Azure Policy 'deployIfNotExists' not executing on terraform resources

Hi,

We are deploying most of our resources in Azure using Terraform, but we also have a number of Azure policies which enforce various things. What I have noticed is that where a resource is deployed via tf, any Azure policies which use deployIfNotExists conditions don’t trigger the remediation tasks. When deploying the same resources via the UI or ARM, the policies operate just fine.

The way that I understand deployIfNotExists policies is that they trigger on a successful create or update deployment. Am I right in thinking that this is because Terraform doesn’t actually create a ‘deployment’, and therefore the policy engine doesn’t know the resources exist until it does its compliance scan and finds them non-compliant, at which point the remediation job can’t fire and they simply get flagged as non-compliant?

Does anyone have a way around this?

Stu

Any solution for the above question yet? I do not see any deployment session under the Policy definition template for "deployIfNotExists" custom policies. Please advise.

A very good question. Why isn’t somebody taking the time and effort to answer this at Hashicorp?

I think this is related to the role assignments for the managed identity not being assigned when an Azure Policy assignment is created via the SDK.

I have not figured out a solution to this yet.
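As an added example (not code from anyone in this thread), the following Terraform configuration assumes the hypothesis in the last reply: a deployIfNotExists assignment created through the SDK/Terraform has no role assignment for its managed identity, so remediation cannot deploy anything. It wires the assignment identity, the role grant and a remediation task together explicitly; the policy definition ID, region and role name are placeholders, and the resource/attribute names are those of the azurerm provider 3.x.

```hcl
# Added example, not from the thread. Assumes the missing managed-identity role
# assignment is the cause. Placeholders: var.policy_definition_id, the location
# and the role name (must match the definition's roleDefinitionIds).

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

variable "policy_definition_id" {
  description = "Placeholder: resource ID of a deployIfNotExists policy definition"
  type        = string
}

# 1. Assign the policy WITH a system-assigned identity. Without an identity the
#    deployIfNotExists effect has no principal to run its deployment as.
resource "azurerm_subscription_policy_assignment" "dine" {
  name                 = "dine-example"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = var.policy_definition_id
  location             = "westeurope" # required when an identity is set

  identity {
    type = "SystemAssigned"
  }
}

# 2. Grant that identity the role(s) the definition requires. Portal assignments
#    add this for you; SDK/Terraform assignments must declare it explicitly.
resource "azurerm_role_assignment" "dine_identity" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor" # placeholder; match the definition
  principal_id         = azurerm_subscription_policy_assignment.dine.identity[0].principal_id
}

# 3. Remediate resources that already exist and were only flagged non-compliant.
#    depends_on ensures the task starts after the identity has its permissions.
resource "azurerm_subscription_policy_remediation" "dine" {
  name                 = "dine-example-remediation"
  subscription_id      = data.azurerm_subscription.current.id
  policy_assignment_id = azurerm_subscription_policy_assignment.dine.id

  depends_on = [azurerm_role_assignment.dine_identity]
}
```

After `terraform apply`, the remediation task's status in the Policy blade shows whether the identity could actually perform the deployment; a failed task with an authorization error points back to step 2.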