Forum Discussion
Exempt - Azure CSPM Recommendation
Hi Anshu, your understanding may be right depending on how that recommendation is surfaced.
Terraform `azurerm_subscription_policy_exemption` works cleanly when the recommendation maps to an Azure Policy assignment and a policy definition/reference ID. Some Defender for Cloud CSPM recommendations are assessment-style recommendations or controls inside a security standard, and they do not always expose a normal standalone policy assignment ID the way Azure Policy exemptions expect.
I would first check whether the recommendation appears under a policy initiative with a `policyDefinitionReferenceId`. If it does, exempting the initiative reference is usually the path. If it only exists as a Defender assessment/recommendation and the portal creates a Defender-side exemption, then the Azure Policy exemption resource may not be the right API surface. In that case you may need the Defender for Cloud/governance exemption API path, or manage that exception outside the `azurerm_subscription_policy_exemption` resource until provider support catches up.