We recently created an Azure policy that enforces a certain set of Tags to be present on all resources. This policy blocks deployments that don't contain the required tags in the deployment. However, certain taggable resources, such as Vnets, don't have an option to add Tags during deployment unless you use an ARM template. It looks like Terraform also attempts to deploy the Vnet as a separate step before adding tags, which causes Terraform-deployed Vnets to fail even if the proper tags are provided. With Terraform, if an ARM template is provided, it will bypass this issue.
How can I get Terraform to deploy resources such as Vnets without using an ARM template and without having to ditch the Azure policy? Ideally, I'd like to be able to exclude Terraform-initiated resource deployments from the Azure Policy, but I can't find a way to differentiate Terraform deployments from normal Azure Web Portal deployments in Azure Policy.
Some other ideas:
Is there a more elegant solution other than the options mentioned above?
Azure Policy doesn't have any way to differentiate between how an ARM operation was performed; it only sees the resultant set of properties that are going to be applied to the resource.
What about using the inherit resource group tag policy (https://github.com/Azure/azure-policy/tree/master/samples/Tags/inherit-resourcegroup-tag)? Terraform could add the tag to the resource group, then deploy the vnet, at which point Policy will apply the tags from the resource group to the vnet.
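The approach suggested in the answer above, written out as Terraform HCL. This is an added example, not code from the question, the answer or the linked azure-policy sample: it uses the built-in policy definition "Inherit a tag from the resource group if missing" (a `modify` effect, which Azure Policy evaluates before `deny` on the same request, so the tag is present by the time the tag-enforcement policy runs) rather than the older `append` sample linked above. The tag names, resource names, region and address space are assumed placeholders; the policy assignment and its role assignment are created first so the Vnet request is already covered when Terraform sends it.

```terraform
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed set of tags your deny policy requires; replace with your own.
variable "required_tags" {
  type    = map(string)
  default = { owner = "netops", costcenter = "cc-1234" }
}

data "azurerm_subscription" "current" {}

# Built-in definition that copies a tag from the resource group onto a
# resource when the resource does not already carry it (modify effect).
data "azurerm_policy_definition" "inherit_tag" {
  display_name = "Inherit a tag from the resource group if missing"
}

# Step 1: the resource group carries the required tags.
resource "azurerm_resource_group" "net" {
  name     = "rg-net-example" # assumed name
  location = "westeurope"     # assumed region
  tags     = var.required_tags
}

# Step 2: one assignment per required tag (the definition takes a single tagName).
# modify needs a managed identity that is allowed to change the resource.
resource "azurerm_subscription_policy_assignment" "inherit" {
  for_each             = var.required_tags
  name                 = "inherit-tag-${each.key}"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = data.azurerm_policy_definition.inherit_tag.id
  location             = azurerm_resource_group.net.location
  parameters           = jsonencode({ tagName = { value = each.key } })

  identity {
    type = "SystemAssigned"
  }
}

# Grant the assignment identities the right to write tags on resources.
resource "azurerm_role_assignment" "policy_writer" {
  for_each             = azurerm_subscription_policy_assignment.inherit
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = each.value.identity[0].principal_id
}

# Step 3: the Vnet. Even though Terraform sends the create without tags,
# the modify policy adds them from the resource group before deny evaluates.
resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-example" # assumed name
  location            = azurerm_resource_group.net.location
  resource_group_name = azurerm_resource_group.net.name
  address_space       = ["10.0.0.0/16"] # assumed range
  tags                = var.required_tags

  depends_on = [azurerm_role_assignment.policy_writer]
}
```

Two practical caveats: a new policy assignment can take several minutes to become effective, so a `terraform apply` that creates the assignment and the Vnet in one run may still see the first Vnet create denied until the assignment propagates; and because Terraform sets the same tag values on its follow-up update, the `if missing` variant of the policy avoids a perpetual diff between what Terraform wants and what Policy writes.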