PaloAltoNetworks / terraform-azurerm-swfw-modules

Terraform Reusable Modules for Software Firewalls on Azure
https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm
MIT License

[Bug Report] DDoS Protection Plan in VNET Module for release version 3.2.1 only supports DDoS plan within the same subscription #112

Open jinkang23 opened 20 hours ago

jinkang23 commented 20 hours ago

Describe the bug

The latest release, version 3.2.1, of the VNET module added support for DDoS Protection Plan. However, it only supports a DDoS Protection Plan resource within the same subscription as the VNET module, because the data.azurerm_network_ddos_protection_plan lookup accepts only resource_group_name and name.

In an enterprise environment, it's fairly common practice (at least for us) to re-use a single DDoS Protection Plan for multiple VNETs due to the large upfront cost and a single plan supporting up to 100 resources. Because of this, the DDoS Protection Plan is created in a separate Azure Subscription instead.

I propose that the VNET module interface be updated to accept the DDoS Protection Plan ID instead and remove the data.azurerm_network_ddos_protection_plan lookup.

Example:

variable "ddos_protection_plan" {
  description = "The DDoS protection plan configuration. If `id` is provided, DDoS protection is enabled for the VNET."
  type = object({
    id     = optional(string, null) # If `id` is provided, DDoS protection will be enabled
    enable = optional(bool, true)   # Whether to enable DDoS protection
  })
  default = {
    id     = null
    enable = true
  }
}

resource "azurerm_virtual_network" "this" {
  count = var.create_virtual_network ? 1 : 0

  # ... (other arguments unchanged)

  dynamic "ddos_protection_plan" {
    for_each = var.ddos_protection_plan.id != null ? [1] : []
    content {
      id     = var.ddos_protection_plan.id
      enable = var.ddos_protection_plan.enable
    }
  }

  # ...
}

Module Version

v2.3.1

Terraform version

1.10.0

Expected behavior

Support using DDoS Protection Plan hosted in a different Azure Subscription within the same Azure tenant.

Current behavior

Only supports DDoS Protection Plan hosted in the same Azure subscription as the VNET

Anything else to add?

No response
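The following root-module configuration is an added example, not code from the issue or from the swfw-modules project. It shows how a caller would consume the proposed `ddos_protection_plan = { id, enable }` interface when the plan lives in a different subscription of the same tenant: the plan is looked up through an aliased azurerm provider pointed at the hub subscription, and only its ID is handed to the VNET module. The submodule path "modules/vnet", the module input names other than create_virtual_network, the subscription IDs, resource group and resource names are all placeholders.

```hcl
# Added example (not part of the issue or the module). Assumes the VNET module
# adopts the proposed `ddos_protection_plan` variable; all IDs, names and the
# "modules/vnet" submodule path are placeholders.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

# Default provider: the subscription that will own the VNET.
provider "azurerm" {
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000001" # placeholder
}

# Aliased provider: the shared hub subscription that owns the DDoS plan.
provider "azurerm" {
  alias           = "ddos"
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000002" # placeholder
}

# Resolve the plan in the hub subscription, not in the VNET's subscription.
# This lookup now lives in the root module instead of inside the VNET module.
data "azurerm_network_ddos_protection_plan" "shared" {
  provider            = azurerm.ddos
  name                = "shared-ddos-plan" # placeholder
  resource_group_name = "rg-network-hub"   # placeholder
}

# Only the resource ID crosses the module boundary, so the module never needs
# to know which subscription the plan is in.
module "vnet" {
  source = "PaloAltoNetworks/swfw-modules/azurerm//modules/vnet" # assumed submodule path

  create_virtual_network = true
  name                   = "vnet-fw"        # assumed input name
  resource_group_name    = "rg-fw"          # assumed input name
  location               = "eastus"         # assumed input name
  address_space          = ["10.0.0.0/16"]  # assumed input name

  ddos_protection_plan = {
    id     = data.azurerm_network_ddos_protection_plan.shared.id
    enable = true
  }
}
```

Two things to check before relying on this: the identity running terraform must be able to read the plan in the hub subscription and to attach the VNET to it (the Microsoft.Network/ddosProtectionPlans/join/action permission on the plan), otherwise the VNET create fails even though the plan lookup succeeds; and since the plan ID is now a plain string input, a typo in the subscription or resource group segment is only caught at apply time, so keep the data-source lookup in the root module rather than hand-writing the ID.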

jinkang23 commented 20 hours ago

Hello @acelebanski - I appreciate adding support for DDoS Protection Plan to the VNET module in that latest release. After some testing, I've realized that it doesn't really meet our use case due to the lack of support for using a DDoS Protection Plan that's hosted in a different Azure subscription. I've opened a bug issue in the hope that the module can be tweaked to support accepting the DDoS Protection Plan ID instead.