Azure/terraform-azurerm-caf-enterprise-scale

Incorrect `enforcementMode` setting on `Enable-DDoS-VNET` Policy Assignment

krowlandson opened this issue · 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: v1.0.11

azure provider: v2.86.0

module: v1.0.0

Description

Describe the bug

The Enable-DDoS-VNET Policy Assignment on the ${local.root_id}-landing-zones Management Group is being enforced regardless of whether configure_connectivity_resources.settings.ddos_protection_plan.enabled is set to true or false.

Steps to Reproduce

  1. Create an ES configuration where:
    1. deploy_connectivity_resources is set to true
    2. configure_connectivity_resources.settings.ddos_protection_plan.enabled is set to false
    3. subscription_id_connectivity is set to a valid Subscription ID (also mapped to the azurerm.connectivity provider)
    4. Associate a test "Application Workload" Subscription to any Management Group under the scope of the ${local.root_id}-landing-zones Management Group
  2. Deploy the configuration
  3. Try to create a new Virtual Network in the "Application Workload" Subscription
  4. Validate the error message as below, indicating that the Modify effect is being enforced
  5. Also note that the ddosPlan value for parameters on this assignment hasn't been updated
╷
│ Error: creating/updating Virtual Network: (Name "tfes-acc-vnet-northeurope" / Resource Group "tfes-acc-connectivity-northeurope"): network.VirtualNetworksClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client has permission to perform action 'Microsoft.Network/ddosProtectionPlans/join/action' on scope '/subscriptions/5cd8150d-505d-4bc4-bb0f-8b2311439f48/resourceGroups/tfes-acc-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/tfes-acc-vnet-northeurope', however the linked subscription '00000000-0000-0000-0000-000000000000' was not found. "
│
│   with azurerm_virtual_network.app000001,
│   on spokes.tf line 30, in resource "azurerm_virtual_network" "app000001":
│   30: resource "azurerm_virtual_network" "app000001" {
│
╵

Screenshots

Terraform failure:

Policy Assignment configuration in Terraform state:

Additional context
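As an added check (not part of this issue or the module's code), the following script validates an exported Enable-DDoS-VNET policy assignment against the module's ddos_protection_plan.enabled setting: it flags a Modify assignment that is still enforced while the plan is disabled, and a ddosPlan parameter that still points at the all-zero placeholder subscription seen in the error above. The assignment JSON shape (properties.enforcementMode, properties.parameters.ddosPlan.value) is the Azure Policy assignment body; the sample assignment is constructed.

```python
"""Added example: consistency check for the Enable-DDoS-VNET assignment.
Not code from the issue or from terraform-azurerm-caf-enterprise-scale."""
import re

# Placeholder subscription id that appears in the issue's error message.
PLACEHOLDER_SUB = "00000000-0000-0000-0000-000000000000"
# Matches the subscription segment of an Azure resource ID.
SUB_ID_RE = re.compile(r"/subscriptions/([0-9a-f-]{36})/", re.IGNORECASE)


def check_ddos_assignment(assignment: dict, ddos_enabled: bool) -> list:
    """Return a list of findings; an empty list means the assignment is
    consistent with the module setting.

    assignment   -- policy assignment body (Azure Policy JSON shape, assumed)
    ddos_enabled -- mirrors configure_connectivity_resources.settings
                    .ddos_protection_plan.enabled
    """
    findings = []
    props = assignment.get("properties", {})
    # Azure treats a missing enforcementMode as "Default" (enforced).
    mode = props.get("enforcementMode", "Default")
    ddos_plan = props.get("parameters", {}).get("ddosPlan", {}).get("value", "")

    if not ddos_enabled and mode != "DoNotEnforce":
        findings.append(
            f"enforcementMode is {mode!r} but ddos_protection_plan.enabled is false"
        )
    match = SUB_ID_RE.search(ddos_plan)
    if match is None:
        findings.append("ddosPlan parameter is not an Azure resource ID")
    elif match.group(1) == PLACEHOLDER_SUB:
        findings.append("ddosPlan still points at the placeholder subscription")
    return findings


# Constructed sample resembling the assignment the issue describes.
SAMPLE_ASSIGNMENT = {
    "name": "Enable-DDoS-VNET",
    "properties": {
        "enforcementMode": "Default",
        "parameters": {
            "ddosPlan": {
                "value": f"/subscriptions/{PLACEHOLDER_SUB}/resourceGroups/"
                         "rg-placeholder/providers/Microsoft.Network/"
                         "ddosProtectionPlans/placeholder"
            }
        },
    },
}

if __name__ == "__main__":
    for finding in check_ddos_assignment(SAMPLE_ASSIGNMENT, ddos_enabled=False):
        print("FINDING:", finding)
```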