
azurermResourceGroupPolicyRemediation

Manages an Azure Resource Group Policy Remediation.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*This snippet is meant to run inside a construct (for example a TerraformStack constructor), where `this` is the scope.
Property names use the camelCase form of the generated bindings, matching the Argument Reference below.*/
const azurermPolicyDefinitionExample =
  new azurerm.policyDefinition.PolicyDefinition(this, "example", {
    displayName: "my-policy-definition",
    mode: "All",
    name: "my-policy-definition",
    /*JSON document declaring the allowedLocations parameter.*/
    parameters:
      '    {\n    "allowedLocations": {\n      "type": "Array",\n      "metadata": {\n        "description": "The list of allowed locations for resources.",\n        "displayName": "Allowed locations",\n        "strongType": "location"\n      }\n    }\n  }\n',
    /*JSON rule: audit any resource whose location is not in allowedLocations.*/
    policyRule:
      '    {\n    "if": {\n      "not": {\n        "field": "location",\n        "in": "[parameters(\'allowedLocations\')]"\n      }\n    },\n    "then": {\n      "effect": "audit"\n    }\n  }\n',
    policyType: "Custom",
  });
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example_1",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermResourceGroupExample.overrideLogicalId("example");
const azurermResourceGroupPolicyAssignmentExample =
  new azurerm.resourceGroupPolicyAssignment.ResourceGroupPolicyAssignment(
    this,
    "example_2",
    {
      name: "example",
      policyDefinitionId: azurermPolicyDefinitionExample.id,
      resourceGroupId: azurermResourceGroupExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermResourceGroupPolicyAssignmentExample.overrideLogicalId("example");
const azurermResourceGroupPolicyRemediationExample =
  new azurerm.resourceGroupPolicyRemediation.ResourceGroupPolicyRemediation(
    this,
    "example_3",
    {
      locationFilters: ["West Europe"],
      name: "example-policy-remediation",
      policyAssignmentId: azurermResourceGroupPolicyAssignmentExample.id,
      resourceGroupId: azurermResourceGroupExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermResourceGroupPolicyRemediationExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the Policy Remediation. Changing this forces a new resource to be created.

  • resourceGroupId - (Required) The Resource Group ID at which the Policy Remediation should be applied. Changing this forces a new resource to be created.

  • policyAssignmentId - (Required) The ID of the Policy Assignment that should be remediated.

  • policyDefinitionId - (Optional) The unique ID for the policy definition within the policy set definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.

    Note: This property has been deprecated and will be removed in version 4.0 of the provider in favour of policyDefinitionReferenceId.

  • policyDefinitionReferenceId - (Optional) The unique ID for the policy definition reference within the policy set definition that should be remediated. Required when the policy assignment being remediated assigns a policy set definition.

  • locationFilters - (Optional) A list of the resource locations that will be remediated.

  • resourceDiscoveryMode - (Optional) The way that resources to remediate are discovered. Possible values are existingNonCompliant, reEvaluateCompliance. Defaults to existingNonCompliant.

  • failurePercentage - (Optional) A number between 0.0 and 1.0 representing the percentage failure threshold. The remediation will fail if the percentage of failed remediation operations (i.e. failed deployments) exceeds this threshold.

  • parallelDeployments - (Optional) Determines how many resources to remediate at any given time. Can be used to increase or reduce the pace of the remediation. If not provided, the default parallel deployments value is used.

  • resourceCount - (Optional) Determines the max number of resources that can be remediated by the remediation job. If not provided, the default resource count is used.

Attributes Reference

The following attributes are exported:

  • id - The ID of the Policy Remediation.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Policy Remediation.
  • update - (Defaults to 30 minutes) Used when updating the Policy Remediation.
  • read - (Defaults to 5 minutes) Used when retrieving the Policy Remediation.
  • delete - (Defaults to 30 minutes) Used when deleting the Policy Remediation.

Import

Policy Remediations can be imported using the resourceId, e.g.

terraform import azurerm_resource_group_policy_remediation.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.PolicyInsights/remediations/remediation1
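
A pre-synth check, added here as an example (not part of the provider or its documentation), that applies the constraints from the Argument Reference and the ID shape from the Import section. The helper names, the `assignsPolicySet` flag and the sample values are assumptions made for illustration.

```typescript
// Added example; helper names are hypothetical, not part of the azurerm bindings.
interface RemediationArgs {
  name: string;
  resourceGroupId: string;
  policyAssignmentId: string;
  policyDefinitionId?: string; // deprecated per the Argument Reference
  policyDefinitionReferenceId?: string;
  failurePercentage?: number;
}

// ID shape taken from the Import section of this page.
const REMEDIATION_ID =
  /^(\/subscriptions\/[^\/]+\/resourceGroups\/[^\/]+)\/providers\/Microsoft\.PolicyInsights\/remediations\/([^\/]+)$/i;

function parseRemediationId(id: string): { resourceGroupId: string; name: string } | null {
  const m = REMEDIATION_ID.exec(id);
  return m ? { resourceGroupId: m[1] ?? "", name: m[2] ?? "" } : null;
}

// assignsPolicySet is supplied by the caller (assumption): true when the
// assignment being remediated assigns a policy set definition.
function checkRemediation(args: RemediationArgs, assignsPolicySet: boolean): string[] {
  const problems: string[] = [];
  const fp = args.failurePercentage;
  if (fp !== undefined && !(fp >= 0 && fp <= 1)) { // also rejects NaN
    problems.push("failurePercentage must be between 0.0 and 1.0");
  }
  if (assignsPolicySet && !args.policyDefinitionReferenceId && !args.policyDefinitionId) {
    problems.push("policyDefinitionReferenceId is required for a policy set assignment");
  }
  if (args.policyDefinitionId !== undefined) {
    problems.push("policyDefinitionId is deprecated; use policyDefinitionReferenceId");
  }
  return problems;
}

// True when an ID passed to `terraform import` targets the same resource group
// and name as the config. ARM resource IDs are compared case-insensitively.
function importMatches(importId: string, args: RemediationArgs): boolean {
  const parsed = parseRemediationId(importId);
  return parsed !== null &&
    parsed.resourceGroupId.toLowerCase() === args.resourceGroupId.toLowerCase() &&
    parsed.name.toLowerCase() === args.name.toLowerCase();
}

// Constructed sample input: out-of-range threshold, policy set without a reference ID.
const sampleArgs: RemediationArgs = {
  name: "remediation1",
  resourceGroupId: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1",
  policyAssignmentId: "constructed-assignment-id",
  failurePercentage: 1.5,
};
console.log(checkRemediation(sampleArgs, true));
```
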