Configure Azure Policy Remediation at Subscription Level

The azure-native:policyinsights:RemediationAtSubscription resource, part of the Pulumi Azure Native provider, defines remediation tasks that automatically fix non-compliant resources detected by Azure Policy assignments at subscription scope. This guide focuses on three capabilities: linking remediations to policy assignments, filtering by location or explicit resource IDs, and controlling execution with failure thresholds and parallelism.

Remediations depend on existing policy assignments and operate on resources that have been evaluated for compliance. The examples are intentionally small. Combine them with your own policy assignments and compliance workflows.

Create a basic remediation for a policy assignment

When Azure Policy detects non-compliant resources, remediation tasks automatically apply the policy’s effect to bring them into compliance.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const remediationAtSubscription = new azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription", {
    policyAssignmentId: "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
    remediationName: "storageRemediation",
});

Python:

import pulumi
import pulumi_azure_native as azure_native

remediation_at_subscription = azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription",
    policy_assignment_id="/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
    remediation_name="storageRemediation")

Go:

package main

import (
	policyinsights "github.com/pulumi/pulumi-azure-native-sdk/policyinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := policyinsights.NewRemediationAtSubscription(ctx, "remediationAtSubscription", &policyinsights.RemediationAtSubscriptionArgs{
			PolicyAssignmentId: pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5"),
			RemediationName:    pulumi.String("storageRemediation"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var remediationAtSubscription = new AzureNative.PolicyInsights.RemediationAtSubscription("remediationAtSubscription", new()
    {
        PolicyAssignmentId = "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
        RemediationName = "storageRemediation",
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscription;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscriptionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var remediationAtSubscription = new RemediationAtSubscription("remediationAtSubscription", RemediationAtSubscriptionArgs.builder()
            .policyAssignmentId("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5")
            .remediationName("storageRemediation")
            .build());

    }
}

YAML:

resources:
  remediationAtSubscription:
    type: azure-native:policyinsights:RemediationAtSubscription
    properties:
      policyAssignmentId: /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5
      remediationName: storageRemediation

The policyAssignmentId links the remediation to an existing policy assignment. The remediationName provides a unique identifier for tracking the remediation task. Without additional configuration, the remediation discovers and fixes all non-compliant resources in the subscription using default settings.

Control remediation scope and execution with filters and limits

Large-scale remediations benefit from controls that limit scope, manage failure tolerance, and tune deployment speed.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const remediationAtSubscription = new azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription", {
    failureThreshold: {
        percentage: 0.1,
    },
    filters: {
        locations: [
            "eastus",
            "westus",
        ],
    },
    parallelDeployments: 6,
    policyAssignmentId: "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
    policyDefinitionReferenceId: "8c8fa9e4",
    remediationName: "storageRemediation",
    resourceCount: 42,
    resourceDiscoveryMode: azure_native.policyinsights.ResourceDiscoveryMode.ReEvaluateCompliance,
});

Python:

import pulumi
import pulumi_azure_native as azure_native

remediation_at_subscription = azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription",
    failure_threshold={
        "percentage": 0.1,
    },
    filters={
        "locations": [
            "eastus",
            "westus",
        ],
    },
    parallel_deployments=6,
    policy_assignment_id="/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
    policy_definition_reference_id="8c8fa9e4",
    remediation_name="storageRemediation",
    resource_count=42,
    resource_discovery_mode=azure_native.policyinsights.ResourceDiscoveryMode.RE_EVALUATE_COMPLIANCE)

Go:

package main

import (
	policyinsights "github.com/pulumi/pulumi-azure-native-sdk/policyinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := policyinsights.NewRemediationAtSubscription(ctx, "remediationAtSubscription", &policyinsights.RemediationAtSubscriptionArgs{
			FailureThreshold: &policyinsights.RemediationPropertiesFailureThresholdArgs{
				Percentage: pulumi.Float64(0.1),
			},
			Filters: &policyinsights.RemediationFiltersArgs{
				Locations: pulumi.StringArray{
					pulumi.String("eastus"),
					pulumi.String("westus"),
				},
			},
			ParallelDeployments:         pulumi.Int(6),
			PolicyAssignmentId:          pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5"),
			PolicyDefinitionReferenceId: pulumi.String("8c8fa9e4"),
			RemediationName:             pulumi.String("storageRemediation"),
			ResourceCount:               pulumi.Int(42),
			ResourceDiscoveryMode:       pulumi.String(policyinsights.ResourceDiscoveryModeReEvaluateCompliance),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var remediationAtSubscription = new AzureNative.PolicyInsights.RemediationAtSubscription("remediationAtSubscription", new()
    {
        FailureThreshold = new AzureNative.PolicyInsights.Inputs.RemediationPropertiesFailureThresholdArgs
        {
            Percentage = 0.1,
        },
        Filters = new AzureNative.PolicyInsights.Inputs.RemediationFiltersArgs
        {
            Locations = new[]
            {
                "eastus",
                "westus",
            },
        },
        ParallelDeployments = 6,
        PolicyAssignmentId = "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
        PolicyDefinitionReferenceId = "8c8fa9e4",
        RemediationName = "storageRemediation",
        ResourceCount = 42,
        ResourceDiscoveryMode = AzureNative.PolicyInsights.ResourceDiscoveryMode.ReEvaluateCompliance,
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscription;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscriptionArgs;
import com.pulumi.azurenative.policyinsights.inputs.RemediationPropertiesFailureThresholdArgs;
import com.pulumi.azurenative.policyinsights.inputs.RemediationFiltersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var remediationAtSubscription = new RemediationAtSubscription("remediationAtSubscription", RemediationAtSubscriptionArgs.builder()
            .failureThreshold(RemediationPropertiesFailureThresholdArgs.builder()
                .percentage(0.1)
                .build())
            .filters(RemediationFiltersArgs.builder()
                .locations(                
                    "eastus",
                    "westus")
                .build())
            .parallelDeployments(6)
            .policyAssignmentId("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5")
            .policyDefinitionReferenceId("8c8fa9e4")
            .remediationName("storageRemediation")
            .resourceCount(42)
            .resourceDiscoveryMode("ReEvaluateCompliance")
            .build());

    }
}

YAML:

resources:
  remediationAtSubscription:
    type: azure-native:policyinsights:RemediationAtSubscription
    properties:
      failureThreshold:
        percentage: 0.1
      filters:
        locations:
          - eastus
          - westus
      parallelDeployments: 6
      policyAssignmentId: /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5
      policyDefinitionReferenceId: 8c8fa9e4
      remediationName: storageRemediation
      resourceCount: 42
      resourceDiscoveryMode: ReEvaluateCompliance

The filters property restricts remediation to specific locations (eastus, westus). The failureThreshold sets a percentage limit; if more than 10% of deployments fail, the remediation stops. The parallelDeployments property controls how many resources are remediated simultaneously, and resourceCount caps the total number of resources processed. The resourceDiscoveryMode determines whether to re-evaluate compliance or use existing evaluation results. When remediating a policy set definition (initiative), policyDefinitionReferenceId specifies which individual policy within the set to remediate.

Target specific resources with explicit resource IDs

When you need surgical remediation of known non-compliant resources rather than broad discovery, explicit resource ID lists ensure only specified resources are affected.

TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const remediationAtSubscription = new azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription", {
    failureThreshold: {
        percentage: 0.1,
    },
    filters: {
        locations: [
            "eastus",
            "westus",
        ],
        resourceIds: [
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174",
        ],
    },
    parallelDeployments: 6,
    policyAssignmentId: "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
    policyDefinitionReferenceId: "8c8fa9e4",
    remediationName: "storageRemediation",
    resourceCount: 42,
    resourceDiscoveryMode: azure_native.policyinsights.ResourceDiscoveryMode.ExistingNonCompliant,
});

Python:

import pulumi
import pulumi_azure_native as azure_native

remediation_at_subscription = azure_native.policyinsights.RemediationAtSubscription("remediationAtSubscription",
    failure_threshold={
        "percentage": 0.1,
    },
    filters={
        "locations": [
            "eastus",
            "westus",
        ],
        "resource_ids": [
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834",
            "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174",
        ],
    },
    parallel_deployments=6,
    policy_assignment_id="/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
    policy_definition_reference_id="8c8fa9e4",
    remediation_name="storageRemediation",
    resource_count=42,
    resource_discovery_mode=azure_native.policyinsights.ResourceDiscoveryMode.EXISTING_NON_COMPLIANT)

Go:

package main

import (
	policyinsights "github.com/pulumi/pulumi-azure-native-sdk/policyinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := policyinsights.NewRemediationAtSubscription(ctx, "remediationAtSubscription", &policyinsights.RemediationAtSubscriptionArgs{
			FailureThreshold: &policyinsights.RemediationPropertiesFailureThresholdArgs{
				Percentage: pulumi.Float64(0.1),
			},
			Filters: &policyinsights.RemediationFiltersArgs{
				Locations: pulumi.StringArray{
					pulumi.String("eastus"),
					pulumi.String("westus"),
				},
				ResourceIds: pulumi.StringArray{
					pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125"),
					pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699"),
					pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596"),
					pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637"),
					pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834"),
					pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174"),
				},
			},
			ParallelDeployments:         pulumi.Int(6),
			PolicyAssignmentId:          pulumi.String("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5"),
			PolicyDefinitionReferenceId: pulumi.String("8c8fa9e4"),
			RemediationName:             pulumi.String("storageRemediation"),
			ResourceCount:               pulumi.Int(42),
			ResourceDiscoveryMode:       pulumi.String(policyinsights.ResourceDiscoveryModeExistingNonCompliant),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#:

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var remediationAtSubscription = new AzureNative.PolicyInsights.RemediationAtSubscription("remediationAtSubscription", new()
    {
        FailureThreshold = new AzureNative.PolicyInsights.Inputs.RemediationPropertiesFailureThresholdArgs
        {
            Percentage = 0.1,
        },
        Filters = new AzureNative.PolicyInsights.Inputs.RemediationFiltersArgs
        {
            Locations = new[]
            {
                "eastus",
                "westus",
            },
            ResourceIds = new[]
            {
                "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125",
                "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699",
                "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
                "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637",
                "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834",
                "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174",
            },
        },
        ParallelDeployments = 6,
        PolicyAssignmentId = "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
        PolicyDefinitionReferenceId = "8c8fa9e4",
        RemediationName = "storageRemediation",
        ResourceCount = 42,
        ResourceDiscoveryMode = AzureNative.PolicyInsights.ResourceDiscoveryMode.ExistingNonCompliant,
    });

});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscription;
import com.pulumi.azurenative.policyinsights.RemediationAtSubscriptionArgs;
import com.pulumi.azurenative.policyinsights.inputs.RemediationPropertiesFailureThresholdArgs;
import com.pulumi.azurenative.policyinsights.inputs.RemediationFiltersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var remediationAtSubscription = new RemediationAtSubscription("remediationAtSubscription", RemediationAtSubscriptionArgs.builder()
            .failureThreshold(RemediationPropertiesFailureThresholdArgs.builder()
                .percentage(0.1)
                .build())
            .filters(RemediationFiltersArgs.builder()
                .locations(                
                    "eastus",
                    "westus")
                .resourceIds(                
                    "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125",
                    "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699",
                    "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596",
                    "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637",
                    "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834",
                    "/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174")
                .build())
            .parallelDeployments(6)
            .policyAssignmentId("/subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5")
            .policyDefinitionReferenceId("8c8fa9e4")
            .remediationName("storageRemediation")
            .resourceCount(42)
            .resourceDiscoveryMode("ExistingNonCompliant")
            .build());

    }
}

YAML:

resources:
  remediationAtSubscription:
    type: azure-native:policyinsights:RemediationAtSubscription
    properties:
      failureThreshold:
        percentage: 0.1
      filters:
        locations:
          - eastus
          - westus
        resourceIds:
          - /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res2627/providers/Microsoft.Storage/storageAccounts/sto1125
          - /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto3699
          - /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res9407/providers/Microsoft.Storage/storageAccounts/sto8596
          - /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto6637
          - /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/res8186/providers/Microsoft.Storage/storageAccounts/sto834
          - /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/resourceGroups/testcmk3/providers/Microsoft.Storage/storageAccounts/sto9174
      parallelDeployments: 6
      policyAssignmentId: /subscriptions/35ee058e-5fa0-414c-8145-3ebb8d09b6e2/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5
      policyDefinitionReferenceId: 8c8fa9e4
      remediationName: storageRemediation
      resourceCount: 42
      resourceDiscoveryMode: ExistingNonCompliant

The resourceIds array within filters lists exact resource IDs to remediate. The resourceDiscoveryMode is set to ExistingNonCompliant, which uses the current compliance state without re-evaluation. This approach bypasses location-based discovery and remediates only the listed resources, useful when you know exactly which resources need fixing.
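A pre-flight check for the arguments described in the two sections above (execution limits, and explicit resourceIds), run before the values are handed to RemediationAtSubscription. This is an added example, not Pulumi's or the provider's code: check_remediation_args, subscription_of, the assigns_initiative flag and the two numeric limits are assumptions of this example, and the sample input is constructed.

```python
import re

# Assumed service limits (not stated on this page); confirm them against the
# current Azure Policy documentation.
MAX_PARALLEL_DEPLOYMENTS = 30
MAX_RESOURCE_COUNT = 50_000
DISCOVERY_MODES = {"ExistingNonCompliant", "ReEvaluateCompliance"}
_SUBSCRIPTION_RE = re.compile(r"^/subscriptions/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})(?:/|$)", re.I)


def subscription_of(arm_id):
    """Return the lower-cased subscription GUID of an ARM ID, or None."""
    match = _SUBSCRIPTION_RE.match(arm_id or "")
    return match.group(1).lower() if match else None


def check_remediation_args(args, subscription_id, assigns_initiative=False):
    """List problems in the arguments; args uses the Python examples' keys."""
    problems = []
    target = subscription_id.lower()
    for key in ("policy_assignment_id", "remediation_name"):
        if not args.get(key):
            problems.append(f"{key} is required")

    # An assignment made in another subscription cannot cover this one.
    # Management-group assignments carry no subscription segment and pass.
    assignment_sub = subscription_of(args.get("policy_assignment_id"))
    if assignment_sub is not None and assignment_sub != target:
        problems.append("policy_assignment_id is in a different subscription")
    if assigns_initiative and not args.get("policy_definition_reference_id"):
        problems.append("policy_definition_reference_id is required for a policy set")

    # The threshold is a fraction: 0.1 means 10%, so a value such as 10 is wrong.
    percentage = (args.get("failure_threshold") or {}).get("percentage")
    if percentage is not None and not 0 <= percentage <= 1:
        problems.append(f"failure_threshold.percentage {percentage} is not in [0, 1]")
    for key, upper in (("parallel_deployments", MAX_PARALLEL_DEPLOYMENTS),
                       ("resource_count", MAX_RESOURCE_COUNT)):
        value = args.get(key)
        if value is not None and not 1 <= value <= upper:
            problems.append(f"{key} {value} is outside 1..{upper}")
    mode = args.get("resource_discovery_mode")
    mode = getattr(mode, "value", mode)  # accept an SDK enum or a plain string
    if mode is not None and mode not in DISCOVERY_MODES:
        problems.append(f"resource_discovery_mode {mode!r} is not a known mode")

    # Listed resources must be in the target subscription. ARM IDs compare
    # case-insensitively, so duplicates are detected on the lower-cased form.
    seen = set()
    for rid in (args.get("filters") or {}).get("resource_ids") or []:
        if subscription_of(rid) != target:
            problems.append(f"resource ID outside subscription {target}: {rid}")
        if rid.lower() in seen:
            problems.append(f"duplicate resource ID: {rid}")
        seen.add(rid.lower())
    return problems


# Constructed sample: the page's IDs with mistakes added on purpose (threshold
# given as 10, a case-variant duplicate, a resource in another subscription).
SUBSCRIPTION = "35ee058e-5fa0-414c-8145-3ebb8d09b6e2"
STORAGE = "providers/Microsoft.Storage/storageAccounts"
SAMPLE_ARGS = {
    "policy_assignment_id": f"/subscriptions/{SUBSCRIPTION}/providers/microsoft.authorization/policyassignments/b101830944f246d8a14088c5",
    "remediation_name": "storageRemediation",
    "failure_threshold": {"percentage": 10},
    "parallel_deployments": 6,
    "resource_count": 42,
    "resource_discovery_mode": "ExistingNonCompliant",
    "filters": {"resource_ids": [
        f"/subscriptions/{SUBSCRIPTION}/resourceGroups/res2627/{STORAGE}/sto1125",
        f"/subscriptions/{SUBSCRIPTION}/resourcegroups/RES2627/{STORAGE}/STO1125",
        f"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/{STORAGE}/x",
    ]},
}

if __name__ == "__main__":
    for problem in check_remediation_args(SAMPLE_ARGS, SUBSCRIPTION, True):
        print("-", problem)
```

Failing the deployment when the returned list is non-empty keeps a mistyped threshold or a resource ID from another subscription out of a remediation task that changes live resources.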

Beyond these examples

These snippets focus on specific remediation features: policy assignment linking and remediation naming, location and resource ID filtering, and failure thresholds and parallel deployment controls. They’re intentionally minimal rather than full compliance automation solutions.

The examples reference pre-existing infrastructure such as Azure Policy assignments at subscription scope and non-compliant resources to remediate. They focus on configuring the remediation task rather than provisioning the underlying policy framework.

To keep things focused, common remediation patterns are omitted, including:

  • Remediation at management group or resource group scope
  • Status monitoring (provisioningState, deploymentStatus outputs)
  • Correlation ID tracking for activity log queries
  • Policy set definition handling beyond policyDefinitionReferenceId

These omissions are intentional: the goal is to illustrate how each remediation feature is wired, not to provide drop-in compliance modules. See the RemediationAtSubscription resource reference for all available configuration options.

Frequently Asked Questions

Policy Assignment & Configuration

When do I need to specify a policy definition reference ID?
You must include policyDefinitionReferenceId when the policy assignment you’re remediating assigns a policy set definition (also called an initiative). This property identifies which individual definition within the set should be remediated.

What's the minimum configuration needed to create a remediation?
Only policyAssignmentId and remediationName are required. The policy assignment ID specifies which assignment to remediate, and the remediation name identifies this remediation task.

Resource Discovery & Filtering

What's the difference between ReEvaluateCompliance and ExistingNonCompliant discovery modes?
ExistingNonCompliant (the default) remediates resources that are currently non-compliant. ReEvaluateCompliance re-evaluates compliance before remediation, which can discover newly non-compliant resources.

How can I limit remediation to specific locations or resources?
Use the filters property with locations to target specific Azure regions (e.g., ["eastus", "westus"]), or use resourceIds to specify exact resource IDs to remediate.

Remediation Control & Performance

How do I control how fast resources are remediated?
Set parallelDeployments to control how many resources are remediated simultaneously. Higher values increase remediation speed, while lower values reduce the pace.

How do I limit the total number of resources remediated?
Use resourceCount to set the maximum number of resources that can be remediated by the job. This prevents runaway remediation on large resource sets.

What does the failure threshold control?
The failureThreshold property (specified as a percentage like 0.1 for 10%) determines when the remediation should stop due to too many failures.

Monitoring & Lifecycle

How can I track the progress of my remediation in Azure activity logs?
Use the correlationId output property to find all events related to the remediation in the Azure activity log.

What do the different provisioning states mean?
The provisioningState reflects the entire remediation task status: Evaluating (in progress), Complete or Succeeded (finished successfully), Failed (encountered errors), or Canceled/Cancelling (stopped by user).

Can I rename a remediation after creation?
No, remediationName is immutable. To use a different name, you must delete the existing remediation and create a new one.
