Circumvent Azure Policy - Deny Subnet without NSG


I have recently run into an issue when creating a subnet in without an nsg in Azure. The situation at hand is as follows. I work in a large corporate environment, where IT seniors manage our overall Azure Strategy. The intended workflow is for them to create a subscription with a vnet and nsg, and delegate access rights to other teams that require such a subscription. I am a part of one such team. Within the virtual network all PaaS services are required to disable public network access. For the time being, if a service requires access from on-premise network, a private_endpoint needs to be created. I am now in a situation where I need to create another subnet, and create private links to PaaS resources. However, an Azure Policy assignment prohibits me from doing so, stating Deny-Subnet-Without-Nsg., even though I do try to associate the subet with the existing nsg.

I am aware that one can create a azurerm_virtual_network and associate the nsg to subnet on creation, however this vnet is already created, and I have currently no option to alter it.

My code is as follows:

data "azurerm_virtual_network" "vnet" {
    name =
    resource_group_name = var.vnet.rg_name

data "azurerm_network_security_group" "nsg" {
    name =
    resource_group_name = var.nsg.rg_name

resource "azurerm_subnet" "snet" {
    name =
    address_prefixes = var.subnet.address_prefixes
    resource_group_name = data.azurerm_virtual_network.vnet.resource_group_name
    virtual_network_name =
    enforce_private_link_endpoint_network_policies = var.subnet.enforce_private_link_endpoint_network_policies

resource "azurerm_subnet_network_security_group_association" "snet_nsg_ass" {
    subnet_id =
    network_security_group_id =

I kindly appreciate any advice or guidance towards solving this issue.

Best Regards