How do I properly structure my Terraform config if I need to deploy a multi-tenant application?


I imagine this is a more or less frequent ask, but I did not find any reliable information to guide my first implementation of Terraform.
I have a requirement to deploy both shared infra (a good example is a VNET) and dedicated infra for client1, client2, etc. I use Terraform Cloud. How do I properly structure my repo to have those deployed and TFSTATE work reliably?
I isolated shared components into their own directory, and the rest of the infra (client-specific) is fed by a variables file. The problem is that clients need to modify shared infra (a good example: they need to create a subnet in the VNET specific to the client). This means that the state file for the shared component would become inconsistent, since deployed infra was modified outside of the state file.
Is there a good solution which would reliably work for this sort of multi-tenancy application?