Microsoft.PolicyInsights/remediations failureThreshold percentage issue

[sdeguchi]

A policy remediation is failing for all the deployments and failing the terraform deployment. Tried to set the failureThreshold.percentage to 1 to allow 100% failure but the resource is still failing the deployment. Expected that all the remediation deployments fail and the Microsoft.PolicyInsights/remediations successfully deploys.

╷
│ Error: Failed to create/update resource
│
│ with module.bootstrap.azapi_resource.policy_remediation_mdfc["migrateToMdeTvm"],
│ on ..\modules\bootstrap\main.tf line 64, in resource "azapi_resource" "policy_remediation_mdfc":
│ 64: resource "azapi_resource" "policy_remediation_mdfc" {
│
│ creating/updating Resource: (ResourceId
│ "/providers/Microsoft.Management/managementGroups/sd115/providers/Microsoft.PolicyInsights/remediations/deploy-mdfc-config-h224-remediation-migrateToMdeTvm"
│ / Api Version "2024-10-01"): GET
│ https://management.azure.com/providers/Microsoft.Management/managementGroups/sd115/providers/Microsoft.PolicyInsights/remediations/deploy-mdfc-config-h224-remediation-migrateToMdeTvm
│ --------------------------------------------------------------------------------
│ RESPONSE 200: 200 OK
│ ERROR CODE UNAVAILABLE
│ --------------------------------------------------------------------------------
│ {
│ "properties": {
│ "policyAssignmentId": "/providers/microsoft.management/managementgroups/sd115/providers/microsoft.authorization/policyassignments/deploy-mdfc-config-h224",
│ "policyDefinitionReferenceId": "migratetomdetvm",
│ "provisioningState": "Failed",
│ "createdOn": "2025-02-11T02:34:50.2177957Z",
│ "lastUpdatedOn": "2025-02-11T02:36:07.3168601Z",
│ "deploymentStatus": {
│ "totalDeployments": 2,
│ "successfulDeployments": 0,
│ "failedDeployments": 2
│ },
│ "resourceDiscoveryMode": "ExistingNonCompliant",
│ "statusMessage": "All remediation deployments failed.",
│ "correlationId": "eb2f5923-3560-1b72-501d-8ff5d5c664d4",
│ "failureThreshold": {
│ "percentage": 1.0
│ }
│ },
│ "id": "/providers/microsoft.management/managementgroups/sd115/providers/microsoft.policyinsights/remediations/deploy-mdfc-config-h224-remediation-migratetomdetvm",
│ "name": "deploy-mdfc-config-h224-remediation-migrateToMdeTvm",
│ "type": "Microsoft.PolicyInsights/remediations",
│ "systemData": {
│ "createdBy": "d18f16e2-a270-4598-952d-782cc1b5b0f1",
│ "createdByType": "Application",
│ "createdAt": "2025-02-11T02:34:49.9066388Z",
│ "lastModifiedBy": "d18f16e2-a270-4598-952d-782cc1b5b0f1",
│ "lastModifiedByType": "Application",
│ "lastModifiedAt": "2025-02-11T02:34:49.9066388Z"
│ }
│ }
│ --------------------------------------------------------------------------------
│

[stemaMSFT]

Thanks for the issue @sdeguchi, is this with preflight_enabled set to true? Also, the intended behavior is to have a successful deployment on the resource, correct?

[sdeguchi]

Re-ran the deployment with preflight_enabled (enable_preflight as of azapi 2.2) and the configuration for the remediation appears to be valid and yes, intended behavior is successful deployment on the resource. Resource is created and persisted to the Terraform state, but the resource is tainted and will always fail on subsequent deployments,

[ms-henglu]

Hi @sdeguchi ,

Thank you for taking time to report this issue.

In the resource's state, provisioningState": "Failed",, that's why azapi stores the resource in the terraform state but marks it as tainted.

Is the provisioningState": "Failed", an expected deployment result?

[sdeguchi]

Hi @ms-henglu,

I was expecting the resource creation to succeed if failureThreshold is set to 1.0.