The azure-native:policyinsights:RemediationAtSubscription resource, part of the Pulumi Azure Native provider, defines remediation tasks that automatically fix non-compliant resources detected by Azure Policy assignments at subscription scope. This guide focuses on three capabilities: linking remediations to policy assignments, filtering by location or explicit resource IDs, and controlling execution with failure thresholds and parallelism.
Remediations depend on existing policy assignments and operate on resources that have been evaluated for compliance. The examples are intentionally small. Combine them with your own policy assignments and compliance workflows.
Create a basic remediation for a policy assignment
When Azure Policy detects non-compliant resources, remediation tasks automatically apply the policy’s effect to bring them into compliance.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const remediationAtSubscription = new azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription", {
policyAssignmentId: "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
remediationName: "storageRemediation",
});
import pulumi
import pulumi_azure_native as azure_native
remediation_at_subscription = azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription",
policy_assignment_id="/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
remediation_name="storageRemediation")
package main
import (
policyinsights "github.com/pulumi/pulumi-azure-native-sdk/policyinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := policyinsights.NewRemediationAtSubscription(ctx, "remediationAtSubscription", &policyinsights.RemediationAtSubscriptionArgs{
PolicyAssignmentId: pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5"),
RemediationName: pulumi.String("storageRemediation"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var remediationAtSubscription = new AzureNative.PolicyInsights.RemediationAtSubscription("remediationAtSubscription", new()
{
PolicyAssignmentId = "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
RemediationName = "storageRemediation",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscription;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscriptionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var remediationAtSubscription = new RemediationAtSubscription("remediationAtSubscription", RemediationAtSubscriptionArgs.builder()
.policyAssignmentId("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5")
.remediationName("storageRemediation")
.build());
}
}
resources:
remediationAtSubscription:
type: azure-native:policyinsights:RemediationAtSubscription
properties:
policyAssignmentId: /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5
remediationName: storageRemediation
The policyAssignmentId links the remediation to an existing policy assignment. The remediationName provides a unique identifier for tracking the remediation task. Without additional configuration, the remediation discovers and fixes all non-compliant resources in the subscription using default settings.
Control remediation scope and execution with filters and limits
Large-scale remediations benefit from controls that limit scope, manage failure tolerance, and tune deployment speed.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const remediationAtSubscription = new azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription", {
failureThreshold: {
percentage: 0.1,
},
filters: {
locations: [
"eastus",
"westus",
],
},
parallelDeployments: 6,
policyAssignmentId: "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
policyDefinitionReferenceId: "8c8fa9e4",
remediationName: "storageRemediation",
resourceCount: 42,
resourceDiscoveryMode: azure_native.policyinsights.ResourceDiscoveryMode.ReEvaluateCompliance,
});
import pulumi
import pulumi_azure_native as azure_native
remediation_at_subscription = azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription",
failure_threshold={
"percentage": 0.1,
},
filters={
"locations": [
"eastus",
"westus",
],
},
parallel_deployments=6,
policy_assignment_id="/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
policy_definition_reference_id="8c8fa9e4",
remediation_name="storageRemediation",
resource_count=42,
resource_discovery_mode=azure_native.policyinsights.ResourceDiscoveryMode.RE_EVALUATE_COMPLIANCE)
package main
import (
policyinsights "github.com/pulumi/pulumi-azure-native-sdk/policyinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := policyinsights.NewRemediationAtSubscription(ctx, "remediationAtSubscription", &policyinsights.RemediationAtSubscriptionArgs{
FailureThreshold: &policyinsights.RemediationPropertiesFailureThresholdArgs{
Percentage: pulumi.Float64(0.1),
},
Filters: &policyinsights.RemediationFiltersArgs{
Locations: pulumi.StringArray{
pulumi.String("eastus"),
pulumi.String("westus"),
},
},
ParallelDeployments: pulumi.Int(6),
PolicyAssignmentId: pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5"),
PolicyDefinitionReferenceId: pulumi.String("8c8fa9e4"),
RemediationName: pulumi.String("storageRemediation"),
ResourceCount: pulumi.Int(42),
ResourceDiscoveryMode: pulumi.String(policyinsights.ResourceDiscoveryModeReEvaluateCompliance),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var remediationAtSubscription = new AzureNative.PolicyInsights.RemediationAtSubscription("remediationAtSubscription", new()
{
FailureThreshold = new AzureNative.PolicyInsights.Inputs.RemediationPropertiesFailureThresholdArgs
{
Percentage = 0.1,
},
Filters = new AzureNative.PolicyInsights.Inputs.RemediationFiltersArgs
{
Locations = new[]
{
"eastus",
"westus",
},
},
ParallelDeployments = 6,
PolicyAssignmentId = "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
PolicyDefinitionReferenceId = "8c8fa9e4",
RemediationName = "storageRemediation",
ResourceCount = 42,
ResourceDiscoveryMode = AzureNative.PolicyInsights.ResourceDiscoveryMode.ReEvaluateCompliance,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscription;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscriptionArgs;
import com.pulumi.azurenative.policyinsights.inputs.RemediationPropertiesFailureThresholdArgs;
import com.pulumi.azurenative.policyinsights.inputs.RemediationFiltersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var remediationAtSubscription = new RemediationAtSubscription("remediationAtSubscription", RemediationAtSubscriptionArgs.builder()
.failureThreshold(RemediationPropertiesFailureThresholdArgs.builder()
.percentage(0.1)
.build())
.filters(RemediationFiltersArgs.builder()
.locations(
"eastus",
"westus")
.build())
.parallelDeployments(6)
.policyAssignmentId("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5")
.policyDefinitionReferenceId("8c8fa9e4")
.remediationName("storageRemediation")
.resourceCount(42)
.resourceDiscoveryMode("ReEvaluateCompliance")
.build());
}
}
resources:
remediationAtSubscription:
type: azure-native:policyinsights:RemediationAtSubscription
properties:
failureThreshold:
percentage: 0.1
filters:
locations:
- eastus
- westus
parallelDeployments: 6
policyAssignmentId: /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5
policyDefinitionReferenceId: 8c8fa9e4
remediationName: storageRemediation
resourceCount: 42
resourceDiscoveryMode: ReEvaluateCompliance
The filters property restricts remediation to specific locations (eastus, westus). The failureThreshold sets a percentage limit; if more than 10% of deployments fail, the remediation stops. The parallelDeployments property controls how many resources are remediated simultaneously, and resourceCount caps the total number of resources processed. The resourceDiscoveryMode determines whether to re-evaluate compliance or use existing evaluation results. When remediating a policy set definition (initiative), policyDefinitionReferenceId specifies which individual policy within the set to remediate.
Target specific resources with explicit resource IDs
When you need surgical remediation of known non-compliant resources rather than broad discovery, explicit resource ID lists ensure only specified resources are affected.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const remediationAtSubscription = new azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription", {
failureThreshold: {
percentage: 0.1,
},
filters: {
locations: [
"eastus",
"westus",
],
resourceIds: [
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174",
],
},
parallelDeployments: 6,
policyAssignmentId: "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
policyDefinitionReferenceId: "8c8fa9e4",
remediationName: "storageRemediation",
resourceCount: 42,
resourceDiscoveryMode: azure_native.policyinsights.ResourceDiscoveryMode.ExistingNonCompliant,
});
import pulumi
import pulumi_azure_native as azure_native
remediation_at_subscription = azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription",
failure_threshold={
"percentage": 0.1,
},
filters={
"locations": [
"eastus",
"westus",
],
"resource_ids": [
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174",
],
},
parallel_deployments=6,
policy_assignment_id="/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
policy_definition_reference_id="8c8fa9e4",
remediation_name="storageRemediation",
resource_count=42,
resource_discovery_mode=azure_native.policyinsights.ResourceDiscoveryMode.EXISTING_NON_COMPLIANT)
package main
import (
policyinsights "github.com/pulumi/pulumi-azure-native-sdk/policyinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := policyinsights.NewRemediationAtSubscription(ctx, "remediationAtSubscription", &policyinsights.RemediationAtSubscriptionArgs{
FailureThreshold: &policyinsights.RemediationPropertiesFailureThresholdArgs{
Percentage: pulumi.Float64(0.1),
},
Filters: &policyinsights.RemediationFiltersArgs{
Locations: pulumi.StringArray{
pulumi.String("eastus"),
pulumi.String("westus"),
},
ResourceIds: pulumi.StringArray{
pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125"),
pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699"),
pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596"),
pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637"),
pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834"),
pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174"),
},
},
ParallelDeployments: pulumi.Int(6),
PolicyAssignmentId: pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5"),
PolicyDefinitionReferenceId: pulumi.String("8c8fa9e4"),
RemediationName: pulumi.String("storageRemediation"),
ResourceCount: pulumi.Int(42),
ResourceDiscoveryMode: pulumi.String(policyinsights.ResourceDiscoveryModeExistingNonCompliant),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var remediationAtSubscription = new AzureNative.PolicyInsights.RemediationAtSubscription("remediationAtSubscription", new()
{
FailureThreshold = new AzureNative.PolicyInsights.Inputs.RemediationPropertiesFailureThresholdArgs
{
Percentage = 0.1,
},
Filters = new AzureNative.PolicyInsights.Inputs.RemediationFiltersArgs
{
Locations = new[]
{
"eastus",
"westus",
},
ResourceIds = new[]
{
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174",
},
},
ParallelDeployments = 6,
PolicyAssignmentId = "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
PolicyDefinitionReferenceId = "8c8fa9e4",
RemediationName = "storageRemediation",
ResourceCount = 42,
ResourceDiscoveryMode = AzureNative.PolicyInsights.ResourceDiscoveryMode.ExistingNonCompliant,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscription;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscriptionArgs;
import com.pulumi.azurenative.policyinsights.inputs.RemediationPropertiesFailureThresholdArgs;
import com.pulumi.azurenative.policyinsights.inputs.RemediationFiltersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var remediationAtSubscription = new RemediationAtSubscription("remediationAtSubscription", RemediationAtSubscriptionArgs.builder()
.failureThreshold(RemediationPropertiesFailureThresholdArgs.builder()
.percentage(0.1)
.build())
.filters(RemediationFiltersArgs.builder()
.locations(
"eastus",
"westus")
.resourceIds(
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834",
"/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174")
.build())
.parallelDeployments(6)
.policyAssignmentId("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5")
.policyDefinitionReferenceId("8c8fa9e4")
.remediationName("storageRemediation")
.resourceCount(42)
.resourceDiscoveryMode("ExistingNonCompliant")
.build());
}
}
resources:
remediationAtSubscription:
type: azure-native:policyinsights:RemediationAtSubscription
properties:
failureThreshold:
percentage: 0.1
filters:
locations:
- eastus
- westus
resourceIds:
- /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125
- /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699
- /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596
- /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637
- /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834
- /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174
parallelDeployments: 6
policyAssignmentId: /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5
policyDefinitionReferenceId: 8c8fa9e4
remediationName: storageRemediation
resourceCount: 42
resourceDiscoveryMode: ExistingNonCompliant
The resourceIds array within filters lists exact resource IDs to remediate. The resourceDiscoveryMode is set to ExistingNonCompliant, which uses the current compliance state without re-evaluation. This approach bypasses location-based discovery and remediates only the listed resources, useful when you know exactly which resources need fixing.
Beyond these examples
These snippets focus on specific remediation features: policy assignment linking and remediation naming, location and resource ID filtering, and failure thresholds and parallel deployment controls. They’re intentionally minimal rather than full compliance automation solutions.
The examples reference pre-existing infrastructure such as Azure Policy assignments at subscription scope and non-compliant resources to remediate. They focus on configuring the remediation task rather than provisioning the underlying policy framework.
To keep things focused, common remediation patterns are omitted, including:
- Remediation at management group or resource group scope
- Status monitoring (provisioningState, deploymentStatus outputs)
- Correlation ID tracking for activity log queries
- Policy set definition handling beyond policyDefinitionReferenceId
These omissions are intentional: the goal is to illustrate how each remediation feature is wired, not provide drop-in compliance modules. See the RemediationAtSubscription resource reference for all available configuration options.
Let's configure Azure Policy Remediation at Subscription Level
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Policy Sets
When do I need to specify policyDefinitionReferenceId?
You must include
policyDefinitionReferenceId when remediating a policy assignment that assigns a policy set definition. This identifies which individual definition within the set should be remediated.Can I rename a remediation after creating it?
No,
remediationName is immutable and cannot be changed after creation. Changing it requires replacing the entire resource.Resource Discovery & Filtering
What's the difference between ReEvaluateCompliance and ExistingNonCompliant discovery modes?
ReEvaluateCompliance re-evaluates resource compliance before remediation, while ExistingNonCompliant (the default) remediates resources already marked as non-compliant without re-evaluation.How do I limit remediation to specific Azure regions?
Use
filters.locations with an array of region names (e.g., ["eastus", "westus"]) to restrict remediation to those locations.Can I remediate only specific resource IDs?
Yes, use
filters.resourceIds with an array of full resource ID paths to target specific resources for remediation.Remediation Control
How do I control the scope and pace of remediation?
Use
parallelDeployments to control how many resources are remediated simultaneously (affecting speed), and resourceCount to set the maximum total number of resources the job can remediate.What does failureThreshold do?
failureThreshold.percentage sets the failure threshold for the remediation. For example, a value of 0.1 means the remediation tolerates up to 10% failures.Monitoring & Tracking
How do I check if my remediation completed successfully?
Check the
provisioningState output property, which shows values like Evaluating, Complete, Failed, Succeeded, Canceled, or Cancelling to indicate the remediation status.How can I find activity log events related to my remediation?
Use the
correlationId output property to search for related events in the Azure activity log.