Is there a way in Azurerm to provision a subnet with an NSG attachment and also provision service endpoints? This is considering we have a policy to enforce an NSG on the subnet. So:
- If the subnet is a separate resource (as a separate resource, nsg_id is not a parameter anymore), it would fail the policy.
- As a sub-resource under the vnet, it can attach an nsg_id, but does not have parameters to provision a service endpoint or service delegation.