE" or "PCI_DSS".

- Required: No
- Type: array
- Default: `[]`

### Parameter: `customerManagedKey`

The customer managed key definition to use for the managed service.
Expand Down Expand Up @@ -1266,6 +1354,22 @@ Enable/Disable usage telemetry for module.
- Type: bool
- Default: `True`

### Parameter: `enhancedSecurityMonitoring`

The value for enabling or configuring enhanced security monitoring.

- Required: No
- Type: string
- Default: `''`
- Allowed:
```Bicep
[
''
'Disabled'
'Enabled'
]
```

### Parameter: `loadBalancerBackendPoolName`

Name of the outbound Load Balancer Backend Pool for Secure Cluster Connectivity (No Public IP).
43 changes: 43 additions & 0 deletions avm/res/databricks/workspace/main.bicep
Expand Up @@ -116,6 +116,33 @@ param accessConnectorResourceId string = ''
@description('Optional. The default catalog configuration for the Databricks workspace.')
param defaultCatalog defaultCatalogType?

@description('Optional. The value for enabling automatic cluster updates in enhanced security compliance.')
@allowed([
'Enabled'
'Disabled'
''
])
param automaticClusterUpdate string = ''

@description('Optional. The compliance standards array for the security profile. Should be a list of compliance standards like "HIPAA", "NONE" or "PCI_DSS".')
param complianceStandards array = []

@description('Optional. The value to Enable or Disable for the compliance security profile.')
@allowed([
'Enabled'
'Disabled'
''
])
param complianceSecurityProfileValue string = ''

@description('Optional. The value for enabling or configuring enhanced security monitoring.')
@allowed([
'Enabled'
'Disabled'
''
])
param enhancedSecurityMonitoring string = ''

var builtInRoleNames = {
Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
Expand Down Expand Up @@ -339,6 +366,22 @@ resource workspace 'Microsoft.Databricks/workspaces@2024-05-01' = {
initialType: defaultCatalog.?initialType
}
}
: {},
!empty(automaticClusterUpdate) || !empty(complianceStandards) || !empty(enhancedSecurityMonitoring)
? {
enhancedSecurityCompliance: {
automaticClusterUpdate: {
value: automaticClusterUpdate
}
complianceSecurityProfile: {
complianceStandards: complianceStandards
value: complianceSecurityProfileValue
}
enhancedSecurityMonitoring: {
value: enhancedSecurityMonitoring
}
}
}
: {}
)
}
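Review bot: The guard that decides whether `enhancedSecurityCompliance` is emitted at all omits `complianceSecurityProfileValue`, so a caller who passes only `complianceSecurityProfileValue: 'Enabled'` (or `'Disabled'`, as the waf-aligned example does without any `complianceStandards`) gets the whole block silently dropped; the condition should read `!empty(automaticClusterUpdate) || !empty(complianceSecurityProfileValue) || !empty(complianceStandards) || !empty(enhancedSecurityMonitoring)`. Once the block is emitted, every sub-object is always written, so a caller who sets just one option sends `value: ''` for the other two even though the parameters only document `'Enabled'`/`'Disabled'` as meaningful values — it would be safer to spread each sub-object in conditionally (`...(!empty(enhancedSecurityMonitoring) ? { enhancedSecurityMonitoring: { value: enhancedSecurityMonitoring } } : {})`) so an unset option is left at the service default rather than sent as an empty string. `complianceStandards` is an untyped `array` while its description enumerates `"HIPAA"`, `"NONE"` and `"PCI_DSS"`; a typed parameter such as `param complianceStandards ('HIPAA' | 'NONE' | 'PCI_DSS')[] = []` would make the README's allowed list enforceable at deploy time and catch typos before they reach the API. I would also add a parameter note that enabling the compliance security profile is, as far as I recall from the Databricks documentation, not reversible on a workspace — worth confirming and stating in the `@description` so users do not toggle it casually. The `resource workspace` definition and the surrounding `union(...)` expression start outside the hunk.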