Azure Policy Remediation

This page shows how to write Terraform and Azure Resource Manager configuration for Azure Policy Remediation, and how to write it securely.

azurerm_policy_remediation (Terraform)

Azure Policy Remediation can be configured in Terraform with the resource name azurerm_policy_remediation. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L7
# Module-style usage: every argument is passed in through an input variable.
resource "azurerm_policy_remediation" "this" {
  location_filters               = var.location_filters
  name                           = var.name
  policy_assignment_id           = var.policy_assignment_id
  policy_definition_reference_id = var.policy_definition_reference_id
  scope                          = var.scope
}
Policy.tf#L46
# Remediation runs as the assignment's managed identity, so the role grant
# for that identity must be in place before the remediation task is created.
resource "azurerm_policy_remediation" "remediatetagassignmentpolicy" {
  name                    = "addtagsviapolicyremediation"
  scope                   = "/subscriptions/49d3ec60-54b5-41c0-b240-c0cc7980a4f4"
  policy_assignment_id    = azurerm_policy_assignment.assigntagonsubscription.id
  resource_discovery_mode = "ReEvaluateCompliance"
  depends_on              = [azurerm_role_assignment.roleManagedidentitytagassignment]
}
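The following is an added example, not code from the page or from the repositories it cites. It shows the full chain that the Policy.tf snippet above relies on: a policy assignment with a system-assigned managed identity, the least-privilege role grant that identity needs, and a remediation task that waits for the grant. It assumes azurerm provider 2.x and the built-in "Add a tag to resources" policy; the resource names, tag values and region are placeholders.

```hcl
# Added example (not from the page or any of the repositories it cites).
# Assumes azurerm provider 2.x and that the built-in policy
# "Add a tag to resources" (effect: modify) exists under that display name.
data "azurerm_subscription" "current" {}

data "azurerm_policy_definition" "add_tag" {
  display_name = "Add a tag to resources" # assumed built-in display name
}

# The assignment gets a system-assigned managed identity; remediation
# deployments run as this identity, not as whoever created the task.
resource "azurerm_policy_assignment" "add_owner_tag" {
  name                 = "add-owner-tag"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = data.azurerm_policy_definition.add_tag.id
  location             = "westeurope" # required once an identity is attached

  identity {
    type = "SystemAssigned"
  }

  parameters = jsonencode({
    tagName  = { value = "owner" }
    tagValue = { value = "unassigned" }
  })
}

# Least privilege: a modify-tags policy needs only Tag Contributor, not
# Contributor, and the grant is scoped no wider than the assignment itself.
resource "azurerm_role_assignment" "remediation_identity" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Tag Contributor"
  principal_id         = azurerm_policy_assignment.add_owner_tag.identity[0].principal_id
}

# ReEvaluateCompliance re-scans the scope instead of acting only on resources
# already recorded as non-compliant; location_filters bounds the change set.
resource "azurerm_policy_remediation" "add_owner_tag" {
  name                    = "add-owner-tag-remediation"
  scope                   = data.azurerm_subscription.current.id
  policy_assignment_id    = azurerm_policy_assignment.add_owner_tag.id
  location_filters        = ["westeurope"]
  resource_discovery_mode = "ReEvaluateCompliance"

  # The role grant must exist before the task starts, otherwise the
  # remediation deployments fail with authorization errors.
  depends_on = [azurerm_role_assignment.remediation_identity]
}
```

Before granting any role, read the roleDefinitionIds declared in the policy definition's modify or deployIfNotExists details and grant exactly those; a broader role such as Contributor turns the remediation identity into a standing privilege on the whole scope.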

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages an Azure Policy Remediation at the specified Scope.

Microsoft.PolicyInsights/remediations (Azure Resource Manager)

The remediations in Microsoft.PolicyInsights can be configured in Azure Resource Manager with the resource name Microsoft.PolicyInsights/remediations. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

  • apiVersion required - string
  • name required - string

    The name of the remediation.

  • properties required
      • failureThreshold optional
          • percentage optional - number

            A number between 0.0 and 1.0 representing the failure threshold as a fraction. The remediation will fail if the fraction of failed remediation operations (i.e. failed deployments) exceeds this threshold.

      • filters optional
          • locations optional - array

            The resource locations that will be remediated.

      • parallelDeployments optional - integer

        Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. If not provided, the default parallel deployments value is used.

      • policyAssignmentId optional - string

        The resource ID of the policy assignment that should be remediated.

      • policyDefinitionReferenceId optional - string

        The policy definition reference ID of the individual definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.

      • resourceCount optional - integer

        Determines the max number of resources that can be remediated by the remediation job. If not provided, the default resource count is used.

      • resourceDiscoveryMode optional - string

        The way resources to remediate are discovered. Defaults to ExistingNonCompliant if not specified.

  • type required - string

Frequently asked questions

What is Azure Policy Remediation?

Azure Policy Remediation is a resource for Policy of Microsoft Azure. Settings can be written in Terraform.

Where can I find the example code for the Azure Policy Remediation?

For Terraform, the niveklabs/azurerm, RekhuGopal/PythonHacks and seeewhy/PythonHacks source code examples are useful. See the Terraform Example section for further details.