With the current defaults, setting enableDdosProtection = true while leaving createDdosPlan = false will attempt to use an empty ddosProtectionPlanId, which will cause a deployment/validation failure (invalid resource ID). Consider enforcing a non-empty ddosProtectionPlanId when that configuration is used (e.g., via a separate parameter set/boolean gating, or adding a deployment-time assertion/constraint pattern supported by your Bicep toolchain).
```bicep
// Enforce that when DDoS protection is enabled without creating a new plan,
// an existing ddosProtectionPlanId must be provided.
var requireExistingDdosPlanId = enableDdosProtection && !createDdosPlan
assert ddosPlanIdProvided = !requireExistingDdosPlanId || !empty(ddosProtectionPlanId)
```
Originally posted by @Copilot in #9 (comment)
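
A pre-deployment check for the parameter combination described in the comment above, as an added example that is not part of the original comment or the project's code. It assumes an ARM-style parameters file (`parameters.<name>.value`) and the defaults the comment implies; the function name `check_ddos_params` and the sample files are hypothetical.

```python
import json
import re

# Assumed defaults, inferred from the review comment (the template is not shown).
DEFAULTS = {"enableDdosProtection": False, "createDdosPlan": False,
            "ddosProtectionPlanId": ""}

# General shape of a DDoS protection plan resource ID in Azure.
PLAN_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Network/ddosProtectionPlans/[^/]+$",
    re.IGNORECASE,
)

def check_ddos_params(parameters_json: str) -> list[str]:
    """Return the problems found; an empty list means the combination is usable."""
    supplied = json.loads(parameters_json).get("parameters", {})
    p = {name: supplied.get(name, {}).get("value", default)
         for name, default in DEFAULTS.items()}
    if not p["enableDdosProtection"] or p["createDdosPlan"]:
        return []  # protection is off, or the template creates its own plan
    plan_id = str(p["ddosProtectionPlanId"] or "").strip()
    if not plan_id:
        return ["enableDdosProtection is true and createDdosPlan is false, "
                "but ddosProtectionPlanId is empty"]
    if not PLAN_ID_RE.match(plan_id):
        return [f"ddosProtectionPlanId is not a DDoS plan resource ID: {plan_id!r}"]
    return []

# Constructed sample parameter files (placeholder subscription and names).
MISSING_ID = '{"parameters": {"enableDdosProtection": {"value": true}}}'
EXISTING_PLAN = json.dumps({"parameters": {
    "enableDdosProtection": {"value": True},
    "ddosProtectionPlanId": {"value":
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-example/providers/Microsoft.Network/ddosProtectionPlans/plan-example"},
}})
NEW_PLAN = json.dumps({"parameters": {"enableDdosProtection": {"value": True},
                                      "createDdosPlan": {"value": True}}})

if __name__ == "__main__":
    for label, doc in [("missing id", MISSING_ID), ("existing plan", EXISTING_PLAN),
                       ("new plan", NEW_PLAN)]:
        print(label, "->", check_ddos_params(doc) or "ok")
```

Run as a CI step before deployment, a non-empty result should fail the pipeline so that a network is never deployed with protection requested but no plan attached.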