terraform - Restrict Savings Plan creation outside specified subscription in Mgmt group via Azure Policy - Stack Overflow

Using Terraform/Azure Policies, I want to restrict the creation of savings plans only to one of our subscriptions i.e Prod. We have more than 10 subscriptions in the tenant in different management groups.

Since Savings Plans don't have a straightforward path I'm facing difficulties creating a policy for them.

Here's the policy I have so far:

resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"

  policy_rule = <<POLICY
  {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Billing billingAccounts/savingsPlanOrders/savingsPlans"//Not sure if this is correct
        },
        {
          "value": "[subscription().Id]", //Kinda iffy about this
          "notEquals": "Prod-subscription-id"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
  POLICY
}

I referenced the Azure documentation to identify the Savings Plan type for this policy, but I'm not entirely certain it's accurate. If there's a more correct type, I’d appreciate it if you could point it out.

The goal of this policy is to deny the creation of Savings Plans outside the Prod subscription. I expect that if someone attempts this, they should see a deny message.

However, I’m unsure whether the conditions for the Subscription value and the Savings Plan field in the policy_rule are written correctly as our vendor has confirmed that they're still able to create plans without getting any denials. I would greatly appreciate any feedback or suggestions to refine this policy.

Thank you in advance!