[Feature Request]: Disable public network access if PE is enabled unless explicitly enabled #1660

@eriqua

Description

Private endpoints cannot be enforced by default in our modules since they require networking information specific to the target environment. Hence, similarly to why we do not deny network ACLs by default, publicNetworkAccess disablement is not enforced by default, as this would result in locking the resource access by default (no private endpoint + disabled publicNetworkAccess).
However, publicNetworkAccess should be disabled by default if private endpoints are set.

Following agreement on issue Azure/bicep-registry-modules#2510, this issue is about aligning default values for publicNetworkAccess for all modules in the following way:

  • If publicNetworkAccess is explicitly set in parameters, keep what is passed, which has priority regardless of whether PE is enabled or not.
  • Otherwise:
    • if pe is enabled -> disable publicNetworkAccess
    • if pe is not enabled -> do nothing explicitly on publicNetworkAccess but keep the default

Suggested code snippets

Parameter section

```bicep
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
@allowed([
  ''
  'Enabled'
  'Disabled'
])
param publicNetworkAccess string = ''
```

Resource section

```bicep
publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
```
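To show the three cases from the list above end to end, here is an added example (not code from this issue or from the bicep-registry-modules project) of a minimal module that applies the suggested parameter and resource snippets to a storage account; the storage account resource, its API version, the `privateEndpoints` parameter shape and the output are assumptions.

```bicep
// Added example: a minimal module applying the suggested defaulting pattern.
// The storage account resource and the privateEndpoints array shape are assumptions.

@description('Required. Name of the storage account.')
param name string

@description('Optional. Location for the resource.')
param location string = resourceGroup().location

@description('Optional. Private endpoint configuration. When non-empty, public network access defaults to Disabled.')
param privateEndpoints array = []

@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
@allowed([
  ''
  'Enabled'
  'Disabled'
])
param publicNetworkAccess string = ''

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    // An explicit parameter value always wins. Otherwise, private endpoints being
    // configured implies Disabled; otherwise null leaves the provider default in place.
    publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null)
  }
}

// Resulting value for the three cases described in the issue:
//   privateEndpoints: [ { ... } ], publicNetworkAccess: ''          -> 'Disabled'
//   privateEndpoints: [ { ... } ], publicNetworkAccess: 'Enabled'   -> 'Enabled' (explicit wins)
//   privateEndpoints: [],          publicNetworkAccess: ''          -> property omitted, provider default applies

@description('The effective publicNetworkAccess value, useful for checking the default in a test deployment.')
output effectivePublicNetworkAccess string = storageAccount.properties.publicNetworkAccess ?? 'not set'
```

Deploying the module with `what-if` before and after adding a private endpoint is a quick way to confirm that the effective value flips to Disabled without an explicit parameter.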
