Forum Discussion
Exempt - Azure CSPM Recommendation" (Terraform exemption
The reason you're not finding a standalone policyAssignmentId/policyDefinitionId for this specific recommendation is that it isn't a standalone assignment — it's one control inside the built-in CSPM initiative (the "ASC Default" / Microsoft Cloud Security Benchmark assignment). That initiative does have an assignment ID; you just need to target the specific control within it, not look for a separate one.
In azurerm_resource_policy_exemption (or the subscription/resource-group variants), the relevant fields are:
- policy_assignment_id → the ID of the initiative assignment (ASC Default / MCSB), not a per-recommendation assignment
- policy_definition_reference_ids → an array scoping the exemption to just this one control instead of the whole initiative
```hcl
resource "azurerm_resource_policy_exemption" "function_app_network_exemption" {
  name        = "exempt-function-network-restriction"
  resource_id = azurerm_linux_function_app.example.id

  # ID of the initiative assignment (ASC Default / MCSB), not a per-recommendation assignment
  policy_assignment_id = data.azurerm_subscription_policy_assignment.asc_default.id

  # Scope the exemption to this one control inside the initiative
  policy_definition_reference_ids = [
    "<reference-id-for-the-specific-control>"
  ]

  exemption_category = "Waiver" # or "Mitigated" if an equivalent control exists
  expires_on         = "2026-12-31T00:00:00Z"
}
```
To find the policy_definition_reference_id for this specific control: in the Azure Portal, go to Policy → Definitions, search for "Restricted network access should be configured on Internet exposed Function app" to get its definition ID, then open the initiative definition (ASC Default) and find the matching entry in its policyDefinitions[].policyDefinitionReferenceId array — that string is what goes in the array above.
Two things worth deciding upfront before automating this:
- Waiver vs Mitigated — if you've genuinely restricted access another way (e.g., Private Endpoint), use Mitigated so it's distinguishable from accepted risk in reporting.
- Consider whether the exemption belongs at the resource scope (just this Function App) vs. resource group/subscription — narrower is safer, but if you have a pattern of similar apps, a tag-based resourceSelectors block can scale this without per-resource blocks.
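The two-step lookup described in that answer (display name → policy definition ID → policyDefinitionReferenceId inside the initiative) can be scripted instead of clicked through the portal. The following is an added example, not code from the answer's author: it assumes the JSON shapes returned by `az policy definition list` (objects with `displayName` and `id`) and `az policy set-definition show` (a `policyDefinitions` array with `policyDefinitionId` and `policyDefinitionReferenceId`), and the sample data embedded below is constructed with placeholder GUIDs and made-up reference IDs. It also checks a proposed `policy_definition_reference_ids` list against the initiative so a typo is caught before `terraform apply`.

```python
"""Resolve and validate policyDefinitionReferenceId values for an Azure policy exemption.

Mirrors the manual portal procedure: find the definition ID by display name, then
find the matching entry in the initiative's policyDefinitions[] array.
Example code added here, not the forum answer's own; sample JSON is constructed.
"""
from __future__ import annotations

import json
from typing import Dict, List, Optional

# Constructed sample of `az policy definition list` output, trimmed to the two fields
# used here. The GUIDs are placeholders, not real Azure definition IDs.
SAMPLE_DEFINITIONS_JSON = json.dumps([
    {
        "displayName": "Restricted network access should be configured on Internet exposed Function app",
        "id": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000001",
    },
    {
        "displayName": "Storage accounts should restrict network access",
        "id": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000002",
    },
])

# Constructed sample of `az policy set-definition show` output for the initiative,
# reduced to the fields used here. Reference IDs are made up for this example.
SAMPLE_INITIATIVE_JSON = json.dumps({
    "name": "PLACEHOLDER-initiative-name",
    "policyDefinitions": [
        {
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000001",
            "policyDefinitionReferenceId": "funcAppRestrictedNetworkAccess",
        },
        {
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000002",
            "policyDefinitionReferenceId": "storageRestrictNetworkAccess",
        },
    ],
})


def definition_id_for_display_name(definitions: List[Dict], display_name: str) -> Optional[str]:
    """Step 1: Policy -> Definitions search. Display names are matched ignoring case and
    surrounding whitespace; returns None when no definition carries that name."""
    wanted = display_name.strip().casefold()
    for definition in definitions:
        if definition.get("displayName", "").strip().casefold() == wanted:
            return definition["id"]
    return None


def reference_id_for_definition(initiative: Dict, policy_definition_id: str) -> Optional[str]:
    """Step 2: find the initiative entry whose policyDefinitionId matches. Azure resource
    IDs are case-insensitive, so compare case-folded."""
    wanted = policy_definition_id.casefold()
    for entry in initiative.get("policyDefinitions", []):
        if entry.get("policyDefinitionId", "").casefold() == wanted:
            return entry["policyDefinitionReferenceId"]
    return None


def resolve_reference_id(definitions_json: str, initiative_json: str, display_name: str) -> Optional[str]:
    """Chain both steps: display name -> definition ID -> policyDefinitionReferenceId."""
    definition_id = definition_id_for_display_name(json.loads(definitions_json), display_name)
    if definition_id is None:
        return None
    return reference_id_for_definition(json.loads(initiative_json), definition_id)


def unknown_reference_ids(initiative_json: str, reference_ids: List[str]) -> List[str]:
    """Return any proposed policy_definition_reference_ids values that do not exist in the
    initiative, so a mistyped ID is caught before the exemption is applied."""
    known = {
        entry["policyDefinitionReferenceId"]
        for entry in json.loads(initiative_json).get("policyDefinitions", [])
    }
    return [ref for ref in reference_ids if ref not in known]


if __name__ == "__main__":
    name = "Restricted network access should be configured on Internet exposed Function app"
    ref = resolve_reference_id(SAMPLE_DEFINITIONS_JSON, SAMPLE_INITIATIVE_JSON, name)
    print(f'policy_definition_reference_ids = ["{ref}"]')
    print("unknown:", unknown_reference_ids(SAMPLE_INITIATIVE_JSON, [ref, "typo-reference-id"]))
```

Against a real subscription you would feed the script the output of `az policy definition list` and `az policy set-definition show -n <initiative name>` instead of the constructed samples; the printed line is the value to paste into the `policy_definition_reference_ids` array of the Terraform resource.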