hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Write permission required for azurerm_virtual_network ddos_protection_plan even though ignored by lifecycle #10761

Open thecodetinker opened 3 years ago

thecodetinker commented 3 years ago

Community Note

Terraform (and AzureRM Provider) Version

Terraform: v0.14.7 azurerm: v2.49.0

Affected Resource(s)

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

resource "azurerm_virtual_network" "virtual_network" {
  name                = "SYDNEY"
  location            = var.location
  resource_group_name = "SYDNEY"
  tags                = var.tags
  address_space       = var.address_space
  dns_servers         = var.dns_servers

  lifecycle {
    ignore_changes = [
      ddos_protection_plan # The DDoS Protection Plan is applied by Azure Management Policy to the relevant networks, and should not be managed by Terraform.
    ]
  }
}

Debug Output

Panic Output

Expected Behaviour

Apply should ignore anything related to ddos_protection_plan when updating the vnet.

Actual Behaviour

Terraform fails when making any changes to the virtual network. Even though DDoS protection is ignored by the lifecycle (in our case, DDoS is applied centrally via Policy) something is still causing a write attempt. Since the service principal running the Terraform has no rights on the central DDoS Policy, this write attempt fails with the following error:

Error: Error Creating/Updating Virtual Network "SYDNEY" (Resource Group "SYDNEY"): network.VirtualNetworksClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client 'f224ee8d-xxxx' with object id 'f224ee8d-xxx' has permission to perform action 'Microsoft.Network/virtualNetworks/write' on scope '/subscriptions/2186xxx/resourceGroups/SYDNEY/providers/Microsoft.Network/virtualNetworks/SYDNEY'; however, it does not have permission to perform action 'Microsoft.Network/ddosProtectionPlans/join/action' on the linked scope(s) '/subscriptions/2688xxx/resourceGroups/RGRP/providers/Microsoft.Network/ddosProtectionPlans/DDoSPlan' or the linked scope(s) are invalid."

However, nothing has changed as far as DDoS goes - indeed, no changes are listed in the plan.

Steps to Reproduce

  1. Add a virtual network with Terraform as per above resources
  2. DDoS Protection is added by an Azure Policy
  3. Make some unrelated change to the virtual network terraform, e.g. update the Tags
  4. Run terraform apply

Important Factoids

References

hobti01 commented 1 year ago

With terraform 0.14 and azurerm 2.99 (and 3.61) we are also affected by this with equivalent code. The only option we found was to grant additional permission.

It would be very nice to simply ignore any DDoS plan that is attached after terraforming.
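If the extra permission has to be granted, it can at least be kept to the single action the 403 names. The following is an added example, not code from the thread or from the provider: a custom role containing only `Microsoft.Network/ddosProtectionPlans/join/action`, assignable only at the DDoS plan's own scope, assigned to the service principal that runs Terraform. The plan ID and principal object ID are placeholders.

```hcl
# Added example (not from the issue): least-privilege grant of the one action
# reported as missing in the LinkedAuthorizationFailed error.
# All IDs are placeholders; substitute your own values.

variable "ddos_plan_id" {
  description = "Resource ID of the centrally managed DDoS Protection Plan (placeholder)"
  type        = string
  default     = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RGRP/providers/Microsoft.Network/ddosProtectionPlans/DDoSPlan"
}

variable "terraform_principal_object_id" {
  description = "Object ID of the service principal that runs terraform apply (placeholder)"
  type        = string
  default     = "00000000-0000-0000-0000-000000000000"
}

# Only the join action: the principal may reference the plan from a vnet but
# cannot read, change or delete the plan itself, and the role cannot be
# assigned anywhere except on this one plan.
resource "azurerm_role_definition" "ddos_plan_join" {
  name        = "DDoS Protection Plan Joiner"
  scope       = var.ddos_plan_id
  description = "Allows attaching virtual networks to this DDoS plan only"

  permissions {
    actions     = ["Microsoft.Network/ddosProtocolPlans/join/action" == "" ? "" : "Microsoft.Network/ddosProtectionPlans/join/action"]
    not_actions = []
  }

  assignable_scopes = [var.ddos_plan_id]
}

# Bind the role to the Terraform identity at the plan's scope, not the
# subscription, so the blast radius stays limited to this plan.
resource "azurerm_role_assignment" "terraform_ddos_join" {
  scope              = var.ddos_plan_id
  role_definition_id = azurerm_role_definition.ddos_plan_join.role_definition_resource_id
  principal_id       = var.terraform_principal_object_id
}
```

In the error quoted above the plan lives in a different subscription from the vnet, so this assignment must be created in the plan's subscription by an identity that is allowed to manage role assignments there.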

QBY-ChristianHartmann commented 3 months ago

The issue still persists in terraform version 1.9.4/ azurerm version 3.116.0. Is there any fix for this?