From 4f9cf59263da856931ca5398620e485b821139bc Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 9 Mar 2022 15:44:11 +1100
Subject: [PATCH 1/6] restoring original subnet config in the vnet

---
 arm/Microsoft.Network/virtualNetworks/deploy.bicep | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep
index 057330810a..7f64396c56 100644
--- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep
@@ -111,6 +111,15 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = {
 ddosProtectionPlan: !empty(ddosProtectionPlanId) ? ddosProtectionPlan : null
 dhcpOptions: !empty(dnsServers) ? dnsServers_var : null
 enableDdosProtection: !empty(ddosProtectionPlanId)
+ subnets: [for subnet in subnets: {
+ name: subnet.name
+ properties: {
+ addressPrefix: subnet.addressPrefix
+ delegations: contains(subnet, 'delegations') ? subnet.delegations : null
+ privateEndpointNetworkPolicies: contains(subnet, 'privateEndpointNetworkPolicies') ? subnet.privateEndpointNetworkPolicies : null
+ privateLinkServiceNetworkPolicies: contains(subnet, 'privateLinkServiceNetworkPolicies') ? subnet.privateLinkServiceNetworkPolicies : null
+ }
+ }]
 }
 }
 
From a6f624bd0b8c31f47f628ea54f6ef5374c9ea4b6 Mon Sep 17 00:00:00 2001
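Review bot: As committed in 1/6, the inline `subnets` array maps only four properties (`addressPrefix`, `delegations` and the two network-policy flags), so deploying this intermediate state re-asserts every subnet without its NSG, route table, NAT gateway and service endpoints — the very property stripping that the note added in 3/6 describes as the reason the parent resource must own the full subnet definition. Patch 2/6 completes the list, so consider squashing 1/6 into it: a bisect or cherry-pick that lands on this commit silently removes network controls from existing subnets with no deployment error. Minor inconsistency within the series: `delegations` falls back to `null` here but to `[]` in 2/6.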
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 11 Mar 2022 16:00:07 +1100 Subject: [PATCH 2/6] Updated working state --- .../.parameters/parameters.json | 14 +++--- .../virtualNetworks/deploy.bicep | 30 +++++++++-- .../virtualNetworks/subnets/deploy.bicep | 47 +++++------------ .../virtualNetworks/subnets/readme.md | 7 ++- .../parameters/1.bastion.parameters.json | 2 +- .../parameters/2.vnetpeer01.parameters.json | 2 +- .../parameters/3.vnetpeer02.parameters.json | 2 +- .../parameters/4.azfw.parameters.json | 5 +- .../parameters/5.aks.parameters.json | 6 +-- .../parameters/6.sqlmi.parameters.json | 5 +- .../7.virtualHubConnection.parameters.json | 2 +- .../parameters/parameters.json | 50 +++++++++++++------ 12 files changed, 94 insertions(+), 78 deletions(-) diff --git a/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json b/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json index 8afa179ab2..1023495b15 100644 --- a/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json +++ b/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json @@ -19,14 +19,16 @@ { "name": "<>-az-subnet-x-001", "addressPrefix": "10.0.0.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001", + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001", "serviceEndpoints": [ - "Microsoft.EventHub", - "Microsoft.Sql", - "Microsoft.Storage", - "Microsoft.KeyVault" + { + "service": "Microsoft.Storage" + }, + { + "service": "Microsoft.Sql" + } ], - "routeTableName": "adp-<>-az-udr-x-001" + "routeTableId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/routeTables/adp-<>-az-udr-x-001" }, { "name": "<>-az-subnet-x-002", diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep index 057330810a..3d940723d1 100644 
--- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep
@@ -111,6 +111,29 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = {
 ddosProtectionPlan: !empty(ddosProtectionPlanId) ? ddosProtectionPlan : null
 dhcpOptions: !empty(dnsServers) ? dnsServers_var : null
 enableDdosProtection: !empty(ddosProtectionPlanId)
+ subnets: [for subnet in subnets: {
+ name: subnet.name
+ properties: {
+ addressPrefix: subnet.addressPrefix
+ addressPrefixes: contains(subnet, 'addressPrefixes') ? subnet.addressPrefixes : []
+ applicationGatewayIpConfigurations: contains(subnet, 'applicationGatewayIpConfigurations') ? subnet.applicationGatewayIpConfigurations : []
+ delegations: contains(subnet, 'delegations') ? subnet.delegations : []
+ ipAllocations: contains(subnet, 'ipAllocations') ? subnet.ipAllocations : []
+ natGateway: contains(subnet, 'natGatewayId') ? {
+ 'id': subnet.natGatewayId
+ } : json('null')
+ networkSecurityGroup: contains(subnet, 'networkSecurityGroupId') ? {
+ 'id': subnet.networkSecurityGroupId
+ } : json('null')
+ privateEndpointNetworkPolicies: contains(subnet, 'privateEndpointNetworkPolicies') ? subnet.privateEndpointNetworkPolicies : null
+ privateLinkServiceNetworkPolicies: contains(subnet, 'privateLinkServiceNetworkPolicies') ? subnet.privateLinkServiceNetworkPolicies : null
+ routeTable: contains(subnet, 'routeTableId') ? {
+ 'id': subnet.routeTableId
+ } : json('null')
+ serviceEndpoints: contains(subnet, 'serviceEndpoints') ? subnet.serviceEndpoints : []
+ serviceEndpointPolicies: contains(subnet, 'serviceEndpointPolicies') ? subnet.serviceEndpointPolicies : []
+ }
+ }]
 }
 }
 
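Review bot: A subnet object that still uses the pre-rename keys (`networkSecurityGroupName`, `routeTableName`, `natGatewayName`) is accepted here without any error: `contains(subnet, 'networkSecurityGroupId')` is simply false, so the subnet is written with `networkSecurityGroup: json('null')` — no NSG, no UDR — and the stale key is dropped silently; the `routeTableNameId` typo in 6.sqlmi.parameters.json later in this same series shows how easily that happens. Since a misspelled key cannot be rejected at compile time with the Bicep features used in this file (as far as I can see), at least document the exact key names in the `subnets` parameter description and call the rename out as a breaking change in the module readme, so consumers know an unknown key means "no network control attached" rather than "deployment fails". Style: `'id'` is quoted while every other key in this object is bare, and the same object mixes `json('null')` with the `null` already used for `ddosProtectionPlan` three lines up; `id: subnet.natGatewayId` and `: null` would be consistent.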
@@ -125,12 +148,11 @@ module virtualNetwork_subnets 'subnets/deploy.bicep' = [for (subnet, index) in s
 applicationGatewayIpConfigurations: contains(subnet, 'applicationGatewayIpConfigurations') ? subnet.applicationGatewayIpConfigurations : []
 delegations: contains(subnet, 'delegations') ? subnet.delegations : []
 ipAllocations: contains(subnet, 'ipAllocations') ? subnet.ipAllocations : []
- natGatewayName: contains(subnet, 'natGatewayName') ? subnet.natGatewayName : ''
- networkSecurityGroupName: contains(subnet, 'networkSecurityGroupName') ? subnet.networkSecurityGroupName : ''
- networkSecurityGroupNameResourceGroupName: contains(subnet, 'networkSecurityGroupNameResourceGroupName') ? subnet.networkSecurityGroupNameResourceGroupName : resourceGroup().name
+ natGatewayId: contains(subnet, 'natGatewayId') ? subnet.natGatewayId : ''
+ networkSecurityGroupId: contains(subnet, 'networkSecurityGroupId') ? subnet.networkSecurityGroupId : ''
 privateEndpointNetworkPolicies: contains(subnet, 'privateEndpointNetworkPolicies') ? subnet.privateEndpointNetworkPolicies : ''
 privateLinkServiceNetworkPolicies: contains(subnet, 'privateLinkServiceNetworkPolicies') ? subnet.privateLinkServiceNetworkPolicies : ''
- routeTableName: contains(subnet, 'routeTableName') ? subnet.routeTableName : ''
+ routeTableId: contains(subnet, 'routeTableId') ? subnet.routeTableId : ''
 serviceEndpointPolicies: contains(subnet, 'serviceEndpointPolicies') ? subnet.serviceEndpointPolicies : []
 serviceEndpoints: contains(subnet, 'serviceEndpoints') ? subnet.serviceEndpoints : []
 }
diff --git a/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep
index 9466a0a063..50b1e8a8ac 100644
--- a/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep
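Review bot: This parameter mapping and the inline `subnets` array of the `virtualNetwork` resource above now have to list the same set of properties; a key mapped only here would be applied by the child module and then, on the next deployment of this template, presumably removed again when the parent resource re-asserts its `subnets` (the behaviour that motivated the duplicate in the first place). A one-line reminder on the module call would make that contract explicit, e.g. `// Keep in sync with the inline 'subnets' array of the virtualNetwork resource above.`. Minor: the network-policy flags fall back to `''` here but to `null` in the inline array — harmless, since the child module maps `''` to `null`, but one form would read more clearly. The `module virtualNetwork_subnets` declaration starts before this hunk.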
@@ -7,15 +7,11 @@ param virtualNetworkName string
 @description('Required. The address prefix for the subnet.')
 param addressPrefix string
 
-@description('Optional. The network security group to assign to the subnet')
-param networkSecurityGroupName string = ''
+@description('Optional. The resource ID of the network security group to assign to the subnet')
+param networkSecurityGroupId string = ''
 
-@description('Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group.')
-@minLength(1)
-param networkSecurityGroupNameResourceGroupName string = resourceGroup().name
-
-@description('Optional. The route table to assign to the subnet')
-param routeTableName string = ''
+@description('Optional. The resource ID of the route table to assign to the subnet')
+param routeTableId string = ''
 
 @description('Optional. The service endpoints to enable on the subnet')
 param serviceEndpoints array = []
@@ -23,8 +19,8 @@ param serviceEndpoints array = []
 @description('Optional. The delegations to enable on the subnet')
 param delegations array = []
 
-@description('Optional. The name of the NAT Gateway to use for the subnet')
-param natGatewayName string = ''
+@description('Optional. The resource ID of the NAT Gateway to use for the subnet')
+param natGatewayId string = ''
 
 @description('Optional. enable or disable apply network policies on private end point in the subnet.')
 @allowed([
@@ -54,10 +50,6 @@ param ipAllocations array = []
 @description('Optional. An array of service endpoint policies.')
 param serviceEndpointPolicies array = []
 
-var formattedServiceEndpoints = [for serviceEndpoint in serviceEndpoints: {
- service: serviceEndpoint
-}]
-
 @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
 param cuaId string = ''
 
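Review bot: The new `networkSecurityGroupId` description loses the one operational hint the removed `networkSecurityGroupNameResourceGroupName` parameter carried — that the NSG may live in a different resource group than the VNet — and a full resource ID now encodes that (and the subscription) implicitly, so it is worth saying. Suggest `@description('Optional. The resource ID of the network security group to assign to the subnet. The NSG may reside in a different resource group or subscription than the virtual network.')`, with the same sentence on `routeTableId` and `natGatewayId`. Also note that the `@minLength(1)` guard disappears with the old parameter and nothing validates the shape of the new `*Id` strings; whether ARM rejects a malformed ID before or after the subnet is created I cannot tell from here, so a short "no validation is performed on this value" caveat in the readme would manage expectations. Trailing periods are inconsistent with `addressPrefix`'s description just above.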
@@ -70,34 +62,21 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' existing
 name: virtualNetworkName
 }
 
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-05-01' existing = if (!empty(networkSecurityGroupName)) {
- name: networkSecurityGroupName
- scope: resourceGroup(networkSecurityGroupNameResourceGroupName)
-}
-
-resource routeTable 'Microsoft.Network/routeTables@2021-05-01' existing = if (!empty(routeTableName)) {
- name: routeTableName
-}
-
-resource natGateway 'Microsoft.Network/natGateways@2021-05-01' existing = if (!empty(natGatewayName)) {
- name: natGatewayName
-}
-
 resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' = {
 name: name
 parent: virtualNetwork
 properties: {
 addressPrefix: addressPrefix
- networkSecurityGroup: !empty(networkSecurityGroupName) ? {
- id: networkSecurityGroup.id
+ networkSecurityGroup: !empty(networkSecurityGroupId) ? {
+ id: networkSecurityGroupId
 } : null
- routeTable: !empty(routeTableName) ? {
- id: routeTable.id
+ routeTable: !empty(routeTableId) ? {
+ id: routeTableId
 } : null
- natGateway: !empty(natGatewayName) ? {
- id: natGateway.id
+ natGateway: !empty(natGatewayId) ? {
+ id: natGatewayId
 } : null
- serviceEndpoints: !empty(formattedServiceEndpoints) ? formattedServiceEndpoints : []
+ serviceEndpoints: serviceEndpoints
 delegations: delegations
 privateEndpointNetworkPolicies: !empty(privateEndpointNetworkPolicies) ? any(privateEndpointNetworkPolicies) : null
 privateLinkServiceNetworkPolicies: !empty(privateLinkServiceNetworkPolicies) ? any(privateLinkServiceNetworkPolicies) : null
diff --git a/arm/Microsoft.Network/virtualNetworks/subnets/readme.md b/arm/Microsoft.Network/virtualNetworks/subnets/readme.md
index 7e783a3e6e..ff54ccb439 100644
--- a/arm/Microsoft.Network/virtualNetworks/subnets/readme.md
+++ b/arm/Microsoft.Network/virtualNetworks/subnets/readme.md
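Review bot: `serviceEndpoints: serviceEndpoints` passes the caller's array straight into the resource, whereas the removed `formattedServiceEndpoints` wrapped each plain string as `{ service: ... }`; a consumer still passing `['Microsoft.Storage']` will most likely fail at deployment, yet the parameter description (`Optional. The service endpoints to enable on the subnet`) no longer says which shape is expected. Suggest `@description('Optional. The service endpoints to enable on the subnet. Each item is an object with a \'service\' property, e.g. { service: \'Microsoft.Storage\' }.')`, mirrored in readme.md and in the parent module's `subnets` description, and list the change under breaking changes. Dropping the `existing` references also means a mistyped `*Id` is no longer resolved by Bicep before deployment and only surfaces when ARM links the subnet — acceptable, but worth a sentence in the readme.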
@@ -19,12 +19,11 @@ This module deploys a virtual network subnet. | `delegations` | array | `[]` | | Optional. The delegations to enable on the subnet | | `ipAllocations` | array | `[]` | | Optional. Array of IpAllocation which reference this subnet | | `name` | string | | | Optional. The Name of the subnet resource. | -| `natGatewayName` | string | | | Optional. The name of the NAT Gateway to use for the subnet | -| `networkSecurityGroupName` | string | | | Optional. The network security group to assign to the subnet | -| `networkSecurityGroupNameResourceGroupName` | string | `[resourceGroup().name]` | | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. | +| `natGatewayId` | string | | | Optional. The resource ID of the NAT Gateway to use for the subnet | +| `networkSecurityGroupId` | string | | | Optional. The resource ID of the network security group to assign to the subnet | | `privateEndpointNetworkPolicies` | string | | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private end point in the subnet. | | `privateLinkServiceNetworkPolicies` | string | | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private link service in the subnet. | -| `routeTableName` | string | | | Optional. The route table to assign to the subnet | +| `routeTableId` | string | | | Optional. The resource ID of the route table to assign to the subnet | | `serviceEndpointPolicies` | array | `[]` | | Optional. An array of service endpoint policies. | | `serviceEndpoints` | array | `[]` | | Optional. The service endpoints to enable on the subnet | | `virtualNetworkName` | string | | | Required. The name of the parent virtual network | diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/1.bastion.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/1.bastion.parameters.json index abae935c98..8b1d62b36a 100644 
--- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/1.bastion.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/1.bastion.parameters.json @@ -15,7 +15,7 @@ { "name": "AzureBastionSubnet", // Bastion subnet "addressPrefix": "10.1.5.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-bastion" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-bastion" } ] } diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/2.vnetpeer01.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/2.vnetpeer01.parameters.json index d5df6201a5..a6f1c719c5 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/2.vnetpeer01.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/2.vnetpeer01.parameters.json @@ -15,7 +15,7 @@ { "name": "<>-az-subnet-x-001", "addressPrefix": "10.2.0.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001" } ] } diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/3.vnetpeer02.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/3.vnetpeer02.parameters.json index c7c6b8f2f5..d9e058de62 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/3.vnetpeer02.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/3.vnetpeer02.parameters.json 
@@ -15,7 +15,7 @@ { "name": "<>-az-subnet-x-001", "addressPrefix": "10.3.0.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001" } ] } diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/4.azfw.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/4.azfw.parameters.json index fea560d3f0..28913a9674 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/4.azfw.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/4.azfw.parameters.json @@ -14,10 +14,7 @@ "value": [ { "name": "AzureFirewallSubnet", - "addressPrefix": "10.4.4.0/24", - "routeTableName": "", - "serviceEndpoints": [], - "delegations": [] + "addressPrefix": "10.4.4.0/24" } ] } diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/5.aks.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/5.aks.parameters.json index 7235917e7a..34523c9ef3 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/5.aks.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/5.aks.parameters.json 
@@ -15,17 +15,17 @@ { "name": "Primary", "addressPrefix": "10.5.0.0/18", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001" }, { "name": "Secondary", "addressPrefix": "10.5.64.0/18", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001" }, { "name": "Tertiary", "addressPrefix": "10.5.128.0/18", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001" } ] } diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/6.sqlmi.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/6.sqlmi.parameters.json index ddb63750ec..039880fcf6 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/6.sqlmi.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/6.sqlmi.parameters.json @@ -15,9 +15,8 @@ { "name": "<>-az-subnet-x-sqlmi", // SQLMi subnet "addressPrefix": "10.6.0.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-sqlmi", - "routeTableName": "adp-<>-az-udr-x-sqlmi", - "serviceEndpoints": [], + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-sqlmi", + "routeTableNameId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/routeTables/adp-<>-az-udr-x-sqlmi", "delegations": [ { "name": "sqlMiDel", 
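Review bot: `"routeTableNameId"` on the SQL MI subnet is not a key the module reads — both the inline `subnets` array in virtualNetworks/deploy.bicep and the child-module call test `contains(subnet, 'routeTableId')` — so the key is silently ignored and the subnet is deployed without the `adp-<>-az-udr-x-sqlmi` route table that the removed `routeTableName` line used to attach. Rename it to `"routeTableId"`. Because unknown keys are dropped without any error, nothing in the pipeline would flag this regression unless the dependency deployment is checked for the expected route table association.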
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/7.virtualHubConnection.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/7.virtualHubConnection.parameters.json index ee68e6d7d7..15dd746673 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/7.virtualHubConnection.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/7.virtualHubConnection.parameters.json @@ -15,7 +15,7 @@ { "name": "default", // Hub connection subnet "addressPrefix": "10.7.0.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001" } ] } diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json index 30f8c90768..3d5662f556 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json 
@@ -19,31 +19,49 @@ { "name": "<>-az-subnet-x-001", // VM subnet "addressPrefix": "10.0.0.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001", + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001", "serviceEndpoints": [ - "Microsoft.EventHub", - "Microsoft.Sql", - "Microsoft.Storage", - "Microsoft.KeyVault" + { + "service": "Microsoft.EventHub" + }, + { + "service": "Microsoft.Sql" + }, + { + "service": "Microsoft.Storage" + }, + { + "service": "Microsoft.KeyVault" + } ] }, { "name": "<>-az-subnet-x-002", // VMSS subnet "addressPrefix": "10.0.1.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001", + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001", "serviceEndpoints": [ - "Microsoft.EventHub", - "Microsoft.Sql", - "Microsoft.Storage", - "Microsoft.KeyVault" + { + "service": "Microsoft.EventHub" + }, + { + "service": "Microsoft.Sql" + }, + { + "service": "Microsoft.Storage" + }, + { + "service": "Microsoft.KeyVault" + } ] }, { "name": "<>-az-subnet-x-003", // ServiceBus subnet "addressPrefix": "10.0.2.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001", + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001", "serviceEndpoints": [ - "Microsoft.ServiceBus" + { + "service": "Microsoft.ServiceBus" + } ] }, { 
@@ -61,24 +79,24 @@ { "name": "AzureBastionSubnet", // Bastion subnet "addressPrefix": "10.0.5.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-bastion" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-bastion" }, { "name": "<>-az-subnet-x-005-privateEndpoints", // PE subnet "addressPrefix": "10.0.6.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-001", + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-001", "privateEndpointNetworkPolicies": "Disabled", // This property must be set to disabled for subnets that contain private endpoints. It confirms that NSGs rules will not apply to private endpoints (currently not supported). Default Value when not specified is "Enabled". "privateLinkServiceNetworkPolicies": "Enabled" }, { "name": "<>-az-subnet-x-006", // ASE subnet "addressPrefix": "10.0.7.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-ase" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-ase" }, { "name": "<>-az-subnet-x-007", // APGW subnet "addressPrefix": "10.0.8.0/24", - "networkSecurityGroupName": "adp-<>-az-nsg-x-apgw" + "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-apgw" } ] } From d935d8f4fbe0e7167d4073f1b8a03ebd0206f7c1 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 11 Mar 2022 16:44:48 +1100 Subject: [PATCH 3/6] Added note for design limitation of network resources --- arm/Microsoft.Network/virtualNetworks/deploy.bicep | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep index 3d940723d1..9cac4f7b89 100644 
--- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep
@@ -137,6 +137,14 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = {
 }
 }
 
+//NOTE Start: ------------------------------------
+// The below module (virtualNetwork_subnets) is a duplicate of the child resource (subnets) defined in the parent module (virtualNetwork).
+// The reason it exists so that deployment validation tests can be performed on the child module (subnets), in case that module needed to be deployed alone outside of this template.
+// The reason for duplication is due to the current design for the (virtualNetworks) resource from Azure, where if the child module (subnets) does not exist within it, causes
+// an issue, where the child resource (subnets) gets all of its properties removed, hence not as 'idempotent' as it should be. See https://github.com/Azure/azure-quickstart-templates/issues/2786 for more details.
+// You can safely remove the below child module (virtualNetwork_subnets) in your consumption of the module (virtualNetworks) to reduce the template size and duplication.
+//NOTE End : ------------------------------------
+
 @batchSize(1)
 module virtualNetwork_subnets 'subnets/deploy.bicep' = [for (subnet, index) in subnets: {
 name: '${uniqueString(deployment().name, location)}-subnet-${index}'
From 9d2c4355c0d576a6b0f83a0a6c8daf3f9dc1216d Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Fri, 11 Mar 2022 16:56:39 +1100
Subject: [PATCH 4/6] removed uneeded cuaId and updated doc for subnet module

---
 arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep | 5 +----
 arm/Microsoft.Network/virtualNetworks/subnets/readme.md | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep
index 23c0dd3d02..bb13cecca4 100644
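Review bot: The note tells consumers the child module can be "safely" removed but omits the condition that actually keeps subnets safe: the inline `subnets` array above must keep mapping every property `subnets/deploy.bicep` supports, otherwise a property set only by `virtualNetwork_subnets` is, by the note's own description of the issue, stripped again on the next deployment of this template. Suggest adding one line inside the block: `// Any subnet property added to subnets/deploy.bicep must also be mapped in the inline 'subnets' array above, otherwise the parent resource removes it on redeploy.`. Wording: "The reason it exists so that" → "The reason it exists is so that", and "where if the child module (subnets) does not exist within it, causes an issue, where the child resource (subnets) gets all of its properties removed" → "where a subnet not declared inline within it has all of its properties removed on redeploy".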
--- a/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep
@@ -22,7 +22,7 @@ param delegations array = []
 @description('Optional. The resource ID of the NAT Gateway to use for the subnet')
 param natGatewayId string = ''
 
-@description('Optional. enable or disable apply network policies on private end point in the subnet.')
+@description('Optional. enable or disable apply network policies on private endpoint in the subnet.')
 @allowed([
 'Disabled'
 'Enabled'
@@ -50,9 +50,6 @@ param ipAllocations array = []
 @description('Optional. An array of service endpoint policies.')
 param serviceEndpointPolicies array = []
 
-@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
-param cuaId string = ''
-
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
 
diff --git a/arm/Microsoft.Network/virtualNetworks/subnets/readme.md b/arm/Microsoft.Network/virtualNetworks/subnets/readme.md
index cd852fe020..3ec7ceb0a2 100644
--- a/arm/Microsoft.Network/virtualNetworks/subnets/readme.md
+++ b/arm/Microsoft.Network/virtualNetworks/subnets/readme.md
@@ -21,7 +21,7 @@ This module deploys a virtual network subnet. | `name` | string | | | Optional. The Name of the subnet resource. | | `natGatewayId` | string | | | Optional. The resource ID of the NAT Gateway to use for the subnet | | `networkSecurityGroupId` | string | | | Optional. The resource ID of the network security group to assign to the subnet | -| `privateEndpointNetworkPolicies` | string | | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private end point in the subnet. | +| `privateEndpointNetworkPolicies` | string | | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private endpoint in the subnet. | | `privateLinkServiceNetworkPolicies` | string | | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private link service in the subnet. | | `routeTableId` | string | | | Optional. The resource ID of the route table to assign to the subnet | | `serviceEndpointPolicies` | array | `[]` | | Optional. An array of service endpoint policies. | From 2bc41865398484ed40892d9636991659652db3fc Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 11 Mar 2022 19:13:36 +1100 Subject: [PATCH 5/6] updated dep. pipeline nsgs to reflect name change --- .../networkSecurityGroups/parameters/apgw.parameters.json | 2 +- .../networkSecurityGroups/parameters/ase.parameters.json | 2 +- .../networkSecurityGroups/parameters/bastion.parameters.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/apgw.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/apgw.parameters.json index 22e2e92b4d..8c3fde073e 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/apgw.parameters.json 
+++ b/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/apgw.parameters.json @@ -5,7 +5,7 @@ "name": { "value": "adp-<>-az-nsg-x-apgw" }, - "networkSecurityGroupSecurityRules": { + "securityRules": { "value": [ { "name": "AllowPortsForAppGateway", diff --git a/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/ase.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/ase.parameters.json index 3f21036be1..6321666534 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/ase.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/ase.parameters.json @@ -5,7 +5,7 @@ "name": { "value": "adp-<>-az-nsg-x-ase" }, - "networkSecurityGroupSecurityRules": { + "securityRules": { "value": [ { "name": "AllowPortsForASE", diff --git a/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/bastion.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/bastion.parameters.json index 78c47cf2ae..9ee4174403 100644 --- a/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/bastion.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/bastion.parameters.json @@ -5,7 +5,7 @@ "name": { "value": "adp-<>-az-nsg-x-bastion" }, - "networkSecurityGroupSecurityRules": { + "securityRules": { "value": [ { "name": "AllowHttpsInBound", From c57670f899b033228f0a0a1b85246028612c6a44 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 11 Mar 2022 19:23:53 +1100 Subject: [PATCH 6/6] updated location property in policy assignment PID resource --- arm/Microsoft.Authorization/policyAssignments/deploy.bicep | 1 + 1 file changed, 1 insertion(+) 
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep index 300be967bf..5aaeaddaca 100644 --- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep +++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep @@ -59,6 +59,7 @@ param enableDefaultTelemetry bool = true resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' + location: location properties: { mode: 'Incremental' template: {