Can't use Log Analytics workspace in a different subscription? Terraform azurerm policy assignment

I'm using Terraform to write Azure Policy as code. I found two problems:

1. I can't seem to use a Log Analytics workspace that is in a different subscription; within the same subscription, it's fine.
2. For policies that need a managed identity, I can't seem to assign the correct rights to it.

resource "azurerm_policy_assignment" "Enable_Azure_Monitor_for_VMs" {
  
  name                 = "Enable Azure Monitor for VMs"
  scope                = data.azurerm_subscription.current.id
  policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a"
  description          = "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter."
  display_name         = "Enable Azure Monitor for VMs"
  location             = var.location
  metadata = jsonencode(
    {
      "category" : "General"
  })

  parameters = jsonencode({
    "logAnalytics_1" : {
      "value" : var.log_analytics_workspace_ID
    }
  })

  identity {
    type = "SystemAssigned"
  }

}

resource "azurerm_role_assignment" "vm_policy_msi_assignment" {
  scope                = azurerm_policy_assignment.Enable_Azure_Monitor_for_VMs.scope
  role_definition_name = "Contributor"
  principal_id         = azurerm_policy_assignment.Enable_Azure_Monitor_for_VMs.identity[0].principal_id
}

For var.log_analytics_workspace_ID, if I use the workspace ID that is in the same subscription as the policy, it works fine. But if I use a workspace ID from a different subscription, after deployment, the workspace field will be blank.

Also, for resource "azurerm_role_assignment" "vm_policy_msi_assignment", I have already given myself the user access management role, but after deployment, "This identity currently has the following permissions:" is still blank?



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
