Azure · ahmadabdalla · Mar 11, 2022 · Mar 9, 2022 · Mar 9, 2022 · Mar 11, 2022
@@ -59,6 +59,7 @@ param enableDefaultTelemetry bool = true
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+  location: location
   properties: {
     mode: 'Incremental'
     template: {

@@ -19,14 +19,16 @@
                 {
                     "name": "<<namePrefix>>-az-subnet-x-001",
                     "addressPrefix": "10.0.0.0/24",
-                    "networkSecurityGroupName": "adp-<<namePrefix>>-az-nsg-x-001",
+                    "networkSecurityGroupId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<<namePrefix>>-az-nsg-x-001",
                     "serviceEndpoints": [
-                        "Microsoft.EventHub",
-                        "Microsoft.Sql",
-                        "Microsoft.Storage",
-                        "Microsoft.KeyVault"
+                        {
+                            "service": "Microsoft.Storage"
+                        },
+                        {
+                            "service": "Microsoft.Sql"
+                        }
                     ],
-                    "routeTableName": "adp-<<namePrefix>>-az-udr-x-001"
+                    "routeTableId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/routeTables/adp-<<namePrefix>>-az-udr-x-001"
                 },
                 {
                     "name": "<<namePrefix>>-az-subnet-x-002",

@@ -118,9 +118,40 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = {
     ddosProtectionPlan: !empty(ddosProtectionPlanId) ? ddosProtectionPlan : null
     dhcpOptions: !empty(dnsServers) ? dnsServers_var : null
     enableDdosProtection: !empty(ddosProtectionPlanId)
+    subnets: [for subnet in subnets: {
+      name: subnet.name
+      properties: {
+        addressPrefix: subnet.addressPrefix
+        addressPrefixes: contains(subnet, 'addressPrefixes') ? subnet.addressPrefixes : []
+        applicationGatewayIpConfigurations: contains(subnet, 'applicationGatewayIpConfigurations') ? subnet.applicationGatewayIpConfigurations : []
+        delegations: contains(subnet, 'delegations') ? subnet.delegations : []
+        ipAllocations: contains(subnet, 'ipAllocations') ? subnet.ipAllocations : []
+        natGateway: contains(subnet, 'natGatewayId') ? {
+          'id': subnet.natGatewayId
+        } : json('null')
+        networkSecurityGroup: contains(subnet, 'networkSecurityGroupId') ? {
+          'id': subnet.networkSecurityGroupId
+        } : json('null')
+        privateEndpointNetworkPolicies: contains(subnet, 'privateEndpointNetworkPolicies') ? subnet.privateEndpointNetworkPolicies : null
+        privateLinkServiceNetworkPolicies: contains(subnet, 'privateLinkServiceNetworkPolicies') ? subnet.privateLinkServiceNetworkPolicies : null
+        routeTable: contains(subnet, 'routeTableId') ? {
+          'id': subnet.routeTableId
+        } : json('null')
+        serviceEndpoints: contains(subnet, 'serviceEndpoints') ? subnet.serviceEndpoints : []
+        serviceEndpointPolicies: contains(subnet, 'serviceEndpointPolicies') ? subnet.serviceEndpointPolicies : []
+      }
+    }]
   }
 }
 
+//NOTE Start: ------------------------------------
+// The below module (virtualNetwork_subnets) is a duplicate of the child resource (subnets) defined in the parent module (virtualNetwork).
+// The reason it exists so that deployment validation tests can be performed on the child module (subnets), in case that module needed to be deployed alone outside of this template.
+// The reason for duplication is due to the current design for the (virtualNetworks) resource from Azure, where if the child module (subnets) does not exist within it, causes
+//    an issue, where the child resource (subnets) gets all of its properties removed, hence not as 'idempotent' as it should be. See https://github.com/Azure/azure-quickstart-templates/issues/2786 for more details.
+// You can safely remove the below child module (virtualNetwork_subnets) in your consumption of the module (virtualNetworks) to reduce the template size and duplication.
+//NOTE End  : ------------------------------------
+
 @batchSize(1)
 module virtualNetwork_subnets 'subnets/deploy.bicep' = [for (subnet, index) in subnets: {
   name: '${uniqueString(deployment().name, location)}-subnet-${index}'
@@ -132,12 +163,11 @@ module virtualNetwork_subnets 'subnets/deploy.bicep' = [for (subnet, index) in s
     applicationGatewayIpConfigurations: contains(subnet, 'applicationGatewayIpConfigurations') ? subnet.applicationGatewayIpConfigurations : []
     delegations: contains(subnet, 'delegations') ? subnet.delegations : []
     ipAllocations: contains(subnet, 'ipAllocations') ? subnet.ipAllocations : []
-    natGatewayName: contains(subnet, 'natGatewayName') ? subnet.natGatewayName : ''
-    networkSecurityGroupName: contains(subnet, 'networkSecurityGroupName') ? subnet.networkSecurityGroupName : ''
-    networkSecurityGroupNameResourceGroupName: contains(subnet, 'networkSecurityGroupNameResourceGroupName') ? subnet.networkSecurityGroupNameResourceGroupName : resourceGroup().name
+    natGatewayId: contains(subnet, 'natGatewayId') ? subnet.natGatewayId : ''
+    networkSecurityGroupId: contains(subnet, 'networkSecurityGroupId') ? subnet.networkSecurityGroupId : ''
     privateEndpointNetworkPolicies: contains(subnet, 'privateEndpointNetworkPolicies') ? subnet.privateEndpointNetworkPolicies : ''
     privateLinkServiceNetworkPolicies: contains(subnet, 'privateLinkServiceNetworkPolicies') ? subnet.privateLinkServiceNetworkPolicies : ''
-    routeTableName: contains(subnet, 'routeTableName') ? subnet.routeTableName : ''
+    routeTableId: contains(subnet, 'routeTableId') ? subnet.routeTableId : ''
     serviceEndpointPolicies: contains(subnet, 'serviceEndpointPolicies') ? subnet.serviceEndpointPolicies : []
     serviceEndpoints: contains(subnet, 'serviceEndpoints') ? subnet.serviceEndpoints : []
   }

@@ -7,26 +7,22 @@ param virtualNetworkName string
 @description('Required. The address prefix for the subnet.')
 param addressPrefix string
 
-@description('Optional. The network security group to assign to the subnet')
-param networkSecurityGroupName string = ''
+@description('Optional. The resource ID of the network security group to assign to the subnet')
+param networkSecurityGroupId string = ''
 
-@description('Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group.')
-@minLength(1)
-param networkSecurityGroupNameResourceGroupName string = resourceGroup().name
-
-@description('Optional. The route table to assign to the subnet')
-param routeTableName string = ''
+@description('Optional. The resource ID of the route table to assign to the subnet')
+param routeTableId string = ''
 
 @description('Optional. The service endpoints to enable on the subnet')
 param serviceEndpoints array = []
 
 @description('Optional. The delegations to enable on the subnet')
 param delegations array = []
 
-@description('Optional. The name of the NAT Gateway to use for the subnet')
-param natGatewayName string = ''
+@description('Optional. The resource ID of the NAT Gateway to use for the subnet')
+param natGatewayId string = ''
 
-@description('Optional. enable or disable apply network policies on private end point in the subnet.')
+@description('Optional. enable or disable apply network policies on private endpoint in the subnet.')
 @allowed([
   'Disabled'
   'Enabled'
@@ -54,10 +50,6 @@ param ipAllocations array = []
 @description('Optional. An array of service endpoint policies.')
 param serviceEndpointPolicies array = []
 
-var formattedServiceEndpoints = [for serviceEndpoint in serviceEndpoints: {
-  service: serviceEndpoint
-}]
-
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
 
@@ -77,34 +69,21 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' existing
   name: virtualNetworkName
 }
 
-resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-05-01' existing = if (!empty(networkSecurityGroupName)) {
-  name: networkSecurityGroupName
-  scope: resourceGroup(networkSecurityGroupNameResourceGroupName)
-}
-
-resource routeTable 'Microsoft.Network/routeTables@2021-05-01' existing = if (!empty(routeTableName)) {
-  name: routeTableName
-}
-
-resource natGateway 'Microsoft.Network/natGateways@2021-05-01' existing = if (!empty(natGatewayName)) {
-  name: natGatewayName
-}
-
 resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' = {
   name: name
   parent: virtualNetwork
   properties: {
     addressPrefix: addressPrefix
-    networkSecurityGroup: !empty(networkSecurityGroupName) ? {
-      id: networkSecurityGroup.id
+    networkSecurityGroup: !empty(networkSecurityGroupId) ? {
+      id: networkSecurityGroupId
     } : null
-    routeTable: !empty(routeTableName) ? {
-      id: routeTable.id
+    routeTable: !empty(routeTableId) ? {
+      id: routeTableId
     } : null
-    natGateway: !empty(natGatewayName) ? {
-      id: natGateway.id
+    natGateway: !empty(natGatewayId) ? {
+      id: natGatewayId
     } : null
-    serviceEndpoints: !empty(formattedServiceEndpoints) ? formattedServiceEndpoints : []
+    serviceEndpoints: serviceEndpoints
     delegations: delegations
     privateEndpointNetworkPolicies: !empty(privateEndpointNetworkPolicies) ? any(privateEndpointNetworkPolicies) : null
     privateLinkServiceNetworkPolicies: !empty(privateLinkServiceNetworkPolicies) ? any(privateLinkServiceNetworkPolicies) : null

@@ -19,12 +19,11 @@ This module deploys a virtual network subnet.
 | `enableDefaultTelemetry` | bool | `True` |  | Optional. Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `ipAllocations` | array | `[]` |  | Optional. Array of IpAllocation which reference this subnet |
 | `name` | string |  |  | Optional. The Name of the subnet resource. |
-| `natGatewayName` | string |  |  | Optional. The name of the NAT Gateway to use for the subnet |
-| `networkSecurityGroupName` | string |  |  | Optional. The network security group to assign to the subnet |
-| `networkSecurityGroupNameResourceGroupName` | string | `[resourceGroup().name]` |  | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. |
-| `privateEndpointNetworkPolicies` | string |  | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private end point in the subnet. |
+| `natGatewayId` | string |  |  | Optional. The resource ID of the NAT Gateway to use for the subnet |
+| `networkSecurityGroupId` | string |  |  | Optional. The resource ID of the network security group to assign to the subnet |
+| `privateEndpointNetworkPolicies` | string |  | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private endpoint in the subnet. |
 | `privateLinkServiceNetworkPolicies` | string |  | `[Disabled, Enabled, ]` | Optional. enable or disable apply network policies on private link service in the subnet. |
-| `routeTableName` | string |  |  | Optional. The route table to assign to the subnet |
+| `routeTableId` | string |  |  | Optional. The resource ID of the route table to assign to the subnet |
 | `serviceEndpointPolicies` | array | `[]` |  | Optional. An array of service endpoint policies. |
 | `serviceEndpoints` | array | `[]` |  | Optional. The service endpoints to enable on the subnet |
 | `virtualNetworkName` | string |  |  | Required. The name of the parent virtual network |

@@ -5,7 +5,7 @@
     "name": {
       "value": "adp-<<namePrefix>>-az-nsg-x-apgw"
     },
-    "networkSecurityGroupSecurityRules": {
+    "securityRules": {
       "value": [
         {
           "name": "AllowPortsForAppGateway",

@@ -5,7 +5,7 @@
     "name": {
       "value": "adp-<<namePrefix>>-az-nsg-x-ase"
     },
-    "networkSecurityGroupSecurityRules": {
+    "securityRules": {
       "value": [
         {
           "name": "AllowPortsForASE",

@@ -5,7 +5,7 @@
         "name": {
             "value": "adp-<<namePrefix>>-az-nsg-x-bastion"
         },
-        "networkSecurityGroupSecurityRules": {
+        "securityRules": {
             "value": [
                 {
                     "name": "AllowHttpsInBound",

@@ -15,7 +15,7 @@
         {
           "name": "AzureBastionSubnet", // Bastion subnet
           "addressPrefix": "10.1.5.0/24",
-          "networkSecurityGroupName": "adp-<<namePrefix>>-az-nsg-x-bastion"
+          "networkSecurityGroupId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<<namePrefix>>-az-nsg-x-bastion"
         }
       ]
     }

@@ -15,7 +15,7 @@
         {
           "name": "<<namePrefix>>-az-subnet-x-001",
           "addressPrefix": "10.2.0.0/24",
-          "networkSecurityGroupName": "adp-<<namePrefix>>-az-nsg-x-001"
+          "networkSecurityGroupId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<<namePrefix>>-az-nsg-x-001"
         }
       ]
     }

@@ -15,7 +15,7 @@
         {
           "name": "<<namePrefix>>-az-subnet-x-001",
           "addressPrefix": "10.3.0.0/24",
-          "networkSecurityGroupName": "adp-<<namePrefix>>-az-nsg-x-001"
+          "networkSecurityGroupId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<<namePrefix>>-az-nsg-x-001"
         }
       ]
     }

@@ -14,10 +14,7 @@
       "value": [
         {
           "name": "AzureFirewallSubnet",
-          "addressPrefix": "10.4.4.0/24",
-          "routeTableName": "",
-          "serviceEndpoints": [],
-          "delegations": []
+          "addressPrefix": "10.4.4.0/24"
         }
       ]
     }

@@ -15,17 +15,17 @@
         {
           "name": "Primary",
           "addressPrefix": "10.5.0.0/18",
-          "networkSecurityGroupName": "adp-<<namePrefix>>-az-nsg-x-001"
+          "networkSecurityGroupId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<<namePrefix>>-az-nsg-x-001"
         },
         {
           "name": "Secondary",
           "addressPrefix": "10.5.64.0/18",
-          "networkSecurityGroupName": "adp-<<namePrefix>>-az-nsg-x-001"
+          "networkSecurityGroupId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<<namePrefix>>-az-nsg-x-001"
         },
         {
           "name": "Tertiary",
           "addressPrefix": "10.5.128.0/18",
-          "networkSecurityGroupName": "adp-<<namePrefix>>-az-nsg-x-001"
+          "networkSecurityGroupId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<<namePrefix>>-az-nsg-x-001"
         }
       ]
     }

@@ -15,9 +15,8 @@
         {
           "name": "<<namePrefix>>-az-subnet-x-sqlmi", // SQLMi subnet
           "addressPrefix": "10.6.0.0/24",
-          "networkSecurityGroupName": "adp-<<namePrefix>>-az-nsg-x-sqlmi",
-          "routeTableName": "adp-<<namePrefix>>-az-udr-x-sqlmi",
-          "serviceEndpoints": [],
+          "networkSecurityGroupId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<<namePrefix>>-az-nsg-x-sqlmi",
+          "routeTableNameId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/routeTables/adp-<<namePrefix>>-az-udr-x-sqlmi",
           "delegations": [
             {
               "name": "sqlMiDel",

@@ -15,7 +15,7 @@
                 {
                     "name": "default", // Hub connection subnet
                     "addressPrefix": "10.7.0.0/24",
-                    "networkSecurityGroupName": "adp-<<namePrefix>>-az-nsg-x-001"
+                    "networkSecurityGroupId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<<namePrefix>>-az-nsg-x-001"
                 }
             ]
         }