From a000a901bc41709127e7ab06dd4c2a8129ca6014 Mon Sep 17 00:00:00 2001 From: Jan-Henrik Damaschke Date: Tue, 21 Jun 2022 21:28:51 +0200 Subject: [PATCH 1/8] feat(webpubsub): Added Web PubSub module --- .../.bicep/nested_rbac.bicep | 61 ++++ arm/Microsoft.SignalRService/deploy.bicep | 161 +++++++++++ arm/Microsoft.SignalRService/readme.md | 265 ++++++++++++++++++ 3 files changed, 487 insertions(+) create mode 100644 arm/Microsoft.SignalRService/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.SignalRService/deploy.bicep create mode 100644 arm/Microsoft.SignalRService/readme.md diff --git a/arm/Microsoft.SignalRService/.bicep/nested_rbac.bicep b/arm/Microsoft.SignalRService/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..7d3e0bce74 --- /dev/null +++ b/arm/Microsoft.SignalRService/.bicep/nested_rbac.bicep 
@@ -0,0 +1,61 @@
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Cluster Create': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7b1b19a-0e83-4fe5-935c-faaefbfd18c3')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Azure Service Deploy Release Management Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21d96096-b162-414a-8302-d8354f9d91b2')
+ 'CAL-Custom-Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b266cd7-0bba-4ae2-8423-90ede5e1e898')
+ 'ExpressRoute Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a48d7896-14b4-4889-afef-fbb65a96e5a2')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'masterreader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a48d7796-14b4-4889-afef-fbb65a93e5a2')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
+}
+
+resource webPubSub 'Microsoft.SignalRService/webPubSub@2021-10-01' existing = {
+ name: last(split(resourceId, '/'))
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: {
+ name: guid(webPubSub.id, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? any(principalType) : null
+ }
+ scope: webPubSub
+}]
diff --git a/arm/Microsoft.SignalRService/deploy.bicep b/arm/Microsoft.SignalRService/deploy.bicep
new file mode 100644
index 0000000000..5b202683a6
--- /dev/null
+++ b/arm/Microsoft.SignalRService/deploy.bicep
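Review bot: The `builtInRoleNames` map used by the `roleDefinitionId` ternary contains no Web PubSub data-plane roles, only generic and apparently inherited entries (Avere, ExpressRoute, Virtual Machine Contributor), so the display-name convenience the `roleDefinitionIdOrName` description promises does not cover the roles a caller is most likely to assign on this resource. Because the fallback passes any unrecognised string straight through as the role definition ID, a mistyped display name only fails at deployment time rather than being caught by the map. Consider adding the service's own built-in roles, e.g. `'Web PubSub Service Owner (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<role-definition-guid>')` and the matching Reader entry (look the GUIDs up in the built-in roles reference), and trimming entries that cannot meaningfully scope to a webPubSub resource.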
@@ -0,0 +1,161 @@
+@description('Optional. The location to deploy the Web PubSub service.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Web PubSub resource.')
+param name string
+
+@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
+param privateEndpoints array = []
+
+@allowed([
+ ''
+ 'CanNotDelete'
+ 'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = ''
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('The unit count of the resource. 1 by default.')
+param capacity int = 1
+
+@allowed([
+ 'Free_F1'
+ 'Standard_S1'
+])
+@description('Optional. Pricing tier of App Configuration.')
+param sku string = 'Free_F1'
+
+@description('Optional. Enables system assigned managed identity on the resource.')
+param systemAssignedIdentity bool = false
+
+@description('Optional. The ID(s) to assign to the resource.')
+param userAssignedIdentities object = {}
+
+@description('Optional. When set as true, connection with AuthType=aad won\'t work.')
+param disableAadAuth bool = false
+
+@description('Optional. Disables all authentication methods other than AAD authentication.')
+param disableLocalAuth bool = false
+
+@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.')
+param publicNetworkAccess string = 'Enabled'
+
+@allowed([
+ 'ConnectivityLogs'
+ 'MessagingLogs'
+])
+@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.')
+param resourceLogConfigurationsToEnable array = [
+ 'ConnectivityLogs'
+ 'MessagingLogs'
+]
+
+@description('Optional. Request client certificate during TLS handshake if enabled.')
+param clientCertEnabled bool = false
+
+@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.')
+param networkAcls array = []
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+var resourceLogConfiguration = [for configuration in resourceLogConfigurationsToEnable: {
+ name: configuration
+ enabled: 'true'
+}]
+
+var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
+
+var identity = {
+ type: identityType
+ userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+}
+
+@description('Optional. Network ACLs for the resource. The values for the \'allow\' and \'deny\' array can be one or more of: ClientConnection, ServerConnection, RESTAPI.')
+var webPubSubNetworkAcls = [for acl in networkAcls: {
+ defaultAction: !empty(acl.defaultAction) ? contains([ 'Allow', 'Deny' ], acl.defaultAction) ? acl.defaultAction : 'Deny' : null
+ publicNetwork: {
+ allow: !empty(acl.allow) ? acl.allow : []
+ deny: !empty(acl.deny) ? acl.deny : []
+ }
+}]
+
+resource webPubSub 'Microsoft.SignalRService/webPubSub@2021-10-01' = {
+ name: name
+ location: location
+ tags: tags
+ sku: {
+ capacity: capacity
+ name: sku
+ tier: sku == 'Standard_S1' ? 'Standard' : 'Free'
+ }
+ identity: identity
+ properties: {
+ disableAadAuth: disableAadAuth
+ disableLocalAuth: disableLocalAuth
+ networkACLs: !empty(webPubSubNetworkAcls) ? {
+ } : null
+ publicNetworkAccess: publicNetworkAccess
+ resourceLogConfiguration: {
+ categories: resourceLogConfiguration
+ }
+ tls: {
+ clientCertEnabled: clientCertEnabled
+ }
+ }
+}
+
+module webPubSub_privateEndpoints '../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-appConfiguration-PrivateEndpoint-${index}'
+ params: {
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(webPubSub.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: webPubSub.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
+ }
+}]
+
+resource webPubSub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+ name: '${webPubSub.name}-${lock}-lock'
+ properties: {
+ level: any(lock)
+ notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: webPubSub
+}
+
+
+module webPubSub_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name, location)}-AppGateway-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: webPubSub.id
+ }
+}]
+
+@description('The name of the Web PubSub service.')
+output name string = webPubSub.name
+
+@description('The resource ID of the Web PubSub service.')
+output resourceId string = webPubSub.id
+
+@description('The resource group the Web PubSub service was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The location the Web PubSub service was deployed into.')
+output location string = webPubSub.location
diff --git a/arm/Microsoft.SignalRService/readme.md b/arm/Microsoft.SignalRService/readme.md
new file mode 100644
index 0000000000..4a496e441e
--- /dev/null
+++ b/arm/Microsoft.SignalRService/readme.md
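Review bot: `networkACLs: !empty(webPubSubNetworkAcls) ? {` / `} : null` inside the `webPubSub` resource assigns an empty object instead of the computed `webPubSubNetworkAcls`, so whatever the caller passes in `networkAcls` (including the `DefaultAction Deny` the parameter description recommends) is silently dropped and the service keeps its default public ACL. The minimal correction is `networkACLs: !empty(webPubSubNetworkAcls) ? webPubSubNetworkAcls : null`, but the property appears to take a single object (defaultAction / publicNetwork / privateEndpoints) while both `networkAcls` and the variable are arrays, so the parameter and variable should presumably become objects — confirm against the 2021-10-01 schema. Separately, the `resourceLogConfigurationsToEnable` description is a copy of the `publicNetworkAccess` text and `sku` reads "Pricing tier of App Configuration"; both should describe this resource, and `publicNetworkAccess` would benefit from `@allowed([ 'Enabled' 'Disabled' ])` like its sibling parameters. The nested deployment names `appConfiguration-PrivateEndpoint` and `AppGateway-Rbac` are likewise carried over from other modules; `webPubSub-PrivateEndpoint` / `webPubSub-Rbac` would make them identifiable in the activity log (the same applies to `AppConfig-Rbac` in patch 3).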
@@ -0,0 +1,265 @@ +# SignalRService `[Microsoft.SignalRService]` + +This module deploys a Web PubSub resource. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | +| `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.SignalRService/webPubSub` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.SignalRService/2021-10-01/webPubSub) | + +## Parameters + +**Required parameters** +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the Web PubSub resource. | + +**Optional parameters** +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `capacity` | int | `1` | The unit count of the resource. 1 by default. | +| `clientCertEnabled` | bool | `False` | | Request client certificate during TLS handshake if enabled. | +| `disableAadAuth` | bool | `False` | | When set as true, connection with AuthType=aad won't work. | +| `disableLocalAuth` | bool | `False` | | Disables all authentication methods other than AAD authentication. | +| `location` | string | `[resourceGroup().location]` | | The location to deploy the Web PubSub service. 
| +| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `networkAcls` | array | `[]` | | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. | +| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | +| `publicNetworkAccess` | string | `'Enabled'` | | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | +| `resourceLogConfigurationsToEnable` | array | `[ConnectivityLogs, MessagingLogs]` | `[ConnectivityLogs, MessagingLogs]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `sku` | string | `'Free_F1'` | `[Free_F1, Standard_S1]` | Pricing tier of App Configuration. | +| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | +| `tags` | object | `{object}` | | Tags of the resource. | +| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | + + +### Parameter Usage: `privateEndpoints` + +To use Private Endpoint the following dependencies must be deployed: + +- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). 
A full example is available in the Virtual Network Module. +- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. + +
+ +Parameter JSON format + +```json +"privateEndpoints": { + "value": [ + // Example showing all available fields + { + "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "<>", // e.g. vault, registry, file, blob, queue, table etc. + "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net" + ], + "customDnsConfigs": [ // Optional + { + "fqdn": "customname.test.local", + "ipAddresses": [ + "10.10.10.10" + ] + } + ] + }, + // Example showing only mandatory fields + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", + "service": "<>" // e.g. vault, registry, file, blob, queue, table etc. + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +privateEndpoints: [ + // Example showing all available fields + { + name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '<>' // e.g. vault registry file blob queue table etc. + privateDnsZoneResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified + '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net' + ] + // Optional + customDnsConfigs: [ + { + fqdn: 'customname.test.local' + ipAddresses: [ + '10.10.10.10' + ] + } + ] + } + // Example showing only mandatory fields + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' + service: '<>' // e.g. vault registry file blob queue table etc. + } +] +``` + +
+

+ +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the Web PubSub service was deployed into. | +| `name` | string | The name of the Web PubSub service. | +| `resourceGroupName` | string | The resource group the Web PubSub service was deployed into. | +| `resourceId` | string | The resource ID of the Web PubSub service. | From ee3645d71d4cae72a9b51166c815314d55d2a04b Mon Sep 17 00:00:00 2001 From: Jan-Henrik Damaschke Date: Thu, 23 Jun 2022 20:51:10 +0200 Subject: [PATCH 2/8] feat(webpubsub): Updated folders, added tests, updated readme --- .../{ => webPubSub}/.bicep/nested_rbac.bicep | 0 .../webPubSub/.test/deploy.full.test.bicep | 22 +++++++++ .../webPubSub/.test/deploy.minimal.test.bicep | 9 ++++ .../{ => webPubSub}/deploy.bicep | 48 +++++++------------ .../{ => webPubSub}/readme.md | 1 + .../webPubSub/version.json | 4 ++ 6 files changed, 53 insertions(+), 31 deletions(-) rename arm/Microsoft.SignalRService/{ => webPubSub}/.bicep/nested_rbac.bicep (100%) create mode 100644 arm/Microsoft.SignalRService/webPubSub/.test/deploy.full.test.bicep create mode 100644 arm/Microsoft.SignalRService/webPubSub/.test/deploy.minimal.test.bicep rename arm/Microsoft.SignalRService/{ => webPubSub}/deploy.bicep (74%) rename arm/Microsoft.SignalRService/{ => webPubSub}/readme.md (96%) create mode 100644 arm/Microsoft.SignalRService/webPubSub/version.json diff --git a/arm/Microsoft.SignalRService/.bicep/nested_rbac.bicep b/arm/Microsoft.SignalRService/webPubSub/.bicep/nested_rbac.bicep similarity index 100% rename from arm/Microsoft.SignalRService/.bicep/nested_rbac.bicep rename to arm/Microsoft.SignalRService/webPubSub/.bicep/nested_rbac.bicep diff --git a/arm/Microsoft.SignalRService/webPubSub/.test/deploy.full.test.bicep b/arm/Microsoft.SignalRService/webPubSub/.test/deploy.full.test.bicep new file mode 100644 index 0000000000..4cc31dbcce --- /dev/null 
+++ b/arm/Microsoft.SignalRService/webPubSub/.test/deploy.full.test.bicep
@@ -0,0 +1,22 @@
+var location = 'westeurope'
+
+module fullWebPubSubDeployment '../deploy.bicep' = {
+ name: 'fullWebPubSubDeployment'
+ params: {
+ name: 'fullWebPubSubDeployment'
+ location: location
+ capacity: 2
+ clientCertEnabled: false
+ disableAadAuth: false
+ disableLocalAuth: true
+ lock: 'CanNotDelete'
+ sku: 'Standard_S1'
+ systemAssignedIdentity: true
+ tags: {
+ purpose: 'test'
+ }
+ resourceLogConfigurationsToEnable: [
+ 'ConnectivityLogs'
+ ]
+ }
+}
diff --git a/arm/Microsoft.SignalRService/webPubSub/.test/deploy.minimal.test.bicep b/arm/Microsoft.SignalRService/webPubSub/.test/deploy.minimal.test.bicep
new file mode 100644
index 0000000000..f502cb53bc
--- /dev/null
+++ b/arm/Microsoft.SignalRService/webPubSub/.test/deploy.minimal.test.bicep
@@ -0,0 +1,9 @@
+var location = 'westeurope'
+
+module minimalWebPubSubDeployment '../deploy.bicep' = {
+ name: 'minimalWebPubSubDeployment'
+ params: {
+ name: 'minimalWebPubSubDeployment'
+ location: location
+ }
+}
diff --git a/arm/Microsoft.SignalRService/deploy.bicep b/arm/Microsoft.SignalRService/webPubSub/deploy.bicep
similarity index 74%
rename from arm/Microsoft.SignalRService/deploy.bicep
rename to arm/Microsoft.SignalRService/webPubSub/deploy.bicep
index 5b202683a6..be769de6de 100644
--- a/arm/Microsoft.SignalRService/deploy.bicep
+++ b/arm/Microsoft.SignalRService/webPubSub/deploy.bicep
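Review bot: The `fullWebPubSubDeployment` test passes no `networkAcls` and no `privateEndpoints`, so the module's network-restriction paths — the ones its own parameter descriptions recommend for security — are never compiled or deployed by the test pipeline, and a wiring mistake in the `networkACLs` property would go unnoticed. A `networkAcls` entry with `defaultAction: 'Deny'` and a non-empty `allow` list (the values the variable description names: ClientConnection, ServerConnection, RESTAPI) would cover the ACL path cheaply; private endpoints presumably need a subnet dependency, which may be why they are left out. The rest of the parameter set is a reasonable full-coverage choice, with `disableLocalAuth: true` exercising the AAD-only configuration.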
@@ -59,8 +59,8 @@ param clientCertEnabled bool = false @description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.') param networkAcls array = [] -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] +@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') +param enableDefaultTelemetry bool = true var resourceLogConfiguration = [for configuration in resourceLogConfigurationsToEnable: { name: configuration 
@@ -76,13 +76,25 @@ var identity = { @description('Optional. Network ACLs for the resource. The values for the \'allow\' and \'deny\' array can be one or more of: ClientConnection, ServerConnection, RESTAPI.') var webPubSubNetworkAcls = [for acl in networkAcls: { - defaultAction: !empty(acl.defaultAction) ? contains([ 'Allow', 'Deny' ], acl.defaultAction) ? acl.defaultAction : 'Deny' : null + defaultAction: !empty(acl.defaultAction) ? contains([ 'Allow', 'Deny' ], acl.defaultAction) ? acl.defaultAction : 'Deny' : null publicNetwork: { allow: !empty(acl.allow) ? acl.allow : [] deny: !empty(acl.deny) ? acl.deny : [] } }] +resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { + name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [] + } + } +} + resource webPubSub 'Microsoft.SignalRService/webPubSub@2021-10-01' = { name: name location: location @@ -108,12 +120,10 @@ resource webPubSub 'Microsoft.SignalRService/webPubSub@2021-10-01' = { } } -module webPubSub_privateEndpoints '../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { +module webPubSub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-appConfiguration-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] + groupIds: [ privateEndpoint.service ] name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(webPubSub.id, '/'))}-${privateEndpoint.service}-${index}' serviceResourceId: webPubSub.id subnetResourceId: privateEndpoint.subnetResourceId 
@@ -135,27 +145,3 @@ resource webPubSub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty( } scope: webPubSub } - - -module webPubSub_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-AppGateway-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: webPubSub.id - } -}] - -@description('The name of the Web PubSub service.') -output name string = webPubSub.name - -@description('The resource ID of the Web PubSub service.') -output resourceId string = webPubSub.id - -@description('The resource group the Web PubSub service was deployed into.') -output resourceGroupName string = resourceGroup().name - -@description('The location the Web PubSub service was deployed into.') -output location string = webPubSub.location diff --git a/arm/Microsoft.SignalRService/readme.md b/arm/Microsoft.SignalRService/webPubSub/readme.md similarity index 96% rename from arm/Microsoft.SignalRService/readme.md rename to arm/Microsoft.SignalRService/webPubSub/readme.md index 4a496e441e..878faa1ea3 100644 --- a/arm/Microsoft.SignalRService/readme.md +++ b/arm/Microsoft.SignalRService/webPubSub/readme.md 
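Review bot: The four outputs (`name`, `resourceId`, `resourceGroupName`, `location`) disappear with this hunk and are not restored by patch 3, which re-adds only the `webPubSub_rbac` module, while the readme hunk later in this patch leaves the Outputs table documenting them. If the removal is deliberate, the readme table should be dropped in the same patch; if it is collateral from deleting the rbac module, the `output` lines should be kept after the lock resource so that consumers can still reference `resourceId`. The enclosing `webPubSub_lock` resource starts outside the hunk.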
@@ -32,6 +32,7 @@ This module deploys a Web PubSub resource. | `clientCertEnabled` | bool | `False` | | Request client certificate during TLS handshake if enabled. | | `disableAadAuth` | bool | `False` | | When set as true, connection with AuthType=aad won't work. | | `disableLocalAuth` | bool | `False` | | Disables all authentication methods other than AAD authentication. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | The location to deploy the Web PubSub service. | | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | | `networkAcls` | array | `[]` | | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. | diff --git a/arm/Microsoft.SignalRService/webPubSub/version.json b/arm/Microsoft.SignalRService/webPubSub/version.json new file mode 100644 index 0000000000..badc0a2285 --- /dev/null +++ b/arm/Microsoft.SignalRService/webPubSub/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.5" +} From 663c96c17d6af9e512dd5638195090aceedc65d3 Mon Sep 17 00:00:00 2001 From: Jan-Henrik Damaschke Date: Thu, 23 Jun 2022 20:57:44 +0200 Subject: [PATCH 3/8] feat(webpubsub): Added nested rbac --- .../webPubSub/deploy.bicep | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/arm/Microsoft.SignalRService/webPubSub/deploy.bicep b/arm/Microsoft.SignalRService/webPubSub/deploy.bicep index be769de6de..a435cf654c 100644 --- a/arm/Microsoft.SignalRService/webPubSub/deploy.bicep +++ b/arm/Microsoft.SignalRService/webPubSub/deploy.bicep 
@@ -15,6 +15,9 @@ param privateEndpoints array = []
 @description('Optional. Specify the type of lock.')
 param lock string = ''
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Optional. Tags of the resource.')
 param tags object = {}
@@ -145,3 +148,14 @@ resource webPubSub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(
 }
 scope: webPubSub
 }
+
+module webPubSub_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name, location)}-AppConfig-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: webPubSub.id
+ }
+}]
From 7aefb741b08adf4c014f2817e74e68ca4cfec8e0 Mon Sep 17 00:00:00 2001
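Review bot: The `roleAssignments` description tells callers each object carries 'principalId', but the module passes `roleAssignment.principalIds` (an array) into the nested RBAC template, so an object written as the description says fails at deployment on the missing property. Suggest `...that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource...`. The same description text is reused in the Redis `deploy.bicep` hunk of PATCH 4/8 and needs the same fix there.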
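Review bot: The RBAC module deployment is named `-AppConfig-Rbac-` inside a Web PubSub module (the version removed in the preceding patch was `-AppGateway-Rbac-`), which is a copy-paste leftover. Deployment names are what an operator sees in the resource group's deployment history and activity log when tracing who granted a role, so a misleading name slows down that investigation. Suggest `name: '${uniqueString(deployment().name, location)}-WebPubSub-Rbac-${index}'`.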
From: Jan-Henrik Damaschke Date: Thu, 23 Jun 2022 21:20:55 +0200 Subject: [PATCH 4/8] feat(redis-cache): Added Redis cache module --- .../redis/.bicep/nested_rbac.bicep | 61 +++++ .../redis/.test/deploy.full.test.bicep | 31 +++ .../redis/.test/deploy.minimal.test.bicep | 9 + arm/Microsoft.Cache/redis/deploy.bicep | 259 ++++++++++++++++++ arm/Microsoft.Cache/redis/readme.md | 236 ++++++++++++++++ arm/Microsoft.Cache/redis/version.json | 4 + 6 files changed, 600 insertions(+) create mode 100644 arm/Microsoft.Cache/redis/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Cache/redis/.test/deploy.full.test.bicep create mode 100644 arm/Microsoft.Cache/redis/.test/deploy.minimal.test.bicep create mode 100644 arm/Microsoft.Cache/redis/deploy.bicep create mode 100644 arm/Microsoft.Cache/redis/readme.md create mode 100644 arm/Microsoft.Cache/redis/version.json diff --git a/arm/Microsoft.Cache/redis/.bicep/nested_rbac.bicep b/arm/Microsoft.Cache/redis/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..96d8d307df --- /dev/null +++ b/arm/Microsoft.Cache/redis/.bicep/nested_rbac.bicep 
@@ -0,0 +1,61 @@ +@sys.description('Required. The IDs of the principals to assign the role to.') +param principalIds array + +@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') +param roleDefinitionIdOrName string + +@sys.description('Required. The resource ID of the resource to apply the role assignment to.') +param resourceId string + +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' + +@sys.description('Optional. The description of the role assignment.') +param description string = '' + +var builtInRoleNames = { + 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Avere Cluster Create': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7b1b19a-0e83-4fe5-935c-faaefbfd18c3') + 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') + 'Azure Service Deploy Release Management Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21d96096-b162-414a-8302-d8354f9d91b2') + 'CAL-Custom-Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b266cd7-0bba-4ae2-8423-90ede5e1e898') + 'ExpressRoute Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a48d7896-14b4-4889-afef-fbb65a96e5a2') + 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') + 'Log Analytics Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') + 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') + 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') + 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') + 'masterreader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a48d7796-14b4-4889-afef-fbb65a93e5a2') + 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') + 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') + 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') + 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') +} + +resource redisCache 'Microsoft.Cache/redis@2021-06-01' existing = { + name: last(split(resourceId, '/')) +} + +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: { + name: guid(redisCache.id, principalId, roleDefinitionIdOrName) + properties: { + description: description + roleDefinitionId: 
contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? any(principalType) : null
+ }
+ scope: redisCache
+}]
diff --git a/arm/Microsoft.Cache/redis/.test/deploy.full.test.bicep b/arm/Microsoft.Cache/redis/.test/deploy.full.test.bicep
new file mode 100644
index 0000000000..797a8f7b82
--- /dev/null
+++ b/arm/Microsoft.Cache/redis/.test/deploy.full.test.bicep
@@ -0,0 +1,31 @@
+var location = 'westeurope'
+
+module fullRedisCacheDeployment '../deploy.bicep' = {
+ name: 'fullRedisCacheDeployment'
+ params: {
+ name: 'redis01'
+ location: location
+ capacity: 2
+ diagnosticLogCategoriesToEnable: [
+ 'ApplicationGatewayAccessLog'
+ 'ApplicationGatewayFirewallLog'
+ ]
+ diagnosticMetricsToEnable: [
+ 'AllMetrics'
+ ]
+ enableNonSslPort: true
+ family: 'P'
+ lock: 'CanNotDelete'
+ minimumTlsVersion: '1.2'
+ diagnosticSettingsName: 'redisdiagnostics'
+ publicNetworkAccess: 'Enabled'
+ redisVersion: '6'
+ skuName: 'Premium'
+ systemAssignedIdentity: true
+ shardCount: 1
+ tags: {
+ purpose: 'test'
+ }
+ enableDefaultTelemetry: false
+ }
+}
diff --git a/arm/Microsoft.Cache/redis/.test/deploy.minimal.test.bicep b/arm/Microsoft.Cache/redis/.test/deploy.minimal.test.bicep
new file mode 100644
index 0000000000..9f10ca20fb
--- /dev/null
+++ b/arm/Microsoft.Cache/redis/.test/deploy.minimal.test.bicep
@@ -0,0 +1,9 @@
+var location = 'westeurope'
+
+module minimalRedisCacheDeployment '../deploy.bicep' = {
+ name: 'minimalRedisCacheDeployment'
+ params: {
+ name: 'redis01'
+ location: location
+ }
+}
diff --git a/arm/Microsoft.Cache/redis/deploy.bicep b/arm/Microsoft.Cache/redis/deploy.bicep
new file mode 100644
index 0000000000..de9c4e9287
--- /dev/null
+++ b/arm/Microsoft.Cache/redis/deploy.bicep
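Review bot: The full test feeds `diagnosticLogCategoriesToEnable` with 'ApplicationGatewayAccessLog' and 'ApplicationGatewayFirewallLog', which are Application Gateway categories, not categories of `Microsoft.Cache/redis`; they are also the only values the module's `@allowed` list accepts (the `deploy.bicep` hunk later in this patch shares the defect), so the template validates but the diagnostic setting will presumably be rejected by the resource provider, leaving the cache without the audit logging the test is meant to prove. Replace the allowed and default lists in deploy.bicep with the categories the Redis provider actually exposes (`ConnectedClientList` is the one I know of; confirm against the provider's current category list) and use the same values here. The test also sets `enableNonSslPort: true`; if that is deliberate coverage of the parameter, a one-line comment such as `// exercises the parameter only; the non-TLS port 6379 stays disabled by default` would stop a reader treating the "full" test as the recommended configuration.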
@@ -0,0 +1,259 @@
+@description('Optional. The location to deploy the Redis cache service.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Redis cache resource.')
+param name string
+
+@allowed([
+ ''
+ 'CanNotDelete'
+ 'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = ''
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Enables system assigned managed identity on the resource.')
+param systemAssignedIdentity bool = false
+
+@description('Optional. The ID(s) to assign to the resource.')
+param userAssignedIdentities object = {}
+
+@description('Optional. Specifies whether the non-ssl Redis server port (6379) is enabled.')
+param enableNonSslPort bool = false
+
+@allowed([
+ '1.0'
+ '1.1'
+ '1.2'
+])
+@description('Optional. Specify the type of lock.')
+param minimumTlsVersion string = '1.2'
+
+@allowed([
+ 'Disabled'
+ 'Enabled'
+])
+@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.')
+param publicNetworkAccess string = 'Enabled'
+
+@description('Optional. All Redis Settings. 
Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc.')
+param redisConfiguration object = {}
+
+@allowed([
+ '4'
+ '6'
+])
+@description('Optional. Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6)')
+param redisVersion string = '6'
+
+@minValue(1)
+@description('Optional. The number of replicas to be created per primary.')
+param replicasPerMaster int = 1
+
+@minValue(1)
+@description('Optional. The number of replicas to be created per primary.')
+param replicasPerPrimary int = 1
+
+@minValue(1)
+@description('Optional. The number of shards to be created on a Premium Cluster Cache.')
+param shardCount int = 1
+
+@allowed([
+ 0
+ 1
+ 2
+ 3
+ 4
+ 5
+ 6
+])
+@description('Optional. The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4).')
+param capacity int = 0
+
+@allowed([
+ 'C'
+ 'P'
+])
+@description('Optional. The SKU family to use. Valid values: (C, P). (C = Basic/Standard, P = Premium).')
+param family string = 'C'
+
+@allowed([
+ 'Basic'
+ 'Premium'
+ 'Standard'
+])
+@description('Optional. The type of Redis cache to deploy. Valid values: (Basic, Standard, Premium)')
+param skuName string = 'Basic'
+
+@description('Optional. Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default.')
+param staticIP string = ''
+
+@description('Optional. The full resource ID of a subnet in a virtual network to deploy the Redis cache in. 
Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1')
+param subnetId string = ''
+
+@description('Optional. A dictionary of tenant settings.')
+param tenantSettings object = {}
+
+@description('Optional. The name of the diagnostic setting, if deployed.')
+param diagnosticSettingsName string = '${name}-diagnosticSettings'
+
+@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
+@minValue(0)
+@maxValue(365)
+param diagnosticLogsRetentionInDays int = 365
+
+@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+param diagnosticStorageAccountId string = ''
+
+@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+param diagnosticWorkspaceId string = ''
+
+@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+param diagnosticEventHubAuthorizationRuleId string = ''
+
+@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
+param diagnosticEventHubName string = ''
+
+@description('Optional. 
The name of logs that will be streamed.')
+@allowed([
+ 'ApplicationGatewayAccessLog'
+ 'ApplicationGatewayPerformanceLog'
+ 'ApplicationGatewayFirewallLog'
+])
+param diagnosticLogCategoriesToEnable array = [
+ 'ApplicationGatewayAccessLog'
+ 'ApplicationGatewayPerformanceLog'
+ 'ApplicationGatewayFirewallLog'
+]
+
+@description('Optional. The name of metrics that will be streamed.')
+@allowed([
+ 'AllMetrics'
+])
+param diagnosticMetricsToEnable array = [
+ 'AllMetrics'
+]
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
+ category: category
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
+ category: metric
+ timeGrain: null
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
+
+var identity = {
+ type: identityType
+ userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+}
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource redisCache 'Microsoft.Cache/redis@2021-06-01' = {
+ name: name
+ location: location
+ tags: tags
+ identity: identity
+ properties: {
+ enableNonSslPort: enableNonSslPort
+ minimumTlsVersion: minimumTlsVersion
+ publicNetworkAccess: publicNetworkAccess
+ redisConfiguration: !empty(redisConfiguration) ? 
redisConfiguration : null
+ redisVersion: redisVersion
+ replicasPerMaster: skuName == 'Premium' ? replicasPerMaster : null
+ replicasPerPrimary: skuName == 'Premium' ? replicasPerPrimary : null
+ shardCount: family == 'P' ? shardCount : null // Not supported in free tier
+ sku: {
+ capacity: capacity
+ family: family
+ name: skuName
+ }
+ staticIP: !empty(staticIP) ? staticIP : null
+ subnetId: !empty(subnetId) ? subnetId : null
+ tenantSettings: tenantSettings
+ }
+ zones: skuName == 'Premium' ? pickZones('Microsoft.Cache', 'redis', location, 1) : null
+}
+
+resource redisCache_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+ name: '${redisCache.name}-${lock}-lock'
+ properties: {
+ level: any(lock)
+ notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: redisCache
+}
+
+resource redisCache_diagnosticSettingName 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
+ name: diagnosticSettingsName
+ properties: {
+ storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId
+ workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId
+ eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId
+ eventHubName: empty(diagnosticEventHubName) ? null : diagnosticEventHubName
+ metrics: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsMetrics
+ logs: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? 
null : diagnosticsLogs
+ }
+ scope: redisCache
+}
+
+module redisCache_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${uniqueString(deployment().name, location)}-AppGateway-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: redisCache.id
+ }
+}]
+
+@description('The resource name')
+output name string = redisCache.name
+
+@description('The resource id')
+output resourceId string = redisCache.id
+
+@description('The name of the resource group the Redis cache was created in.')
+output resourceGroupName string = resourceGroup().name
+
+@description('Redis host name.')
+output hostName string = redisCache.properties.hostName
+
+@description('Redis SSL port.')
+output sslPort int = redisCache.properties.sslPort
+
+@description('The full resource ID of a subnet in a virtual network where the Redis cache was deployed in.')
+output subnetId int = redisCache.properties.subnetId
diff --git a/arm/Microsoft.Cache/redis/readme.md b/arm/Microsoft.Cache/redis/readme.md
new file mode 100644
index 0000000000..aa45d2990b
--- /dev/null
+++ b/arm/Microsoft.Cache/redis/readme.md
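Review bot: `output subnetId int = redisCache.properties.subnetId` declares an int output for a value that is a subnet resource ID (the `subnetId` parameter the module writes into that property is typed string), so the output either fails type-checking or fails at deployment; change it to `output subnetId string = redisCache.properties.subnetId`. The description on `minimumTlsVersion` is copied from the lock parameter ('Optional. Specify the type of lock.'); suggest `@description('Optional. The minimum TLS version clients must use to connect to the cache.')`, and since the parameter still admits '1.0' and '1.1', a short note that those values are accepted for legacy-client compatibility only would help callers keep the '1.2' default. The RBAC module deployment is named `-AppGateway-Rbac-`, which misidentifies these deployments in the deployment history when an operator traces a role grant; `-Redis-Rbac-` matches the module. The Application Gateway log-category problem raised on the full-test hunk originates in the `@allowed` and default lists of `diagnosticLogCategoriesToEnable` here.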
@@ -0,0 +1,236 @@ +# Cache Redis `[Microsoft.Cache/redis]` + +This module deploys a Redis Cache service. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | +| `Microsoft.Cache/redis` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Cache/2021-06-01/redis) | +| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | + +## Parameters + +**Required parameters** +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the Redis cache resource. | + +**Optional parameters** +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `capacity` | int | `0` | `[0, 1, 2, 3, 4, 5, 6]` | The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). | +| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. 
| +| `diagnosticLogCategoriesToEnable` | array | `[ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog]` | `[ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog]` | The name of logs that will be streamed. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | +| `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. | +| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `enableNonSslPort` | bool | `False` | | Specifies whether the non-ssl Redis server port (6379) is enabled. | +| `family` | string | `'C'` | `[C, P]` | The SKU family to use. Valid values: (C, P). (C = Basic/Standard, P = Premium). | +| `location` | string | `[resourceGroup().location]` | | The location to deploy the Redis cache service. | +| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `minimumTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | Specify the type of lock. 
| +| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | +| `redisConfiguration` | object | `{object}` | | All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc. | +| `redisVersion` | string | `'6'` | `[4, 6]` | Redis version. Only major version will be used in PUT/PATCH request with current valid values: (4, 6) | +| `replicasPerMaster` | int | `1` | | The number of replicas to be created per primary. | +| `replicasPerPrimary` | int | `1` | | The number of replicas to be created per primary. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `shardCount` | int | `1` | | The number of shards to be created on a Premium Cluster Cache. | +| `skuName` | string | `'Basic'` | `[Basic, Premium, Standard]` | The type of Redis cache to deploy. Valid values: (Basic, Standard, Premium) | +| `staticIP` | string | `''` | | Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default. | +| `subnetId` | string | `''` | | The full resource ID of a subnet in a virtual network to deploy the Redis cache in. 
Example format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/Microsoft.{Network|ClassicNetwork}/VirtualNetworks/vnet1/subnets/subnet1 | +| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | +| `tags` | object | `{object}` | | Tags of the resource. | +| `tenantSettings` | object | `{object}` | | A dictionary of tenant settings. | +| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | + + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +

+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+ +### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +### Parameter Usage: `redisConfiguration` + +All Redis Settings. Few possible keys: rdb-backup-enabled,rdb-storage-connection-string,rdb-backup-frequency,maxmemory-delta,maxmemory-policy,notify-keyspace-events,maxmemory-samples,slowlog-log-slower-than,slowlog-max-len,list-max-ziplist-entries,list-max-ziplist-value,hash-max-ziplist-entries,hash-max-ziplist-value,set-max-intset-entries,zset-max-ziplist-entries,zset-max-ziplist-value etc.. + +Name | Description | Value +---------|----------|--------- +aof-storage-connection-string-0 | First storage account connection string | string +aof-storage-connection-string-1 | Second storage account connection string | string +maxfragmentationmemory-reserved | Value in megabytes reserved for fragmentation per shard | string +maxmemory-delta | Value in megabytes reserved for non-cache usage per shard e.g. failover. | string +maxmemory-policy | The eviction strategy used when your data won't fit within its memory limit. | string +maxmemory-reserved | Value in megabytes reserved for non-cache usage per shard e.g. failover. | string +rdb-backup-enabled | Specifies whether the rdb backup is enabled | string +rdb-backup-frequency | Specifies the frequency for creating rdb backup | string +rdb-backup-max-snapshot-count | Specifies the maximum number of snapshots for rdb backup | string +rdb-storage-connection-string | The storage account connection string for storing rdb file | string + +For more details visit [Microsoft.Cache redis reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.cache/redis?tabs=bicep) + +

+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `hostName` | string | Redis host name. | +| `name` | string | The name of the graph. | +| `resourceGroupName` | string | The name of the resource group the graph was created in. | +| `resourceId` | string | The resource ID of the graph. | +| `sslPort` | int | Redis SSL port. | +| `subnetId` | int | The full resource ID of a subnet in a virtual network where the Redis cache was deployed in. | diff --git a/arm/Microsoft.Cache/redis/version.json b/arm/Microsoft.Cache/redis/version.json new file mode 100644 index 0000000000..badc0a2285 --- /dev/null +++ b/arm/Microsoft.Cache/redis/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.5" +} From 9e596efff9424d9d9aea02d964ca3baa606a7389 Mon Sep 17 00:00:00 2001 From: Jan-Henrik Damaschke Date: Thu, 23 Jun 2022 21:25:39 +0200 Subject: [PATCH 5/8] feat(redis-cache): Cleaned up branch history --- .../webPubSub/.bicep/nested_rbac.bicep | 61 ---- .../webPubSub/.test/deploy.full.test.bicep | 22 -- .../webPubSub/.test/deploy.minimal.test.bicep | 9 - .../webPubSub/deploy.bicep | 161 ----------- .../webPubSub/readme.md | 266 ------------------ .../webPubSub/version.json | 4 - 6 files changed, 523 deletions(-) delete mode 100644 arm/Microsoft.SignalRService/webPubSub/.bicep/nested_rbac.bicep delete mode 100644 arm/Microsoft.SignalRService/webPubSub/.test/deploy.full.test.bicep delete mode 100644 arm/Microsoft.SignalRService/webPubSub/.test/deploy.minimal.test.bicep delete mode 100644 arm/Microsoft.SignalRService/webPubSub/deploy.bicep delete mode 100644 arm/Microsoft.SignalRService/webPubSub/readme.md delete mode 100644 arm/Microsoft.SignalRService/webPubSub/version.json 
diff --git a/arm/Microsoft.SignalRService/webPubSub/.bicep/nested_rbac.bicep b/arm/Microsoft.SignalRService/webPubSub/.bicep/nested_rbac.bicep deleted file mode 100644 index 7d3e0bce74..0000000000 --- a/arm/Microsoft.SignalRService/webPubSub/.bicep/nested_rbac.bicep +++ /dev/null 
@@ -1,61 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -var builtInRoleNames = { - 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Avere Cluster Create': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7b1b19a-0e83-4fe5-935c-faaefbfd18c3') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Azure Service Deploy Release Management Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21d96096-b162-414a-8302-d8354f9d91b2') - 'CAL-Custom-Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b266cd7-0bba-4ae2-8423-90ede5e1e898') - 'ExpressRoute Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a48d7896-14b4-4889-afef-fbb65a96e5a2') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'masterreader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a48d7796-14b4-4889-afef-fbb65a93e5a2') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') -} - -resource webPubSub 'Microsoft.SignalRService/webPubSub@2021-10-01' existing = { - name: last(split(resourceId, '/')) -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: { - name: guid(webPubSub.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: 
contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - } - scope: webPubSub -}] diff --git a/arm/Microsoft.SignalRService/webPubSub/.test/deploy.full.test.bicep b/arm/Microsoft.SignalRService/webPubSub/.test/deploy.full.test.bicep deleted file mode 100644 index 4cc31dbcce..0000000000 --- a/arm/Microsoft.SignalRService/webPubSub/.test/deploy.full.test.bicep +++ /dev/null @@ -1,22 +0,0 @@ -var location = 'westeurope' - -module fullWebPubSubDeployment '../deploy.bicep' = { - name: 'fullWebPubSubDeployment' - params: { - name: 'fullWebPubSubDeployment' - location: location - capacity: 2 - clientCertEnabled: false - disableAadAuth: false - disableLocalAuth: true - lock: 'CanNotDelete' - sku: 'Standard_S1' - systemAssignedIdentity: true - tags: { - purpose: 'test' - } - resourceLogConfigurationsToEnable: [ - 'ConnectivityLogs' - ] - } -} diff --git a/arm/Microsoft.SignalRService/webPubSub/.test/deploy.minimal.test.bicep b/arm/Microsoft.SignalRService/webPubSub/.test/deploy.minimal.test.bicep deleted file mode 100644 index f502cb53bc..0000000000 --- a/arm/Microsoft.SignalRService/webPubSub/.test/deploy.minimal.test.bicep +++ /dev/null @@ -1,9 +0,0 @@ -var location = 'westeurope' - -module minimalWebPubSubDeployment '../deploy.bicep' = { - name: 'minimalWebPubSubDeployment' - params: { - name: 'minimalWebPubSubDeployment' - location: location - } -} diff --git a/arm/Microsoft.SignalRService/webPubSub/deploy.bicep b/arm/Microsoft.SignalRService/webPubSub/deploy.bicep deleted file mode 100644 index a435cf654c..0000000000 --- a/arm/Microsoft.SignalRService/webPubSub/deploy.bicep +++ /dev/null 
@@ -1,161 +0,0 @@ -@description('Optional. The location to deploy the Web PubSub service.') -param location string = resourceGroup().location - -@description('Required. The name of the Web PubSub resource.') -param name string - -@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints array = [] - -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] - -@description('Optional. Tags of the resource.') -param tags object = {} - -@description('The unit count of the resource. 1 by default.') -param capacity int = 1 - -@allowed([ - 'Free_F1' - 'Standard_S1' -]) -@description('Optional. Pricing tier of App Configuration.') -param sku string = 'Free_F1' - -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} - -@description('Optional. When set as true, connection with AuthType=aad won\'t work.') -param disableAadAuth bool = false - -@description('Optional. Disables all authentication methods other than AAD authentication.') -param disableLocalAuth bool = false - -@description('Optional. 
Control permission for data plane traffic coming from public networks while private endpoint is enabled.') -param publicNetworkAccess string = 'Enabled' - -@allowed([ - 'ConnectivityLogs' - 'MessagingLogs' -]) -@description('Optional. Control permission for data plane traffic coming from public networks while private endpoint is enabled.') -param resourceLogConfigurationsToEnable array = [ - 'ConnectivityLogs' - 'MessagingLogs' -] - -@description('Optional. Request client certificate during TLS handshake if enabled.') -param clientCertEnabled bool = false - -@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.') -param networkAcls array = [] - -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -var resourceLogConfiguration = [for configuration in resourceLogConfigurationsToEnable: { - name: configuration - enabled: 'true' -}] - -var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' - -var identity = { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} - -@description('Optional. Network ACLs for the resource. The values for the \'allow\' and \'deny\' array can be one or more of: ClientConnection, ServerConnection, RESTAPI.') -var webPubSubNetworkAcls = [for acl in networkAcls: { - defaultAction: !empty(acl.defaultAction) ? contains([ 'Allow', 'Deny' ], acl.defaultAction) ? acl.defaultAction : 'Deny' : null - publicNetwork: { - allow: !empty(acl.allow) ? acl.allow : [] - deny: !empty(acl.deny) ? 
acl.deny : [] - } -}] - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource webPubSub 'Microsoft.SignalRService/webPubSub@2021-10-01' = { - name: name - location: location - tags: tags - sku: { - capacity: capacity - name: sku - tier: sku == 'Standard_S1' ? 'Standard' : 'Free' - } - identity: identity - properties: { - disableAadAuth: disableAadAuth - disableLocalAuth: disableLocalAuth - networkACLs: !empty(webPubSubNetworkAcls) ? { - } : null - publicNetworkAccess: publicNetworkAccess - resourceLogConfiguration: { - categories: resourceLogConfiguration - } - tls: { - clientCertEnabled: clientCertEnabled - } - } -} - -module webPubSub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-appConfiguration-PrivateEndpoint-${index}' - params: { - groupIds: [ privateEndpoint.service ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(webPubSub.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: webPubSub.id - subnetResourceId: privateEndpoint.subnetResourceId - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] - } -}] - -resource webPubSub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${webPubSub.name}-${lock}-lock' - properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - } - scope: webPubSub -} - -module webPubSub_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-AppConfig-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: webPubSub.id - } -}] diff --git a/arm/Microsoft.SignalRService/webPubSub/readme.md b/arm/Microsoft.SignalRService/webPubSub/readme.md deleted file mode 100644 index 878faa1ea3..0000000000 --- a/arm/Microsoft.SignalRService/webPubSub/readme.md +++ /dev/null 
@@ -1,266 +0,0 @@ -# SignalRService `[Microsoft.SignalRService]` - -This module deploys a Web PubSub resource. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | -| `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.SignalRService/webPubSub` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.SignalRService/2021-10-01/webPubSub) | - -## Parameters - -**Required parameters** -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the Web PubSub resource. | - -**Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `capacity` | int | `1` | The unit count of the resource. 1 by default. | -| `clientCertEnabled` | bool | `False` | | Request client certificate during TLS handshake if enabled. | -| `disableAadAuth` | bool | `False` | | When set as true, connection with AuthType=aad won't work. | -| `disableLocalAuth` | bool | `False` | | Disables all authentication methods other than AAD authentication. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). 
| -| `location` | string | `[resourceGroup().location]` | | The location to deploy the Web PubSub service. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `networkAcls` | array | `[]` | | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. | -| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | -| `publicNetworkAccess` | string | `'Enabled'` | | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| `resourceLogConfigurationsToEnable` | array | `[ConnectivityLogs, MessagingLogs]` | `[ConnectivityLogs, MessagingLogs]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'Free_F1'` | `[Free_F1, Standard_S1]` | Pricing tier of App Configuration. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | - - -### Parameter Usage: `privateEndpoints` - -To use Private Endpoint the following dependencies must be deployed: - -- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. 
Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module. -- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information. - -

- -Parameter JSON format - -```json -"privateEndpoints": { - "value": [ - // Example showing all available fields - { - "name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "<>", // e.g. vault, registry, file, blob, queue, table etc. - "privateDnsZoneResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net" - ], - "customDnsConfigs": [ // Optional - { - "fqdn": "customname.test.local", - "ipAddresses": [ - "10.10.10.10" - ] - } - ] - }, - // Example showing only mandatory fields - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001", - "service": "<>" // e.g. vault, registry, file, blob, queue, table etc. - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -privateEndpoints: [ - // Example showing all available fields - { - name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '<>' // e.g. vault registry file blob queue table etc. - privateDnsZoneResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified - '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net' - ] - // Optional - customDnsConfigs: [ - { - fqdn: 'customname.test.local' - ipAddresses: [ - '10.10.10.10' - ] - } - ] - } - // Example showing only mandatory fields - { - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001' - service: '<>' // e.g. vault registry file blob queue table etc. - } -] -``` - -
-

- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -

- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the Web PubSub service was deployed into. | -| `name` | string | The name of the Web PubSub service. | -| `resourceGroupName` | string | The resource group the Web PubSub service was deployed into. | -| `resourceId` | string | The resource ID of the Web PubSub service. | diff --git a/arm/Microsoft.SignalRService/webPubSub/version.json b/arm/Microsoft.SignalRService/webPubSub/version.json deleted file mode 100644 index badc0a2285..0000000000 --- a/arm/Microsoft.SignalRService/webPubSub/version.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.5" -} From 955701f678dc28d4822f6019f8a2425c6169c387 Mon Sep 17 00:00:00 2001 From: Jan-Henrik Damaschke Date: Mon, 27 Jun 2022 19:21:57 +0200 Subject: [PATCH 6/8] fix(redis): Updated diagnostics name Co-authored-by: Alexander Sehr --- arm/Microsoft.Cache/redis/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Cache/redis/deploy.bicep b/arm/Microsoft.Cache/redis/deploy.bicep index de9c4e9287..f4191e762b 100644 --- a/arm/Microsoft.Cache/redis/deploy.bicep +++ b/arm/Microsoft.Cache/redis/deploy.bicep 
@@ -216,7 +216,7 @@ resource redisCache_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty scope: redisCache } -resource redisCache_diagnosticSettingName 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { +resource redisCache_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { name: diagnosticSettingsName properties: { storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId From d11ceb0ab57726ef13b6c768560d71c58c965353 Mon Sep 17 00:00:00 2001 From: Jan-Henrik Damaschke Date: Sun, 3 Jul 2022 18:07:40 +0200 Subject: [PATCH 7/8] feat(redis): :sparkles: Added tests, pipelines and secure defaults --- .../modulePipelines/ms.cache.redis.yml | 55 +++++++ .github/workflows/ms.cache.redis.yml | 142 ++++++++++++++++++ .../redis/.bicep/nested_rbac.bicep | 8 +- .../redis/.parameters/full.parameters.json | 61 ++++++++ .../redis/.parameters/min.parameters.json | 9 ++ .../redis/.test/deploy.full.test.bicep | 31 ---- .../redis/.test/deploy.minimal.test.bicep | 9 -- arm/Microsoft.Cache/redis/deploy.bicep | 4 +- 8 files changed, 273 insertions(+), 46 deletions(-) create mode 100644 .azuredevops/modulePipelines/ms.cache.redis.yml create mode 100644 .github/workflows/ms.cache.redis.yml create mode 100644 arm/Microsoft.Cache/redis/.parameters/full.parameters.json create mode 100644 arm/Microsoft.Cache/redis/.parameters/min.parameters.json delete mode 100644 arm/Microsoft.Cache/redis/.test/deploy.full.test.bicep delete mode 100644 arm/Microsoft.Cache/redis/.test/deploy.minimal.test.bicep 
diff --git a/.azuredevops/modulePipelines/ms.cache.redis.yml b/.azuredevops/modulePipelines/ms.cache.redis.yml
new file mode 100644
index 0000000000..c6b1bb208d
--- /dev/null
+++ b/.azuredevops/modulePipelines/ms.cache.redis.yml
@@ -0,0 +1,55 @@
+name: 'Cache - Redis'
+
+parameters:
+ - name: removeDeployment
+ displayName: Remove deployed module
+ type: boolean
+ default: true
+ - name: prerelease
+ displayName: Publish prerelease module
+ type: boolean
+ default: false
+
+pr: none
+
+trigger:
+ batch: true
+ branches:
+ include:
+ - main
+ paths:
+ include:
+ - '/.azuredevops/modulePipelines/ms.cache.redis.yml'
+ - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/Microsoft.Cache/redis/*'
+ - '/arm/.global/global.module.tests.ps1'
+ exclude:
+ - '/**/*.md'
+
+variables:
+ - template: '../../global.variables.yml'
+ - group: 'PLATFORM_VARIABLES'
+ - name: modulePath
+ value: '/arm/Microsoft.Cache/redis'
+
+stages:
+ - stage: Validation
+ displayName: Static validation
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.validate.yml
+
+ - stage: Deployment
+ displayName: Deployment validation
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ removeDeployment: '${{ parameters.removeDeployment }}'
+ deploymentBlocks:
+ - path: $(modulePath)/.parameters/min.parameters.json
+ - path: $(modulePath)/.parameters/full.parameters.json
+
+ - stage: Publishing
+ displayName: Publishing
+ condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq('${{ parameters.prerelease }}', 'true')))
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.publishModule.yml
diff --git a/.github/workflows/ms.cache.redis.yml b/.github/workflows/ms.cache.redis.yml
new file mode 100644
index 0000000000..08ec9c47bc
--- /dev/null
+++ b/.github/workflows/ms.cache.redis.yml
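Review bot: The trigger path filter `- '/Microsoft.Cache/redis/*'` does not point at the module this pipeline validates; `modulePath` a few lines further down is `/arm/Microsoft.Cache/redis`, so a push that changes only the module files will not start the pipeline and the deployment validation it wires up never runs for the change that needs it. It should carry the same prefix as the sibling entry for `global.module.tests.ps1`: `- '/arm/Microsoft.Cache/redis/*'`. The `modulePath` variable is already the authoritative location, so the filter can be read against it when the module is moved again.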
@@ -0,0 +1,142 @@
+name: 'Cache: Redis'
+
+on:
+ workflow_dispatch:
+ inputs:
+ removeDeployment:
+ type: boolean
+ description: 'Remove deployed module'
+ required: false
+ default: true
+ prerelease:
+ type: boolean
+ description: 'Publish prerelease module'
+ required: false
+ default: false
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/actions/templates/**'
+ - '.github/workflows/ms.cache.redis.yml'
+ - 'arm/Microsoft.Cache/redis/**'
+ - 'arm/.global/global.module.tests.ps1'
+ - '!*/**/readme.md'
+ - 'utilities/pipelines/**'
+ - '!utilities/pipelines/dependencies/**'
+
+env:
+ variablesPath: 'global.variables.yml'
+ modulePath: 'arm/Microsoft.Cache/redis'
+ workflowPath: '.github/workflows/ms.cache.redis.yml'
+ AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+ ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-20.04
+ name: 'Initialize pipeline'
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Set input parameters to output variables'
+ id: get-workflow-param
+ uses: ./.github/actions/templates/getWorkflowInput
+ with:
+ workflowPath: '${{ env.workflowPath}}'
+ - name: 'Get parameter file paths'
+ id: get-parameter-file-paths
+ uses: ./.github/actions/templates/getParameterFiles
+ with:
+ modulePath: '${{ env.modulePath }}'
+ outputs:
+ removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }}
+ parameterFilePaths: ${{ steps.get-parameter-file-paths.outputs.parameterFilePaths }}
+
+ #########################
+ # Static validation #
+ #########################
+ job_module_pester_validation:
+ runs-on: ubuntu-20.04
+ name: 'Static validation'
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Run tests'
+ uses: ./.github/actions/templates/validateModulePester
+ with:
+ modulePath: '${{ env.modulePath }}'
+
+ #############################
+ # Deployment validation #
+ #############################
+ job_module_deploy_validation:
+ runs-on: ubuntu-20.04
+ name: 'Deployment validation'
+ needs:
+ - job_initialize_pipeline
+ - job_module_pester_validation
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ${{ fromJSON(needs.job_initialize_pipeline.outputs.parameterFilePaths) }}
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set environment variables
+ uses: ./.github/actions/templates/setEnvironmentVariables
+ with:
+ variablesPath: ${{ env.variablesPath }}
+ - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.location }}'
+ resourceGroupName: '${{ env.resourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
+
+ ##################
+ # Publishing #
+ ##################
+ job_publish_module:
+ name: 'Publishing'
+ if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
+ runs-on: ubuntu-20.04
+ needs:
+ - job_module_deploy_validation
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set environment variables
+ uses: ./.github/actions/templates/setEnvironmentVariables
+ with:
+ variablesPath: ${{ env.variablesPath }}
+ - name: 'Publishing'
+ uses: ./.github/actions/templates/publishModule
+ with:
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateSpecsRGName: '${{ env.templateSpecsRGName }}'
+ templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}'
+ templateSpecsDescription: '${{ env.templateSpecsDescription }}'
+ templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}'
+ bicepRegistryName: '${{ env.bicepRegistryName }}'
+ bicepRegistryRGName: '${{ env.bicepRegistryRGName }}'
+ bicepRegistryRgLocation: '${{ env.bicepRegistryRgLocation }}'
+ bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}'
diff --git a/arm/Microsoft.Cache/redis/.bicep/nested_rbac.bicep b/arm/Microsoft.Cache/redis/.bicep/nested_rbac.bicep
index 96d8d307df..edfbb04b7e 100644
--- a/arm/Microsoft.Cache/redis/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Cache/redis/.bicep/nested_rbac.bicep
@@ -22,9 +22,9 @@ param principalType string = ''
 param description string = ''
 
 var builtInRoleNames = {
- 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 'Avere Cluster Create': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a7b1b19a-0e83-4fe5-935c-faaefbfd18c3')
 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
 'Azure Service Deploy Release Management Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21d96096-b162-414a-8302-d8354f9d91b2')
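Review bot: The workflow-level `env:` block materialises every deployment secret (`AZURE_CREDENTIALS`, `ARM_SUBSCRIPTION_ID`, `ARM_MGMTGROUP_ID`, `ARM_TENANT_ID`, `DEPLOYMENT_SP_ID`) into the environment of every step of every job, including the `actions/checkout@v2` steps, which run before any step that needs a credential; the only consumers visible in this hunk read `secrets.ARM_SUBSCRIPTION_ID` and `secrets.ARM_MGMTGROUP_ID` directly from the `with:` block of the deployment step. Unless the composite actions under `./.github/actions/templates` read these names from the process environment (I cannot see them from here), the five secret entries should move to a job-level `env:` on `job_module_deploy_validation` and `job_publish_module`, or into the `with:` of the single step that uses them, so a compromised or mistaken step in the static-validation job never holds a subscription credential. Independently of that, the four `uses: actions/checkout@v2` references resolve a mutable tag on each run; pinning them to a full commit SHA (with the tag kept in a trailing comment) is the usual way to keep the publishing job's supply chain reproducible. The `@@ -22,9` hunk on `nested_rbac.bicep` that shares this line only drops redundant quotes around object keys and needs no change.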
@@ -35,7 +35,7 @@ var builtInRoleNames = {
 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'masterreader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a48d7796-14b4-4889-afef-fbb65a93e5a2')
+ masterreader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a48d7796-14b4-4889-afef-fbb65a93e5a2')
 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
diff --git a/arm/Microsoft.Cache/redis/.parameters/full.parameters.json b/arm/Microsoft.Cache/redis/.parameters/full.parameters.json
new file mode 100644
index 0000000000..fc6dfe8a3c
--- /dev/null
+++ b/arm/Microsoft.Cache/redis/.parameters/full.parameters.json
@@ -0,0 +1,61 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-az-redis-full-001"
+ },
+ "capacity": {
+ "value": 2
+ },
+ "diagnosticLogCategoriesToEnable": {
+ "value": [
+ "ApplicationGatewayAccessLog",
+ "ApplicationGatewayFirewallLog"
+ ]
+ },
+ "diagnosticMetricsToEnable": {
+ "value": [
+ "AllMetrics"
+ ]
+ },
+ "enableNonSslPort": {
+ "value": true
+ },
+ "family": {
+ "value": "P"
+ },
+ "lock": {
+ "value": "CanNotDelete"
+ },
+ "minimumTlsVersion": {
+ "value": "1.2"
+ },
+ "diagnosticSettingsName": {
+ "value": "redisdiagnostics"
+ },
+ "publicNetworkAccess": {
+ "value": "Enabled"
+ },
+ "redisVersion": {
+ "value": "6"
+ },
+ "skuName": {
+ "value": "Premium"
+ },
+ "systemAssignedIdentity": {
+ "value": true
+ },
+ "shardCount": {
+ "value": 1
+ },
+ "tags": {
+ "value": {
+ "resourceType": "Redis Cache"
+ }
+ },
+ "enableDefaultTelemetry": {
+ "value": false
+ }
+ }
+}
diff --git a/arm/Microsoft.Cache/redis/.parameters/min.parameters.json b/arm/Microsoft.Cache/redis/.parameters/min.parameters.json
new file mode 100644
index 0000000000..273328d0a9
--- /dev/null
+++ b/arm/Microsoft.Cache/redis/.parameters/min.parameters.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-az-redis-min-001"
+ }
+ }
+}
diff --git a/arm/Microsoft.Cache/redis/.test/deploy.full.test.bicep b/arm/Microsoft.Cache/redis/.test/deploy.full.test.bicep
deleted file mode 100644
index 797a8f7b82..0000000000
--- a/arm/Microsoft.Cache/redis/.test/deploy.full.test.bicep
+++ /dev/null
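Review bot: `diagnosticLogCategoriesToEnable` in the new full fixture lists `ApplicationGatewayAccessLog` and `ApplicationGatewayFirewallLog`, which are Application Gateway log categories rather than anything a Redis cache emits; the values were carried over verbatim from the deleted `deploy.full.test.bicep`, so the diagnostic-settings deployment has presumably never been validated with them and is likely to be rejected once this fixture is actually exercised. They should be replaced with the categories Azure Cache for Redis supports (ConnectedClientList is the one I know of — confirm against the resource's current category list). Separately, the fixture combines `"enableNonSslPort": true` with `"publicNetworkAccess": "Enabled"`, i.e. it deploys an internet-reachable cache that accepts plaintext connections, and the deployment-validation workflow in this series only tears the deployment down when its `removeDeployment` flag says so, so the cache can outlive the test run. Unless the non-SSL path is deliberately under test, set `"enableNonSslPort": { "value": false }` so the full fixture reflects the hardened configuration the module is meant to promote.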
@@ -1,31 +0,0 @@
-var location = 'westeurope'
-
-module fullRedisCacheDeployment '../deploy.bicep' = {
- name: 'fullRedisCacheDeployment'
- params: {
- name: 'redis01'
- location: location
- capacity: 2
- diagnosticLogCategoriesToEnable: [
- 'ApplicationGatewayAccessLog'
- 'ApplicationGatewayFirewallLog'
- ]
- diagnosticMetricsToEnable: [
- 'AllMetrics'
- ]
- enableNonSslPort: true
- family: 'P'
- lock: 'CanNotDelete'
- minimumTlsVersion: '1.2'
- diagnosticSettingsName: 'redisdiagnostics'
- publicNetworkAccess: 'Enabled'
- redisVersion: '6'
- skuName: 'Premium'
- systemAssignedIdentity: true
- shardCount: 1
- tags: {
- purpose: 'test'
- }
- enableDefaultTelemetry: false
- }
-}
diff --git a/arm/Microsoft.Cache/redis/.test/deploy.minimal.test.bicep b/arm/Microsoft.Cache/redis/.test/deploy.minimal.test.bicep
deleted file mode 100644
index 9f10ca20fb..0000000000
--- a/arm/Microsoft.Cache/redis/.test/deploy.minimal.test.bicep
+++ /dev/null
@@ -1,9 +0,0 @@
-var location = 'westeurope'
-
-module minimalRedisCacheDeployment '../deploy.bicep' = {
- name: 'minimalRedisCacheDeployment'
- params: {
- name: 'redis01'
- location: location
- }
-}
diff --git a/arm/Microsoft.Cache/redis/deploy.bicep b/arm/Microsoft.Cache/redis/deploy.bicep
index de9c4e9287..c5e3ef4b4a 100644
--- a/arm/Microsoft.Cache/redis/deploy.bicep
+++ b/arm/Microsoft.Cache/redis/deploy.bicep
@@ -81,7 +81,7 @@ param capacity int = 0
 'P'
 ])
 @description('Optional. The SKU family to use. Valid values: (C, P). (C = Basic/Standard, P = Premium).')
-param family string = 'C'
+param family string = 'P'
 
 @allowed([
 'Basic'
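Review bot: Changing the default of `family` to `'P'` here, and of `skuName` to `'Premium'` in the following `@@ -89,7 +89,7 @@` hunk, changes what every consumer that omits both parameters deploys — from the cheapest Basic tier to Premium — while the `@description` lines next to both parameters stay as they were and say nothing about the default or the coupling; a default change with this cost impact should at least be stated in the descriptions and, presumably, in the readme's default column. The two new defaults are consistent with each other, since the description itself says P is the Premium family, but nothing in these hunks prevents a caller from overriding only one of them, so a pair such as `family: 'C'` with the new `skuName` default is only caught at deployment time. Consider `@description('Optional. The SKU family to use. Valid values: (C, P). (C = Basic/Standard, P = Premium). Must match skuName. Default: P.')` and the equivalent sentence on `skuName`, or deriving `family` from `skuName` so the pair cannot drift. The parameter block continues outside both hunks.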
@@ -89,7 +89,7 @@ param family string = 'C'
 'Standard'
 ])
 @description('Optional. The type of Redis cache to deploy. Valid values: (Basic, Standard, Premium)')
-param skuName string = 'Basic'
+param skuName string = 'Premium'
 
 @description('Optional. Static IP address. Optionally, may be specified when deploying a Redis cache inside an existing Azure Virtual Network; auto assigned by default.')
 param staticIP string = ''
From 7ddfc0a247d171e047453c291b9dfe66641fea9a Mon Sep 17 00:00:00 2001
From: Jan-Henrik Damaschke
Date: Sun, 3 Jul 2022 20:04:02 +0200
Subject: [PATCH 8/8] refactor(test): Changed .parameters to .test
---
 .../redis/{.parameters => .test}/full.parameters.json | 0
 .../redis/{.parameters => .test}/min.parameters.json | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename arm/Microsoft.Cache/redis/{.parameters => .test}/full.parameters.json (100%)
 rename arm/Microsoft.Cache/redis/{.parameters => .test}/min.parameters.json (100%)
diff --git a/arm/Microsoft.Cache/redis/.parameters/full.parameters.json b/arm/Microsoft.Cache/redis/.test/full.parameters.json
similarity index 100%
rename from arm/Microsoft.Cache/redis/.parameters/full.parameters.json
rename to arm/Microsoft.Cache/redis/.test/full.parameters.json
diff --git a/arm/Microsoft.Cache/redis/.parameters/min.parameters.json b/arm/Microsoft.Cache/redis/.test/min.parameters.json
similarity index 100%
rename from arm/Microsoft.Cache/redis/.parameters/min.parameters.json
rename to arm/Microsoft.Cache/redis/.test/min.parameters.json