terraform-provider-azapi

Microsoft.PolicyInsights/remediations failureThreshold percentage issue

Open sdeguchi opened this issue 11 months ago • 4 comments

A policy remediation is failing for all the deployments and failing the terraform deployment. Tried to set the failureThreshold.percentage to 1 to allow 100% failure but the resource is still failing the deployment. Expected that all the remediation deployments fail and the Microsoft.PolicyInsights/remediations successfully deploys.

╷
│ Error: Failed to create/update resource
│
│   with module.bootstrap.azapi_resource.policy_remediation_mdfc["migrateToMdeTvm"],
│   on ..\modules\bootstrap\main.tf line 64, in resource "azapi_resource" "policy_remediation_mdfc":
│   64: resource "azapi_resource" "policy_remediation_mdfc" {
│
│ creating/updating Resource: (ResourceId
│ "/providers/Microsoft.Management/managementGroups/sd115/providers/Microsoft.PolicyInsights/remediations/deploy-mdfc-config-h224-remediation-migrateToMdeTvm"
│ / Api Version "2024-10-01"): GET
│ https://management.azure.com/providers/Microsoft.Management/managementGroups/sd115/providers/Microsoft.PolicyInsights/remediations/deploy-mdfc-config-h224-remediation-migrateToMdeTvm
│ --------------------------------------------------------------------------------
│ RESPONSE 200: 200 OK
│ ERROR CODE UNAVAILABLE
│ --------------------------------------------------------------------------------
│ {
│   "properties": {
│     "policyAssignmentId": "/providers/microsoft.management/managementgroups/sd115/providers/microsoft.authorization/policyassignments/deploy-mdfc-config-h224",
│     "policyDefinitionReferenceId": "migratetomdetvm",
│     "provisioningState": "Failed",
│     "createdOn": "2025-02-11T02:34:50.2177957Z",
│     "lastUpdatedOn": "2025-02-11T02:36:07.3168601Z",
│     "deploymentStatus": {
│       "totalDeployments": 2,
│       "successfulDeployments": 0,
│       "failedDeployments": 2
│     },
│     "resourceDiscoveryMode": "ExistingNonCompliant",
│     "statusMessage": "All remediation deployments failed.",
│     "correlationId": "eb2f5923-3560-1b72-501d-8ff5d5c664d4",
│     "failureThreshold": {
│       "percentage": 1.0
│     }
│   },
│   "id": "/providers/microsoft.management/managementgroups/sd115/providers/microsoft.policyinsights/remediations/deploy-mdfc-config-h224-remediation-migratetomdetvm",
│   "name": "deploy-mdfc-config-h224-remediation-migrateToMdeTvm",
│   "type": "Microsoft.PolicyInsights/remediations",
│   "systemData": {
│     "createdBy": "d18f16e2-a270-4598-952d-782cc1b5b0f1",
│     "createdByType": "Application",
│     "createdAt": "2025-02-11T02:34:49.9066388Z",
│     "lastModifiedBy": "d18f16e2-a270-4598-952d-782cc1b5b0f1",
│     "lastModifiedByType": "Application",
│     "lastModifiedAt": "2025-02-11T02:34:49.9066388Z"
│   }
│ }
│ --------------------------------------------------------------------------------
│

sdeguchi avatar Feb 11 '25 03:02 sdeguchi

Thanks for the issue @sdeguchi, is this with preflight_enabled set to true? Also, the intended behavior is to have a successful deployment on the resource, correct?

stemaMSFT avatar Feb 11 '25 19:02 stemaMSFT

Re-ran the deployment with preflight_enabled (enable_preflight as of azapi 2.2) and the configuration for the remediation appears to be valid and yes, intended behavior is successful deployment on the resource. Resource is created and persisted to the Terraform state, but the resource is tainted and will always fail on subsequent deployments.

sdeguchi avatar Feb 11 '25 23:02 sdeguchi

Hi @sdeguchi ,

Thank you for taking time to report this issue.

In the resource's state, "provisioningState": "Failed", that's why azapi stores the resource in the terraform state but marks it as tainted.

Is the "provisioningState": "Failed" an expected deployment result?

ms-henglu avatar Feb 20 '25 07:02 ms-henglu

Hi @ms-henglu,

I was expecting the resource creation to succeed if failureThreshold is set to 1.0.

sdeguchi avatar Feb 20 '25 16:02 sdeguchi