Update to docs and change log (#2647)

2024-01-17 11:04:50 +10:00 · 2024-01-17 11:04:50 +10:00 · 3f58228c70
--- a/docs/CHANGELOG-v1.md
+++ b/docs/CHANGELOG-v1.md
@ -34,6 +34,12 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers

 What's changed since pre-release v1.33.0-B0023:

+- New rules:
+  - Databricks:
+    - Check that Databricks workspaces use a non-trial SKU by @batemansogq.
+      [#2646](https://github.com/Azure/PSRule.Rules.Azure/issues/2646)
+    - Check that Databricks workspaces require use of private endpoints by @batemansogq.
+      [#2646](https://github.com/Azure/PSRule.Rules.Azure/issues/2646)
 - Engineering:
  - Bump xunit to v2.6.6.
    [#2645](https://github.com/Azure/PSRule.Rules.Azure/pull/2645)
--- a/docs/en/rules/Azure.Databricks.PublicAccess.md
+++ b/docs/en/rules/Azure.Databricks.PublicAccess.md
@ -15,7 +15,8 @@ Azure Databricks workspaces should disable public network access.

 ## DESCRIPTION

-Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead.
+Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet.
+You can control exposure of your resources by creating private endpoints instead.

 ## RECOMMENDATION

@ -37,9 +38,17 @@ For example:
  "apiVersion": "2023-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
+  "sku": {
+    "name": "standard"
+  },
  "properties": {
    "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
-    "publicNetworkAccess": "Disabled"
+    "publicNetworkAccess": "Disabled",
+    "parameters": {
+      "enableNoPublicIp": {
+        "value": true
+      }
+    }
  }
 }
 ```
@ -56,10 +65,18 @@ For example:
 resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
  name: name
  location: location
+  sku: {
+    name: 'standard'
+  }
  properties: {
    managedResourceGroupId: managedRg.id
    publicNetworkAccess: 'Disabled'
+    parameters: {
+      enableNoPublicIp: {
+        value: true
+      }
    }
+  }
 }
 ```

--- a/docs/en/rules/Azure.Databricks.SKU.md
+++ b/docs/en/rules/Azure.Databricks.SKU.md
@ -7,7 +7,7 @@ resource: Databricks
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Databricks.SKU/
 ---

-# Ensure Databricks workspaces are non-trial SKUs for production workloads 
+# Ensure Databricks workspaces are non-trial SKUs for production workloads

 ## SYNOPSIS

@ -18,11 +18,12 @@ Ensure Databricks workspaces are non-trial SKUs for production workloads.
 An Azure Databricks workspace has three available SKU types to support the compute demands of a workspace.

 The Trial SKU is a time-bound offer which has feature and compute limitations, making it unsuitable for production workloads.
-*NB* - The Trial SKU is a strong candidate for non-production or innovation workloads which can accept the tiers constraints. 
+*NB* - The Trial SKU is a strong candidate for non-production or innovation workloads which can accept the tiers constraints.

 ## RECOMMENDATION

-Consider configuring Databricks workspaces to use either Standard or Premium tiers, dependant on the workload demands non-functional requirements (NFRs).
+Consider configuring Databricks workspaces to use either Standard or Premium tiers,
+dependant on the workload demands and non-functional requirements (NFRs).

 ## EXAMPLES

@ -30,7 +31,7 @@ Consider configuring Databricks workspaces to use either Standard or Premium tie

 To deploy workspaces that pass this rule:

- Set the `sku.name` to a a non-trial tier, i.e. standard.
+- Set the `sku.name` to a a non-trial tier, i.e. `standard`.

 For example:

@ -42,6 +43,15 @@ For example:
  "location": "[parameters('location')]",
  "sku": {
    "name": "standard"
+  },
+  "properties": {
+    "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
+    "publicNetworkAccess": "Disabled",
+    "parameters": {
+      "enableNoPublicIp": {
+        "value": true
+      }
+    }
  }
 }
 ```
@ -50,7 +60,7 @@ For example:

 To deploy workspaces that pass this rule:

- Set the `sku.name` to a a non-trial tier, i.e. standard.
+- Set the `sku.name` to a a non-trial tier, i.e. `standard`.

 For example:

@ -59,7 +69,16 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
  name: name
  location: location
  sku: {
-    name: standard
+    name: 'standard'
+  }
+  properties: {
+    managedResourceGroupId: managedRg.id
+    publicNetworkAccess: 'Disabled'
+    parameters: {
+      enableNoPublicIp: {
+        value: true
+      }
+    }
  }
 }
 ```
@ -67,7 +86,7 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
 ## LINKS

 - [PE:03 Selecting services](https://learn.microsoft.com/azure/well-architected/performance-efficiency/select-services)
- [Databricks Setup](https://learn.microsoft.com/azure/databricks/getting-started/#:~:text=Bicep-,Note,-When%20you%20create)
+- [Databricks Setup](https://learn.microsoft.com/azure/databricks/getting-started)
 - [Databricks Tier Features](https://azure.microsoft.com/pricing/details/databricks)
 - [Databricks Workspace API](https://learn.microsoft.com/azure/templates/Microsoft.Databricks/workspaces)
 - [Azure Databricks architecture overview](https://learn.microsoft.com/azure/databricks/getting-started/overview)
--- a/docs/en/rules/Azure.Databricks.SecureConnectivity.md
+++ b/docs/en/rules/Azure.Databricks.SecureConnectivity.md
@ -2,7 +2,7 @@
 reviewed: 2023-07-26
 severity: Critical
 pillar: Security
-category: Application endpoints
+category: SE:06 Network controls
 resource: Databricks
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Databricks.SecureConnectivity/
 ---
@ -46,8 +46,12 @@ For example:
  "apiVersion": "2023-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
+  "sku": {
+    "name": "standard"
+  },
  "properties": {
    "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
+    "publicNetworkAccess": "Disabled",
    "parameters": {
      "enableNoPublicIp": {
        "value": true
@ -69,8 +73,12 @@ For example:
 resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
  name: name
  location: location
+  sku: {
+    name: 'standard'
+  }
  properties: {
    managedResourceGroupId: managedRg.id
+    publicNetworkAccess: 'Disabled'
    parameters: {
      enableNoPublicIp: {
        value: true
@ -82,7 +90,7 @@ resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {

 ## LINKS

- [Public endpoints](https://learn.microsoft.com/azure/well-architected/security/design-network-endpoints#public-endpoints)
+- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)  
 - [Secure cluster connectivity (No Public IP / NPIP)](https://learn.microsoft.com/azure/databricks/security/network/secure-cluster-connectivity)
 - [Network access](https://learn.microsoft.com/azure/databricks/security/network/)
 - [Azure Databricks architecture overview](https://learn.microsoft.com/azure/databricks/getting-started/overview)
--- a/docs/examples-databricks.bicep
+++ b/docs/examples-databricks.bicep
@ -18,8 +18,12 @@ resource managedRg 'Microsoft.Resources/resourceGroups@2022-09-01' existing = {
 resource databricks 'Microsoft.Databricks/workspaces@2023-02-01' = {
  name: name
  location: location
+  sku: {
+    name: 'standard'
+  }
  properties: {
    managedResourceGroupId: managedRg.id
+    publicNetworkAccess: 'Disabled'
    parameters: {
      enableNoPublicIp: {
        value: true
--- a/docs/examples-databricks.json
+++ b/docs/examples-databricks.json
@ -1,20 +1,18 @@
 {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-  "languageVersion": "1.10-experimental",
  "contentVersion": "1.0.0.0",
  "metadata": {
-    "_EXPERIMENTAL_WARNING": "Symbolic name support in ARM is experimental, and should be enabled for testing purposes only. Do not enable this setting for any production usage, or you may be unexpectedly broken at any time!",
    "_generator": {
      "name": "bicep",
-      "version": "0.19.5.34762",
-      "templateHash": "13081891106656677852"
+      "version": "0.24.24.22086",
+      "templateHash": "6898993126135381945"
    }
  },
  "parameters": {
    "name": {
      "type": "string",
      "metadata": {
-        "description": "The name of the cognitive services account."
+        "description": "The name of the Databricks workspace."
      }
    },
    "location": {
@ -25,21 +23,18 @@
      }
    }
  },
-  "resources": {
-    "managedRg": {
-      "existing": true,
-      "type": "Microsoft.Resources/resourceGroups",
-      "apiVersion": "2022-09-01",
-      "subscriptionId": "[subscription().subscriptionId]",
-      "name": "example-mg"
-    },
-    "databricks": {
+  "resources": [
+    {
      "type": "Microsoft.Databricks/workspaces",
      "apiVersion": "2023-02-01",
      "name": "[parameters('name')]",
      "location": "[parameters('location')]",
+      "sku": {
+        "name": "standard"
+      },
      "properties": {
        "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', 'example-mg')]",
+        "publicNetworkAccess": "Disabled",
        "parameters": {
          "enableNoPublicIp": {
            "value": true
@ -47,5 +42,5 @@
        }
      }
    }
-  }
+  ]
 }
--- a/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.Databricks.Rule.yaml
@ -35,7 +35,7 @@ metadata:
  ref: AZR-000409
  tags:
    release: GA
-    ruleSet: 2024_01
+    ruleSet: 2024_03
    Azure.WAF/pillar: Performance Efficiency
 spec:
  type:
@ -53,7 +53,7 @@ metadata:
  ref: AZR-000410
  tags:
    release: GA
-    ruleSet: 2024_01
+    ruleSet: 2024_03
    Azure.WAF/pillar: Security
 spec:
  type: