Add DdosEnabled toggle and fix logic modPolicyAssignmentConnEnableDdos (#810)

* Add DdosEnabled toggle and fix logic modPolicyAssignmentConnEnableDdosVnet

* Added or operator to avoid breaking change

* Added additional logic for parDdosEnabled

* Add param to md file for module

* Generate Parameter Markdowns [oZakari/0a9a675f]

* Update docs for Accelerator approaches

---------

Co-authored-by: Zach Olinske <19664186+FallenHoot@users.noreply.github.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
3 people authored Jul 9, 2024
1 parent 0a9a675 commit 5759b89
Showing 5 changed files with 39 additions and 10 deletions.
18 changes: 13 additions & 5 deletions docs/wiki/Accelerator.md
Expand Up @@ -255,25 +255,33 @@ Here you can find the detailed changes for a minimal hub-and-spoke deployment. F

- Remove the DDos Plan: edit config/custom-parameters/hubNetworking.parameters.all.json and set **parDdosEnabled** to **false**.

```yaml
```json
"parDdosEnabled": {
"value": false
},
```

Then **you must disable the automatic Policy assignment** by adding the following in config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json (this may no longer be necessary in a future release, see bug #596):
Then you can either **disable the automatic Policy assignment** by adding the following in config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json:

```yaml
```json
"parExcludedPolicyAssignments": {
"value": [
"Enable-DDoS-VNET"
]
},
```

OR if you want to still deploy the assignment to track the compliance against ALZ recommendations, **set the enforcement mode to DoNotEnforce** in the same parameter file by setting `parDdosEnabled` to `false`:

```json
"parDdosEnabled": {
"value": true
},
```

- Remove Bastion or Firewall: edit config/custom-parameters/hubNetworking.parameters.all.json and set **parAzBastionEnabled** and/or **parAzFirewallEnabled** to **false**. You can also keep it enabled and switch to the **Bastion Basic/Developer SKU and Firewall Basic Tier** for a cost-efficient yet functional starting point.

```yaml
```json
"parAzBastionEnabled": {
"value": false
},
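Review bot: the second alternative contradicts its own snippet. The sentence says to get DoNotEnforce "by setting `parDdosEnabled` to `false`", but the JSON that follows sets `"value": true`, and with the new enforcement expression (`!parDdosEnabled || parDisableAlzDefaultPolicies ? 'DoNotEnforce' : ...`) `true` keeps the assignment enforced; change the snippet to `"value": false`. It would also help to state that this `parDdosEnabled` belongs to alzDefaultPolicyAssignments.parameters.all.json and is a different parameter from the hubNetworking `parDdosEnabled` in the first bullet, which controls whether the plan itself is deployed: a reader seeing the same name twice may set only one of them and end up with the policy enforced against a plan that was never created.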
Expand All @@ -284,7 +292,7 @@ Here you can find the detailed changes for a minimal hub-and-spoke deployment. F

- Remove VPN or ExpressRoute gateways: edit config/custom-parameters/hubNetworking.parameters.all.json and set **parVpnGatewayEnabled** and/or **parExpressRouteGatewayEnabled** to **false**. Optionally the parameter **parVpnGatewayConfig** and/or **parExpressRouteGatewayConfig** could be set to an empty object or removed. For vWAN, look for the **parVpnGatewayEnabled** and **parExpressRouteGatewayEnabled** parameters instead.

```yaml
```json
"parVpnGatewayEnabled": {
"value": false
},
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,10 @@ param parAutomationAccountName string = 'alz-automation-account'
@sys.description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.')
param parMsDefenderForCloudEmailSecurityContact string = 'security_contact@replace_me.com'

@sys.description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.')
@sys.description('Switch to enable/disable DDoS Network Protection deployment. True will enforce policy Enable-DDoS-VNET at connectivity or landing zone Management Groups. False will not enforce policy Enable-DDoS-VNET.')
param parDdosEnabled bool = true

@sys.description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks.')
param parDdosProtectionPlanId string = ''

@sys.description('Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group.')
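Review bot: the new description says parDdosEnabled is a "switch to enable/disable DDoS Network Protection deployment", but this module deploys no protection plan; the switch only flips the Enable-DDoS-VNET assignments to DoNotEnforce (see the parPolicyAssignmentEnforcementMode changes below). Describe it as the enforcement toggle so it is not confused with the hubNetworking parameter of the same name. The parDdosProtectionPlanId description also dropped the "If left empty, the policy Enable-DDoS-VNET will not be assigned ... to avoid VNET deployment issues" behaviour without saying what now happens: with the defaults (`parDdosEnabled = true`, `parDdosProtectionPlanId = ''`) the assignment is enforced with an empty plan ID unless the module is guarded by a condition not shown in this diff, which is the VNet deployment failure the old text warned about. Either document that the plan ID is required whenever parDdosEnabled is true, or make the enforcement condition also check `empty(parDdosProtectionPlanId)`.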
Expand Down Expand Up @@ -1227,7 +1230,7 @@ module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policy
}
}
parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
parPolicyAssignmentEnforcementMode: !parDdosEnabled || parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.networkContributor
]
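Review bot: the condition is correct as written, because Bicep's `||` binds tighter than the conditional `?:`, so `!parDdosEnabled || parDisableAlzDefaultPolicies ? 'DoNotEnforce' : ...` evaluates the whole disjunction before choosing a branch; but without parentheses it reads as though only parDisableAlzDefaultPolicies were being tested. Write it as `(!parDdosEnabled || parDisableAlzDefaultPolicies) ? 'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode` so the next reader does not have to look up the precedence table to confirm the fix.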
Expand Down Expand Up @@ -1444,7 +1447,7 @@ module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyA
}
}
parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type
parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
parPolicyAssignmentEnforcementMode: !parDdosEnabled || parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
parPolicyAssignmentIdentityRoleDefinitionIds: [
varRbacRoleDefinitionIds.networkContributor
]
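Review bot: this is the same expression copied verbatim from modPolicyAssignmentConnEnableDdosVnet above. Hoist it into one variable (for example `varDdosEnforcementMode`, a hypothetical name) and pass that to both the connectivity and the landing-zones assignment, so a later change to the condition cannot land in one assignment and not the other; the two already have to be kept in lockstep by hand, and the commit message's "fix logic" shows how easily that drifts.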
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,8 @@ parUserAssignedManagedIdentityResourceId | No | User Assigned Managed Iden
parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace.
parAutomationAccountName | No | Automation account name.
parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.
parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.
parDdosEnabled | No | Switch to enable/disable DDoS Network Protection deployment. True will enforce policy Enable-DDoS-VNET at connectivity or landing zone Management Groups. False will not enforce policy Enable-DDoS-VNET.
parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks.
parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group.
parPrivateDnsZonesNamesToAuditInCorp | No | Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules.
parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce.
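Review bot: these rows are regenerated from the `@sys.description` strings in the .bicep file (the commit message lists a "Generate Parameter Markdowns" step), so the wording problem with parDdosEnabled ("deployment" where only the assignment's enforcement mode is affected) needs to be fixed in the Bicep description and regenerated, not edited here. The parDdosProtectionPlanId row now gives the reader no hint that the ID must be supplied whenever parDdosEnabled is true; that constraint belongs in the description as well.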
Expand Down Expand Up @@ -161,11 +162,19 @@ An e-mail address that you want Microsoft Defender for Cloud alerts to be sent t

- Default value: `security_contact@replace_me.com`

### parDdosEnabled

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Switch to enable/disable DDoS Network Protection deployment. True will enforce policy Enable-DDoS-VNET at connectivity or landing zone Management Groups. False will not enforce policy Enable-DDoS-VNET.

- Default value: `True`

### parDdosProtectionPlanId

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.
ID of the DdosProtectionPlan which will be applied to the Virtual Networks.

### parPrivateDnsResourceGroupId

Expand Down Expand Up @@ -290,6 +299,9 @@ Set Parameter to true to Opt-out of deployment telemetry
"parMsDefenderForCloudEmailSecurityContact": {
"value": "security_contact@replace_me.com"
},
"parDdosEnabled": {
"value": true
},
"parDdosProtectionPlanId": {
"value": ""
},
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@
"parTopLevelManagementGroupSuffix": {
"value": ""
},
"parDdosEnabled": {
"value": true
},
"parTopLevelPolicyAssignmentSovereigntyGlobal": {
"value": {
"parTopLevelSovereigntyGlobalPoliciesEnable": false,
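Review bot: the new parameter is inserted between parTopLevelManagementGroupSuffix and parTopLevelPolicyAssignmentSovereigntyGlobal here, and between parTopLevelManagementGroupPrefix and parLogAnalyticsWorkSpaceAndAutomationAccountLocation in the second parameters file, while the generated documentation places it immediately before parDdosProtectionPlanId. Keeping both parameter files in the module's parameter order (parDdosEnabled directly above parDdosProtectionPlanId) makes a diff against the generated defaults reviewable and keeps the two related settings next to each other for anyone editing the file.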
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@
"parTopLevelManagementGroupPrefix": {
"value": "alz"
},
"parDdosEnabled": {
"value": true
},
"parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
"value": "eastus"
},