Azure Policy and the AzureRm Provider

My company has recently enabled some Azure policies that require certain resources be deployed a certain way.

One of those restrictions is Subnets must have NSGs.

Our internal module does add the NSG to the subnets when they are built, but from an Azure perspective it appears as if you are trying to build a subnet, then in a separate operation attach an NSG.

Because these operations are split into 2 calls to the Azure APIs the policy denies our builds as it is not aware that we are about to attach the NSG.

Does anyone know a workaround for this issue?

Unfortunately there often isn’t a good answer for this sort of situation.

Some providers do have different resource options that might permit multiple actions to be achieved in a single API call (although it depends on what the API capabilities are too).

However, we have found the need to sometimes disable these policy checks, or perform them differently - for example switching off a non-compliant instance a few minutes after it is created instead of blocking the creation (because it can’t be done in a single API call [possibly because Terraform doesn’t allow it]).
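The two patterns discussed above side by side, as an added example that is not part of the original thread. It assumes the azurerm provider v3.x schema (in v4 the inline `subnet` block uses `address_prefixes` instead of `address_prefix`, so check the attribute names against your provider version); resource and variable names are illustrative. The first pattern is the one the question describes, where the subnet and the NSG association are separate resources and therefore separate API calls; the second uses the virtual network's inline `subnet` block so the NSG reference travels in the same PUT as the subnet, which is the kind of "different resource option" the answer alludes to.

```hcl
# Added example, not from the original post. Assumes azurerm provider v3.x;
# names are illustrative.

resource "azurerm_resource_group" "example" {
  name     = "rg-policy-demo"
  location = "westeurope"
}

resource "azurerm_network_security_group" "example" {
  name                = "nsg-demo"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Pattern 1: rejected by a "subnets must have an NSG" deny policy.
# Terraform issues a subnet PUT with no NSG, then a second PUT from the
# association resource. The policy evaluates the first PUT and denies it,
# so the association never gets a chance to run.
resource "azurerm_virtual_network" "two_calls" {
  name                = "vnet-two-calls"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "two_calls" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.two_calls.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_subnet_network_security_group_association" "two_calls" {
  subnet_id                 = azurerm_subnet.two_calls.id
  network_security_group_id = azurerm_network_security_group.example.id
}

# Pattern 2: passes the same policy. The subnet is declared inline in the
# virtual network resource, so the single VNet PUT already contains the
# subnet together with its networkSecurityGroup reference; the policy
# never observes a subnet without an NSG.
resource "azurerm_virtual_network" "one_call" {
  name                = "vnet-one-call"
  address_space       = ["10.1.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  subnet {
    name           = "snet-app"
    address_prefix = "10.1.1.0/24"
    security_group = azurerm_network_security_group.example.id
  }
}
```

Two caveats before adopting pattern 2: do not mix inline `subnet` blocks and standalone `azurerm_subnet` resources on the same virtual network, since each will try to remove the other's subnets on the next apply; and the inline block exposes far fewer subnet settings than `azurerm_subnet` (no delegations, service endpoints or private endpoint network policies in v3), so it only fits subnets that need nothing beyond an address prefix and an NSG. Note also that a deny policy is only enforced at apply time, so `terraform plan` will look clean for pattern 1 and the failure surfaces on `terraform apply`.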