parDdosEnabled = false is causing errors
Closed this issue · 3 comments
What happened? Provide a clear and concise description of the bug, including deployment details.
If `parDdosEnabled = false`, then this resource won't be created:

```bicep
resource resDdosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-02-01' = if (parDdosEnabled) {
  name: parDdosPlanName
  location: parLocation
  tags: parTags
}
```
This is causing issues in the bicep file and therefore causing the ALZ-Bicep-4A-HubSpoke GitHub Actions to fail.
My current workaround is to remove `if (parDdosEnabled)` from above.
However, this still ended up creating the DDOS Protection Plan and still attached my hub vnet. I manually deleted this resource after creation.
Please provide the correlation id associated with your error or bug.
159aa7b5-ac7e-40ad-8af0-b13db058dbd9
What was the expected outcome?
ALZ-Bicep-4A-HubSpoke GitHub Actions to run properly
Relevant log output

```text
New-AzResourceGroupDeployment: /home/runner/work/raztype-landingzone/raztype-landingzone/pipeline-scripts/Deploy-ALZHub-HubAndSpoke.ps1:30
Line |
  30 | New-AzResourceGroupDeployment @inputObject
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | 14:48:21 - The deployment 'alz-Hub-and-SpokeDeploy-20240712T1407218957Z'
     | failed with error(s). Showing 1 out of 1 error(s). Status Message:
     | Resource
     | /subscriptions/.../resourceGroups/rg-alz-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan not found. (Code: NotFound) CorrelationId: 159aa7b5-ac7e-40ad-8af0-b13db058dbd9
Error: Error: The process '/usr/bin/pwsh' failed with exit code 1
```
Check previous GitHub issues
- I have searched the issues for this item and found no duplicate
Code of Conduct
- I agree to follow this project's Code of Conduct
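As an added illustration (not code from the issue or from ALZ-Bicep itself) of the conditional pattern shown above, this minimal hub module also guards the VNet's reference to the plan, so that nothing in the template itself points at a plan that is not deployed. The VNet name, address space and output name are assumptions made for this example.

```bicep
// Added example, not ALZ-Bicep's own code. Parameter names mirror the issue;
// parHubVnetName, the address space and outDdosPlanId are assumptions.
param parDdosEnabled bool = false
param parDdosPlanName string = 'alz-ddos-plan'
param parHubVnetName string = 'alz-hub-vnet'
param parLocation string = resourceGroup().location
param parTags object = {}

// Same conditional as in the issue: no plan resource is emitted when parDdosEnabled is false.
resource resDdosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-02-01' = if (parDdosEnabled) {
  name: parDdosPlanName
  location: parLocation
  tags: parTags
}

// The VNet only references the plan when the plan is actually deployed; otherwise the
// property is null. A policy assignment like the one named in the reply below can still
// attach a plan reference at deployment time, which the template cannot prevent on its own;
// that assignment has to be set to DoNotEnforce or excluded, as the thread describes.
resource resHubVnet 'Microsoft.Network/virtualNetworks@2023-02-01' = {
  name: parHubVnetName
  location: parLocation
  tags: parTags
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.10.0.0/16'
      ]
    }
    enableDdosProtection: parDdosEnabled
    ddosProtectionPlan: parDdosEnabled ? {
      id: resDdosProtectionPlan.id
    } : null
  }
}

// Empty string when no plan was deployed, so callers can test for it.
output outDdosPlanId string = parDdosEnabled ? resDdosProtectionPlan.id : ''
```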
Hi @raffertyuy, there is a policy assignment that is attributed to this error. Please take a look at the following issue: #596
There are a couple of options to mitigate this for future deployments while avoiding redeployment of the DDoS plan:
Option 1:
We've recently added another parameter to `config\custom-parameters\alzDefaultPolicyAssignments.parameters.all.json` which is also called `parDdosEnabled`, as it is in the hub networking module. You can set this to false and then the policy assignments will still exist, but the enforcement mode of the policy assignments at both scopes will be set to DoNotEnforce.
Option 2:
Remove the policy assignments called "Virtual networks should be protected by Azure DDoS Protection Standard" at the "Landing Zones" and "Connectivity" management group scopes. You will then need to add "Enable-DDoS-VNet" as an excluded policy assignment, so it won't get redeployed if you deploy the ALZ Default Policy Assignments module again. You can do so by going to `config\custom-parameters\alzDefaultPolicyAssignments.parameters.all.json` and adjusting the following parameter:

```json
"parExcludedPolicyAssignments": {
  "value": [
    "Enable-DDoS-VNET"
  ]
},
```
Will go ahead and close this, but please reach out if you have any questions.
Thanks @oZakari, I think option 1 (`parDdosEnabled` in `config\custom-parameters\alzDefaultPolicyAssignments.parameters.all.json`) is not released yet. I'm currently on the latest release v0.18.0.
Update: okay, got the latest changes from this repo instead of the release. Works well now! thanks.
Ah yes, forgot to mention I haven't pushed that out to a new release. Glad you found it in the main branch though and it's working for you. Enjoy your weekend!