ALZ-Bicep
🪲 Bug Report - ALZ-Bicep-4a - Hub (Hub-and-Spoke) Deployment does not complete when DDOS set to false
Hello,
I am having trouble running the ALZ-Bicep-4a Workflow component.
I have edited the config/custom-parameters/hubNetworking.parameters.all.json file to exclude the DDoS protection as follows:
"parDdosEnabled": {
"value": false
},
However, when I run the deployment, it fails with the following error:
Resource /subscriptions/connectivitysubID/resourceGroups/rgname/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan referenced by resource /subscriptions/connectivitysubID/resourceGroups/rgname/providers/Microsoft.Network/virtualNetworks/vnet-name was not found. Please make sure that the referenced resource exists.
Raw error from deployment:
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
"details": [
{
"code": "InvalidGlobalResourceReference",
"message": "Resource /subscriptions/.../resourceGroups/rg-rbw-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan referenced by resource /subscriptions/.../resourceGroups/rg-rbw-connectivity/providers/Microsoft.Network/virtualNetworks/alz-hub-centralus was not found. Please make sure that the referenced resource exists."
}
]
}
To Reproduce
Steps to reproduce the behaviour:
- Set the parDdosEnabled parameter in hubNetworking.parameters.all.json to "false"
"parDdosEnabled": {
"value": false
},
- Run the ALZ-Bicep-4a Workflow action
- Wait for results
Expected behaviour
The workflow should not create DDOS Protection and successfully complete.
Screenshots 📷
Correlation ID
c6905a2e-8408-4c9a-96fe-172dc2390a3a
Additional context
Using Accelerator v0.16.0.
config/custom-parameters/hubNetworking.parameters.all.json:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parLocation": {
"value": "centralus"
},
"parCompanyPrefix": {
"value": "rbw"
},
"parHubNetworkName": {
"value": "alz-hub-centralus"
},
"parHubNetworkAddressPrefix": {
"value": "10.20.0.0/16"
},
"parSubnets": {
"value": [
{
"name": "AzureBastionSubnet",
"ipAddressRange": "10.20.0.0/24",
"networkSecurityGroupId": "",
"routeTableId": ""
},
{
"name": "GatewaySubnet",
"ipAddressRange": "10.20.254.0/24",
"networkSecurityGroupId": "",
"routeTableId": ""
},
{
"name": "AzureFirewallSubnet",
"ipAddressRange": "10.20.255.0/24",
"networkSecurityGroupId": "",
"routeTableId": ""
},
{
"name": "AzureFirewallManagementSubnet",
"ipAddressRange": "10.20.253.0/24",
"networkSecurityGroupId": "",
"routeTableId": ""
}
]
},
"parDnsServerIps": {
"value": []
},
"parPublicIpSku": {
"value": "Standard"
},
"parPublicIpPrefix": {
"value": ""
},
"parPublicIpSuffix": {
"value": "-PublicIP"
},
"parAzBastionEnabled": {
"value": false
},
"parAzBastionName": {
"value": "alz-bastion"
},
"parAzBastionSku": {
"value": "Standard"
},
"parAzBastionNsgName": {
"value": "nsg-AzureBastionSubnet"
},
"parDdosEnabled": {
"value": false
},
"parDdosPlanName": {
"value": "alz-ddos-plan"
},
"parAzFirewallEnabled": {
"value": false
},
"parAzFirewallName": {
"value": "alz-azfw-centralus"
},
"parAzFirewallPoliciesName": {
"value": "alz-azfwpolicy-centralus"
},
"parAzFirewallTier": {
"value": "Standard"
},
"parAzFirewallAvailabilityZones": {
"value": []
},
"parAzErGatewayAvailabilityZones": {
"value": []
},
"parAzVpnGatewayAvailabilityZones": {
"value": []
},
"parAzFirewallDnsProxyEnabled": {
"value": true
},
"parHubRouteTableName": {
"value": "alz-hub-routetable"
},
"parDisableBgpRoutePropagation": {
"value": false
},
"parPrivateDnsZonesEnabled": {
"value": true
},
"parPrivateDnsZones": {
"value": [
"privatelink.centralus.azmk8s.io",
"privatelink.centralus.batch.azure.com",
"privatelink.centralus.kusto.windows.net",
"privatelink.centralus.backup.windowsazure.com",
"privatelink.adf.azure.com",
"privatelink.afs.azure.net",
"privatelink.agentsvc.azure-automation.net",
"privatelink.analysis.windows.net",
"privatelink.api.azureml.ms",
"privatelink.azconfig.io",
"privatelink.azure-api.net",
"privatelink.azure-automation.net",
"privatelink.azurecr.io",
"privatelink.azure-devices.net",
"privatelink.azure-devices-provisioning.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azurestaticapps.net",
"privatelink.azuresynapse.net",
"privatelink.azurewebsites.net",
"privatelink.batch.azure.com",
"privatelink.blob.core.windows.net",
"privatelink.cassandra.cosmos.azure.com",
"privatelink.cognitiveservices.azure.com",
"privatelink.database.windows.net",
"privatelink.datafactory.azure.net",
"privatelink.dev.azuresynapse.net",
"privatelink.dfs.core.windows.net",
"privatelink.dicom.azurehealthcareapis.com",
"privatelink.digitaltwins.azure.net",
"privatelink.directline.botframework.com",
"privatelink.documents.azure.com",
"privatelink.eventgrid.azure.net",
"privatelink.file.core.windows.net",
"privatelink.gremlin.cosmos.azure.com",
"privatelink.guestconfiguration.azure.com",
"privatelink.his.arc.azure.com",
"privatelink.kubernetesconfiguration.azure.com",
"privatelink.managedhsm.azure.net",
"privatelink.mariadb.database.azure.com",
"privatelink.media.azure.net",
"privatelink.mongo.cosmos.azure.com",
"privatelink.monitor.azure.com",
"privatelink.mysql.database.azure.com",
"privatelink.notebooks.azure.net",
"privatelink.ods.opinsights.azure.com",
"privatelink.oms.opinsights.azure.com",
"privatelink.pbidedicated.windows.net",
"privatelink.postgres.database.azure.com",
"privatelink.prod.migration.windowsazure.com",
"privatelink.purview.azure.com",
"privatelink.purviewstudio.azure.com",
"privatelink.queue.core.windows.net",
"privatelink.redis.cache.windows.net",
"privatelink.redisenterprise.cache.azure.net",
"privatelink.search.windows.net",
"privatelink.service.signalr.net",
"privatelink.servicebus.windows.net",
"privatelink.siterecovery.windowsazure.com",
"privatelink.sql.azuresynapse.net",
"privatelink.table.core.windows.net",
"privatelink.table.cosmos.azure.com",
"privatelink.tip1.powerquery.microsoft.com",
"privatelink.token.botframework.com",
"privatelink.vaultcore.azure.net",
"privatelink.web.core.windows.net",
"privatelink.webpubsub.azure.com"
]
},
"parPrivateDnsZoneAutoMergeAzureBackupZone": {
"value": true
},
"parVpnGatewayConfig": {
"value": {
"name": "alz-Vpn-Gateway",
"gatewayType": "Vpn",
"sku": "VpnGw1",
"vpnType": "RouteBased",
"generation": "Generation1",
"enableBgp": false,
"activeActive": false,
"enableBgpRouteTranslationForNat": false,
"enableDnsForwarding": false,
"bgpPeeringAddress": "",
"bgpsettings": {
"asn": "65515",
"bgpPeeringAddress": "",
"peerWeight": "5"
}
}
},
"parExpressRouteGatewayConfig": {
"value": {
"name": "alz-ExpressRoute-Gateway",
"gatewayType": "ExpressRoute",
"sku": "Standard",
"vpnType": "RouteBased",
"generation": "None",
"enableBgp": false,
"activeActive": false,
"enableBgpRouteTranslationForNat": false,
"enableDnsForwarding": false,
"bgpPeeringAddress": "",
"bgpsettings": {
"asn": "65515",
"bgpPeeringAddress": "",
"peerWeight": "5"
}
}
},
"parTags": {
"value": {
"Environment": "Production"
}
},
"parTelemetryOptOut": {
"value": false
},
"parBastionOutboundSshRdpPorts": {
"value": [
"22",
"3389"
]
}
}
}
Pipeline:
name: ALZ-Bicep-4-HubSpoke
trigger:
  # YAML PR triggers are supported only in GitHub and Bitbucket Cloud.
  # If you use Azure Repos Git, you can configure a branch policy for build validation to trigger your build pipeline for validation.
  # https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies#build-validation
  branches:
    include:
      - "main"
  paths:
    include:
      - "config/custom-parameters/resourceGroupConnectivity.parameters.all.json"
      - "config/custom-parameters/hubNetworking.parameters.all.json"
pr:
  branches:
    include:
      - "main"
  paths:
    include:
      - "config/custom-parameters/resourceGroupConnectivity.parameters.all.json"
      - "config/custom-parameters/hubNetworking.parameters.all.json"
variables:
  ENV_FILE: ".env"
  SERVICE_CONNECTION_NAME: "***"
  IS_PULL_REQUEST: "false"
jobs:
  - job: ALZ_Bicep_4a_HubSpoke
    pool:
      vmImage: ubuntu-latest
    steps:
      - checkout: self
        displayName: Checkout Repo
      - pwsh: |
          (Get-Content -Path $env:ENV_FILE -Encoding UTF8) | ForEach-Object {$_ -replace '"',''} | Out-File -FilePath $env:ENV_FILE -Encoding UTF8
        displayName: Remove Quotation Marks from Environment File
      - pwsh: |
          Write-Host $env:ENV_FILE
          Get-Content -Path $env:ENV_FILE -Encoding UTF8 | ForEach-Object {
            $envVarName, $envVarValue = ($_ -replace '"','').split('=')
            echo "##vso[task.setvariable variable=$envVarName;]$envVarValue"
            echo "Set $envVarName to $envVarValue]"
          }
        displayName: Import Environment Variables from File
      - pwsh: |
          echo "##vso[task.setvariable variable=IS_PULL_REQUEST;]true"
        condition: eq(variables['Build.Reason'], 'PullRequest')
        displayName: Set IS_PULL_REQUEST Variable to True
      - task: AzurePowerShell@5
        displayName: "Connectivity Resource Group Deployment"
        inputs:
          azureSubscription: ${{ variables.SERVICE_CONNECTION_NAME }}
          azurePowerShellVersion: "LatestVersion"
          pwsh: true
          ScriptType: "InlineScript"
          Inline: |
            .\pipeline-scripts\Deploy-ALZConnectivityResourceGroup.ps1
      - task: AzurePowerShell@5
        displayName: "Hub (Hub-and-Spoke) Deployment"
        inputs:
          azureSubscription: ${{ variables.SERVICE_CONNECTION_NAME }}
          azurePowerShellVersion: "LatestVersion"
          pwsh: true
          ScriptType: "InlineScript"
          Inline: |
            .\pipeline-scripts\Deploy-ALZHub-HubAndSpoke.ps1
Pipeline script:
param (
  [Parameter()]
  [String]$ConnectivitySubscriptionId = "$($env:CONNECTIVITY_SUBSCRIPTION_ID)",
  [Parameter()]
  [String]$ConnectivityResourceGroup = "$($env:CONNECTIVITY_RESOURCE_GROUP)",
  [Parameter()]
  [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\hubNetworking\hubNetworking.bicep",
  [Parameter()]
  [String]$TemplateParameterFile = "config\custom-parameters\hubNetworking.parameters.all.json",
  [Parameter()]
  [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST))
)
# Parameters necessary for deployment
$inputObject = @{
  DeploymentName        = 'alz-Hub-and-SpokeDeploy-{0}' -f ( -join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
  ResourceGroupName     = $ConnectivityResourceGroup
  TemplateFile          = $TemplateFile
  TemplateParameterFile = $TemplateParameterFile
  WhatIf                = $WhatIfEnabled
  Verbose               = $true
}
Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
New-AzResourceGroupDeployment @inputObject
Raw pipeline log:
2023-08-02T09:56:43.5509090Z ##[section]Starting: Hub (Hub-and-Spoke) Deployment
2023-08-02T09:56:43.5513881Z ==============================================================================
2023-08-02T09:56:43.5514010Z Task : Azure PowerShell
2023-08-02T09:56:43.5514082Z Description : Run a PowerShell script within an Azure environment
2023-08-02T09:56:43.5514186Z Version : 5.225.1
2023-08-02T09:56:43.5514257Z Author : Microsoft Corporation
2023-08-02T09:56:43.5514334Z Help : https://aka.ms/azurepowershelltroubleshooting
2023-08-02T09:56:43.5514415Z ==============================================================================
2023-08-02T09:56:43.8791205Z Generating script.
2023-08-02T09:56:43.8823589Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/home/vsts/work/_temp/17a39ed3-596b-4acc-8a69-cae453b19cf8.ps1'
2023-08-02T09:56:43.8878365Z File saved!
2023-08-02T09:56:44.3602775Z ##[command]Import-Module -Name /usr/share/az_9.3.0/Az.Accounts/2.12.4/Az.Accounts.psd1 -Global
2023-08-02T09:56:49.9724358Z ##[command]Clear-AzContext -Scope Process
2023-08-02T09:56:50.0936947Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2023-08-02T09:56:50.1451836Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant REDACTED -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2023-08-02T09:56:51.1152567Z
2023-08-02T09:56:51.1161750Z Name Account Subscript Environme TenantId
2023-08-02T09:56:51.1162676Z ionName nt
2023-08-02T09:56:51.1163002Z ---- ------- --------- --------- --------
2023-08-02T09:56:51.1166215Z Connectivity (03fcda23-1960-49c6-943d-f… abaeed0f… Connecti… AzureClo… 5432105…
2023-08-02T09:56:56.1998476Z VERBOSE: Using Bicep v0.19.5
2023-08-02T09:57:00.0634841Z WARNING: /home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep(1,1) : Info Bicep Linter Configuration: Custom bicepconfig.json file found (/home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/bicepconfig.json).
2023-08-02T09:57:00.0635826Z /home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/publicIp/publicIp.bicep(1,1) : Info Bicep Linter Configuration: Custom bicepconfig.json file found (/home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/bicepconfig.json).
2023-08-02T09:57:00.0636591Z /home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep(1,1) : Info Bicep Linter Configuration: Custom bicepconfig.json file found (/home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json).
2023-08-02T09:57:00.0637359Z /home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep(1,1) : Info Bicep Linter Configuration: Custom bicepconfig.json file found (/home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/privateDnsZones/bicepconfig.json).
2023-08-02T09:57:00.0819048Z VERBOSE: Performing the operation "Creating Deployment" on target "rg-rbw-connectivity".
2023-08-02T09:57:04.6953212Z VERBOSE: 09:57:04 - Template is valid.
2023-08-02T09:57:05.6148245Z VERBOSE: 09:57:05 - Create template deployment 'alz-Hub-and-SpokeDeploy-20230802T0908508319Z'
2023-08-02T09:57:05.6159102Z VERBOSE: 09:57:05 - Checking deployment status in 5 seconds
2023-08-02T09:57:11.7503640Z VERBOSE: 09:57:11 - Resource Microsoft.Network/networkSecurityGroups 'nsg-AzureBastionSubnet' provisioning status is succeeded
2023-08-02T09:57:11.7504453Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-1' provisioning status is running
2023-08-02T09:57:11.7505949Z VERBOSE: 09:57:11 - Resource Microsoft.Network/publicIPAddresses 'alz-ExpressRoute-Gateway-PublicIP' provisioning status is succeeded
2023-08-02T09:57:11.7506955Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'pid-3f85b84c-6bad-4c42-86bf-11c233241c22-7qbbpmud4u7n4' provisioning status is running
2023-08-02T09:57:11.7547888Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-0' provisioning status is running
2023-08-02T09:57:11.7550186Z VERBOSE: 09:57:11 - Resource Microsoft.Network/publicIPAddresses 'alz-Vpn-Gateway-PublicIP' provisioning status is succeeded
2023-08-02T09:57:11.7550666Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'pid-3f85b84c-6bad-4c42-86bf-11c233241c22-7kksjvcmpkgyy' provisioning status is running
2023-08-02T09:57:11.7551107Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'pid-2686e846-5fdc-4d4f-b533-16dcb09d6e6c-lvjmfv5dzfznm' provisioning status is running
2023-08-02T09:57:11.8729121Z VERBOSE: 09:57:11 - Checking deployment status in 12 seconds
2023-08-02T09:57:24.9783425Z VERBOSE: 09:57:24 - Resource Microsoft.Resources/deployments 'pid-3f85b84c-6bad-4c42-86bf-11c233241c22-7qbbpmud4u7n4' provisioning status is succeeded
2023-08-02T09:57:24.9784471Z VERBOSE: 09:57:24 - Resource Microsoft.Resources/deployments 'pid-3f85b84c-6bad-4c42-86bf-11c233241c22-7kksjvcmpkgyy' provisioning status is succeeded
2023-08-02T09:57:24.9785423Z VERBOSE: 09:57:24 - Resource Microsoft.Resources/deployments 'pid-2686e846-5fdc-4d4f-b533-16dcb09d6e6c-lvjmfv5dzfznm' provisioning status is succeeded
2023-08-02T09:57:25.0678916Z VERBOSE: 09:57:25 - Checking deployment status in 14 seconds
2023-08-02T09:57:40.8652720Z VERBOSE: 09:57:40 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-0' provisioning status is succeeded
2023-08-02T09:57:40.8653172Z VERBOSE: 09:57:40 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-1' provisioning status is succeeded
2023-08-02T09:57:40.8653606Z VERBOSE: 09:57:40 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-1' provisioning status is succeeded
2023-08-02T09:57:40.8653990Z VERBOSE: 09:57:40 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-0' provisioning status is succeeded
2023-08-02T09:57:41.1666681Z New-AzResourceGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZHub-HubAndSpoke.ps1:30
2023-08-02T09:57:41.1667299Z Line |
2023-08-02T09:57:41.1668141Z   30 |  New-AzResourceGroupDeployment @inputObject
2023-08-02T09:57:41.1668486Z      |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2023-08-02T09:57:41.1668820Z      | 09:57:40 - The deployment 'alz-Hub-and-SpokeDeploy-20230802T0908508319Z'
2023-08-02T09:57:41.1669191Z      | failed with error(s). Showing 1 out of 1 error(s). Status Message:
2023-08-02T09:57:41.1669720Z      | Resource
2023-08-02T09:57:41.1670538Z      | /subscriptions/03fcda23-1960-49c6-943d-f239c7de53a8/resourceGroups/rg-rbw-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan referenced by resource /subscriptions/03fcda23-1960-49c6-943d-f239c7de53a8/resourceGroups/rg-rbw-connectivity/providers/Microsoft.Network/virtualNetworks/alz-hub-centralus was not found. Please make sure that the referenced resource exists. (Code: InvalidGlobalResourceReference) CorrelationId: c6905a2e-8408-4c9a-96fe-172dc2390a3a
2023-08-02T09:57:41.1671111Z
2023-08-02T09:57:41.2575033Z ##[error]PowerShell exited with code '1'.
2023-08-02T09:57:41.2599725Z ##[section]Finishing: Hub (Hub-and-Spoke) Deployment
Hi @bojanmisic, thanks for calling out this issue. I was able to replicate your error when passing in false for the parDdosEnabled parameter.
After looking into it, I was able to determine that it is due to the parDdosProtectionPlanId parameter within alzDefaultPolicyAssignments.parameters.all.json being set to the DDoS protection resource ID. This value gets pre-populated automatically after using the ALZ-PowerShell-Module.
Essentially, if this parameter value is not empty then the module named modPolicyAssignmentLzsEnableDdosVnet will be deployed. This module creates a policy assignment to force all virtual networks to be linked with the DDoS plan supplied in the parDdosProtectionPlanId parameter.
To get around this, you will need to manually delete the policy assignment named "Virtual networks should be protected by Azure DDoS Protection Standard". You can then re-run the ALZ-Bicep-4a-HubSpoke workflow. Finally, remove the value that was pre-populated for parDdosProtectionPlanId, otherwise you'll continue to run into the same issue deploying other Virtual Networks.
Apologies for the confusion, and we will work on providing clarification within the documentation for this scenario and any others that could be impacted by the built-in. We will also consider adding an additional input request to the ALZ-PowerShell-Module to determine if the DDoS protection should be enabled or not.
Hi @oZakari,
This did the trick. Thank you.
Just would like to add that this policy assignment "Virtual networks should be protected by Azure DDoS Protection Standard" is added on two levels, "Landing Zones" and "Connectivity", so if someone wants to remove them manually, they need to remove them on both levels.
Thanks!
Or you can add them to this array parameter parExcludedPolicyAssignments
https://github.com/Azure/ALZ-Bicep/blob/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md#parexcludedpolicyassignments
I just ran into this as well while using the ALZ accelerator pipelines using Azure DevOps.
There you have to add it to config\custom-parameters\alzDefaultPolicyAssignments.parameters.all.json
"parExcludedPolicyAssignments": {
"value": [
"Enable-DDoS-VNET"
]
},
A possible solution in the future might be when the parameter files are refactored from json to bicepparam files, so that a description or comment can be added to the parameter, for example:
@sys.description('Switch to enable/disable DDoS Network Protection deployment. When you set this to false, make sure you add the following policy to the parExcludedPolicyAssignments in the alzDefaultPolicyAssignments.parameters.all parameter file: "Enable-DDoS-VNET" ')
param parDdosEnabled bool = true
@MarcoJanse's fix works only if you haven't already deployed the Azure Policy; if it is already deployed, you will have to go into the Azure Policy and change the enforcement mode from enabled to disabled as outlined in the docs.
Issue:
If you update a policy or version, it will revert to the default because of infra-as-code\bicep\modules\policy\assignments\lib\policy_assignments\policy_assignment_es_enable_ddos_vnet.tmpl.json. The same goes for doing what @oZakari states by removing it from the connection management group: it will simply appear again. Since the Hub is already created, it won't get triggered, but it also won't be compliant.
Workaround
Because of what is explained above, the workaround would be to first go into the Azure Policy and disable it, then go into config\custom-parameters\alzDefaultPolicyAssignments.parameters.all.json and add parExcludedPolicyAssignments.value = "Enable-DDoS-VNET". This will make it so that the Enable-DDoS-VNET policy is simply ignored.
The suggested future fix that @MarcoJanse shared would be ideal, as it keeps with the opt-out function of deploying DDoS.
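The mismatch described in this thread (DDoS opted out in one parameter file, but the plan ID and the Enable-DDoS-VNET assignment still active in the other) can be caught before New-AzResourceGroupDeployment runs. The following pre-deployment check is an added example, not code from the ALZ-Bicep project or from any commenter; it assumes the file layout the thread shows (parDdosEnabled in hubNetworking.parameters.all.json; parDdosProtectionPlanId and parExcludedPolicyAssignments in alzDefaultPolicyAssignments.parameters.all.json), and the function names and the embedded sample inputs are the example's own.

```python
"""Pre-deployment consistency check for the ALZ-Bicep DDoS opt-out.

Added example (not from the ALZ-Bicep project): cross-checks the two parameter
files discussed in the thread so the InvalidGlobalResourceReference failure is
reported before the hub deployment is submitted.
"""
import json
from typing import Any

# Policy assignment name from the thread; must be excluded when DDoS is off.
DDOS_POLICY_ASSIGNMENT = "Enable-DDoS-VNET"


def _param(params: dict[str, Any], name: str, default: Any = None) -> Any:
    """Return parameters[name]["value"] from an ARM parameter file, or default."""
    return params.get("parameters", {}).get(name, {}).get("value", default)


def check_ddos_opt_out(hub: dict[str, Any], policy: dict[str, Any]) -> list[str]:
    """Return findings (empty list means the two files are consistent).

    hub    : parsed hubNetworking.parameters.all.json
    policy : parsed alzDefaultPolicyAssignments.parameters.all.json
    """
    findings: list[str] = []
    # Module default is true (see the bicep param in the thread), so a missing
    # key means the plan will be deployed and no cross-check is needed.
    if _param(hub, "parDdosEnabled", True):
        return findings
    plan_id = _param(policy, "parDdosProtectionPlanId", "") or ""
    excluded = _param(policy, "parExcludedPolicyAssignments", []) or []
    # A non-empty plan ID makes the DDoS policy assignment module deploy an
    # assignment that points at a plan which will never be created.
    if plan_id:
        findings.append(
            f"parDdosEnabled is false but parDdosProtectionPlanId is '{plan_id}'; clear it."
        )
    if DDOS_POLICY_ASSIGNMENT not in excluded:
        findings.append(
            f"parDdosEnabled is false but '{DDOS_POLICY_ASSIGNMENT}' is not in "
            "parExcludedPolicyAssignments; the assignment will force the hub VNet "
            "to reference the missing plan."
        )
    return findings


def check_files(hub_path: str, policy_path: str) -> list[str]:
    """Load both parameter files from disk and run the check."""
    with open(hub_path, encoding="utf-8") as f_hub, open(policy_path, encoding="utf-8") as f_pol:
        return check_ddos_opt_out(json.load(f_hub), json.load(f_pol))


# Constructed sample inputs mirroring the reporter's situation (not real files).
HUB_DDOS_OFF = {"parameters": {"parDdosEnabled": {"value": False},
                               "parDdosPlanName": {"value": "alz-ddos-plan"}}}
POLICY_PREPOPULATED = {"parameters": {
    "parDdosProtectionPlanId": {"value": "/subscriptions/<sub-id>/resourceGroups/"
                                         "rg-rbw-connectivity/providers/Microsoft.Network/"
                                         "ddosProtectionPlans/alz-ddos-plan"},
    "parExcludedPolicyAssignments": {"value": []}}}
POLICY_FIXED = {"parameters": {
    "parDdosProtectionPlanId": {"value": ""},
    "parExcludedPolicyAssignments": {"value": ["Enable-DDoS-VNET"]}}}

if __name__ == "__main__":
    for finding in check_ddos_opt_out(HUB_DDOS_OFF, POLICY_PREPOPULATED):
        print("FAIL:", finding)
    print("fixed config findings:", check_ddos_opt_out(HUB_DDOS_OFF, POLICY_FIXED))
```

Wired in as a pwsh step before the "Hub (Hub-and-Spoke) Deployment" task and made to exit non-zero on any finding, it turns a failed deployment into a failed pipeline step with a readable reason.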
I've documented the workaround described here by MarcoJanse and FallenHoot https://github.com/Azure/ALZ-Bicep/pull/711/files
As an alternative workaround, can we change the enforcementMode of the two policy definitions from Default to DoNotEnforce?
The definitions are in the files
upstream-releases\v0.17.2\infra-as-code\bicep\modules\policy\assignments\lib\policy_assignments\policy_assignment_es_enable_ddos_vnet.tmpl.json
and
upstream-releases\v0.17.2\infra-as-code\bicep\modules\policy\assignments\lib\china\policy_assignments\policy_assignment_es_enable_ddos_vnet.tmpl.json