Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

`hubNetworking` module deployment fails when DDoS is disabled #860

Closed cconstantin closed 2 months ago

cconstantin commented 2 months ago

What happened? Provide a clear and concise description of the bug, including deployment details.

hubNetworking module deployment fails when DDoS is disabled. This appears to be caused by the DDoS plan reference in the outputs.

Please provide the correlation id associated with your error or bug.

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

What was the expected outcome?

Hub networking resources have been created/updated successfully, and DDoS has been disabled on hub vnet.

Relevant log output

Status Message: Resource /subscriptions/<****>/resourceGroups/rg-aci-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan not found. (Code: NotFound)


kasimrehman commented 2 weeks ago

Hi, I would like to reopen this issue again. I am having this issue after deploying ALZ with DDOS protection enabled and then setting parDdosEnabled to false and redeploying. I am working with the newest release.

What I find odd is that I get the same status message as above when trying to disable the plan, saying alz-ddos-plan not found, whereas the default value for the DDOS protection name should have included a company prefix (which was not "alz" for me), so I am not sure where "alz-ddos-plan" is coming from. It's neither the actual DDOS plan I have, nor the default value of parDdosPlanName in my case. In fact, I get the same message when I try to disable the DDOS protection plan from the portal. Deleting the association to the hub vnet fails because it says it cannot find "alz-ddos-plan". Well, that plan never existed. The only plan that exists is called alz-ddos-plan-germanywestcentral, which is the name the accelerator generated for parDdosPlanName.

oZakari commented 1 week ago

Hi @kasimrehman, please ensure that you have also set parDdosEnabled to false in the ALZ Defaults Policy Assignment module parameters file. You'll get the error you mentioned as there is a policy assignment that references that DDoS plan name.

You'll also need to manually remove the policy assignments as Bicep will not be able to remove them after the fact. There will be one policy assignment scoped at the platform's connectivity management group AND another one at the landing zones management group.

Please reach out if you run into any other issues and apologies for any confusion.
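
An added example, not part of the thread or of the ALZ-Bicep code: one way to find the policy assignments that still point at a DDoS plan that does not exist, before removing them by hand. It assumes the inputs are JSON exported from `az policy assignment list --scope <management group scope>` and `az network ddos-protection list`; the subscription ID, resource group, management group names, assignment names and the `ddosPlan` parameter name in the sample data are constructed.

```python
import re

# Matches a DDoS protection plan resource ID anywhere in a parameter value.
PLAN_ID = re.compile(
    r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/ddosProtectionPlans/[^/\s\"']+",
    re.IGNORECASE,
)

def plan_ids_in(value):
    """Recursively collect DDoS plan resource IDs from a parameter value."""
    if isinstance(value, str):
        return PLAN_ID.findall(value)
    if isinstance(value, dict):
        return [i for v in value.values() for i in plan_ids_in(v)]
    if isinstance(value, list):
        return [i for v in value for i in plan_ids_in(v)]
    return []

def stale_ddos_assignments(assignments, existing_plans):
    """Return (assignment name, scope, plan ID) for every assignment that
    references a DDoS plan missing from existing_plans."""
    # Azure resource IDs are case-insensitive, so compare lowercased.
    known = {p["id"].lower() for p in existing_plans}
    stale = []
    for a in assignments:
        for plan_id in plan_ids_in(a.get("parameters") or {}):
            if plan_id.lower() not in known:
                stale.append((a["name"], a["scope"], plan_id))
    return stale

# Constructed sample data (placeholder subscription, resource group and scopes).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PLANS = SUB + "/resourceGroups/rg-example/providers/Microsoft.Network/ddosProtectionPlans/"
MG = "/providers/Microsoft.Management/managementGroups/"
SAMPLE_PLANS = [{"id": PLANS + "alz-ddos-plan-germanywestcentral"}]
SAMPLE_ASSIGNMENTS = [
    {"name": "example-ddos-connectivity", "scope": MG + "example-connectivity",
     "parameters": {"ddosPlan": {"value": PLANS + "alz-ddos-plan"}}},
    {"name": "example-ddos-landingzones", "scope": MG + "example-landingzones",
     "parameters": {"ddosPlan": {"value": PLANS + "ALZ-DDOS-PLAN-GermanyWestCentral"}}},
    {"name": "example-unrelated", "scope": MG + "example-landingzones",
     "parameters": {"effect": {"value": "Audit"}}},
]

if __name__ == "__main__":
    for name, scope, plan in stale_ddos_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_PLANS):
        print(f"{name} at {scope} -> missing {plan}")
```
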