Creating an Azure Policy Remediation Task for an Azure Policy Initiative

Jason Tucker
Mar 23, 2022

I recently ran across a weird issue when trying to have an Azure Policy Remediation task auto start with an Azure Policy Initiative.

tl;dr: I was attempting to have a Policy Remediation task auto start during deployment of a Policy Initiative, but it never really started. It turns out you must get the Policy’s Reference ID from the created Initiative when creating the task.

So, I was tasked with creating the following resources for our solution:

  1. Azure Policy Initiative containing a few built-in policies; the one I was tasked with was ‘Configure diagnostic settings for storage accounts to Log Analytics workspace’
  2. Azure Policy Assignment
  3. Azure Policy Remediation Task to kick off the remediation process on the newly created initiative

Getting these resources created using Bicep was straightforward, and you can find many examples on the interwebs. I’ve included a gist below.

Like I said, it was simple: create the initiative, create an assignment of the initiative to the scope, and then create a task linking the assignment and the resource ID of the definition I wanted the task to run on (in my case the ‘Configure diagnostic settings for storage accounts to Log Analytics workspace’ one).

While everything was created fine, the task didn’t start. So, I went to the portal and double-checked that everything had been deployed, and there were no issues there.

Next, I attempted to create the task in the portal on the assignment that I deployed and got my first hint of what could be wrong. The portal was telling me that the configured system identity didn’t have the appropriate roles needed to execute the remediation task.

Fair enough, I’ll just add the role assignments to the MSI then. Again, another couple of blocks of simple Bicep code:

Did another deploy with the new and updated resources, and still no dice on the auto start of the task. On the plus side, it did fix the error about the missing roles. So, I continued by creating a new remediation task in the portal, which fired off with no issue. I started scratching my head, as everything in my Bicep code looked correct to me based on what I was reading in the docs. I decided to see what az would return when I queried the Policy Initiative, and that is where I got some more clues.

Screenshot of the output of `az policy remediation list` showing that the policyDefinitionReferenceId was not in the expected format.

The Policy Definition ID was not what I was expecting to see in the output, as I was expecting (and provided) the usual Resource ID format.

Screenshot of the policyDefinitionReferenceId in the Policy Initiative

After some more az digging, I determined that Azure somehow changes what the reference ID is, and the value is unique to how the initiative was built. I need to do some more digging to verify that what I think is happening is actually what is happening.

I had to pull the remediation task out into its own module, since Bicep (and ARM) doesn’t allow looping over results that are only known at runtime. The only solution for that at this point is to wrap the resource in a module.

Once all that was built and deployed, the remediation task started right up as I expected, and everything was 💯
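As an added example (not the author’s gist, which is not reproduced here), the whole deployment in one subscription-scoped Bicep file; it takes the simpler route of setting the initiative’s policyDefinitionReferenceId explicitly so the remediation task can use the same value without a module loop. The built-in policy GUID, its parameter name and the Contributor role are placeholders or assumptions.

```bicep
targetScope = 'subscription'
param location string = 'eastus'
param logAnalyticsWorkspaceId string // assumption: workspace resource ID the policy targets
// Placeholder GUID for the built-in 'Configure diagnostic settings for storage
// accounts to Log Analytics workspace' policy (find it with az policy definition list).
var storageDiagPolicyId = '/providers/Microsoft.Authorization/policyDefinitions/<BUILTIN-POLICY-GUID>'
var storageDiagRefId = 'storageDiagToLaw' // set explicitly so the task can use the same value
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // built-in Contributor role

resource initiative 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
  name: 'diag-settings-initiative'
  properties: {
    policyType: 'Custom'
    policyDefinitions: [
      {
        policyDefinitionReferenceId: storageDiagRefId
        policyDefinitionId: storageDiagPolicyId
        // Assumption: the built-in policy's workspace parameter is named 'logAnalytics'.
        parameters: { logAnalytics: { value: logAnalyticsWorkspaceId } }
      }
    ]
  }
}
resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'diag-settings-assignment'
  location: location // required when the assignment carries a managed identity
  identity: { type: 'SystemAssigned' }
  properties: { policyDefinitionId: initiative.id }
}
// DeployIfNotExists runs as the assignment's identity, which needs the roles the policy
// lists in roleDefinitionIds (Contributor assumed here); without them the task errors out.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, assignment.name, contributorRoleId)
  properties: {
    principalId: assignment.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
  }
}

resource remediation 'Microsoft.PolicyInsights/remediations@2021-10-01' = {
  name: 'remediate-storage-diag'
  properties: {
    policyAssignmentId: assignment.id
    // Must be the initiative's reference ID, not the policy definition's resource ID.
    // If Azure generated it, read it back from initiative.properties.policyDefinitions[0].
    policyDefinitionReferenceId: storageDiagRefId
    resourceDiscoveryMode: 'ReEvaluateCompliance'
  }
  dependsOn: [ roleAssignment ] // make sure the role exists before the task starts
}
```

If you let Azure generate the reference IDs instead, you are back to the author’s approach: pass the created initiative’s policyDefinitions array into a module and create one remediation per entry there.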
