Closed mejdm5 closed 10 months ago
Updated and converted our custom modules to CARML-based modules. This helped with some out-of-order issues.
Still facing an issue with policy remediation not catching compliance. Will work on a separate pipeline to check and remediate compliance outside of this stack.
Note: setting resourceDiscoveryMode: 'ReEvaluateCompliance' works fine; however, each subscription takes roughly 15 minutes to get through a deployment/update since Bicep waits for the check. This is not feasible at scale.
When Azure Policy is deployed (Policy Set Definition in our case), it seems the remediation task kicks off before the compliance check finishes.
This causes the remediation task to remediate 0 resources. This means our monitoring agent is never installed on pre-existing resources.
2 ideas for a fix,