Azure resource scope for policy as rules

[BernieWhite]

To support exemptions (#1887), exclusions (#1890), and scoped policy assignment rules (#1891) need to emit a scope to resources during expansion.

To further complicate this, a single repository could include resources for more than one scope when defining infrastructure as code. So:

• Expanded resources should default to a specific scope. This should work as a fall back but also for module tests.
• Expansion should add awareness if resource group and subscription are known.
• Metadata can be added to define a target scope for resources when authoring from infrastructure as code.