How to deploy 2 VMs with same app in 2 different Azure regions and allow for server/app to be updated one by one in future

I am new to Terraform. We use Terraform with Azure devops.

So I will be creating a pipeline to create backups, key vault, monitoring and 2 VMs with Terraform code. The 2 VMs will reside in 2 different Azure regions and an application cluster will be formed. We use a hardened image which gets updated every month. And then a script is passed through to the VM through the custom script extension (CSE) to install the application.

Intention is to create Terraform code so that we can disable VM1 in application cluster, then destroy and rebuild VM1 with the new hardened image (with latest updates) and join it back to the application cluster. And then do the same with VM2.

This way the application is working all the time and we are still able to perform updates on OS and application level.

From what I have read it seems that the VM needs to be "tainted" before it is rebuilt with the new image by Terraform (provided we pointed the code to the new image). Or does changing the image in the variables automatically destroy and recreate the VM and then run the script we have through the CSE?

And if we have to taint the VM before changing the image ID, then how should the Azure DevOps pipeline be structured? Do I need a separate pipeline to taint the VM apart from the deploy and destroy pipelines that I am planning now?
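The layout the question describes, written out as an added example (this is not the poster's code): one VM per region driven by a single image-ID variable, the CSE that installs the app, and the per-VM apply the pipeline would run. Resource group, NICs, SSH key, sizes, regions and the install script URL are assumed inputs, and the "leave/join the application cluster" step is left to the script or a pipeline task because it is application specific.

```hcl
# Added example, not from the poster: one VM per region, image ID from a variable.
variable "hardened_image_id" {
  type        = string
  description = "ID of the current monthly hardened image; set from the pipeline"
}
# Assumed inputs created elsewhere (resource group, NICs, SSH key, script URL).
variable "resource_group_name" { type = string }
variable "ssh_public_key" { type = string }
variable "install_script_url" { type = string }
variable "vms" {
  type = map(object({ location = string, nic_id = string }))
  # e.g. { vm1 = { location = "westeurope", nic_id = "..." }, vm2 = { location = "northeurope", nic_id = "..." } }
}

resource "azurerm_linux_virtual_machine" "app" {
  for_each              = var.vms
  name                  = "app-${each.key}"
  location              = each.value.location
  resource_group_name   = var.resource_group_name
  size                  = "Standard_D2s_v3"
  admin_username        = "azureuser"
  network_interface_ids = [each.value.nic_id]
  # source_image_id forces replacement: a new image ID alone makes Terraform
  # destroy and recreate the VM, so no separate taint step is needed for that.
  source_image_id = var.hardened_image_id

  admin_ssh_key {
    username   = "azureuser"
    public_key = var.ssh_public_key
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }
}

# The CSE is tied to the VM ID, so it is recreated (and the script re-run) with the VM.
resource "azurerm_virtual_machine_extension" "install_app" {
  for_each             = azurerm_linux_virtual_machine.app
  name                 = "install-app"
  virtual_machine_id   = each.value.id
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScript"
  type_handler_version = "2.1"
  protected_settings = jsonencode({
    commandToExecute = "bash -c 'curl -fsSL ${var.install_script_url} | bash'"
  })
}

# Rolling rebuild from the pipeline, one stage per VM, after bumping hardened_image_id:
#   terraform apply -target='azurerm_linux_virtual_machine.app["vm1"]'   # then vm2
# To force a rebuild without an image change, use -replace (the successor of taint):
#   terraform apply -replace='azurerm_linux_virtual_machine.app["vm1"]'
```

Targeting one VM per pipeline stage keeps the other region's VM untouched while the first is rebuilt, which is what allows the cluster to stay up during the update.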