[Bug] ddos_protection_plan can only be configured for all workspaces #33

@matthiss

Description

The ddos_protection_plan can only be configured for all workspaces at once. If it's only enabled in workspace a, the module fails if it is run in workspace b.

  virtual_network = {
    environment = {
      name                = format(local.resource_name.virtual_network, terraform.workspace)
      location            = local.location
      resource_group_name = data.azurerm_resource_group.environment.name
      address_space       = [format("%s/%s", local.network.address_space[terraform.workspace], local.network.netmask.default)]
      tags                = local.tags
      ddos_protection_plan = terraform.workspace != "prod" ? {} : {
        enable  = true
        id      = "/subscriptions/1234/resourceGroups/example-com-rg/providers/Microsoft.Network/ddosProtectionPlans/example-com-ddos-protection"
      }
    }
  }

If terraform plan is executed from the test workspace, not from prod, the following error occurs:

│ Error: Missing map element
│ 
│   on .terraform/modules/network/main.tf line 26, in resource "azurerm_virtual_network" "virtual_network":
│   26:       id     = local.virtual_network[each.key].ddos_protection_plan.id
│     ├────────────────
│     │ each.key is "environment"
│     │ local.virtual_network is object with 1 attribute "environment"
│ 
│ This map does not have an element with the key "id".

Reproduction steps

Restrict ddos_protection_plan to one workspace, then plan/apply from another workspace.

Current Behavior

Error: missing map element

Expected Behavior

ddos_protection_plan is ignored/skipped in unwanted environments/workspaces

Additional information

No response
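
One way a module can tolerate the empty `{}` value reported above, as an added sketch that is not the module's own code and not part of the original report. The variable name `virtual_network` and the attributes other than `ddos_protection_plan` are assumptions taken from the caller snippet in the issue; the module's real `main.tf` is not shown on this page.

```hcl
# Added example (assumed layout, not the module's actual main.tf).
variable "virtual_network" {
  description = "Map of virtual networks, shaped like the caller snippet in the issue."
  type        = any
}

locals {
  virtual_network = var.virtual_network

  # Per network: a one-element list when a plan id is present, an empty
  # list when ddos_protection_plan is {} or omitted. try() absorbs the
  # "Missing map element" error for the key "id" instead of failing the plan.
  ddos_protection_plan = {
    for key, vnet in local.virtual_network :
    key => try([{
      id     = vnet.ddos_protection_plan.id
      enable = try(vnet.ddos_protection_plan.enable, true)
    }], [])
  }
}

resource "azurerm_virtual_network" "virtual_network" {
  for_each = local.virtual_network

  name                = each.value.name
  location            = each.value.location
  resource_group_name = each.value.resource_group_name
  address_space       = each.value.address_space
  tags                = try(each.value.tags, {})

  # The block is rendered only where a plan id exists, so a workspace
  # without a plan produces a virtual network with no ddos_protection_plan.
  dynamic "ddos_protection_plan" {
    for_each = local.ddos_protection_plan[each.key]
    content {
      id     = ddos_protection_plan.value.id
      enable = ddos_protection_plan.value.enable
    }
  }
}
```

With a guard like this a missing plan is skipped silently, so the `terraform plan` output for the prod workspace is the place to confirm that the `ddos_protection_plan` block is still present.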
