From d13dc1795a063996fa950ab191c6e3855a9cafdc Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Fri, 17 Jun 2022 19:04:40 +0200
Subject: [PATCH 1/3] test cross referencing pip
---
.../azureFirewalls/deploy.bicep | 50 ++++++++++++++++---
1 file changed, 43 insertions(+), 7 deletions(-)
diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
index c05cbc0a2c..27257f640e 100644
--- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep
+++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
@@ -131,6 +131,7 @@ var additionalPublicIpConfigurations_var = [for ipConfiguration in additionalPub
 // 1. Use existing public ip
 // 2. Use new public ip created in this module
 // 3. Do not use a public ip if isCreateDefaultPublicIP is false
+
 var subnet_var = {
 subnet: {
 id: '${vNetId}/subnets/AzureFirewallSubnet' // The subnet name must be AzureFirewallSubnet
@@ -148,12 +149,12 @@ var newPip = {
 }
 var ipConfigurations = concat([
- {
- name: 'IpConfAzureFirewallSubnet'
- //Use existing public ip, new public ip created in this module, or none if isCreateDefaultPublicIP is false
- properties: union(subnet_var, !empty(azureFirewallSubnetPublicIpId) ? existingPip : {}, (isCreateDefaultPublicIP ? newPip : {}))
- }
-], additionalPublicIpConfigurations_var)
+ {
+ name: 'IpConfAzureFirewallSubnet'
+ //Use existing public ip, new public ip created in this module, or none if isCreateDefaultPublicIP is false
+ properties: union(subnet_var, !empty(azureFirewallSubnetPublicIpId) ? existingPip : {}, (isCreateDefaultPublicIP ? newPip : {}))
+ }
+ ], additionalPublicIpConfigurations_var)
 // ----------------------------------------------------------------------------
@@ -189,7 +190,42 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 // create a public ip address if one is not provided and the flag is true
-module publicIPAddress '.bicep/nested_publicIPAddress.bicep' = if (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) {
+// module publicIPAddress '.bicep/nested_publicIPAddress.bicep' = if (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) {
+// name: '${uniqueString(deployment().name, location)}-Firewall-PIP'
+// params: {
+// name: contains(publicIPAddressObject, 'name') ? (!(empty(publicIPAddressObject.name)) ? publicIPAddressObject.name : '${name}-pip') : '${name}-pip'
+// publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? (!(empty(publicIPAddressObject.publicIPPrefixResourceId)) ? publicIPAddressObject.publicIPPrefixResourceId : '') : ''
+// publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? (!(empty(publicIPAddressObject.publicIPAllocationMethod)) ? publicIPAddressObject.publicIPAllocationMethod : 'Static') : 'Static'
+// skuName: contains(publicIPAddressObject, 'skuName') ? (!(empty(publicIPAddressObject.skuName)) ? publicIPAddressObject.skuName : 'Standard') : 'Standard'
+// skuTier: contains(publicIPAddressObject, 'skuTier') ? (!(empty(publicIPAddressObject.skuTier)) ? publicIPAddressObject.skuTier : 'Regional') : 'Regional'
+// roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? (!empty(publicIPAddressObject.roleAssignments) ? publicIPAddressObject.roleAssignments : []) : []
+// diagnosticMetricsToEnable: contains(publicIPAddressObject, 'diagnosticMetricsToEnable') ? (!(empty(publicIPAddressObject.diagnosticMetricsToEnable)) ? publicIPAddressObject.diagnosticMetricsToEnable : [
+// 'AllMetrics'
+// ]) : [
+// 'AllMetrics'
+// ]
+// diagnosticLogCategoriesToEnable: contains(publicIPAddressObject, 'diagnosticLogCategoriesToEnable') ? (!(empty(publicIPAddressObject.diagnosticLogCategoriesToEnable)) ? publicIPAddressObject.diagnosticLogCategoriesToEnable : [
+// 'DDoSProtectionNotifications'
+// 'DDoSMitigationFlowLogs'
+// 'DDoSMitigationReports'
+// ]) : [
+// 'DDoSProtectionNotifications'
+// 'DDoSMitigationFlowLogs'
+// 'DDoSMitigationReports'
+// ]
+// location: location
+// diagnosticStorageAccountId: diagnosticStorageAccountId
+// diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays
+// diagnosticWorkspaceId: diagnosticWorkspaceId
+// diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId
+// diagnosticEventHubName: diagnosticEventHubName
+// lock: lock
+// tags: tags
+// zones: zones
+// }
+// }
+
+module publicIPAddress '../../Microsoft.Network/publicIPAddresses/deploy.bicep' = if (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) {
 name: '${uniqueString(deployment().name, location)}-Firewall-PIP'
 params: {
 name: contains(publicIPAddressObject, 'name') ? (!(empty(publicIPAddressObject.name)) ? publicIPAddressObject.name : '${name}-pip') : '${name}-pip'
From f040b682fbcfae86a5f710a2a55d8944911a61c3 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Fri, 17 Jun 2022 19:23:57 +0200
Subject: [PATCH 2/3] remove nested files
---
.../.bicep/nested_publicIPAddress.bicep | 161 ------------------
.../.bicep/nested_publicIPAddress_rbac.bicep | 61 -------
2 files changed, 222 deletions(-)
delete mode 100644 arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress.bicep
delete mode 100644 arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress_rbac.bicep
diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress.bicep
deleted file mode 100644
index c72c028552..0000000000
--- a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress.bicep
+++ /dev/null
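Review bot: The added `module publicIPAddress '../../Microsoft.Network/publicIPAddresses/deploy.bicep'` line hands the old nested module's parameter set (`diagnosticLogCategoriesToEnable`, `diagnosticMetricsToEnable`, `roleAssignments`, `lock`, `zones`, …) to a different module, and nothing in the hunk shows that the shared module declares all of those names or validates them the way the nested copy did with its `@allowed` lists, so a `bicep build` of this file should be part of the PR check rather than discovering a missing or renamed parameter at deploy time. The nested copy also fixed settings the caller cannot influence — `idleTimeoutInMinutes: 4`, `publicIPAddressVersion: 'IPv4'` and the built-in role-name map behind `roleAssignments` — and whether the shared module keeps the same values cannot be confirmed from this diff, so the comment above the module should record the new ownership, e.g. `// create a public ip address if one is not provided and the flag is true; sku, diagnostics and RBAC defaults are now those of the shared publicIPAddresses module`. The relative path walks up to `arm/` only to come back into `Microsoft.Network/`; `../publicIPAddresses/deploy.bicep` resolves to the same file and reads more directly. The module's `params` block continues past the end of the hunk.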
@@ -1,161 +0,0 @@
-@description('Required. The name of the Public IP Address')
-param name string
-
-@description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.')
-param publicIPPrefixResourceId string = ''
-
-@description('Optional. The public IP address allocation method. - Static or Dynamic.')
-param publicIPAllocationMethod string = 'Dynamic'
-
-@description('Optional. Zone numbers e.g. 1,2,3.')
-param zones array = [
- '1'
- '2'
- '3'
-]
-
-@description('Optional. Public IP Address sku Name')
-param skuName string = 'Basic'
-
-@description('Optional. Public IP Address pricing tier')
-param skuTier string = 'Regional'
-
-@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
-@minValue(0)
-@maxValue(365)
-param diagnosticLogsRetentionInDays int = 365
-
-@description('Optional. Resource ID of the diagnostic storage account.')
-param diagnosticStorageAccountId string = ''
-
-@description('Optional. Resource identifier of log analytics.')
-param diagnosticWorkspaceId string = ''
-
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-param diagnosticEventHubAuthorizationRuleId string = ''
-
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
-param diagnosticEventHubName string = ''
-
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
-
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
-param roleAssignments array = []
-
-@description('Optional. Tags of the resource.')
-param tags object = {}
-
-@description('Optional. The name of logs that will be streamed.')
-@allowed([
- 'DDoSProtectionNotifications'
- 'DDoSMitigationFlowLogs'
- 'DDoSMitigationReports'
-])
-param diagnosticLogCategoriesToEnable array = [
- 'DDoSProtectionNotifications'
- 'DDoSMitigationFlowLogs'
- 'DDoSMitigationReports'
-]
-
-@description('Optional. The name of metrics that will be streamed.')
-@allowed([
- 'AllMetrics'
-])
-param diagnosticMetricsToEnable array = [
- 'AllMetrics'
-]
-
-@description('Optional. The name of the diagnostic setting, if deployed.')
-param diagnosticSettingsName string = '${name}-diagnosticSettings'
-
-var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
- category: category
- enabled: true
- retentionPolicy: {
- enabled: true
- days: diagnosticLogsRetentionInDays
- }
-}]
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
- retentionPolicy: {
- enabled: true
- days: diagnosticLogsRetentionInDays
- }
-}]
-
-var publicIPPrefix = {
- id: publicIPPrefixResourceId
-}
-
-resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' = {
- name: name
- location: location
- tags: tags
- sku: {
- name: skuName
- tier: skuTier
- }
- properties: {
- publicIPAddressVersion: 'IPv4'
- publicIPAllocationMethod: publicIPAllocationMethod
- publicIPPrefix: !empty(publicIPPrefixResourceId) ? publicIPPrefix : null
- idleTimeoutInMinutes: 4
- ipTags: []
- }
- zones: length(zones) == 0 ? null : zones
-}
-
-resource publicIpAddress_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
- name: '${publicIpAddress.name}-${lock}-lock'
- properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
- }
- scope: publicIpAddress
-}
-
-resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
- name: diagnosticSettingsName
- properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
- }
- scope: publicIpAddress
-}
-
-module publicIpAddress_rbac 'nested_publicIPAddress_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${deployment().name}-rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- resourceId: publicIpAddress.id
- }
-}]
-
-@description('The resource group the public IP address was deployed into')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the public IP address')
-output name string = publicIpAddress.name
-
-@description('The resource ID of the public IP address')
-output resourceId string = publicIpAddress.id
diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress_rbac.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress_rbac.bicep
deleted file mode 100644
index afb6225762..0000000000
--- a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress_rbac.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-@sys.description('Required. The IDs of the prinicpals to assign to role to')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. Description of role assignment')
-param description string = ''
-
-var builtInRoleNames = {
- 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Microsoft OneAsset Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd1bb084-1503-4bd2-99c0-630220046786')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
-}
-
-resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' existing = {
- name: last(split(resourceId, '/'))
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: {
- name: guid(publicIpAddress.name, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- }
- scope: publicIpAddress
-}]
From a943c684d04d6a9e06c2d04de8c58d1dd9933707 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Fri, 17 Jun 2022 19:26:08 +0200
Subject: [PATCH 3/3] cleanup and format doc
---
.../azureFirewalls/deploy.bicep | 35 -------------------
1 file changed, 35 deletions(-)
diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
index 27257f640e..4f80e3e552 100644
--- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep
+++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
@@ -190,41 +190,6 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 // create a public ip address if one is not provided and the flag is true
-// module publicIPAddress '.bicep/nested_publicIPAddress.bicep' = if (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) {
-// name: '${uniqueString(deployment().name, location)}-Firewall-PIP'
-// params: {
-// name: contains(publicIPAddressObject, 'name') ? (!(empty(publicIPAddressObject.name)) ? publicIPAddressObject.name : '${name}-pip') : '${name}-pip'
-// publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? (!(empty(publicIPAddressObject.publicIPPrefixResourceId)) ? publicIPAddressObject.publicIPPrefixResourceId : '') : ''
-// publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? (!(empty(publicIPAddressObject.publicIPAllocationMethod)) ? publicIPAddressObject.publicIPAllocationMethod : 'Static') : 'Static'
-// skuName: contains(publicIPAddressObject, 'skuName') ? (!(empty(publicIPAddressObject.skuName)) ? publicIPAddressObject.skuName : 'Standard') : 'Standard'
-// skuTier: contains(publicIPAddressObject, 'skuTier') ? (!(empty(publicIPAddressObject.skuTier)) ? publicIPAddressObject.skuTier : 'Regional') : 'Regional'
-// roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? (!empty(publicIPAddressObject.roleAssignments) ? publicIPAddressObject.roleAssignments : []) : []
-// diagnosticMetricsToEnable: contains(publicIPAddressObject, 'diagnosticMetricsToEnable') ? (!(empty(publicIPAddressObject.diagnosticMetricsToEnable)) ? publicIPAddressObject.diagnosticMetricsToEnable : [
-// 'AllMetrics'
-// ]) : [
-// 'AllMetrics'
-// ]
-// diagnosticLogCategoriesToEnable: contains(publicIPAddressObject, 'diagnosticLogCategoriesToEnable') ? (!(empty(publicIPAddressObject.diagnosticLogCategoriesToEnable)) ? publicIPAddressObject.diagnosticLogCategoriesToEnable : [
-// 'DDoSProtectionNotifications'
-// 'DDoSMitigationFlowLogs'
-// 'DDoSMitigationReports'
-// ]) : [
-// 'DDoSProtectionNotifications'
-// 'DDoSMitigationFlowLogs'
-// 'DDoSMitigationReports'
-// ]
-// location: location
-// diagnosticStorageAccountId: diagnosticStorageAccountId
-// diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays
-// diagnosticWorkspaceId: diagnosticWorkspaceId
-// diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId
-// diagnosticEventHubName: diagnosticEventHubName
-// lock: lock
-// tags: tags
-// zones: zones
-// }
-// }
-
 module publicIPAddress '../../Microsoft.Network/publicIPAddresses/deploy.bicep' = if (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) {
 name: '${uniqueString(deployment().name, location)}-Firewall-PIP'
 params: {