MicroAgeServicesOrg / Azure-Lighthouse-deploymentAutomation

Automation for the Deployment of Monitoring and Management of Azure resources for Azure MSP Program

Azure Policy will not always run compliance check before deploying remediation task. Results in 0 resources remediated. #6

Closed mejdm5 closed 10 months ago

mejdm5 commented 11 months ago

When Azure Policy is deployed (a Policy Set Definition in our case), it seems the remediation task kicks off before the compliance check finishes.

This causes the remediation task to remediate 0 resources. This means our monitoring agent is never installed on pre-existing resources.

Two ideas for a fix:

  1. Test out CARML policy deployment templates, which further break up the deployment into more modules that run in sequential order. (I currently lump policy creation and remediation into the same module.)
  2. Attempt to run a compliance check in PowerShell during or after the Bicep deployment is complete.

mejdm5 commented 10 months ago

Updated and converted our custom modules to CARML based modules. This helped with some out of order issues.

Still facing an issue with policy remediation not catching compliance. Will work on a separate pipeline to check and remediate compliance outside of this stack.

Note: setting resourceDiscoveryMode: 'ReEvaluateCompliance' works fine; however, each subscription takes roughly 15 minutes to get through a deployment/update since Bicep waits for the check. This is not feasible at scale.
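The separate compliance-and-remediation step described in this thread (idea 2 in the first comment, and the standalone pipeline mentioned in the second) can be written as a PowerShell script that runs after the Bicep deployment has finished. The following is an added example, not code from this repository: it forces a compliance scan to complete first, then creates one remediation task per non-compliant policy definition reference and waits for each to finish. It assumes the Az.Accounts and Az.PolicyInsights modules, an already authenticated session with rights to create remediations, and that the caller passes the full resource ID of the initiative assignment (the `$PolicyAssignmentId` parameter is this example's own). The `DeploymentSummary` property names are those returned by `Get-AzPolicyRemediation` in Az.PolicyInsights; verify them against the module version in use.

```powershell
# Added example (not part of the Azure-Lighthouse-deploymentAutomation repository).
# Runs as its own pipeline step so the Bicep deployment does not have to wait for
# the compliance scan, which is what makes ReEvaluateCompliance slow at scale.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    # Full resource ID of the policy set (initiative) assignment created by the deployment.
    [Parameter(Mandatory)] [string] $PolicyAssignmentId,
    [int] $PollSeconds = 30,
    [int] $TimeoutMinutes = 60
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Trigger a compliance scan for the whole subscription. Without -AsJob the cmdlet
#    blocks until the scan completes, so everything after this line sees fresh state.
Write-Host "Starting compliance scan for subscription $SubscriptionId ..."
Start-AzPolicyComplianceScan -PassThru | Out-Null

# 2. Read back the non-compliant records for this assignment. For an initiative each
#    record carries the policyDefinitionReferenceId that a remediation must target.
$filter = "ComplianceState eq 'NonCompliant' and PolicyAssignmentId eq '$PolicyAssignmentId'"
$nonCompliant = @(Get-AzPolicyState -Filter $filter)
if ($nonCompliant.Count -eq 0) {
    Write-Host "No non-compliant resources found for $PolicyAssignmentId; nothing to remediate."
    return
}
$referenceIds = @($nonCompliant |
    Where-Object { $_.PolicyDefinitionReferenceId } |
    Select-Object -ExpandProperty PolicyDefinitionReferenceId -Unique)

# 3. Create the remediation tasks. The scan already ran, so ExistingNonCompliant is
#    sufficient and avoids the per-subscription wait that ReEvaluateCompliance adds.
$stamp = Get-Date -Format 'yyyyMMddHHmm'
$tasks = @()
if ($referenceIds.Count -gt 0) {
    foreach ($refId in $referenceIds) {
        $tasks += Start-AzPolicyRemediation -Name "rem-$refId-$stamp" `
            -PolicyAssignmentId $PolicyAssignmentId `
            -PolicyDefinitionReferenceId $refId `
            -ResourceDiscoveryMode ExistingNonCompliant
    }
} else {
    # Single policy assignment (no initiative): one remediation covers it.
    $tasks += Start-AzPolicyRemediation -Name "rem-$stamp" `
        -PolicyAssignmentId $PolicyAssignmentId `
        -ResourceDiscoveryMode ExistingNonCompliant
}

# 4. Poll each task to a terminal state and fail the step if any task remediated
#    nothing, which is exactly the symptom this issue describes.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$failed = $false
foreach ($task in $tasks) {
    do {
        Start-Sleep -Seconds $PollSeconds
        $r = Get-AzPolicyRemediation -Name $task.Name
    } until ($r.ProvisioningState -in @('Succeeded', 'Failed', 'Canceled') -or (Get-Date) -gt $deadline)

    $total = $r.DeploymentSummary.TotalDeployments
    $ok    = $r.DeploymentSummary.SuccessfulDeployments
    Write-Host ("{0}: state={1} total={2} succeeded={3}" -f $r.Name, $r.ProvisioningState, $total, $ok)

    if ($r.ProvisioningState -ne 'Succeeded' -or $total -eq 0) { $failed = $true }
}

if ($failed) {
    throw "One or more remediation tasks did not remediate any resources; check policy state before re-running."
}
```

Run it once per customer subscription from the pipeline (for example `.\Invoke-PolicyRemediation.ps1 -SubscriptionId <id> -PolicyAssignmentId <assignment resource id>`). Because the scan and the remediation are decoupled from the Bicep deployment, the deployment itself stays fast, and a zero-deployment remediation fails the step instead of silently leaving pre-existing resources without the monitoring agent.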