Use-cases
In the TFE UI it's possible to set a policy set as global (covering new workspaces) and add a list of workspace exclusions. This ensures that new workspaces are always covered.
Attempted Solutions
Using the tfe provider you cannot set the exclusion list, so one must specify a list of all applicable workspace ids (the inverse of global + allowlist). This means that until the workspace is applied again, new workspaces will not be covered by "global" sentinel policies.
Proposal
Add support to the TFE provider to set exclusions in the tfe_policy_set resource to match the capabilities in the UI.