1
votes

My aim is to enforce the developers to provide tags while they create clusters. I have added a policy in my ARM template which creates an Azure workspace. It successfully completes the validation but fails to deploy. Sorry if my question is vague. Please help.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "defaultValue": "xyxy",
      "type": "String",
      "metadata": {
        "description": "The name of the Azure Databricks workspace to create."
      }
    },
    "subscriptionName": {
      "allowedValues": [
        "yy",
        "xx"
      ],
      "type": "String",
      "metadata": {
        "description": "Specifies the subscription in which to create the workspace."
      }
    },
    "resourceGroup": {
      "defaultValue": "abc",
      "allowedValues": [
        "dd",
        "bb",
        "abc"
      ],
      "type": "String",
      "metadata": {
        "description": "Resource group in which to create the workspace."
      }
    },
    "pricingTier": {
      "defaultValue": "premium",
      "allowedValues": [
        "standard",
        "premium"
      ],
      "type": "String",
      "metadata": {
        "description": "The pricing tier of workspace."
      }
    },
    "location": {
      "defaultValue": "east us",
      "type": "String",
      "metadata": {
        "description": "Location for all resources."
      }
    }
  },
  "variables": {
    "managedResourceGroupName": "[concat('databricks-rg-', parameters('workspaceName'), '-', uniqueString(parameters('workspaceName'), resourceGroup().id))]"
  },
  "resources": [
    {
      "type": "Microsoft.Databricks/workspaces",
      "apiVersion": "2018-04-01",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('pricingTier')]"
      },
      "properties": {
        "displayName": "Enforce tag and its value",
        "policyType": "BuiltIn",
        "ManagedResourceGroupId": "[concat(subscription().id, '/resourceGroups/', variables('managedResourceGroupName'))]",
        "description": "Enforces a required tag and its value.",
        "parameters": {
          "tagName": {
            "type": "String",
            "metadata": {
              "description": "Name of the tag, such as costCenter"
            }
          },
          "tagValue": {
            "type": "String",
            "metadata": {
              "description": "Value of the tag, such as headquarter"
            }
          }
        },
        "policyRule": {
          "if": {
            "not": {
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "equals": "[parameters('tagValue')]"
            }
          },
          "then": {
            "effect": "deny"
          }
        }
      },
      "outputs": {
        "workspace": {
          "type": "Object",
          "value": "[reference(resourceId('Microsoft.Databricks/workspaces', parameters('workspaceName')))]"
        }
      }
    }
  ]
}

Error: Unable to process template language expressions for resource '/subscriptions/04jdmgb-5642-8640-9a15-a0504248340f/resourceGroups/abc/providers/Microsoft.Databricks/workspaces/test12' at line '73' and column '9'. 'The template parameter 'tagName' is not found. Please see https://aka.ms/arm-template/#parameters for usage details.' Click here for details Your deployment faile
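The error above can be reproduced before deployment with a small pre-flight check. The following is an added example, not code from the original post or from Azure tooling: it walks a template's resources and reports every `parameters('name')` reference inside a bracketed expression whose name is missing from the top-level "parameters" block, skipping strings that use the `[[` escape. The function names and the cut-down sample template are assumptions made for the illustration.

```python
import json
import re

# Matches parameters('name') inside an ARM template expression.
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)")

def is_expression(value):
    # ARM evaluates a string wrapped in [ ] unless it starts with the '[[' escape.
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))

def walk(node, path=""):
    """Yield (json_path, string_value) for every string under node."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}/{i}")
    elif isinstance(node, str):
        yield path, node

def undeclared_parameter_refs(template):
    """Return sorted (json_path, name) pairs for references to parameters
    that the template's top-level "parameters" block does not declare."""
    declared = {name.lower() for name in template.get("parameters", {})}
    findings = []
    for path, value in walk(template.get("resources", [])):
        if is_expression(value):
            for name in PARAM_REF.findall(value):
                if name.lower() not in declared:  # parameter names are case-insensitive
                    findings.append((f"/resources{path}", name))
    return sorted(findings)

# Constructed sample: a cut-down version of the template in the question.
SAMPLE = json.loads("""
{
  "parameters": {"workspaceName": {"type": "String"}},
  "resources": [{
    "type": "Microsoft.Databricks/workspaces",
    "name": "[parameters('workspaceName')]",
    "properties": {
      "parameters": {"tagName": {"type": "String"}, "tagValue": {"type": "String"}},
      "policyRule": {"if": {"not": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "equals": "[parameters('tagValue')]"}}}
    }
  }]
}
""")
```

On the sample, the nested "parameters" object under "properties" does not count as a declaration, so both `tagName` and `tagValue` are reported, matching the deployment error.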


1 Answers

0
votes

Note: Unfortunately, you are not allowed to add custom tags for the Managed Resource Group created in Azure Databricks using Azure portal/PowerShell/CLI/ARM Templates.

Reason: By default, you cannot perform any write operation on the managed resource group.

If you try to modify anything in the managed resource group, you will see this error message:

{"details":[{"code":"ScopeLocked","message":"The scope '/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/databricks-rg-chepra-d7ensl75cgiki' cannot perform write operation because following scope(s) are locked: '/subscriptions/xxxxxxxxxxxxxxxxxxxx/resourceGroups/databricks-rg-chepra-d7ensl75cgiki'. Please remove the lock and try again."}]}

Possible way: You can specify tags as key-value pairs when creating/modifying clusters, and Azure Databricks will apply these tags to cloud resources.

Cluster tags allow you to easily monitor the cost of cloud resources used by various groups in your organization. You can specify tags as key-value pairs when you create a cluster, and Databricks applies these tags to cloud resources like VMs and disk volumes.

For convenience, Databricks applies four default tags to each cluster: Vendor, Creator, ClusterName, and ClusterId. You can add custom tags when you create a cluster. To configure cluster tags:

  1. On the cluster configuration page, click the Advanced Options toggle.
  2. At the bottom of the page, click the Tags tab.
  3. Add a key-value pair for each custom tag. You can add up to 45 custom tags.

Now you can see the previously added tag in the portal:


Reference: Azure Databricks - Cluster Tags.

Hope this helps.