[Bug Report] DDoS Protection Plan in VNET Module for release version 3.2.1 only supports DDoS plan within the same subscription #112

Open
jinkang23 opened this issue Dec 3, 2024 · 1 comment
Labels: enhancement (New feature or request)

jinkang23 commented Dec 3, 2024

Describe the bug

Latest release version 3.2.1 of the VNET module added support for DDoS Protection Plan. However, it only supports a DDoS Protection Plan resource within the same subscription as the VNET module, due to the use of `data.azurerm_network_ddos_protection_plan`, which accepts only `resource_group_name` and `name`.

In an enterprise environment, it's fairly common practice (at least for us) to re-use a single DDoS Protection Plan for multiple VNETs, due to the large upfront cost and a single plan supporting up to 100 resources. Because of this, the DDoS Protection Plan is created in a separate Azure subscription instead.

I propose that the VNET module interface be updated to accept the DDoS Protection Plan ID instead and remove `data.azurerm_network_ddos_protection_plan`.

Example:

variable "ddos_protection_plan" {
  description = "The DDoS protection plan configuration. If `id` is provided, DDoS protection is enabled for the VNET."
  type = object({
    id     = optional(string, null) # If `id` is provided, DDoS protection will be enabled
    enable = optional(bool, true)   # Whether to enable DDoS protection
  })
  default = {
    id     = null
    enable = true
  }
}

resource "azurerm_virtual_network" "this" {
  count = var.create_virtual_network ? 1 : 0

  { ... }

  dynamic "ddos_protection_plan" {
    for_each = var.ddos_protection_plan.id != null ? [1] : []
    content {
      id     = var.ddos_protection_plan.id
      enable = var.ddos_protection_plan.enable
    }
  }

  { ... }

Module Version

v2.3.1

Terraform version

1.10.0

Expected behavior

Support using DDoS Protection Plan hosted in a different Azure Subscription within the same Azure tenant.

Current behavior

Only supports a DDoS Protection Plan hosted in the same Azure subscription as the VNET.

Anything else to add?

No response
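The cross-subscription setup the issue asks for, written out end to end as an added example (this is not the module's code and not the reporter's; the provider aliases, subscription IDs, resource names and the `./modules/vnet` path are placeholders). The module-side part adds a `validation` block so that a bare plan name, which the old name-based interface would have accepted, is rejected at plan time; the caller-side part resolves the plan through an aliased `azurerm` provider pointed at the shared-services subscription and hands only the resulting ID to the module:

```hcl
# ---- modules/vnet/variables.tf (variable as proposed, plus input validation) ----
# Reject anything that is not a full ddosProtectionPlans resource ID, so a
# bare plan name fails at `terraform plan` instead of at apply.
variable "ddos_protection_plan" {
  description = "DDoS plan to associate with the VNET. `id` may live in another subscription of the same tenant."
  type = object({
    id     = optional(string, null)
    enable = optional(bool, true)
  })
  default = {}

  validation {
    condition = var.ddos_protection_plan.id == null || can(regex(
      "^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\\.Network/ddosProtectionPlans/[^/]+$",
      var.ddos_protection_plan.id
    ))
    error_message = "ddos_protection_plan.id must be a full DDoS protection plan resource ID, or null."
  }
}

# ---- root main.tf (caller) ----
# Workload subscription: where the VNET is created. (placeholder subscription ID)
provider "azurerm" {
  subscription_id = "00000000-0000-0000-0000-000000000002"
  features {}
}

# Shared-services subscription: owns the single DDoS plan reused by many VNETs.
# (placeholder subscription ID)
provider "azurerm" {
  alias           = "shared"
  subscription_id = "00000000-0000-0000-0000-000000000001"
  features {}
}

# Resolve the plan through the aliased provider; only its ID crosses the
# subscription boundary into the module. (placeholder names)
data "azurerm_network_ddos_protection_plan" "shared" {
  provider            = azurerm.shared
  name                = "ddos-plan-shared"
  resource_group_name = "rg-network-shared"
}

module "vnet" {
  source = "./modules/vnet" # placeholder path

  # the module's other inputs (name, address space, resource group) go here

  ddos_protection_plan = {
    id     = data.azurerm_network_ddos_protection_plan.shared.id
    enable = true
  }
}
```

Two things to check before relying on this. The data lookup only needs read access to the plan, but associating the VNET requires the deploying identity to hold `Microsoft.Network/ddosProtectionPlans/join/action` on the plan in the shared subscription (Network Contributor includes it); without it `terraform plan` succeeds and the VNET create fails with an authorization error. And because the module now takes an ID rather than a name, a caller that already knows the plan ID can pass it as a literal and drop the data source entirely, so the workload pipeline needs no read permission in the shared subscription at all.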

jinkang23 (Author) commented:

Hello @acelebanski - I appreciate adding support for DDoS Protection Plan to the VNET module in that latest release.
After some testing, I've realized that it doesn't really meet our use case due to the lack of support for using a DDoS Protection Plan that's hosted in a different Azure subscription. I've opened a bug issue in the hope that the module can be tweaked to support accepting the DDoS Protection Plan ID instead.

@acelebanski acelebanski self-assigned this Dec 4, 2024
@acelebanski acelebanski added the enhancement New feature or request label Dec 4, 2024