Circumvent Azure Policy - Deny Subnet without NSG

Hello,

I have recently run into an issue when creating a subnet in without an nsg in Azure. The situation at hand is as follows. I work in a large corporate environment, where IT seniors manage our overall Azure Strategy. The intended workflow is for them to create a subscription with a vnet and nsg, and delegate access rights to other teams that require such a subscription. I am a part of one such team. Within the virtual network all PaaS services are required to disable public network access. For the time being, if a service requires access from on-premise network, a private_endpoint needs to be created. I am now in a situation where I need to create another subnet, and create private links to PaaS resources. However, an Azure Policy assignment prohibits me from doing so, stating Deny-Subnet-Without-Nsg., even though I do try to associate the subet with the existing nsg.

I am aware that one can create a azurerm_virtual_network and associate the nsg to subnet on creation, however this vnet is already created, and I have currently no option to alter it.

My code is as follows:

data "azurerm_virtual_network" "vnet" {
    name = var.vnet.name
    resource_group_name = var.vnet.rg_name
}

data "azurerm_network_security_group" "nsg" {
    name = var.nsg.name
    resource_group_name = var.nsg.rg_name
}

resource "azurerm_subnet" "snet" {
    name = var.subnet.name
    address_prefixes = var.subnet.address_prefixes
    resource_group_name = data.azurerm_virtual_network.vnet.resource_group_name
    virtual_network_name = data.azurerm_virtual_network.vnet.name
    enforce_private_link_endpoint_network_policies = var.subnet.enforce_private_link_endpoint_network_policies
}

resource "azurerm_subnet_network_security_group_association" "snet_nsg_ass" {
    subnet_id = azurerm_subnet.snet.id
    network_security_group_id = data.azurerm_network_security_group.nsg.id
}

I kindly appreciate any advice or guidance towards solving this issue.

Best Regards