Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

Policy Remediation Task (DeployIfNotExists) works on existing and new resources, but not after 1st remediation if configuration changes back to not compliant. #1027

Open gastori opened 1 year ago

gastori commented 1 year ago

I have enabled a Remediation Task for a Policy (Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace) and ensured that "Create a remediation task" is selected. I used the default System Identity with no changes. After the 1st scan the Policy found 2 non-compliant resources and the proper Diagnostic Setting rule was applied as configured in the Remediation Task. I deleted the newly created rule "setByPolicy" from 1 of the NSGs, hoping that after the next scan the Policy would find the resource non-compliant and recreate it again. However, the Policy did find the resource non-compliant, but the remediation was not applied. Does this mean that DeployIfNotExists runs only one time on a remediated resource?

cloudchristoph commented 1 year ago

Hi @gastori,

It all comes down to the remediation task. Also worth noting: a remediation task is a one-time(!) task.

How does a DINE policy work? Quote from the docs:

During an evaluation cycle, policy definitions with a DeployIfNotExists effect that match resources are marked as non-compliant, but no action is taken on that resource. Existing non-compliant resources can be remediated with a remediation task.

DINE policies only remediate existing resources with a remediation task - you can create those tasks as often as needed. This is why you had the option to create the first remediation task right at assignment time.

Only if you create a new resource (and I'm not sure if this is the case for all DINE policies, but it is for all that I've used so far) does the deployment start automatically after a few minutes.

Hope that helps.
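Since a remediation task is one-time and drift (such as deleting the "setByPolicy" diagnostic setting) only gets the resource marked non-compliant again, a practical follow-up is to create a fresh remediation task on a schedule whenever the assignment reports non-compliant resources. The script below is an added example, not code from the azure-policy repository or from either participant in this thread. It assumes the Azure CLI (`az`) is installed and logged in, that the assignment lives at subscription scope, and uses a hypothetical policy assignment ID; `AZ` can be overridden (e.g. `AZ=echo`) to dry-run and inspect the exact command that would be issued.

```shell
#!/bin/sh
# Added example (not from the azure-policy repo or this thread): re-run remediation for a
# DeployIfNotExists assignment whenever its latest scan finds non-compliant resources again.
# Assumptions: Azure CLI is installed and authenticated; the assignment is at subscription
# scope (use --resource-group / --management-group on the az calls for other scopes);
# the assignment ID used under "run" below is hypothetical.
AZ="${AZ:-az}"   # override with AZ=echo to dry-run

# Unique, timestamped name: every run must create a *new* task because a remediation
# task is one-time and does not re-fire when a remediated resource drifts later.
remediation_name() {
  printf '%s-%s\n' "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Number of resources the last evaluation marked NonCompliant for this assignment.
noncompliant_count() {
  "$AZ" policy state list --policy-assignment "$1" \
    --filter "complianceState eq 'NonCompliant'" \
    --query 'length(@)' --output tsv
}

# Start a remediation task. ReEvaluateCompliance makes Policy re-evaluate the resources
# before deploying, so a resource whose 'setByPolicy' setting was deleted after the first
# remediation is picked up rather than relying on possibly stale compliance state.
create_remediation() {
  name="$1"; assignment_id="$2"; mode="${3:-ReEvaluateCompliance}"
  "$AZ" policy remediation create \
    --name "$name" \
    --policy-assignment "$assignment_id" \
    --resource-discovery-mode "$mode" \
    --output json
}

# Scheduled entry point: only create a task when there is something to fix.
remediate_if_needed() {
  assignment_id="$1"
  n="$(noncompliant_count "$assignment_id")"
  case "$n" in
    ''|0) echo "nothing to remediate for $assignment_id"; return 0 ;;
  esac
  create_remediation "$(remediation_name nsg-diag)" "$assignment_id"
}

# Pass 'run' to execute against the (hypothetical) assignment ID below.
if [ "${1:-}" = "run" ]; then
  remediate_if_needed "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/nsg-diag-to-law"
fi
```

Run it from a scheduled job (for example a cron entry or an Automation runbook) with `run` as the first argument; the identity executing it needs permission to read policy states and create remediations at the assignment's scope, and the assignment's own managed identity still performs the actual deployment.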