Add DdosEnabled toggle and fix logic modPolicyAssignmentConnEnableDdos

[FallenHoot]

Overview/Summary

Closes Bug #596 and @jamiepla1 flagged this. Policy issue around parDdosProtectionPlanId, because by default parDdosProtectionPlanId is populated during creation of ALZ-Bicep Accelerator. If you don't clean (empty) or catch this, it will deploy a policy Enable-DDoS-VNET. This will block the creation of Virtual Networks in the Connectivity Subscription if you disable/false parDdosEnabled in other areas of ALZ-Bicep. To get around this, simply adding the boolean/toggle of parDdosEnabled will now make this not enable by default even if parDdosProtectionPlanId. Making this uniformed across the ALZ-Bicep deployment.

This PR fixes/adds/changes/removes

@sys.description('Switch to enable/disable DDoS Network Protection deployment. True will enforce policy Enable-DDoS-VNET at connectivity or landing zone Management Groups. False will not enforce policy Enable-DDoS-VNET.')
param parDdosEnabled bool = true

Within the Module modPolicyAssignmentConnEnableDdosVnet the variable parPolicyAssignmentIdentityType, parDisableAlzDefaultPolicies was removed in favor of having parDdosEnabled. This allows the policy to be added, but not inforced if parDdosEnabled is false. If the end-user forgets to set parDdosEnabled, then they will get an error when deploying networking within Connectivity Subscription.

parPolicyAssignmentEnforcementMode: !parDdosEnabled ? 'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode

When deploying Hub in Connectivity Subscription the following happens if Enable-DDoS-VNET is enforced

The deployment 'alz-Hub-and-SpokeDeploy-20231209T1712405048Z'
     | failed with error(s). Showing 1 out of 1 error(s). Status Message:
     | Resource
     | /subscriptions/*******-****-****-****-************/resourceGroups/rg-alz-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan referenced by resource /subscriptions/*******-****-****-****-************/resourceGroups/rg-alz-connectivity/providers/Microsoft.Network/virtualNetworks/alz-hub-swedencentral was not found. Please make sure that the referenced resource exists. (Code: InvalidGlobalResourceReference)

**Disclaimer
It should be documented that DDoS Protection is a recommendation, therefor the policy is in a non-compliant state as when it is turned to parDdosEnabled = false, as it is not being enforced.

Breaking Changes

1. N/A

Testing Evidence

As part of this Pull Request I have

• Read the Contribution Guide and ensured this PR is compliant with the guide
• Ensured the resource API versions in .bicep file/s I am adding/editing are using the latest API version possible
• Checked for duplicate Pull Requests
• Associated it with relevant GitHub Issues
• (ALZ Bicep Core Team Only) Associated it with relevant ADO Items
• Ensured my code/branch is up-to-date with the latest changes in the main branch
• Performed testing and provided evidence.
• Updated one or more of the following tests (if required)
  • Unit
  • Linting
  • E2E (End-To-End)
  • ValidateAzCloud (Base validation in Azure Cloud)
  • ValidateMcCloud (Base validation in Azure China Cloud)
• Updated relevant and associated documentation (e.g. Contribution Guide, Module READMEs, Wiki Docs etc.)
• If relevant, created or updated Code Tours here

[jtracey93]

This needs to be an OR as otherwise it's going to be a breaking change for anyone using the parDisableAlzDefaultPolicies method. Please adjust.

Also we should make it that if parDdosEnabled = true and parDdosProtectionPlanId !empty is part of the refactored logic

[microsoft-github-policy-service]

This pull request has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment.