Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Incomplete permissions for `Enable-DDoS-VNET` Policy Assignment #487

Closed mw8er closed 2 years ago

mw8er commented 2 years ago

Community Note

Versions

terraform: 1.2.3

azure provider: 3.26.0

module: 2.4.1

Description

Describe the bug

We enabled DDoS, including the policies to enforce assigning it in the landing zones management group. However, the remediation fails, since the assigned managed identity lacks the permission to modify the DDoS plan.

Steps to Reproduce

  1. Enable DDoS
  2. Remediate a VNet, i.e. apply the DDoS plan to the VNet.
  3. Remediation should fail due to lacking permission.

Workaround

Assign the permission Network Contributor on the DDoS Plan to the Managed Identity of the policy assignment.

Screenshots

Additional context
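The workaround described above, expressed as Terraform (an added example, not code from the module or from the issue author): a `Network Contributor` role assignment scoped to the DDoS plan itself, so the policy assignment's managed identity gets only what remediation needs. The plan name, resource group and the variable carrying the identity's principal ID are placeholders.

```hcl
# Added example; assumes the DDoS plan is named "ddos-plan-hub" in resource
# group "rg-connectivity" (placeholder values) and that the object ID of the
# Enable-DDoS-VNET policy assignment's managed identity is supplied as input.

variable "ddos_policy_assignment_principal_id" {
  description = "Object ID of the managed identity on the Enable-DDoS-VNET policy assignment (placeholder)."
  type        = string
}

# Look up the existing DDoS protection plan that remediation must attach to VNets.
data "azurerm_network_ddos_protection_plan" "hub" {
  name                = "ddos-plan-hub"    # placeholder
  resource_group_name = "rg-connectivity"  # placeholder
}

# Grant Network Contributor on the plan only (not on the subscription), which is
# the minimum scope that lets the remediation task modify the DDoS plan.
resource "azurerm_role_assignment" "ddos_remediation" {
  scope                = data.azurerm_network_ddos_protection_plan.hub.id
  role_definition_name = "Network Contributor"
  principal_id         = var.ddos_policy_assignment_principal_id
}
```

After applying, re-run the remediation task for the `Enable-DDoS-VNET` assignment; it should now succeed because the identity can update the plan.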

krowlandson commented 2 years ago

Thank you for logging this @mw8er. Unfortunately this is a known limitation currently in place on a number of our policies.

We are already discussing this in issue #439 and we hope to get this on our backlog before long.

Please track progress via #439 as I will close this as a duplicate issue.

Thank you

mw8er commented 2 years ago

@krowlandson Thanks for the triage and the link to #439. I'll follow that issue.

krowlandson commented 2 years ago

Trigger ADO Sync