{"properties":{"displayName":"Deny non-premium Databricks sku","policyType":"Custom","mode":"Indexed","description":"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.","metadata":{"alzCloudEnvironments":["AzureCloud"],"category":"Databricks","source":"https://github.com/Azure/Enterprise-Scale/","version":"1.0.0","createdBy":"d6bd9b30-e58a-4162-b7d4-23513b48dd8e","createdOn":"2024-02-23T16:41:03.4837025Z","updatedBy":null,"updatedOn":null},"parameters":{"effect":{"type":"String","metadata":{"description":"Enable or disable the execution of the policy","displayName":"Effect"},"allowedValues":["Audit","Disabled","Deny"],"defaultValue":"Deny"}},"policyRule":{"if":{"allOf":[{"equals":"Microsoft.Databricks/workspaces","field":"type"},{"field":"Microsoft.DataBricks/workspaces/sku.name","notEquals":"premium"}]},"then":{"effect":"[parameters('effect')]"}}},"id":"/providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku","type":"Microsoft.Authorization/policyDefinitions","name":"Deny-Databricks-Sku","systemData":{"createdBy":"b5ba898b-861d-409f-ae60-713324b9e2e3","createdByType":"Application","createdAt":"2024-02-23T16:41:03.4691162Z","lastModifiedBy":"b5ba898b-861d-409f-ae60-713324b9e2e3","lastModifiedByType":"Application","lastModifiedAt":"2024-02-23T16:41:03.4691162Z"}}: timestamp=2024-02-23T11:41:04.393-0500 2024-02-23T11:41:04.393-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: Waiting for Policy Definition "Deny-Databricks-Sku" to become available: timestamp=2024-02-23T11:41:04.393-0500 2024-02-23T11:41:04.393-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: Waiting for state to become: [200]: timestamp=2024-02-23T11:41:04.393-0500 2024-02-23T11:41:04.394-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: AzureRM Request: GET /providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku?api-version=2021-06-01 HTTP/1.1 Host: management.azure.com User-Agent: Go/go1.21.6 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v66.0.0 policy/2021-06-01-preview HashiCorp Terraform/1.3.6 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.93.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820 X-Ms-Correlation-Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe Accept-Encoding: gzip: timestamp=2024-02-23T11:41:04.394-0500 2024-02-23T11:41:04.413-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: AzureRM Response for https://management.azure.com/providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering?api-version=2021-06-01: HTTP/2.0 200 OK Content-Length: 1329 Cache-Control: no-cache Content-Type: application/json; charset=utf-8 Date: Fri, 23 Feb 2024 16:41:03 GMT Expires: -1 Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubDomains X-Cache: CONFIG_NOCACHE X-Content-Type-Options: nosniff X-Ms-Correlation-Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe X-Ms-Ratelimit-Remaining-Tenant-Reads: 11993 X-Ms-Request-Id: 7d431b81-823e-4413-8cda-3f9213c7b505 X-Ms-Routing-Request-Id: CANADACENTRAL:20240223T164103Z:7d431b81-823e-4413-8cda-3f9213c7b505 X-Msedge-Ref: Ref A: A525970B13A24E9C88374726C69864C9 Ref B: YTO221090814051 Ref C: 2024-02-23T16:41:03Z {"properties":{"displayName":"Deny vNet peering ","policyType":"Custom","mode":"All","description":"This policy denies the creation of vNet Peerings under the assigned scope.","metadata":{"alzCloudEnvironments":["AzureCloud","AzureChinaCloud","AzureUSGovernment"],"category":"Network","source":"https://github.com/Azure/Enterprise-Scale/","version":"1.0.1","createdBy":"d6bd9b30-e58a-4162-b7d4-23513b48dd8e","createdOn":"2024-02-23T16:41:03.0874521Z","updatedBy":null,"updatedOn":null},"parameters":{"effect":{"type":"String","metadata":{"description":"Enable or disable the execution of the policy","displayName":"Effect"},"allowedValues":["Audit","Deny","Disabled"],"defaultValue":"Deny"}},"policyRule":{"if":{"equals":"Microsoft.Network/virtualNetworks/virtualNetworkPeerings","field":"type"},"then":{"effect":"[parameters('effect')]"}}},"id":"/providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering","type":"Microsoft.Authorization/policyDefinitions","name":"Deny-VNet-Peering","systemData":{"createdBy":"b5ba898b-861d-409f-ae60-713324b9e2e3","createdByType":"Application","createdAt":"2024-02-23T16:41:03.0412263Z","lastModifiedBy":"b5ba898b-861d-409f-ae60-713324b9e2e3","lastModifiedByType":"Application","lastModifiedAt":"2024-02-23T16:41:03.0412263Z"}}: timestamp=2024-02-23T11:41:04.413-0500 2024-02-23T11:41:04.436-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: AzureRM Response for https://management.azure.com/providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku?api-version=2021-06-01: HTTP/2.0 200 OK Content-Length: 1516 Cache-Control: no-cache Content-Type: application/json; charset=utf-8 Date: Fri, 23 Feb 2024 16:41:03 GMT Expires: -1 Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubDomains X-Cache: CONFIG_NOCACHE X-Content-Type-Options: nosniff X-Ms-Correlation-Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe X-Ms-Ratelimit-Remaining-Tenant-Reads: 11979 X-Ms-Request-Id: d394636d-f843-497f-8878-1592afead11a X-Ms-Routing-Request-Id: CANADACENTRAL:20240223T164103Z:d394636d-f843-497f-8878-1592afead11a X-Msedge-Ref: Ref A: F7679F4A1A2D491CB990D3D137DE790A Ref B: YTO221090814051 Ref C: 2024-02-23T16:41:03Z {"properties":{"displayName":"Deny non-premium Databricks sku","policyType":"Custom","mode":"Indexed","description":"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.","metadata":{"alzCloudEnvironments":["AzureCloud"],"category":"Databricks","source":"https://github.com/Azure/Enterprise-Scale/","version":"1.0.0","createdBy":"d6bd9b30-e58a-4162-b7d4-23513b48dd8e","createdOn":"2024-02-23T16:41:03.4837025Z","updatedBy":null,"updatedOn":null},"parameters":{"effect":{"type":"String","metadata":{"description":"Enable or disable the execution of the policy","displayName":"Effect"},"allowedValues":["Audit","Disabled","Deny"],"defaultValue":"Deny"}},"policyRule":{"if":{"allOf":[{"equals":"Microsoft.Databricks/workspaces","field":"type"},{"field":"Microsoft.DataBricks/workspaces/sku.name","notEquals":"premium"}]},"then":{"effect":"[parameters('effect')]"}}},"id":"/providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku","type":"Microsoft.Authorization/policyDefinitions","name":"Deny-Databricks-Sku","systemData":{"createdBy":"b5ba898b-861d-409f-ae60-713324b9e2e3","createdByType":"Application","createdAt":"2024-02-23T16:41:03.4691162Z","lastModifiedBy":"b5ba898b-861d-409f-ae60-713324b9e2e3","lastModifiedByType":"Application","lastModifiedAt":"2024-02-23T16:41:03.4691162Z"}}: timestamp=2024-02-23T11:41:04.436-0500 2024-02-23T11:41:04.641-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: AzureRM Response for https://management.azure.com/providers/Microsoft.Management/managementGroups/aasba-management/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx?api-version=2020-05-01: HTTP/2.0 400 Bad Request Content-Length: 270 Cache-Control: no-cache Client-Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe Content-Type: application/json; charset=utf-8 Date: Fri, 23 Feb 2024 16:41:03 GMT Expires: -1 Pragma: no-cache Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ba-Restapi: 3.2024.0118.2 X-Cache: CONFIG_NOCACHE X-Content-Type-Options: nosniff X-Ms-Correlation-Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe X-Ms-Ratelimit-Remaining-Managementgroups-Requests: 249 X-Ms-Ratelimit-Remaining-Tenant-Writes: 1198 X-Ms-Request-Id: canadacentral:51d3eb29-3f1f-414e-f385-b6594ee7effe X-Ms-Routing-Request-Id: CANADACENTRAL:20240223T164104Z:d0dc93ba-0a05-4cce-ab74-1db063677d77 X-Msedge-Ref: Ref A: C628EF523C744B1F9B40718F9B924060 Ref B: YTO221090812053 Ref C: 2024-02-23T16:41:03Z {"error":{"code":"BadRequest","message":"Permission to write and delete on resources of type 'Microsoft.Authorization/roleAssignments' is required on the subscription or its ancestors.","details":"Subscription ID: '/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'"}}: timestamp=2024-02-23T11:41:04.641-0500 2024-02-23T11:41:04.641-0500 [ERROR] provider.terraform-provider-azurerm_v3.93.0_x5.exe: Response contains error diagnostic: @caller=github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/internal/diag/diagnostics.go:58 tf_req_id=e003d2f3-57db-8cac-7bc3-d107d752f44a tf_rpc=ApplyResourceChange tf_proto_version=5.4 tf_provider_addr=provider tf_resource_type=azurerm_management_group_subscription_association @module=sdk.proto diagnostic_detail= diagnostic_severity=ERROR diagnostic_summary="creating Management Group Subscription Association between "aasba-management" and "Subscription (Subscription: \"xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\")": managementgroups.SubscriptionsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Permission to write and delete on resources of type 'Microsoft.Authorization/roleAssignments' is required on the subscription or its ancestors." Details=[{"raw":"Subscription ID: '/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'"}]" timestamp=2024-02-23T11:41:04.641-0500 2024-02-23T11:41:04.724-0500 [ERROR] vertex "module.enterprise_scale.azurerm_management_group_subscription_association.enterprise_scale[\"/providers/Microsoft.Management/managementGroups/aasba-management/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"]" error: creating Management Group Subscription Association between "aasba-management" and "Subscription (Subscription: \"xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\")": managementgroups.SubscriptionsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Permission to write and delete on resources of type 'Microsoft.Authorization/roleAssignments' is required on the subscription or its ancestors." Details=[{"raw":"Subscription ID: '/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'"}] 2024-02-23T11:41:04.767-0500 [INFO] Starting apply for module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS"] 2024-02-23T11:41:04.768-0500 [DEBUG] module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS"]: applying the planned Create change 2024-02-23T11:41:04.770-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: setting computed for "role_definition_ids" from ComputedKeys: timestamp=2024-02-23T11:41:04.770-0500 2024-02-23T11:41:04.770-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: AzureRM Request: GET /providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS?api-version=2021-06-01 HTTP/1.1 Host: management.azure.com User-Agent: Go/go1.21.6 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v66.0.0 policy/2021-06-01-preview HashiCorp Terraform/1.3.6 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.93.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820 X-Ms-Correlation-Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe Accept-Encoding: gzip: timestamp=2024-02-23T11:41:04.770-0500 2024-02-23T11:41:04.833-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: AzureRM Response for https://management.azure.com/providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS?api-version=2021-06-01: HTTP/2.0 404 Not Found Content-Length: 125 Cache-Control: no-store, no-cache Content-Type: application/json Date: Fri, 23 Feb 2024 16:41:03 GMT Expires: -1 Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubDomains X-Cache: CONFIG_NOCACHE X-Content-Type-Options: nosniff X-Ms-Correlation-Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe X-Ms-Ratelimit-Remaining-Tenant-Reads: 11988 X-Ms-Request-Id: 506bf9f1-b763-4bc2-92e7-004f9069a248 X-Ms-Routing-Request-Id: CANADACENTRAL:20240223T164104Z:506bf9f1-b763-4bc2-92e7-004f9069a248 X-Msedge-Ref: Ref A: 72D57BB109E2469FBD7460FB199ECCED Ref B: YTO221090814051 Ref C: 2024-02-23T16:41:04Z {"error":{"code":"PolicyDefinitionNotFound","message":"The policy definition 'Deploy-Diagnostics-VMSS' could not be found."}}: timestamp=2024-02-23T11:41:04.833-0500 2024-02-23T11:41:04.834-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: AzureRM Request: PUT /providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS?api-version=2021-06-01 HTTP/1.1 Host: management.azure.com User-Agent: Go/go1.21.6 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v66.0.0 policy/2021-06-01-preview HashiCorp Terraform/1.3.6 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.93.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820 Content-Length: 3390 Content-Type: application/json; charset=utf-8 X-Ms-Correlation-Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe Accept-Encoding: gzip {"properties":{"description":"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled","displayName":"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace","metadata":{"alzCloudEnvironments":["AzureCloud","AzureChinaCloud","AzureUSGovernment"],"category":"Monitoring","source":"https://github.com/Azure/Enterprise-Scale/","version":"1.1.0"},"mode":"Indexed","parameters":{"effect":{"type":"String","allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists","metadata":{"description":"Enable or disable the execution of the policy","displayName":"Effect"}},"logAnalytics":{"type":"String","metadata":{"description":"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.","displayName":"Log Analytics workspace","strongType":"omsWorkspace"}},"metricsEnabled":{"type":"String","allowedValues":["True","False"],"defaultValue":"True","metadata":{"description":"Whether to enable metrics stream to the Log Analytics workspace - True or False","displayName":"Enable metrics"}},"profileName":{"type":"String","defaultValue":"setbypolicy","metadata":{"description":"The diagnostic settings profile name","displayName":"Profile name"}}},"policyRule":{"if":{"equals":"Microsoft.Compute/virtualMachineScaleSets","field":"type"},"then":{"details":{"deployment":{"properties":{"mode":"Incremental","parameters":{"location":{"value":"[field('location')]"},"logAnalytics":{"value":"[parameters('logAnalytics')]"},"metricsEnabled":{"value":"[parameters('metricsEnabled')]"},"profileName":{"value":"[parameters('profileName')]"},"resourceName":{"value":"[field('name')]"}},"template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","outputs":{},"parameters":{"location":{"type":"String"},"logAnalytics":{"type":"String"},"metricsEnabled":{"type":"String"},"profileName":{"type":"String"},"resourceName":{"type":"String"}},"resources":[{"apiVersion":"2017-05-01-preview","dependsOn":[],"location":"[parameters('location')]","name":"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]","properties":{"logs":[],"metrics":[{"category":"AllMetrics","enabled":"[parameters('metricsEnabled')]","retentionPolicy":{"days":0,"enabled":false}}],"workspaceId":"[parameters('logAnalytics')]"},"type":"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings"}],"variables":{}}}},"existenceCondition":{"allOf":[{"equals":"true","field":"Microsoft.Insights/diagnosticSettings/metrics.enabled"},{"equals":"[parameters('logAnalytics')]","field":"Microsoft.Insights/diagnosticSettings/workspaceId"}]},"name":"[parameters('profileName')]","roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa","/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"type":"Microsoft.Insights/diagnosticSettings"},"effect":"[parameters('effect')]"}},"policyType":"Custom"}}: timestamp=2024-02-23T11:41:04.834-0500 2024-02-23T11:41:05.676-0500 [DEBUG] provider.terraform-provider-azurerm_v3.93.0_x5.exe: AzureRM Response for https://management.azure.com/providers/Microsoft.Management/managementGroups/aasba/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS?api-version=2021-06-01: HTTP/2.0 201 Created Content-Length: 4018 Cache-Control: no-cache Content-Type: application/json; charset=utf-8 Date: Fri, 23 Feb 2024 16:41:04 GMT Expires: -1 Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubDomains X-Cache: CONFIG_NOCACHE X-Content-Type-Options: nosniff X-Ms-Correlation-Request-Id: 51d3eb29-3f1f-414e-f385-b6594ee7effe X-Ms-Ratelimit-Remaining-Tenant-Writes: 1199 X-Ms-Request-Id: 9fec1b7a-166f-4e3d-bba4-f499322c2ae7 X-Ms-Routing-Request-Id: CANADACENTRAL:20240223T164105Z:9fec1b7a-166f-4e3d-bba4-f499322c2ae7 X-Msedge-Ref: Ref A: 7AE06F27328F4B4EBBFD456AB850BBD6 Ref B: YTO221090814051 Ref C: 2024-02-23T16:41:04Z