Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

🪲 Bug Report - ALZ-Bicep-4a - Hub (Hub-and-Spoke) Deployment does not complete when DDOS set to false #596

Closed bojanmisic closed 2 months ago

bojanmisic commented 1 year ago

Hello,

I am having trouble with running the ALZ-Bicep-4a Workflow component.

I have edited the config/custom-parameters/hubNetworking.parameters.all.json file to exclude the DDoS protection as following:

"parDdosEnabled": {
  "value": false
},

However, when I run the deployment, it fails with the following error:

Resource /subscriptions/connectivitysubID/resourceGroups/rgname/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan referenced by resource /subscriptions/connectivitysubID/resourceGroups/rgname/providers/Microsoft.Network/virtualNetworks/vnet-name was not found. Please make sure that the referenced resource exists.

Raw error from deployment:

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
  "details": [
    {
      "code": "InvalidGlobalResourceReference",
      "message": "Resource /subscriptions/.../resourceGroups/rg-rbw-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan referenced by resource /subscriptions/.../resourceGroups/rg-rbw-connectivity/providers/Microsoft.Network/virtualNetworks/alz-hub-centralus was not found. Please make sure that the referenced resource exists."
    }
  ]
}

To Reproduce

Steps to reproduce the behaviour:

  1. Set the parDdosEnabled parameter in hubNetworking.parameters.all.json to "false":
     "parDdosEnabled": {
       "value": false
     },
  2. Run the ALZ-Bicep-4a Workflow action
  3. Wait for results

Expected behaviour

The workflow should not create DDOS Protection and successfully complete.

Screenshots 📷


Correlation ID

c6905a2e-8408-4c9a-96fe-172dc2390a3a

Additional context

Using Accelerator v0.16.0.

config/custom-parameters/hubNetworking.parameters.all.json:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "parLocation": {
      "value": "centralus"
    },
    "parCompanyPrefix": {
      "value": "rbw"
    },
    "parHubNetworkName": {
      "value": "alz-hub-centralus"
    },
    "parHubNetworkAddressPrefix": {
      "value": "10.20.0.0/16"
    },
    "parSubnets": {
      "value": [
        {
          "name": "AzureBastionSubnet",
          "ipAddressRange": "10.20.0.0/24",
          "networkSecurityGroupId": "",
          "routeTableId": ""
        },
        {
          "name": "GatewaySubnet",
          "ipAddressRange": "10.20.254.0/24",
          "networkSecurityGroupId": "",
          "routeTableId": ""
        },
        {
          "name": "AzureFirewallSubnet",
          "ipAddressRange": "10.20.255.0/24",
          "networkSecurityGroupId": "",
          "routeTableId": ""
        },
        {
          "name": "AzureFirewallManagementSubnet",
          "ipAddressRange": "10.20.253.0/24",
          "networkSecurityGroupId": "",
          "routeTableId": ""
        }
      ]
    },
    "parDnsServerIps": {
      "value": []
    },
    "parPublicIpSku": {
      "value": "Standard"
    },
    "parPublicIpPrefix": {
      "value": ""
    },
    "parPublicIpSuffix": {
      "value": "-PublicIP"
    },
    "parAzBastionEnabled": {
      "value": false
    },
    "parAzBastionName": {
      "value": "alz-bastion"
    },
    "parAzBastionSku": {
      "value": "Standard"
    },
    "parAzBastionNsgName": {
      "value": "nsg-AzureBastionSubnet"
    },
    "parDdosEnabled": {
      "value": false
    },
    "parDdosPlanName": {
      "value": "alz-ddos-plan"
    },
    "parAzFirewallEnabled": {
      "value": false
    },
    "parAzFirewallName": {
      "value": "alz-azfw-centralus"
    },
    "parAzFirewallPoliciesName": {
      "value": "alz-azfwpolicy-centralus"
    },
    "parAzFirewallTier": {
      "value": "Standard"
    },
    "parAzFirewallAvailabilityZones": {
      "value": []
    },
    "parAzErGatewayAvailabilityZones": {
      "value": []
    },
    "parAzVpnGatewayAvailabilityZones": {
      "value": []
    },
    "parAzFirewallDnsProxyEnabled": {
      "value": true
    },
    "parHubRouteTableName": {
      "value": "alz-hub-routetable"
    },
    "parDisableBgpRoutePropagation": {
      "value": false
    },
    "parPrivateDnsZonesEnabled": {
      "value": true
    },
    "parPrivateDnsZones": {
      "value": [
        "privatelink.centralus.azmk8s.io",
        "privatelink.centralus.batch.azure.com",
        "privatelink.centralus.kusto.windows.net",
        "privatelink.centralus.backup.windowsazure.com",
        "privatelink.adf.azure.com",
        "privatelink.afs.azure.net",
        "privatelink.agentsvc.azure-automation.net",
        "privatelink.analysis.windows.net",
        "privatelink.api.azureml.ms",
        "privatelink.azconfig.io",
        "privatelink.azure-api.net",
        "privatelink.azure-automation.net",
        "privatelink.azurecr.io",
        "privatelink.azure-devices.net",
        "privatelink.azure-devices-provisioning.net",
        "privatelink.azurehdinsight.net",
        "privatelink.azurehealthcareapis.com",
        "privatelink.azurestaticapps.net",
        "privatelink.azuresynapse.net",
        "privatelink.azurewebsites.net",
        "privatelink.batch.azure.com",
        "privatelink.blob.core.windows.net",
        "privatelink.cassandra.cosmos.azure.com",
        "privatelink.cognitiveservices.azure.com",
        "privatelink.database.windows.net",
        "privatelink.datafactory.azure.net",
        "privatelink.dev.azuresynapse.net",
        "privatelink.dfs.core.windows.net",
        "privatelink.dicom.azurehealthcareapis.com",
        "privatelink.digitaltwins.azure.net",
        "privatelink.directline.botframework.com",
        "privatelink.documents.azure.com",
        "privatelink.eventgrid.azure.net",
        "privatelink.file.core.windows.net",
        "privatelink.gremlin.cosmos.azure.com",
        "privatelink.guestconfiguration.azure.com",
        "privatelink.his.arc.azure.com",
        "privatelink.kubernetesconfiguration.azure.com",
        "privatelink.managedhsm.azure.net",
        "privatelink.mariadb.database.azure.com",
        "privatelink.media.azure.net",
        "privatelink.mongo.cosmos.azure.com",
        "privatelink.monitor.azure.com",
        "privatelink.mysql.database.azure.com",
        "privatelink.notebooks.azure.net",
        "privatelink.ods.opinsights.azure.com",
        "privatelink.oms.opinsights.azure.com",
        "privatelink.pbidedicated.windows.net",
        "privatelink.postgres.database.azure.com",
        "privatelink.prod.migration.windowsazure.com",
        "privatelink.purview.azure.com",
        "privatelink.purviewstudio.azure.com",
        "privatelink.queue.core.windows.net",
        "privatelink.redis.cache.windows.net",
        "privatelink.redisenterprise.cache.azure.net",
        "privatelink.search.windows.net",
        "privatelink.service.signalr.net",
        "privatelink.servicebus.windows.net",
        "privatelink.siterecovery.windowsazure.com",
        "privatelink.sql.azuresynapse.net",
        "privatelink.table.core.windows.net",
        "privatelink.table.cosmos.azure.com",
        "privatelink.tip1.powerquery.microsoft.com",
        "privatelink.token.botframework.com",
        "privatelink.vaultcore.azure.net",
        "privatelink.web.core.windows.net",
        "privatelink.webpubsub.azure.com"
      ]
    },
    "parPrivateDnsZoneAutoMergeAzureBackupZone": {
      "value": true
    },
    "parVpnGatewayConfig": {
      "value": {
        "name": "alz-Vpn-Gateway",
        "gatewayType": "Vpn",
        "sku": "VpnGw1",
        "vpnType": "RouteBased",
        "generation": "Generation1",
        "enableBgp": false,
        "activeActive": false,
        "enableBgpRouteTranslationForNat": false,
        "enableDnsForwarding": false,
        "bgpPeeringAddress": "",
        "bgpsettings": {
          "asn": "65515",
          "bgpPeeringAddress": "",
          "peerWeight": "5"
        }
      }
    },
    "parExpressRouteGatewayConfig": {
      "value": {
        "name": "alz-ExpressRoute-Gateway",
        "gatewayType": "ExpressRoute",
        "sku": "Standard",
        "vpnType": "RouteBased",
        "generation": "None",
        "enableBgp": false,
        "activeActive": false,
        "enableBgpRouteTranslationForNat": false,
        "enableDnsForwarding": false,
        "bgpPeeringAddress": "",
        "bgpsettings": {
          "asn": "65515",
          "bgpPeeringAddress": "",
          "peerWeight": "5"
        }
      }
    },
    "parTags": {
      "value": {
        "Environment": "Production"
      }
    },
    "parTelemetryOptOut": {
      "value": false
    },
    "parBastionOutboundSshRdpPorts": {
      "value": [
        "22",
        "3389"
      ]
    }
  }
}

Pipeline:

name: ALZ-Bicep-4-HubSpoke

trigger:
# YAML PR triggers are supported only in GitHub and Bitbucket Cloud.
# If you use Azure Repos Git, you can configure a branch policy for build validation to trigger your build pipeline for validation.
# https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies#build-validation
  branches:
    include:
      - "main"
  paths:
    include:
      - "config/custom-parameters/resourceGroupConnectivity.parameters.all.json"
      - "config/custom-parameters/hubNetworking.parameters.all.json"
pr:
  branches:
    include:
      - "main"
  paths:
    include:
      - "config/custom-parameters/resourceGroupConnectivity.parameters.all.json"
      - "config/custom-parameters/hubNetworking.parameters.all.json"

variables:
  ENV_FILE: ".env"
  SERVICE_CONNECTION_NAME: "***"
  IS_PULL_REQUEST: "false"

jobs:
  - job: ALZ_Bicep_4a_HubSpoke
    pool:
      vmImage: ubuntu-latest
    steps:
      - checkout: self
        displayName: Checkout Repo

      - pwsh: |
          (Get-Content -Path $env:ENV_FILE -Encoding UTF8) | ForEach-Object {$_ -replace '"',''} | Out-File -FilePath $env:ENV_FILE -Encoding UTF8
        displayName: Remove Quotation Marks from Environment File

      - pwsh: |
          Write-Host $env:ENV_FILE
          Get-Content -Path $env:ENV_FILE -Encoding UTF8 | ForEach-Object {
            $envVarName, $envVarValue = ($_ -replace '"','').split('=')
            echo "##vso[task.setvariable variable=$envVarName;]$envVarValue"
            echo "Set $envVarName to $envVarValue"
          }
        displayName: Import Environment Variables from File

      - pwsh: |
          echo "##vso[task.setvariable variable=IS_PULL_REQUEST;]true"
        condition: eq(variables['Build.Reason'], 'PullRequest')
        displayName: Set IS_PULL_REQUEST Variable to True

      - task: AzurePowerShell@5
        displayName: "Connectivity Resource Group Deployment"
        inputs:
          azureSubscription: ${{ variables.SERVICE_CONNECTION_NAME }}
          azurePowerShellVersion: "LatestVersion"
          pwsh: true
          ScriptType: "InlineScript"
          Inline: |
            .\pipeline-scripts\Deploy-ALZConnectivityResourceGroup.ps1

      - task: AzurePowerShell@5
        displayName: "Hub (Hub-and-Spoke) Deployment"
        inputs:
          azureSubscription: ${{ variables.SERVICE_CONNECTION_NAME }}
          azurePowerShellVersion: "LatestVersion"
          pwsh: true
          ScriptType: "InlineScript"
          Inline: |
            .\pipeline-scripts\Deploy-ALZHub-HubAndSpoke.ps1

Pipeline script:

param (
  [Parameter()]
  [String]$ConnectivitySubscriptionId = "$($env:CONNECTIVITY_SUBSCRIPTION_ID)",

  [Parameter()]
  [String]$ConnectivityResourceGroup = "$($env:CONNECTIVITY_RESOURCE_GROUP)",

  [Parameter()]
  [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\hubNetworking\hubNetworking.bicep",

  [Parameter()]
  [String]$TemplateParameterFile = "config\custom-parameters\hubNetworking.parameters.all.json",

  [Parameter()]
  [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST))
)

# Parameters necessary for deployment
$inputObject = @{
  DeploymentName        = 'alz-Hub-and-SpokeDeploy-{0}' -f ( -join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
  ResourceGroupName     = $ConnectivityResourceGroup
  TemplateFile          = $TemplateFile
  TemplateParameterFile = $TemplateParameterFile
  WhatIf                = $WhatIfEnabled
  Verbose               = $true
}

Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId

New-AzResourceGroupDeployment @inputObject

bojanmisic commented 1 year ago

Raw pipeline log:

2023-08-02T09:56:43.5509090Z ##[section]Starting: Hub (Hub-and-Spoke) Deployment
2023-08-02T09:56:43.5513881Z ==============================================================================
2023-08-02T09:56:43.5514010Z Task         : Azure PowerShell
2023-08-02T09:56:43.5514082Z Description  : Run a PowerShell script within an Azure environment
2023-08-02T09:56:43.5514186Z Version      : 5.225.1
2023-08-02T09:56:43.5514257Z Author       : Microsoft Corporation
2023-08-02T09:56:43.5514334Z Help         : https://aka.ms/azurepowershelltroubleshooting
2023-08-02T09:56:43.5514415Z ==============================================================================
2023-08-02T09:56:43.8791205Z Generating script.
2023-08-02T09:56:43.8823589Z [command]/usr/bin/pwsh -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command . '/home/vsts/work/_temp/17a39ed3-596b-4acc-8a69-cae453b19cf8.ps1'
2023-08-02T09:56:43.8878365Z File saved!
2023-08-02T09:56:44.3602775Z ##[command]Import-Module -Name /usr/share/az_9.3.0/Az.Accounts/2.12.4/Az.Accounts.psd1 -Global
2023-08-02T09:56:49.9724358Z ##[command]Clear-AzContext -Scope Process
2023-08-02T09:56:50.0936947Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2023-08-02T09:56:50.1451836Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant REDACTED -Credential System.Management.Automation.PSCredential -Environment AzureCloud @processScope
2023-08-02T09:56:51.1152567Z 
2023-08-02T09:56:51.1161750Z Name                                     Account   Subscript Environme TenantId
2023-08-02T09:56:51.1162676Z                                                    ionName   nt
2023-08-02T09:56:51.1163002Z ----                                     -------   --------- --------- --------
2023-08-02T09:56:51.1166215Z Connectivity (03fcda23-1960-49c6-943d-f… abaeed0f… Connecti… AzureClo… 5432105…
2023-08-02T09:56:56.1998476Z VERBOSE: Using Bicep v0.19.5
2023-08-02T09:57:00.0634841Z WARNING: /home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep(1,1) : Info Bicep Linter Configuration: Custom bicepconfig.json file found (/home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/bicepconfig.json).
2023-08-02T09:57:00.0635826Z /home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/publicIp/publicIp.bicep(1,1) : Info Bicep Linter Configuration: Custom bicepconfig.json file found (/home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/bicepconfig.json).
2023-08-02T09:57:00.0636591Z /home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep(1,1) : Info Bicep Linter Configuration: Custom bicepconfig.json file found (/home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json).
2023-08-02T09:57:00.0637359Z /home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep(1,1) : Info Bicep Linter Configuration: Custom bicepconfig.json file found (/home/vsts/work/1/s/upstream-releases/v0.16.0/infra-as-code/bicep/modules/privateDnsZones/bicepconfig.json).
2023-08-02T09:57:00.0819048Z VERBOSE: Performing the operation "Creating Deployment" on target "rg-rbw-connectivity".
2023-08-02T09:57:04.6953212Z VERBOSE: 09:57:04 - Template is valid.
2023-08-02T09:57:05.6148245Z VERBOSE: 09:57:05 - Create template deployment 'alz-Hub-and-SpokeDeploy-20230802T0908508319Z'
2023-08-02T09:57:05.6159102Z VERBOSE: 09:57:05 - Checking deployment status in 5 seconds
2023-08-02T09:57:11.7503640Z VERBOSE: 09:57:11 - Resource Microsoft.Network/networkSecurityGroups 'nsg-AzureBastionSubnet' provisioning status is succeeded
2023-08-02T09:57:11.7504453Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-1' provisioning status is running
2023-08-02T09:57:11.7505949Z VERBOSE: 09:57:11 - Resource Microsoft.Network/publicIPAddresses 'alz-ExpressRoute-Gateway-PublicIP' provisioning status is succeeded
2023-08-02T09:57:11.7506955Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'pid-3f85b84c-6bad-4c42-86bf-11c233241c22-7qbbpmud4u7n4' provisioning status is running
2023-08-02T09:57:11.7547888Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-0' provisioning status is running
2023-08-02T09:57:11.7550186Z VERBOSE: 09:57:11 - Resource Microsoft.Network/publicIPAddresses 'alz-Vpn-Gateway-PublicIP' provisioning status is succeeded
2023-08-02T09:57:11.7550666Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'pid-3f85b84c-6bad-4c42-86bf-11c233241c22-7kksjvcmpkgyy' provisioning status is running
2023-08-02T09:57:11.7551107Z VERBOSE: 09:57:11 - Resource Microsoft.Resources/deployments 'pid-2686e846-5fdc-4d4f-b533-16dcb09d6e6c-lvjmfv5dzfznm' provisioning status is running
2023-08-02T09:57:11.8729121Z VERBOSE: 09:57:11 - Checking deployment status in 12 seconds
2023-08-02T09:57:24.9783425Z VERBOSE: 09:57:24 - Resource Microsoft.Resources/deployments 'pid-3f85b84c-6bad-4c42-86bf-11c233241c22-7qbbpmud4u7n4' provisioning status is succeeded
2023-08-02T09:57:24.9784471Z VERBOSE: 09:57:24 - Resource Microsoft.Resources/deployments 'pid-3f85b84c-6bad-4c42-86bf-11c233241c22-7kksjvcmpkgyy' provisioning status is succeeded
2023-08-02T09:57:24.9785423Z VERBOSE: 09:57:24 - Resource Microsoft.Resources/deployments 'pid-2686e846-5fdc-4d4f-b533-16dcb09d6e6c-lvjmfv5dzfznm' provisioning status is succeeded
2023-08-02T09:57:25.0678916Z VERBOSE: 09:57:25 - Checking deployment status in 14 seconds
2023-08-02T09:57:40.8652720Z VERBOSE: 09:57:40 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-0' provisioning status is succeeded
2023-08-02T09:57:40.8653172Z VERBOSE: 09:57:40 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-1' provisioning status is succeeded
2023-08-02T09:57:40.8653606Z VERBOSE: 09:57:40 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-1' provisioning status is succeeded
2023-08-02T09:57:40.8653990Z VERBOSE: 09:57:40 - Resource Microsoft.Resources/deployments 'deploy-Gateway-Public-IP-0' provisioning status is succeeded
2023-08-02T09:57:41.1666681Z New-AzResourceGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZHub-HubAndSpoke.ps1:30
2023-08-02T09:57:41.1667299Z Line |
2023-08-02T09:57:41.1668141Z   30 |  New-AzResourceGroupDeployment @inputObject
2023-08-02T09:57:41.1668486Z      |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2023-08-02T09:57:41.1668820Z      | 09:57:40 - The deployment 'alz-Hub-and-SpokeDeploy-20230802T0908508319Z'
2023-08-02T09:57:41.1669191Z      | failed with error(s). Showing 1 out of 1 error(s). Status Message:
2023-08-02T09:57:41.1669720Z      | Resource
2023-08-02T09:57:41.1670538Z      | /subscriptions/03fcda23-1960-49c6-943d-f239c7de53a8/resourceGroups/rg-rbw-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan referenced by resource /subscriptions/03fcda23-1960-49c6-943d-f239c7de53a8/resourceGroups/rg-rbw-connectivity/providers/Microsoft.Network/virtualNetworks/alz-hub-centralus was not found. Please make sure that the referenced resource exists. (Code: InvalidGlobalResourceReference)   CorrelationId: c6905a2e-8408-4c9a-96fe-172dc2390a3a
2023-08-02T09:57:41.1671111Z 
2023-08-02T09:57:41.2575033Z ##[error]PowerShell exited with code '1'.
2023-08-02T09:57:41.2599725Z ##[section]Finishing: Hub (Hub-and-Spoke) Deployment
oZakari commented 1 year ago

Hi @bojanmisic, thanks for calling out this issue. I was able to replicate your error when passing in false for the parDdosEnabled parameter.

After looking into it, I was able to determine that it is due to the parDdosProtectionPlanId parameter within alzDefaultPolicyAssignments.parameters.all.json being set to the DDoS protection resource ID. This value gets pre-populated automatically after using the ALZ-PowerShell-Module.

Essentially, if this parameter value is not empty then the module named modPolicyAssignmentLzsEnableDdosVnet will be deployed. This module creates a policy assignment to force all virtual networks to be linked with the DDoS plan supplied in the parDdosProtectionPlanId parameter.

To get around this, you will need to manually delete the policy assignment named "Virtual networks should be protected by Azure DDoS Protection Standard". You can then re-run the ALZ-Bicep-4a-HubSpoke workflow. Finally, remove the value that was pre-populated for parDdosProtectionPlanId, otherwise you'll continue to run into the same issue deploying other Virtual Networks.

Apologies for the confusion, and we will work on providing clarification within the documentation for this scenario and any others that could be impacted by the built-in. We will also consider adding an additional input request to the ALZ-PowerShell-Module to determine if the DDoS protection should be enabled or not.

bojanmisic commented 1 year ago

Hi @oZakari,

This did the trick. Thank you.

Just would like to add that this policy assignment "Virtual networks should be protected by Azure DDoS Protection Standard" is added on two levels: "Landing Zones" and "Connectivity", so if someone wants to remove them manually, they need to remove it on both levels.

Thanks!

jtracey93 commented 1 year ago

Or you can add them to this array parameter, parExcludedPolicyAssignments:

https://github.com/Azure/ALZ-Bicep/blob/main/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md#parexcludedpolicyassignments

MarcoJanse commented 9 months ago

I just ran into this as well while using the ALZ accelerator pipelines using Azure DevOps. There you have to add it to config\custom-parameters\alzDefaultPolicyAssignments.parameters.all.json

    "parExcludedPolicyAssignments": {
      "value": [
        "Enable-DDoS-VNET"
      ]
    },

A possible solution in the future might be when the parameter files are refactored from JSON to bicepparam files, so that a description or comment can be added with the parameter, for example:

@sys.description('Switch to enable/disable DDoS Network Protection deployment. When you set this to false, make sure you add the following policy to the parExcludedPolicyAssignments in the alzDefaultPolicyAssignments.parameters.all parameter file: "Enable-DDoS-VNET" ')
param parDdosEnabled bool = true
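
A pre-flight check that a practitioner could run against the two accelerator parameter files before the ALZ-Bicep-4a pipeline, as an added example that is not part of ALZ-Bicep or the accelerator. It encodes the rule worked out in this thread (DDoS opted out in hubNetworking requires either an empty parDdosProtectionPlanId or "Enable-DDoS-VNET" in parExcludedPolicyAssignments); the JSON sample inputs are constructed and the subscription ID is a placeholder.

```python
"""Consistency check between hubNetworking.parameters.all.json and
alzDefaultPolicyAssignments.parameters.all.json (added example, not
part of ALZ-Bicep or the ALZ accelerator).

Rule from this thread: if parDdosEnabled is false, the Enable-DDoS-VNET
assignment must not be able to reference a plan that is never created,
so parDdosProtectionPlanId must be empty or the assignment must be
listed in parExcludedPolicyAssignments. Otherwise the hub VNet
deployment fails with InvalidGlobalResourceReference.
"""
import json
from typing import Any

DDOS_ASSIGNMENT = "Enable-DDoS-VNET"


def _param(doc: dict[str, Any], name: str, default: Any = None) -> Any:
    """Read parameters.<name>.value from an ARM parameter file, or default."""
    return doc.get("parameters", {}).get(name, {}).get("value", default)


def check_ddos_consistency(hub: dict[str, Any], policy: dict[str, Any]) -> list[str]:
    """Return findings as strings; an empty list means the files agree."""
    findings: list[str] = []
    ddos_enabled = bool(_param(hub, "parDdosEnabled", True))
    plan_id = _param(policy, "parDdosProtectionPlanId", "") or ""
    excluded = set(_param(policy, "parExcludedPolicyAssignments", []) or [])

    if ddos_enabled:
        # Per the thread, an empty plan ID means the DDoS VNet assignment
        # is never deployed, so the guardrail silently disappears.
        if not plan_id:
            findings.append(
                "parDdosEnabled is true but parDdosProtectionPlanId is empty: "
                f"{DDOS_ASSIGNMENT} will not be assigned, hub VNets stay unguarded")
        return findings

    if plan_id and DDOS_ASSIGNMENT not in excluded:
        findings.append(
            f"parDdosEnabled is false but parDdosProtectionPlanId={plan_id!r} "
            f"and {DDOS_ASSIGNMENT!r} is not in parExcludedPolicyAssignments: "
            "hub VNet deployment will fail with InvalidGlobalResourceReference")
    return findings


def check_files(hub_path: str, policy_path: str) -> list[str]:
    """Same check, reading both parameter files from disk."""
    with open(hub_path, encoding="utf-8") as h, open(policy_path, encoding="utf-8") as p:
        return check_ddos_consistency(json.load(h), json.load(p))


# Constructed samples mirroring the files quoted in this issue; the
# subscription ID is a placeholder, not a real value.
HUB_PARAMS = json.loads('{"parameters": {"parDdosEnabled": {"value": false},'
                        ' "parDdosPlanName": {"value": "alz-ddos-plan"}}}')
POLICY_PARAMS_BROKEN = json.loads('{"parameters": {"parDdosProtectionPlanId": {"value":'
    ' "/subscriptions/<sub-id>/resourceGroups/rg-rbw-connectivity/providers/'
    'Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"},'
    ' "parExcludedPolicyAssignments": {"value": []}}}')
POLICY_PARAMS_FIXED = json.loads('{"parameters": {"parDdosProtectionPlanId": {"value": ""},'
    ' "parExcludedPolicyAssignments": {"value": ["Enable-DDoS-VNET"]}}}')

if __name__ == "__main__":
    for label, policy in (("broken", POLICY_PARAMS_BROKEN), ("fixed", POLICY_PARAMS_FIXED)):
        print(label, check_ddos_consistency(HUB_PARAMS, policy) or "OK")
```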

FallenHoot commented 9 months ago

@MarcoJanse's fix works only if you didn't already deploy the Azure Policy; if it is already deployed, you will have to go into the Azure Policy and change the enforcement mode from enabled to disabled, as outlined in the docs.

Issue: If you update a policy or version, it will revert back to default, because of infra-as-code\bicep\modules\policy\assignments\lib\policy_assignments\policy_assignment_es_enable_ddos_vnet.tmpl.json. The same goes for doing what @oZakari states by removing it from the connection management group: it will simply appear back. Since the Hub is already created, it won't get triggered, but it also won't be compliant.

Workaround: Because of what is explained above, the workaround would be to first go into the Azure Policy and disable it, then go into config\custom-parameters\alzDefaultPolicyAssignments.parameters.all.json and add "Enable-DDoS-VNET" to parExcludedPolicyAssignments.value. This will make it so that the Enable-DDoS-VNET policy is simply ignored.

The suggested future fix that @MarcoJanse shared would be ideal, as it keeps with the opt-out function of deploying DDoS.

marcosgm commented 8 months ago

I've documented the workaround described here by MarcoJanse and FallenHoot: https://github.com/Azure/ALZ-Bicep/pull/711/files

dave-007 commented 4 months ago

As an alternative workaround, can we change the two policy definitions' enforcementMode from Default to DoNotEnforce?

The definitions are in the files upstream-releases\v0.17.2\infra-as-code\bicep\modules\policy\assignments\lib\policy_assignments\policy_assignment_es_enable_ddos_vnet.tmpl.json

and

upstream-releases\v0.17.2\infra-as-code\bicep\modules\policy\assignments\lib\china\policy_assignments\policy_assignment_es_enable_ddos_vnet.tmpl.json

oZakari commented 2 months ago

The PR mentioned above will also add a parameter parDdosEnabled to set the assignment to DoNotEnforce as well, so you don't have to mess with the policy assignment JSON files directly if you don't want to.