If you nest something inside another resource, is it okay to reference it?

How do we know what Azure resource can be nested within a primary resource?
I am also deploying multiple VMs in a single TF. (The VM deployment below would be repeated for each new VM.) Should the NIC be nested within the VM deployment? If nesting is not used, can we always associate with another resource, such as if an availability set is associated with two other VMs, ... have the "azurerm_availability_set" under each VM deployment command? The azurerm_availability_set would not be nested, since there are three VMs which are using this availability set. If there is no nesting for the availability set, could we add virtual_machine = var.availnodes, where the variable (availnodes) is a list of [server1, server2, server3]? If we wanted to have each VM in a separate platform_update_domain, would we have to specify the specific domain, or would the VMs be distributed automatically into separate update domains?

If you reference a resource dependency when it is not required, will this create an error, or will this just be overlooked by Terraform? For example, below the NIC is nested within the VM; is this OK? And if you do not nest the NIC within the VM, would adding virtual_machine_id = var.testserver be sufficient, with the string variable testserver1 = webserver? (Should this be webserver or webserver.id?) Or should we use network_interface_ids = ["${azurerm_network_interface.webserver_nic.id}"] within the command for deployment of a VM? I am thinking that if you nest, the dependency parameter does not need to be stated; however, if the resource appears outside of the nest, then you will need to add a dependency parameter?

How does Terraform know when the NIC/IP configuration resource is associated with a specific VM?

Is the azurerm_network_interface nested correctly? Unsure about the use of the {} below.

resource "azurerm_virtual_machine" "JCENMGT01WA" {
resource_group_name = "${azurerm_resource_group.vdms.name}"
subnet_id = "${var.subnet_vdms_internal_a_id}"
vm_size = "Standard_D16s_v3"
network_interface_ids = ["${azurerm_network_interface.nicJCENMGT02WB.id}"]

tags = {
Backup = "True"
"Backup Retention" = "Standard"
Critical = "True"
Environment = "Production"
Name = "JCENMGT01WA"
"Operating System" = "Windows Server 2016 Datacenter"
Owner = "AAA"
"Patch Window Day" = "Saturday"
Purpose = "VDMS Windows Bastion Server"
Reboot = "Auto"

#Create a Network Interface for a single vdms-instance(external a)
resource "azurerm_network_interface" "nicJCENMGT02WB" { ### how to vary name of NIC or else create NIC for each instance (VM)

    name                = "NICJCENMGT02WB"
    location            = "${var.location}"                                                    
    resource_group_name = "${azurerm_resource_group.vdms.name}"

    ip_configuration {
        name                          = "Ip_configuration_JCENMGT01WA"                        ### ?
        subnet_id                     = "${azurerm_subnet.subnet_vdms_external_a_id.id}"             ###original is incorrect?  ${azurerm_subnet.internal.id}"
        private_ip_address_allocation = "Dynamic" 

storage_os_disk {
    name              = "OsDisk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Premium_LRS"

storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"

os_profile {
    computer_name  = "JCENMGT01WA"
    admin_username = "zzadmin"
    admin_password = "Password!"

os_profile_windows_config {   # VM agent is required for Windows machines only. Linux machines require the disable password authentication = false.
provision_vm_agent = true
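
An added example, not code from the original post: the same deployment with every resource as a top-level block, where a reference such as `azurerm_network_interface.nic[each.key].id` is what ties a NIC to its VM and gives Terraform the creation order. It assumes Terraform 0.12.6 or later (for `for_each`) and that `var.location` and `azurerm_resource_group.vdms` are declared elsewhere as in the post; `vdms-avset`, `var.subnet_id` and `var.admin_password` are hypothetical names.

```hcl
variable "availnodes" { default = ["server1", "server2", "server3"] } # list from the post
variable "subnet_id" {}      # assumed: ID of an existing subnet
variable "admin_password" {} # supplied at run time (TF_VAR_admin_password), not hardcoded

resource "azurerm_availability_set" "vdms" { # declared once, shared by every VM
  name                = "vdms-avset"
  location            = var.location
  resource_group_name = azurerm_resource_group.vdms.name
  managed             = true # needed because the VMs use managed disks
}

resource "azurerm_network_interface" "nic" { # one NIC per VM name, not nested
  for_each            = toset(var.availnodes)
  name                = "NIC-${each.key}"
  location            = var.location
  resource_group_name = azurerm_resource_group.vdms.name
  ip_configuration {
    name                          = "ipconfig-${each.key}"
    subnet_id                     = var.subnet_id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_virtual_machine" "vm" {
  for_each              = toset(var.availnodes)
  name                  = each.key
  location              = var.location
  resource_group_name   = azurerm_resource_group.vdms.name
  vm_size               = "Standard_D16s_v3"
  availability_set_id   = azurerm_availability_set.vdms.id           # implicit dependency
  network_interface_ids = [azurerm_network_interface.nic[each.key].id] # NIC-to-VM link
  storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }
  storage_os_disk {
    name              = "${each.key}-OsDisk" # disk names must differ per VM
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Premium_LRS"
  }
  os_profile {
    computer_name  = each.key
    admin_username = "zzadmin"
    admin_password = var.admin_password
  }
  os_profile_windows_config { provision_vm_agent = true }
}
```

Azure assigns the VMs of an availability set to update domains automatically. The admin password is still written to the Terraform state file, so access to the state backend needs to be restricted.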