We are deploying most of my resources in Azure using Terraform, but also have a number of Azure policies which enforce various things. What I have noticed is that where a resource is deployed via tf, any Azure policies which use deployIfNotExist conditions don’t trigger the remediation tasks. When deploying the same resources via the UI or ARM the policies operate just fine.
The way that I understand deployIfNotExist policies is that they trigger on a successful create or update deployment. Am I right in thinking that this is because Terraform doesn’t actually create a ‘deployment’, and therefore the policy engine doesn’t know the resources exist until it does its compliance scan and finds them non-compliant, at which point the remediation job can’t fire; they simply get flagged as non-compliant?
Does anyone have a way around this?
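As an added example (not from the original post), this shows how the remediation job the question refers to can be created explicitly from Terraform, so remediation does not depend on an ARM deployment event. The policy definition id, resource group and names are placeholders, and the azurerm resource and argument names are as I understand them, to be checked against your provider version.

```hcl
# Added example: assign a deployIfNotExists policy to a resource group and
# create the remediation task explicitly, rather than relying on a
# create/update "deployment" event that Terraform does not produce.
# Placeholders: the policy definition id and resource group name are examples.

resource "azurerm_resource_group" "example" {
  name     = "rg-policy-demo"
  location = "westeurope"
}

resource "azurerm_resource_group_policy_assignment" "dine" {
  name                 = "dine-example"
  resource_group_id    = azurerm_resource_group.example.id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/<POLICY-DEFINITION-ID>"
  location             = azurerm_resource_group.example.location

  # deployIfNotExists needs a managed identity to run the remediation deployment
  identity {
    type = "SystemAssigned"
  }
}

# The identity must hold the role(s) listed in the definition's roleDefinitionIds.
# Contributor is an assumption here; grant the least privilege the definition needs.
resource "azurerm_role_assignment" "dine_identity" {
  scope                = azurerm_resource_group.example.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_resource_group_policy_assignment.dine.identity[0].principal_id
}

# Explicit remediation task: re-evaluate compliance and remediate what is found,
# instead of waiting for a deployment to trigger the policy.
resource "azurerm_resource_group_policy_remediation" "dine" {
  name                    = "dine-example-remediation"
  resource_group_id       = azurerm_resource_group.example.id
  policy_assignment_id    = azurerm_resource_group_policy_assignment.dine.id
  resource_discovery_mode = "ReEvaluateCompliance"

  depends_on = [azurerm_role_assignment.dine_identity]
}
```

Remediation tasks are one-shot, so re-running this after new Terraform-deployed resources appear (or re-creating it in a pipeline step) is what keeps the resource group compliant.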