Incorrect `enforcementMode` setting on `Enable-DDoS-VNET` Policy Assignment
krowlandson opened this issue · 0 comments
krowlandson commented
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Versions
terraform: v1.0.11
azure provider: v2.86.0
module: v1.0.0
Description
Describe the bug
The `Enable-DDoS-VNET` Policy Assignment on the `${local.root_id}-landing-zones` Management Group is being enforced regardless of whether `configure_connectivity_resources.settings.ddos_protection_plan.enabled` is set to `true` or `false`.
Steps to Reproduce
- Create an ES configuration where:
  - `deploy_connectivity_resources` is set to `true`
  - `configure_connectivity_resources.settings.ddos_protection_plan.enabled` is set to `false`
  - `subscription_id_connectivity` is set to a valid Subscription ID (also map to the `azurerm.connectivity` provider)
- Associate a test "Application Workload" Subscription to any Management Group under the scope of the `${local.root_id}-landing-zones` Management Group
- Deploy the configuration
- Try to create a new Virtual Network in the "Application Workload" Subscription
- Validate the error message as below, indicating that the `Modify` effect is being enforced
- Also note that the `ddosPlan` value for parameters on this assignment hasn't been updated
```
╷
│ Error: creating/updating Virtual Network: (Name "tfes-acc-vnet-northeurope" / Resource Group "tfes-acc-connectivity-northeurope"): network.VirtualNetworksClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client has permission to perform action 'Microsoft.Network/ddosProtectionPlans/join/action' on scope '/subscriptions/5cd8150d-505d-4bc4-bb0f-8b2311439f48/resourceGroups/tfes-acc-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/tfes-acc-vnet-northeurope', however the linked subscription '00000000-0000-0000-0000-000000000000' was not found. "
│
│   with azurerm_virtual_network.app000001,
│   on spokes.tf line 30, in resource "azurerm_virtual_network" "app000001":
│   30: resource "azurerm_virtual_network" "app000001" {
│
╵
```
Screenshots
Terraform failure:
Policy Assignment configuration in Terraform state:
Additional context
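The failure described in this issue has two observable symptoms on the deployed Policy Assignment: `enforcementMode` is left at `Default` although DDoS protection is disabled in the configuration, and the `ddosPlan` parameter still carries the placeholder subscription `00000000-0000-0000-0000-000000000000`. The following script is an added example, not code from the issue or from the module; it audits policy assignment records in the ARM JSON shape (`properties.enforcementMode`, `properties.parameters.ddosPlan.value`) against the intended `ddos_protection_plan.enabled` setting and reports the mismatch before any workload team hits the `LinkedAuthorizationFailed` error. The sample assignments are constructed for the example; the plan resource ID in the healthy sample is fictitious.

```python
"""Audit Enable-DDoS-VNET policy assignments for the enforcement/parameter mismatch.

Added example (not the module's code). Assumes the ARM policy assignment JSON
shape: properties.enforcementMode and properties.parameters.ddosPlan.value.
"""
import re

# Placeholder subscription ID that appears in the issue's error message.
PLACEHOLDER_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"

# Resource ID of a DDoS protection plan; captures the subscription segment.
_DDOS_PLAN_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/resourceGroups/[^/]+/providers/Microsoft\.Network/ddosProtectionPlans/[^/]+$",
    re.IGNORECASE,
)


def ddos_plan_subscription(plan_id):
    """Return the lower-cased subscription ID inside a DDoS plan resource ID, or None."""
    match = _DDOS_PLAN_ID.match(plan_id or "")
    return match.group("sub").lower() if match else None


def audit_ddos_assignment(assignment, ddos_enabled):
    """Return a list of findings for one Enable-DDoS-VNET policy assignment.

    ddos_enabled mirrors configure_connectivity_resources.settings.ddos_protection_plan.enabled:
    when it is False the assignment should be DoNotEnforce; when True it should be
    Default and point at a real plan.
    """
    findings = []
    props = assignment.get("properties", {})
    mode = props.get("enforcementMode", "Default")  # ARM treats a missing value as Default
    plan_value = props.get("parameters", {}).get("ddosPlan", {}).get("value")
    plan_sub = ddos_plan_subscription(plan_value)

    expected_mode = "Default" if ddos_enabled else "DoNotEnforce"
    if mode != expected_mode:
        findings.append(
            f"enforcementMode is {mode!r}, expected {expected_mode!r} "
            f"for ddos_protection_plan.enabled={ddos_enabled}"
        )
    if plan_sub is None:
        findings.append("ddosPlan parameter is missing or is not a DDoS protection plan resource ID")
    elif plan_sub == PLACEHOLDER_SUBSCRIPTION:
        findings.append("ddosPlan parameter still points at the placeholder subscription (never updated)")
    if mode == "Default" and (plan_sub is None or plan_sub == PLACEHOLDER_SUBSCRIPTION):
        findings.append(
            "Modify effect is enforced with an unusable ddosPlan: VNet creation in scope "
            "will fail with LinkedAuthorizationFailed"
        )
    return findings


def audit_all(assignments, ddos_enabled):
    """Audit a mapping of assignment name -> record; return only the names with findings."""
    return {name: f for name, a in assignments.items() if (f := audit_ddos_assignment(a, ddos_enabled))}


# Constructed sample records (not real deployments).
SAMPLE_ASSIGNMENTS = {
    # Reproduces the issue: enforced, parameter never updated, DDoS disabled in config.
    "Enable-DDoS-VNET (as reported)": {
        "properties": {
            "enforcementMode": "Default",
            "parameters": {"ddosPlan": {"value": (
                f"/subscriptions/{PLACEHOLDER_SUBSCRIPTION}/resourceGroups/placeholder"
                "/providers/Microsoft.Network/ddosProtectionPlans/placeholder"
            )}},
        }
    },
    # What a correct assignment looks like when DDoS protection is enabled (fictitious IDs).
    "Enable-DDoS-VNET (healthy)": {
        "properties": {
            "enforcementMode": "Default",
            "parameters": {"ddosPlan": {"value": (
                "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-connectivity"
                "/providers/Microsoft.Network/ddosProtectionPlans/ddos-plan"
            )}},
        }
    },
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ASSIGNMENTS, ddos_enabled=False).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it against a dump of the assignments in your tenant (one record per assignment in the ARM shape above) with `ddos_enabled` set from the same variable you pass to the module; a non-empty result for the landing-zones assignment is exactly the state this issue reports.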