From 37f121a6687f4072a3728cb9fa2701d30550578a Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 5 Mar 2022 19:44:28 +0100
Subject: [PATCH 1/9] Added VPN site module
---
 .../modulePipelines/ms.network.vpnsites.yml | 52 +++++++
 .github/workflows/ms.network.vpnsites.yml | 135 ++++++++++++++++++
 .../virtualHubs/deploy.bicep | 4 +-
 .../vpnSites/.bicep/nested_cuaId.bicep | 1 +
 .../vpnSites/.parameters/min.parameters.json | 20 +++
 .../vpnSites/.parameters/parameters.json | 64 +++++++++
 arm/Microsoft.Network/vpnSites/deploy.bicep | 69 +++++++++
 arm/Microsoft.Network/vpnSites/readme.md | 120 ++++++++++++++++
 8 files changed, 463 insertions(+), 2 deletions(-)
 create mode 100644 .azuredevops/modulePipelines/ms.network.vpnsites.yml
 create mode 100644 .github/workflows/ms.network.vpnsites.yml
 create mode 100644 arm/Microsoft.Network/vpnSites/.bicep/nested_cuaId.bicep
 create mode 100644 arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
 create mode 100644 arm/Microsoft.Network/vpnSites/.parameters/parameters.json
 create mode 100644 arm/Microsoft.Network/vpnSites/deploy.bicep
 create mode 100644 arm/Microsoft.Network/vpnSites/readme.md
diff --git a/.azuredevops/modulePipelines/ms.network.vpnsites.yml b/.azuredevops/modulePipelines/ms.network.vpnsites.yml
new file mode 100644
index 0000000000..1e81c5d417
--- /dev/null
+++ b/.azuredevops/modulePipelines/ms.network.vpnsites.yml
@@ -0,0 +1,52 @@
+name: 'Network: VPN Sites'
+
+parameters:
+ - name: removeDeployment
+ displayName: Remove deployed module
+ type: boolean
+ default: true
+ - name: prerelease
+ displayName: Publish prerelease module
+ type: boolean
+ default: false
+
+trigger:
+ batch: true
+ branches:
+ include:
+ - main
+ paths:
+ include:
+ - '/.azuredevops/modulePipelines/ms.network.vpnsites.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
+ - '/arm/Microsoft.Network/vpnSites/*'
+ exclude:
+ - '/**/*.md'
+
+variables:
+ - template: '/.azuredevops/pipelineVariables/global.variables.yml'
+ - group: 'PLATFORM_VARIABLES'
+ - name: modulePath
+ value: '/arm/Microsoft.Network/vpnSites'
+
+stages:
+ - stage: Validation
+ displayName: Pester tests
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.validateModulePester.yml
+
+ - stage: Deployment
+ displayName: Deployment tests
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
+ parameters:
+ removeDeployment: '${{ parameters.removeDeployment }}'
+ deploymentBlocks:
+ - path: $(modulePath)/.parameters/min.parameters.json
+ - path: $(modulePath)/.parameters/parameters.json
+
+ - stage: Publishing
+ displayName: Publish module
+ condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq('${{ parameters.prerelease }}', 'true')))
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.publishModule.yml
diff --git a/.github/workflows/ms.network.vpnsites.yml b/.github/workflows/ms.network.vpnsites.yml
new file mode 100644
index 0000000000..59ca3e609e
--- /dev/null
+++ b/.github/workflows/ms.network.vpnsites.yml
@@ -0,0 +1,135 @@
+name: 'Network: VPN Sites'
+
+on:
+ workflow_dispatch:
+ inputs:
+ removeDeployment:
+ type: boolean
+ description: 'Remove deployed module'
+ required: false
+ default: 'true'
+ prerelease:
+ type: boolean
+ description: 'Publish prerelease module'
+ required: false
+ default: 'false'
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/actions/templates/**'
+ - '.github/workflows/ms.network.vpnsites.yml'
+ - 'arm/Microsoft.Network/vpnSites/**'
+ - '!*/**/readme.md'
+ - 'utilities/pipelines/**'
+ - '!utilities/pipelines/dependencies/**'
+
+env:
+ modulePath: 'arm/Microsoft.Network/vpnSites'
+ workflowPath: '.github/workflows/ms.network.vpnsites.yml'
+ AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+ ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
+
+jobs:
+ ############################
+ # SET INPUT PARAMETERS #
+ ############################
+ job_set_workflow_param:
+ runs-on: ubuntu-20.04
+ name: 'Set input parameters to output variables'
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Set input parameters'
+ id: get-workflow-param
+ uses: ./.github/actions/templates/getWorkflowInput
+ with:
+ workflowPath: '${{ env.workflowPath}}'
+ outputs:
+ removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }}
+
+ ####################
+ # Pester Tests #
+ ####################
+ job_module_pester_validation:
+ runs-on: ubuntu-20.04
+ name: 'Pester tests'
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Run tests'
+ uses: ./.github/actions/templates/validateModulePester
+ with:
+ modulePath: '${{ env.modulePath }}'
+
+ ####################
+ # Deployment tests #
+ ####################
+ job_module_deploy_validation:
+ runs-on: ubuntu-20.04
+ name: 'Deployment tests'
+ needs:
+ - job_set_workflow_param
+ - job_module_pester_validation
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['min.parameters.json', 'parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set environment variables
+ uses: deep-mm/set-variables@v1.0
+ with:
+ variableFileName: 'global.variables'
+ - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ parameterFilePath: '${{ env.modulePath }}/.parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.resourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ needs.job_set_workflow_param.outputs.removeDeployment }}'
+
+ ###############
+ # PUBLISH #
+ ###############
+ job_publish_module:
+ name: 'Publish module'
+ if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
+ runs-on: ubuntu-20.04
+ needs:
+ - job_set_workflow_param
+ - job_module_deploy_validation
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set environment variables
+ uses: deep-mm/set-variables@v1.0
+ with:
+ variableFileName: 'global.variables'
+ - name: 'Publish module'
+ uses: ./.github/actions/templates/publishModule
+ with:
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateSpecsRGName: '${{ env.templateSpecsRGName }}'
+ templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}'
+ templateSpecsDescription: '${{ env.templateSpecsDescription }}'
+ templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}'
+ bicepRegistryName: '${{ env.bicepRegistryName }}'
+ bicepRegistryRGName: '${{ env.bicepRegistryRGName }}'
+ bicepRegistryRgLocation: '${{ env.bicepRegistryRgLocation }}'
+ bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}'
diff --git a/arm/Microsoft.Network/virtualHubs/deploy.bicep b/arm/Microsoft.Network/virtualHubs/deploy.bicep
index c7c7437961..fb8ac6bb0b 100644
--- a/arm/Microsoft.Network/virtualHubs/deploy.bicep
+++ b/arm/Microsoft.Network/virtualHubs/deploy.bicep
@@ -104,9 +104,9 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2021-05-01' = {
 virtualHubRouteTableV2s: virtualHubRouteTableV2s
 virtualRouterAsn: !(virtualRouterAsn == -1) ? virtualRouterAsn : null
 virtualRouterIps: !empty(virtualRouterIps) ? virtualRouterIps : null
- virtualWan: !empty(virtualWanId) ? {
+ virtualWan: {
 id: virtualWanId
- } : null
+ }
 vpnGateway: !empty(vpnGatewayId) ? {
 id: vpnGatewayId
 } : null
diff --git a/arm/Microsoft.Network/vpnSites/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/vpnSites/.bicep/nested_cuaId.bicep
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/arm/Microsoft.Network/vpnSites/.bicep/nested_cuaId.bicep
@@ -0,0 +1 @@
+
diff --git a/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json b/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
new file mode 100644
index 0000000000..5584b9af80
--- /dev/null
+++ b/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-az-vSite-min-001"
+ },
+ "addressPrefixes": {
+ "value": [
+ "10.0.0.0/16"
+ ]
+ },
+ "ipAddress": {
+ "value": "1.2.3.4"
+ },
+ "virtualWanId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/alsehrVWan"
+ }
+ }
+}
diff --git a/arm/Microsoft.Network/vpnSites/.parameters/parameters.json b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
new file mode 100644
index 0000000000..eb0427c5e4
--- /dev/null
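Review bot: The workflow-level `env:` block hands `AZURE_CREDENTIALS` and the other deployment secrets to every step of every job, including the third-party `deep-mm/set-variables@v1.0` step and the Pester job, which have no use for them; if the composite actions read these from the environment, declaring them at job level on the deployment and publish jobs only would narrow what any one step can read. `actions/checkout@v2` and `deep-mm/set-variables@v1.0` are referenced by mutable tags, so the code that runs with those secrets can change without a diff here; pinning each `uses:` to a full commit SHA keeps that fixed. The file also sets no `permissions:` key, so the job token gets the repository default; a top-level `permissions: contents: read` states the intended scope explicitly.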
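Review bot: `virtualWan: { id: virtualWanId }` is now emitted unconditionally, so whatever `virtualWanId` holds is sent to the resource provider; if the parameter declaration (outside this hunk) still has an empty-string default or an 'Optional.' description, the module now submits `id: ''` instead of omitting the property, and the declaration plus the readme row should be switched to 'Required.' with no default in the same change. The `virtualHub` resource this hunk belongs to begins before the hunk.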
+++ b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
@@ -0,0 +1,64 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-az-vSite-x-001"
+ },
+ "tags": {
+ "value": {
+ "tagA": "valueA",
+ "tagB": "valueB"
+ }
+ },
+ "deviceProperties": {
+ "value": {
+ "linkSpeedInMbps": 0
+ }
+ },
+ "virtualWanId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/alsehrVWan"
+ },
+ "vpnSiteLinks": {
+ "value": [
+ {
+ "name": "<>-az-vSite-x-001",
+ "properties": {
+ "bgpProperties": {
+ "asn": 65010,
+ "bgpPeeringAddress": "1.1.1.1"
+ },
+ "ipAddress": "1.2.3.4",
+ "linkProperties": {
+ "linkProviderName": "contoso",
+ "linkSpeedInMbps": 5
+ }
+ }
+ },
+ {
+ "name": "Link1",
+ "properties": {
+ "bgpProperties": {
+ "asn": 65020,
+ "bgpPeeringAddress": "192.168.1.0"
+ },
+ "ipAddress": "2.2.2.2",
+ "linkProperties": {
+ "linkProviderName": "contoso",
+ "linkSpeedInMbps": 5
+ }
+ }
+ }
+ ]
+ },
+ "o365Policy": {
+ "value": {
+ "breakOutCategories": {
+ "optimize": true,
+ "allow": true,
+ "default": true
+ }
+ }
+ }
+ }
+}
diff --git a/arm/Microsoft.Network/vpnSites/deploy.bicep b/arm/Microsoft.Network/vpnSites/deploy.bicep
new file mode 100644
index 0000000000..88b00e3dc7
--- /dev/null
+++ b/arm/Microsoft.Network/vpnSites/deploy.bicep
@@ -0,0 +1,69 @@
+@description('Required. Name of the VPN Site.')
+param name string
+
+@description('Required. Resource ID of the virtual WAN to link to')
+param virtualWanId string
+
+@description('Optional. Location where all resources will be created.')
+param location string = resourceGroup().location
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. An array of IP address ranges that can be used by subnets of the virtual network. Must be provided if no bgpProperties or VPNSiteLinks are configured.')
+param addressPrefixes array = []
+
+@description('Optional. BGP settings details. Must be provided if no addressPrefixes or VPNSiteLinks are configured. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead.')
+param bgpProperties object = {}
+
+@description('Optional. List of properties of the device.')
+param deviceProperties object = {}
+
+@description('Optional. The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead.')
+param ipAddress string = ''
+
+@description('Optional. IsSecuritySite flag')
+param isSecuritySite bool = false
+
+@description('Optional. The Office365 breakout policy.')
+param o365Policy object = {}
+
+@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+@description('Optional. List of all VPN site links.')
+param vpnSiteLinks array = []
+
+module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource vpnSite 'Microsoft.Network/vpnSites@2021-05-01' = {
+ name: name
+ location: location
+ tags: tags
+ properties: {
+ addressSpace: !empty(addressPrefixes) ? {
+ addressPrefixes: addressPrefixes
+ } : null
+ bgpProperties: !empty(bgpProperties) ? bgpProperties : null
+ deviceProperties: !empty(deviceProperties) ? deviceProperties : null
+ ipAddress: !empty(ipAddress) ? ipAddress : null
+ isSecuritySite: isSecuritySite
+ o365Policy: !empty(o365Policy) ? o365Policy : null
+ virtualWan: {
+ id: virtualWanId
+ }
+ vpnSiteLinks: !empty(vpnSiteLinks) ? vpnSiteLinks : null
+ }
+}
+
+@description('The name of the VPN site')
+output name string = vpnSite.name
+
+@description('The resource ID of the VPN site')
+output resourceId string = vpnSite.id
+
+@description('The resource group the VPN site was deployed into')
+output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.Network/vpnSites/readme.md b/arm/Microsoft.Network/vpnSites/readme.md
new file mode 100644
index 0000000000..37d3d16ca6
--- /dev/null
+++ b/arm/Microsoft.Network/vpnSites/readme.md
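Review bot: `@description('Optional. IsSecuritySite flag')` on `param isSecuritySite` only restates the parameter name, while every other description in this file says what the value is used for; it should say what enabling the flag changes about the site, in the same 'Optional. …' form the Pester description test expects. The descriptions of `addressPrefixes` and `bgpProperties` state that one of `addressPrefixes`, `bgpProperties` or `vpnSiteLinks` must be supplied, but nothing in the template checks it, so a call that leaves all three at their empty defaults is only rejected by the resource provider at deployment time; a single sentence in the readme stating that rule once (rather than split across two parameter rows) would make the contract easier to find.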
@@ -0,0 +1,120 @@
+# VPN Site `[Microsoft.Network/vpnSites]`
+
+This module deploys a VPN Site.
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Network/vpnSites` | 2021-05-01 |
+
+## Parameters
+
+| Parameter Name | Type | Default Value | Possible Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `addressPrefixes` | array | `[]` | | Optional. An array of IP address ranges that can be used by subnets of the virtual network. Must be provided if no bgpProperties or VPNSiteLinks are configured. |
+| `bgpProperties` | object | `{object}` | | Optional. BGP settings details. Must be provided if no addressPrefixes or VPNSiteLinks are configured. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. |
+| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
+| `deviceProperties` | object | `{object}` | | Optional. List of properties of the device. |
+| `ipAddress` | string | | | Optional. The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. |
+| `isSecuritySite` | bool | `False` | | Optional. IsSecuritySite flag |
+| `location` | string | `[resourceGroup().location]` | | Optional. Location where all resources will be created. |
+| `name` | string | | | Required. Name of the VPN Site. |
+| `o365Policy` | object | `{object}` | | Optional. The Office365 breakout policy. |
+| `tags` | object | `{object}` | | Optional. Tags of the resource. |
+| `virtualWanId` | string | | | Required. Resource ID of the virtual WAN to link to |
+| `vpnSiteLinks` | array | `[]` | | Optional. List of all VPN site links. |
+
+### Parameter Usage `o365Policy`
+
+```json
+"o365Policy": {
+ "value": {
+ "breakOutCategories": {
+ "optimize": true,
+ "allow": true,
+ "default": true
+ }
+ }
+}
+```
+
+### Parameter Usage `deviceProperties`
+
+```json
+"deviceProperties": {
+ "value": {
+ "deviceModel": "morty",
+ "deviceVendor": "contoso",
+ "linkSpeedInMbps": 0
+ }
+}
+```
+
+### Parameter Usage `bgpProperties`
+
+The BGP properties. Note: This is a deprecated property, please use the corresponding `VpnSiteLinks` property instead.
+
+```json
+"bgpProperties": {
+ "value": {
+ "asn": 65010,
+ "bgpPeeringAddress": "1.1.1.1",
+ "peerWeight": 0
+ }
+}
+```
+
+### Parameter Usage `vpnSiteLinks`
+
+An array of links. Should be used instead of the top-level `ipAddress` & `bgpProperties` properties. If using links, one default link with same name and properties as VpnSite itself is mandatory.
+
+```json
+"vpnSiteLinks": {
+ "value": [
+ {
+ "name": "<>-az-vSite-x-001",
+ "properties": {
+ "bgpProperties": {
+ "asn": 65010,
+ "bgpPeeringAddress": "1.1.1.1"
+ },
+ "ipAddress": "1.2.3.4",
+ "linkProperties": {
+ "linkProviderName": "contoso",
+ "linkSpeedInMbps": 5
+ }
+ }
+ }
+ ]
+}
+```
+
+
+### Parameter Usage: `tags`
+
+Tag names and tag values can be provided as needed. A tag can be left without a value.
+
+```json
+"tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "Contact": "test.user@testcompany.com",
+ "PurchaseOrder": "1234",
+ "CostCenter": "7890",
+ "ServiceName": "DeploymentValidation",
+ "Role": "DeploymentValidation"
+ }
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the VPN site |
+| `resourceGroupName` | string | The resource group the VPN site was deployed into |
+| `resourceId` | string | The resource ID of the VPN site |
+
+## Template references
+
+- [Vpnsites](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnSites)
From ee7602670e945117db9ba2afd4b4d920c1bc1103 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 5 Mar 2022 19:48:31 +0100 Subject: [PATCH 2/9] Fixed pipeline name --- .azuredevops/modulePipelines/ms.network.vpnsites.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/modulePipelines/ms.network.vpnsites.yml b/.azuredevops/modulePipelines/ms.network.vpnsites.yml index 1e81c5d417..e5a08e8088 100644 --- a/.azuredevops/modulePipelines/ms.network.vpnsites.yml +++ b/.azuredevops/modulePipelines/ms.network.vpnsites.yml @@ -1,4 +1,4 @@ -name: 'Network: VPN Sites' +name: 'Network - VPN Sites' parameters: - name: removeDeployment From fe19f1af6d197359329853f3f123a57de4dd37a5 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 5 Mar 2022 19:51:46 +0100 Subject: [PATCH 3/9] Update to latest --- arm/Microsoft.Network/vpnSites/version.json | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 arm/Microsoft.Network/vpnSites/version.json diff --git a/arm/Microsoft.Network/vpnSites/version.json b/arm/Microsoft.Network/vpnSites/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/arm/Microsoft.Network/vpnSites/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +} From 5091ca4da1dc7dad320e831fee6a010712dcfc27 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 5 Mar 2022 20:12:19 +0100 Subject: [PATCH 4/9] Updated test & fixed issue --- arm/.global/global.module.tests.ps1 | 12 +++++------- arm/Microsoft.Network/vpnSites/deploy.bicep | 2 +- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/arm/.global/global.module.tests.ps1 b/arm/.global/global.module.tests.ps1 index 2d44d67cbe..8583dfb678 100644 --- a/arm/.global/global.module.tests.ps1 +++ b/arm/.global/global.module.tests.ps1 
@@ -696,22 +696,20 @@ Describe 'Deployment template tests' -Tag Template { ) if (-not $templateContent.parameters) { + # Skip test $true | Should -Be $true return } - $ParamDescriptionFlag = @() + $IncorrectParameters = @() $Paramdescoutput = $templateContent.parameters.Keys foreach ($Param in $Paramdescoutput) { $Data = ($templateContent.parameters.$Param.metadata).description - if ($Data -like 'Optional. [a-zA-Z]*' -or $Data -like 'Required. [a-zA-Z]*' -or $Data -like 'Generated. [a-zA-Z]*') { - $true | Should -Be $true - $ParamDescriptionFlag += $true - } else { - $ParamDescriptionFlag += $false + if ($Data -notlike 'Optional. [a-zA-Z]*' -and $Data -notlike 'Required. [a-zA-Z]*' -and $Data -notlike 'Generated. [a-zA-Z]*') { + $IncorrectParameters += $Param } } - $ParamDescriptionFlag | Should -Not -Contain $false + $IncorrectParameters | Should -BeNullOrEmpty } # PARAMETER Tests diff --git a/arm/Microsoft.Network/vpnSites/deploy.bicep b/arm/Microsoft.Network/vpnSites/deploy.bicep index 88b00e3dc7..0bdf6338b7 100644 --- a/arm/Microsoft.Network/vpnSites/deploy.bicep +++ b/arm/Microsoft.Network/vpnSites/deploy.bicep @@ -13,7 +13,7 @@ param tags object = {} @description('Optional. An array of IP address ranges that can be used by subnets of the virtual network. Must be provided if no bgpProperties or VPNSiteLinks are configured.') param addressPrefixes array = [] -@description('Optional. BGP settings details. Must be provided if no addressPrefixes or VPNSiteLinks are configured. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead.') +@description('Optional. BGP settings details. Must be provided if no addressPrefixes or VPNSiteLinks are configured. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead.') param bgpProperties object = {} @description('Optional. List of properties of the device.') From ef04d5c275efdce462611a5a784d09469fb35fa0 Mon Sep 17 00:00:00 2001 
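Review bot: The early-return branch still records a pass through `$true | Should -Be $true` — the commit only labels it `# Skip test` — so a template with no `parameters` section is reported as a passing description check rather than a skipped one, which hides modules the test never looked at. If the repository runs Pester 5, `Set-ItResult -Skipped -Because 'template declares no parameters'` in place of that assertion reports it honestly; confirm the Pester version before switching. The `It` block containing this code starts and ends outside the hunk.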
From: MrMCake
Date: Sat, 5 Mar 2022 20:22:27 +0100
Subject: [PATCH 5/9] Updated param
---
 arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json | 2 +-
 arm/Microsoft.Network/vpnSites/.parameters/parameters.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json b/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
index 5584b9af80..23cf69a01f 100644
--- a/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
+++ b/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
@@ -14,7 +14,7 @@
 "value": "1.2.3.4"
 },
 "virtualWanId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/alsehrVWan"
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/<>-az-vw-x-001"
 }
 }
 }
diff --git a/arm/Microsoft.Network/vpnSites/.parameters/parameters.json b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
index eb0427c5e4..9fceeb1276 100644
--- a/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
+++ b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
@@ -17,7 +17,7 @@
 }
 },
 "virtualWanId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/alsehrVWan"
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/<>-az-vw-x-001"
 },
 "vpnSiteLinks": {
 "value": [
From be7e8e3be9e95d9de45dee08d9bc08cd079e9802 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 5 Mar 2022 20:38:00 +0100
Subject: [PATCH 6/9] Added lock + role assignment
---
 .../vpnSites/.bicep/nested_rbac.bicep | 35 +++++++++++++++++++
 .../vpnSites/.parameters/parameters.json | 10 ++++++
 arm/Microsoft.Network/vpnSites/deploy.bicep | 29 +++++++++++++++
 arm/Microsoft.Network/vpnSites/readme.md | 30 +++++++++++++++-
 4 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 arm/Microsoft.Network/vpnSites/.bicep/nested_rbac.bicep
diff --git a/arm/Microsoft.Network/vpnSites/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/vpnSites/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..5775bd43c7
--- /dev/null
+++ b/arm/Microsoft.Network/vpnSites/.bicep/nested_rbac.bicep
@@ -0,0 +1,35 @@
+param principalIds array
+param roleDefinitionIdOrName string
+param resourceId string
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Domain Services Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource vpnSite 'Microsoft.Network/vpnSites@2021-05-01' existing = {
+ name: last(split(resourceId, '/'))
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: {
+ name: guid(vpnSite.name, principalId, roleDefinitionIdOrName)
+ properties: {
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ }
+ scope: vpnSite
+}]
diff --git a/arm/Microsoft.Network/vpnSites/.parameters/parameters.json b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
index 9fceeb1276..a951639a4a 100644
--- a/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
+++ b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
@@ -59,6 +59,16 @@
 "default": true
 }
 }
+ },
+ "roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "<>"
+ ]
+ }
+ ]
 }
 }
 }
diff --git a/arm/Microsoft.Network/vpnSites/deploy.bicep b/arm/Microsoft.Network/vpnSites/deploy.bicep
index 0bdf6338b7..23acdfc14a 100644
--- a/arm/Microsoft.Network/vpnSites/deploy.bicep
+++ b/arm/Microsoft.Network/vpnSites/deploy.bicep
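Review bot: The three `param` declarations at the top of nested_rbac.bicep carry no `@description` decorators, unlike every parameter in deploy.bicep; `@description('Required. The IDs of the principals to assign the role to.')` on `principalIds`, `@description('Required. The display name of a built-in role or the fully qualified role definition ID.')` on `roleDefinitionIdOrName` and `@description('Required. The resource ID of the VPN site the assignment is scoped to.')` on `resourceId` would bring the file in line. The `roleAssignment` properties set `roleDefinitionId` and `principalId` but not `principalType`; when the principal is a freshly created service principal, directory replication lag can make the assignment fail as principal-not-found, and an optional `principalType` parameter passed through to `properties` is the usual way to avoid that. The `roleDefinitionId:` expression falls back to the raw `roleDefinitionIdOrName` string whenever it is not a key of `builtInRoleNames`, so a misspelled display name is submitted as a role definition ID and only fails at deployment time; a short comment on that line saying so would save the next reader a debugging round.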
@@ -34,6 +34,17 @@ param cuaId string = '' @description('Optional. List of all VPN site links.') param vpnSiteLinks array = [] +@allowed([ + 'CanNotDelete' + 'NotSpecified' + 'ReadOnly' +]) +@description('Optional. Specify the type of lock.') +param lock string = 'NotSpecified' + +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} @@ -59,6 +70,24 @@ resource vpnSite 'Microsoft.Network/vpnSites@2021-05-01' = { } } +resource vpnSite_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { + name: '${vpnSite.name}-${lock}-lock' + properties: { + level: lock + notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + } + scope: vpnSite +} + +module vpnSite_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name, location)}-VWan-Rbac-${index}' + params: { + principalIds: roleAssignment.principalIds + roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName + resourceId: vpnSite.id + } +}] + @description('The name of the VPN site') output name string = vpnSite.name diff --git a/arm/Microsoft.Network/vpnSites/readme.md b/arm/Microsoft.Network/vpnSites/readme.md index 37d3d16ca6..21ee34e16d 100644 --- a/arm/Microsoft.Network/vpnSites/readme.md +++ b/arm/Microsoft.Network/vpnSites/readme.md 
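Review bot: The `roleAssignments` description says each object carries `'roleDefinitionIdOrName'` and `'principalId'`, but the `vpnSite_rbac` module in the second hunk of this file reads `roleAssignment.principalIds` and nested_rbac.bicep declares `param principalIds array`; the description should read `'principalIds'` (an array) so callers do not build objects with a key the module never reads, and the readme row added in this same commit repeats the wrong name. In the second hunk, the module name `'${uniqueString(deployment().name, location)}-VWan-Rbac-${index}'` labels the nested deployment as a virtual WAN one although this is the VPN site module; `-VpnSite-Rbac-` keeps deployment history readable. The `vpnSite` resource the lock and module are attached to, and the parameter list the new params join, both begin before these hunks.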
@@ -5,6 +5,8 @@ This module deploys a VPN Site. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Authorization/locks` | 2017-04-01 | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | | `Microsoft.Network/vpnSites` | 2021-05-01 | ## Parameters 
@@ -12,14 +14,16 @@ This module deploys a VPN Site. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `addressPrefixes` | array | `[]` | | Optional. An array of IP address ranges that can be used by subnets of the virtual network. Must be provided if no bgpProperties or VPNSiteLinks are configured. | -| `bgpProperties` | object | `{object}` | | Optional. BGP settings details. Must be provided if no addressPrefixes or VPNSiteLinks are configured. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. | +| `bgpProperties` | object | `{object}` | | Optional. BGP settings details. Must be provided if no addressPrefixes or VPNSiteLinks are configured. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | | `deviceProperties` | object | `{object}` | | Optional. List of properties of the device. | | `ipAddress` | string | | | Optional. The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. | | `isSecuritySite` | bool | `False` | | Optional. IsSecuritySite flag | | `location` | string | `[resourceGroup().location]` | | Optional. Location where all resources will be created. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | | `name` | string | | | Required. Name of the VPN Site. | | `o365Policy` | object | `{object}` | | Optional. The Office365 breakout policy. | +| `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `tags` | object | `{object}` | | Optional. Tags of the resource. | | `virtualWanId` | string | | | Required. Resource ID of the virtual WAN to link to | | `vpnSiteLinks` | array | `[]` | | Optional. List of all VPN site links. | @@ -107,6 +111,28 @@ Tag names and tag values can be provided as needed. A tag can be left without a } ``` +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + ## Outputs | Output Name | Type | Description | @@ -117,4 +143,6 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Template references +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) - [Vpnsites](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnSites) From 4814c3f9f482e9010284436318541f7f8c9e3ff4 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Sat, 5 Mar 2022 22:34:22 +0000 Subject: [PATCH 7/9] Update arm/Microsoft.Network/vpnSites/.parameters/parameters.json Co-authored-by: Marius Storhaug --- arm/Microsoft.Network/vpnSites/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/arm/Microsoft.Network/vpnSites/.parameters/parameters.json b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
index a951639a4a..39ec5e30c9 100644
--- a/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
+++ b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json
@@ -17,7 +17,7 @@
 }
 },
 "virtualWanId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/<>-az-vw-x-001"
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/apd-<>-az-vw-x-001"
 },
 "vpnSiteLinks": {
 "value": [
From 7d9474349bec7bfd9c05294bff6e4b58269510bc Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Sat, 5 Mar 2022 22:34:27 +0000
Subject: [PATCH 8/9] Update arm/Microsoft.Network/virtualHubs/deploy.bicep
Co-authored-by: Marius Storhaug
---
 arm/Microsoft.Network/virtualHubs/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Network/virtualHubs/deploy.bicep b/arm/Microsoft.Network/virtualHubs/deploy.bicep
index fb8ac6bb0b..31a7d25998 100644
--- a/arm/Microsoft.Network/virtualHubs/deploy.bicep
+++ b/arm/Microsoft.Network/virtualHubs/deploy.bicep
@@ -102,7 +102,7 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2021-05-01' = {
 securityProviderName: securityProviderName
 sku: sku
 virtualHubRouteTableV2s: virtualHubRouteTableV2s
- virtualRouterAsn: !(virtualRouterAsn == -1) ? virtualRouterAsn : null
+ virtualRouterAsn: virtualRouterAsn != -1 ? virtualRouterAsn : null
 virtualRouterIps: !empty(virtualRouterIps) ? virtualRouterIps : null
 virtualWan: {
 id: virtualWanId
From 3931796a55c8567eac8ffe2dfd9c17eb776cffa7 Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Sat, 5 Mar 2022 22:34:32 +0000
Subject: [PATCH 9/9] Update arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
Co-authored-by: Marius Storhaug
---
 arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json b/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
index 23cf69a01f..24791e0339 100644
--- a/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
+++ b/arm/Microsoft.Network/vpnSites/.parameters/min.parameters.json
@@ -14,7 +14,7 @@
 "value": "1.2.3.4"
 },
 "virtualWanId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/<>-az-vw-x-001"
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/apd-<>-az-vw-x-001"
 }
 }
 }