Relative Content

Tag Archive for azureterraformpolicy

Terraform and Azure policy interaction issue

We have a deployment of a VNET with Bicep which works fine. Moving to Terraform and there are issues with Azure Policy. We have a policy which denies the creation of subnets with no NSGs. This is fine with Bicep as it seems to create the NSG link to the subnet as an atomic operation. Terraform doesn’t do this – it creates the subnet without an NSG attached and then runs a separate Terraform resource which connects them, and so the subnet creation fails because of the policy. Same issue for route tables. Any general comment on this? There is no way to defer policy evaluation until after Terraform has finished and no inline way to force Terraform to do such things as an atomic operation …

Azure – ignore a policy when a change comes from a specific user

I have a policy that denies changes on resources that have the tag “source:terraform”.
However, I want that policy to only block changes from the UI and not from Azure DevOps.
So I want to exclude the technical user that Azure DevOps is using from the policy, so that changes on Terraform resources are not possible via the UI, but are possible via the Azure DevOps pipeline.