Incorrect enforcementMode setting on Enable-DDoS-VNET Policy Assignment #216

Closed
krowlandson opened this issue Nov 23, 2021 · 0 comments · Fixed by #217
Labels: bug (Something isn't working)

krowlandson (Contributor) commented:

Versions

terraform: v1.0.11

azure provider: v2.86.0

module: v1.0.0

Description

Describe the bug

The Enable-DDoS-VNET Policy Assignment on the ${local.root_id}-landing-zones Management Group is being enforced regardless of whether configure_connectivity_resources.settings.ddos_protection_plan.enabled is set to true or false.

Steps to Reproduce

  1. Create an ES configuration where:
    1. deploy_connectivity_resources is set to true
    2. configure_connectivity_resources.settings.ddos_protection_plan.enabled is set to false
    3. subscription_id_connectivity is set to a valid Subscription ID (also mapped to the azurerm.connectivity provider)
    4. Associate a test "Application Workload" Subscription to any Management Group under the scope of the ${local.root_id}-landing-zones Management Group
  2. Deploy the configuration
  3. Try to create a new Virtual Network in the "Application Workload" Subscription
  4. Validate the error message as below, indicating that the Modify effect is being enforced
  5. Also note that the ddosPlan value for parameters on this assignment hasn't been updated
╷
│ Error: creating/updating Virtual Network: (Name "tfes-acc-vnet-northeurope" / Resource Group "tfes-acc-connectivity-northeurope"): network.VirtualNetworksClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client has permission to perform action 'Microsoft.Network/ddosProtectionPlans/join/action' on scope '/subscriptions/5cd8150d-505d-4bc4-bb0f-8b2311439f48/resourceGroups/tfes-acc-connectivity-northeurope/providers/Microsoft.Network/virtualNetworks/tfes-acc-vnet-northeurope', however the linked subscription '00000000-0000-0000-0000-000000000000' was not found. "
│
│   with azurerm_virtual_network.app000001,
│   on spokes.tf line 30, in resource "azurerm_virtual_network" "app000001":
│   30: resource "azurerm_virtual_network" "app000001" {
│
╵

Screenshots

Terraform failure: [screenshot not reproduced]

Policy Assignment configuration in Terraform state: [screenshot not reproduced]

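The mismatch reported above has two observable symptoms in Terraform state: the assignment's `enforce` flag is `true` (the azurerm provider's mapping of `enforcementMode = Default`) even though the DDoS plan is disabled, and the `ddosPlan` parameter still carries the placeholder subscription `00000000-0000-0000-0000-000000000000`, which is what produces the `LinkedAuthorizationFailed` error when a VNet is created. The script below is an added example, not code from the issue author or from the terraform-azurerm-caf-enterprise-scale module: it walks a `terraform show -json` dump, locates the `Enable-DDoS-VNET` assignment and reports either symptom against the intended `ddos_protection_plan.enabled` setting. The state document is constructed inline for the example; the resource address, management group name and plan resource group are made up.

```python
"""Detect the drift described in this issue in a `terraform show -json` dump: a DDoS
policy assignment that is still enforced (enforce=true, i.e. enforcementMode=Default)
while the configuration has the DDoS plan disabled, or whose ddosPlan parameter still
points at a placeholder subscription."""
import json

# Placeholder subscription seen in the LinkedAuthorizationFailed error in the issue.
PLACEHOLDER_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
ASSIGNMENT_NAME = "Enable-DDoS-VNET"

# Constructed sample (not real state): one policy assignment resource, trimmed to the
# fields the check needs. Resource address, management group and resource group are made up.
SAMPLE_STATE_JSON = json.dumps({
    "format_version": "0.2",
    "values": {"root_module": {"child_modules": [{
        "address": "module.enterprise_scale",
        "resources": [{
            "address": 'module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["Enable-DDoS-VNET"]',
            "type": "azurerm_management_group_policy_assignment",
            "values": {
                "name": ASSIGNMENT_NAME,
                "management_group_id": "/providers/Microsoft.Management/managementGroups/es-landing-zones",
                # azurerm `enforce = true` is enforcementMode "Default"; false is "DoNotEnforce".
                "enforce": True,
                # `parameters` is stored as a JSON string by the provider.
                "parameters": json.dumps({"ddosPlan": {"value": (
                    f"/subscriptions/{PLACEHOLDER_SUBSCRIPTION}/resourceGroups/es-connectivity"
                    "/providers/Microsoft.Network/ddosProtectionPlans/es-ddos-plan")}}),
            },
        }],
    }]}},
})


def iter_resources(module):
    """Yield every resource in a `terraform show -json` module tree, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_policy_assignment(state, name):
    """Return the `values` dict of the policy assignment with the given name, or None."""
    for res in iter_resources(state["values"]["root_module"]):
        if res.get("type", "").endswith("_policy_assignment") and res["values"].get("name") == name:
            return res["values"]
    return None


def check_ddos_assignment(values, ddos_enabled, expected_plan_id=None):
    """Compare one assignment's state against the intended ddos_protection_plan.enabled setting.

    Returns a list of human-readable findings; an empty list means the assignment is consistent.
    """
    findings = []
    enforce = values.get("enforce", True)  # provider default is enforce=true
    params = json.loads(values.get("parameters") or "{}")
    plan_id = params.get("ddosPlan", {}).get("value")

    if not ddos_enabled:
        # A disabled plan must not be enforced: the Modify effect would inject a plan ID
        # that does not exist, which is exactly the 403 reported in the issue.
        if enforce:
            findings.append("enforce=true (enforcementMode=Default) but ddos_protection_plan.enabled=false; "
                            "expected enforce=false (DoNotEnforce)")
        return findings

    if not enforce:
        findings.append("enforce=false (DoNotEnforce) but ddos_protection_plan.enabled=true; "
                        "Modify effect will not apply")
    if plan_id is None:
        findings.append("ddosPlan parameter missing from assignment")
    elif PLACEHOLDER_SUBSCRIPTION in plan_id:
        findings.append(f"ddosPlan points at placeholder subscription {PLACEHOLDER_SUBSCRIPTION}; "
                        "VNet creation will fail with LinkedAuthorizationFailed")
    if expected_plan_id is not None and plan_id != expected_plan_id:
        findings.append(f"ddosPlan is {plan_id!r}, expected {expected_plan_id!r}")
    return findings


def check_state(state_json, ddos_enabled, expected_plan_id=None):
    """Run the check over a full `terraform show -json` document given as a string."""
    state = json.loads(state_json)
    values = find_policy_assignment(state, ASSIGNMENT_NAME)
    if values is None:
        return [f"no policy assignment named {ASSIGNMENT_NAME} in state"]
    return check_ddos_assignment(values, ddos_enabled, expected_plan_id)


if __name__ == "__main__":
    # Reproduces the issue: DDoS disabled in config, yet the assignment is enforced.
    for finding in check_state(SAMPLE_STATE_JSON, ddos_enabled=False):
        print("FINDING:", finding)
```

Against a real deployment, pipe `terraform show -json` into `check_state` and pass the `enabled` value from your `configure_connectivity_resources.settings.ddos_protection_plan` block; when the plan is enabled, also pass the expected plan resource ID so a stale placeholder is caught even if `enforce` is correct.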
@krowlandson krowlandson added the bug Something isn't working label Nov 23, 2021
@krowlandson krowlandson self-assigned this Nov 23, 2021
krowlandson pushed a commit to krowlandson/terraform-azurerm-caf-enterprise-scale that referenced this issue Nov 24, 2021
@krowlandson krowlandson added this to the v1.0.1 release milestone Nov 24, 2021
krowlandson pushed a commit that referenced this issue Nov 25, 2021
* Fix #216

* Change scope of managed_by_module to fix #204

* Consider both scopes to fix #204

Co-authored-by: Matt White <[email protected]>
@ghost ghost locked as resolved and limited conversation to collaborators Dec 25, 2021