I have a HashiCorp Sentinel policy that limits internet access. I need to add an exception for Azure app gateways and load balancers. Looking at the app gateway, I don’t see a way to relate an app gateway to a subnet.
I can upload the mocks and rule if needed.
@wblanchard-bmgf it would probably be best if we could get some mock data. The best way to do this would be via the Sentinel Playground @ https://play.sentinelproject.io.
Be sure to remove any data that may be considered private beforehand.
@wblanchard-bmgf I can see that you are using the common_functions library in your policy. I think you may have more success if you used a filter expression as follows:
import "tfplan/v2" as tfplan

# Every managed NSG rule being created or updated, excluding those whose
# address (module path) contains "app_gateway".
allScopedNetworkSecurityRules = filter tfplan.resource_changes as _, rc {
  rc.type is "azurerm_network_security_rule" and
  rc.mode is "managed" and
  rc.address not contains "app_gateway" and
  (rc.change.actions contains "create" or
   rc.change.actions is ["update"])
}

main = rule {
  # Placeholder: apply the policy's existing internet-access check only to the
  # scoped rules (the original referenced an undefined name here).
  all allScopedNetworkSecurityRules as _, rc {
    rc.change.after.source_address_prefix is not "Internet"
  }
}
Playground Example
This, however, isn’t the most elegant solution, as it is dependent on the name of the module that is in use. If a Terraform engineer does not follow the naming standard you define, they could sneak in the back door and open you up to a fair amount of risk.
A better solution may be to use Azure Service Tags and then filter out any rules that have a particular tag value defined. Not sure if this is an option for you or not, but it is definitely something worth exploring.
Hope this helps.
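As an added example (not the poster's own policy), here is one way to build the exception on the rule's own source prefix instead of the module address, so a renamed module cannot slip past it. The exempt service tags, the list of "internet" source prefixes and the helper name are assumptions to adjust for your environment.

```sentinel
import "tfplan/v2" as tfplan

# Assumed: service tags whose inbound traffic this policy exempts
# (for example the App Gateway control plane and LB health probes).
exemptServiceTags = ["GatewayManager", "AzureLoadBalancer"]

# Assumed: source prefixes that mean "anything on the Internet".
internetSources = ["Internet", "*", "0.0.0.0/0"]

# Every managed NSG rule that survives the plan, whatever its address.
nsgRules = filter tfplan.resource_changes as _, rc {
  rc.type is "azurerm_network_security_rule" and
  rc.mode is "managed" and
  rc.change.actions is not ["delete"] and
  rc.change.actions is not ["no-op"]
}

# Hypothetical helper: collect the rule's sources, whether the single
# source_address_prefix or the source_address_prefixes list is set.
sourcesOf = func(rc) {
  single = rc.change.after.source_address_prefix else null
  many = rc.change.after.source_address_prefixes else null
  sources = []
  if single is not null {
    append(sources, single)
  }
  if many is not null {
    sources += many
  }
  return sources
}

# Rules sourced from an exempt service tag are filtered out up front.
scopedRules = filter nsgRules as _, rc {
  not any sourcesOf(rc) as s { s in exemptServiceTags }
}

# Inbound Allow rules reachable from the Internet are violations.
violations = filter scopedRules as address, rc {
  rc.change.after.direction is "Inbound" and
  rc.change.after.access is "Allow" and
  any sourcesOf(rc) as s { s in internetSources }
}

main = rule {
  length(violations) is 0
}
```

Because the check reads the resource attributes in the plan, a rule that opens an inbound port to the Internet is caught regardless of which module created it, while the exempted service-tag rules still pass.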