Hey @skiddder,
Thanks for the issue. I think if you also set `link_to_ddos_protection_plan` to `false` as part of the hub networks block, this will allow you to disable it. The DDoS protection of the VPN GW actually comes from the fact that the hub VNet has the DDoS link enabled via the above variable.
So changing this to `false`, as well as the DDoS plan disablement as you have done, should do the trick here.
Hi @jtracey93,
> I think if you also set the `link_to_ddos_protection_plan` to `false` as part of the hub networks block this will allow you to disable it.
I already tried this.
After running the pipeline several times with different combinations of true/false for `link_to_ddos_protection_plan` and `ddos_protection_plan.enabled`, it finally went through without error. Having to run it several times seems to be an indicator that terraform does not recognize the dependency between those resources.
So as a best practice, one should deactivate the protection first and in a 2nd step remove the DDoS protection plan itself.
Versions
terraform: 1.3.6
azure provider: 3.37.0
module: 3.1.2
Description
DDoS protection plan will not be removed when it was deployed before
When turning the switch in `ddos_protection_plan.enabled` from true to false, I receive the following error message in terraform:
```text
Error: deleting Ddos Protection Plan: (Name "es-ddos-northeurope" / Resource Group "es-ddos"): network.DdosProtectionPlansClient#Delete: Failure sending request: StatusCode=400 -- Original Error: Code="InUseDdosProtectionPlanCannotBeDeleted" Message="DDoS Protection Plan /subscriptions/aacc8343-56ad-4b3f-9986-de980868f677/resourceGroups/es-ddos/providers/Microsoft.Network/ddosProtectionPlans/es-ddos-northeurope cannot be deleted because it is in use with virtual networks /subscriptions/aacc8343-56ad-4b3f-9986-de980868f677/resourceGroups/es-connectivity-westeurope/providers/Microsoft.Network/virtualNetworks/es-hub-westeurope. Please disable DDoS standard on the virtual network as explained in the documentation link : https://docs.microsoft.com/en-us/azure/virtual-network/manage-ddos-protection#disable-ddos-for-a-virtual-network." Details=[]
```
I checked via the Azure portal whether there are any protected resources in the DDoS protection plan, and I found that the hub VNet and the VNet gateway are still under protection:
My expectation was that protections that were automatically created by the module will be removed when removing the ddos protection plan.
I did not create any other protectable resources, but I think it might be worth validating that in case you have created a firewall via the module, that this protection is also removed automatically.
Steps to Reproduce
While doing a greenfield deployment in my lab, I used this settings.connectivity.tf file:
I then saw that the DDoS protection plan would probably bring my lab budget to its limit, so I decided to switch it off by changing the `ddos_protection_plan.enabled` property in settings.connectivity.tf to false:
When I ran into the error above, I checked whether there are switches to disable the protection on the hub VNet and the VPN gateway. I found that there is a switch for the hub VNet, which I also set to "false". For the VPN gateway I couldn't find such a switch. But I still ran into the same error, as terraform first tries to delete the DDoS protection plan before changing the protection setting on the hub VNet.
Screenshots
Additional context
I am running terraform via an Azure DevOps pipeline.
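The two-step teardown that the thread converges on, written out as a settings.connectivity.tf fragment. This is an added example, not code from the issue or from the module itself; the variable shape (`configure_connectivity_resources.settings.hub_networks[].config.link_to_ddos_protection_plan` and `settings.ddos_protection_plan.enabled`) is assumed from what the thread names and from the 3.x module inputs, and the address ranges, locations and gateway SKU are placeholders.

```hcl
# Added example (not from the issue or the module): unlink first, delete second.
# Assumed input shape for module version 3.x; addresses, locations and SKU are
# placeholders. Apply this file as-is for step 1, then change the single line
# marked "step 2" and apply again.
locals {
  configure_connectivity_resources = {
    settings = {
      hub_networks = [
        {
          enabled = true
          config = {
            address_space = ["10.100.0.0/22"]
            location      = "westeurope"

            # Step 1: unlink the hub VNet from the plan while the plan still
            # exists. This is the change Terraform must apply before the plan
            # can be deleted; the VPN gateway inherits protection from the
            # VNet, so it has no switch of its own.
            link_to_ddos_protection_plan = false   # was: true

            virtual_network_gateway = {
              enabled = true
              config = {
                address_prefix  = "10.100.1.0/24"
                gateway_sku_vpn = "VpnGw1"
              }
            }
          }
        },
      ]

      ddos_protection_plan = {
        # Step 1: leave the plan in place so there is exactly one change in
        # the plan output (the VNet update).
        # Step 2 (separate apply, after step 1 succeeded): set this to false.
        enabled = true
        config = {
          location = "northeurope"
        }
      }
    }
  }
}
```

Between the two applies it is worth confirming from the Azure side, not just from Terraform's state, that the plan no longer lists any virtual networks; with the names from the error message above, `az network ddos-protection show --resource-group es-ddos --name es-ddos-northeurope --query "virtualNetworks[].id" -o tsv` should print nothing before step 2 is run. Doing the two changes in one apply reproduces the `InUseDdosProtectionPlanCannotBeDeleted` error because the plan deletion is attempted before the VNet update, which is the ordering problem the issue describes.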