fix: Add publicNetworkAccess param and update firewall rule logic (#3959

)

## Description
Add publicNetworkAccess param and update firewall rule logic. Also added
support for Defender for Cloud, a WAF requirement.

Fixes #3717 
Closes #3717 

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.db-for-my-sql.flexible-server](https://github.com/hundredacres/bicep-registry-modules/actions/workflows/avm.res.db-for-my-sql.flexible-server.yml/badge.svg?branch=fix%2Fissues%2F3717)](https://github.com/hundredacres/bicep-registry-modules/actions/workflows/avm.res.db-for-my-sql.flexible-server.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [X] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [X] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [X] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [X] I'm sure there are no other open Pull Requests for the same
update/change
- [X] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [X] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

avm/res/db-for-my-sql/flexible-server/README.md

@@ -19,6 +19,7 @@ This module deploys a DBforMySQL Flexible Server.
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.DBforMySQL/flexibleServers` | [2023-12-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-12-30/flexibleServers) |
 | `Microsoft.DBforMySQL/flexibleServers/administrators` | [2023-06-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-06-30/flexibleServers/administrators) |
+| `Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings` | [2023-12-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-12-30/flexibleServers/advancedThreatProtectionSettings) |
 | `Microsoft.DBforMySQL/flexibleServers/databases` | [2023-06-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-06-30/flexibleServers/databases) |
 | `Microsoft.DBforMySQL/flexibleServers/firewallRules` | [2023-06-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-06-30/flexibleServers/firewallRules) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
@@ -145,6 +146,7 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server:<version>
     // Non-required parameters
     administratorLogin: 'adminUserName'
     administratorLoginPassword: '<administratorLoginPassword>'
+    advancedThreatProtection: 'Enabled'
     availabilityZone: '1'
     backupRetentionDays: 20
     customerManagedKey: {
@@ -211,6 +213,7 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server:<version>
         '<managedIdentityResourceId>'
       ]
     }
+    publicNetworkAccess: 'Enabled'
     roleAssignments: [
       {
         name: '2478b63b-0cae-457f-9bd3-9feb00e1925b'
@@ -273,6 +276,9 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server:<version>
     "administratorLoginPassword": {
       "value": "<administratorLoginPassword>"
     },
+    "advancedThreatProtection": {
+      "value": "Enabled"
+    },
     "availabilityZone": {
       "value": "1"
     },
@@ -363,6 +369,9 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server:<version>
         ]
       }
     },
+    "publicNetworkAccess": {
+      "value": "Enabled"
+    },
     "roleAssignments": {
       "value": [
         {
@@ -427,6 +436,7 @@ param tier = 'GeneralPurpose'
 // Non-required parameters
 param administratorLogin = 'adminUserName'
 param administratorLoginPassword = '<administratorLoginPassword>'
+param advancedThreatProtection = 'Enabled'
 param availabilityZone = '1'
 param backupRetentionDays = 20
 param customerManagedKey = {
@@ -493,6 +503,7 @@ param managedIdentities = {
     '<managedIdentityResourceId>'
   ]
 }
+param publicNetworkAccess = 'Enabled'
 param roleAssignments = [
   {
     name: '2478b63b-0cae-457f-9bd3-9feb00e1925b'
@@ -561,6 +572,23 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server:<version>
       }
     ]
     delegatedSubnetResourceId: '<delegatedSubnetResourceId>'
+    firewallRules: [
+      {
+        endIpAddress: '0.0.0.0'
+        name: 'AllowAllWindowsAzureIps'
+        startIpAddress: '0.0.0.0'
+      }
+      {
+        endIpAddress: '10.10.10.10'
+        name: 'test-rule1'
+        startIpAddress: '10.10.10.1'
+      }
+      {
+        endIpAddress: '100.100.100.10'
+        name: 'test-rule2'
+        startIpAddress: '100.100.100.1'
+      }
+    ]
     highAvailability: 'SameZone'
     location: '<location>'
     managedIdentities: {
@@ -628,6 +656,25 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server:<version>
     "delegatedSubnetResourceId": {
       "value": "<delegatedSubnetResourceId>"
     },
+    "firewallRules": {
+      "value": [
+        {
+          "endIpAddress": "0.0.0.0",
+          "name": "AllowAllWindowsAzureIps",
+          "startIpAddress": "0.0.0.0"
+        },
+        {
+          "endIpAddress": "10.10.10.10",
+          "name": "test-rule1",
+          "startIpAddress": "10.10.10.1"
+        },
+        {
+          "endIpAddress": "100.100.100.10",
+          "name": "test-rule2",
+          "startIpAddress": "100.100.100.1"
+        }
+      ]
+    },
     "highAvailability": {
       "value": "SameZone"
     },
@@ -691,6 +738,23 @@ param databases = [
   }
 ]
 param delegatedSubnetResourceId = '<delegatedSubnetResourceId>'
+param firewallRules = [
+  {
+    endIpAddress: '0.0.0.0'
+    name: 'AllowAllWindowsAzureIps'
+    startIpAddress: '0.0.0.0'
+  }
+  {
+    endIpAddress: '10.10.10.10'
+    name: 'test-rule1'
+    startIpAddress: '10.10.10.1'
+  }
+  {
+    endIpAddress: '100.100.100.10'
+    name: 'test-rule2'
+    startIpAddress: '100.100.100.1'
+  }
+]
 param highAvailability = 'SameZone'
 param location = '<location>'
 param managedIdentities = {
@@ -870,6 +934,7 @@ param tags = {
 | [`administratorLogin`](#parameter-administratorlogin) | string | The administrator login name of a server. Can only be specified when the MySQL server is being created. |
 | [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. |
 | [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. |
+| [`advancedThreatProtection`](#parameter-advancedthreatprotection) | string | Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server. |
 | [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. |
 | [`backupRetentionDays`](#parameter-backupretentiondays) | int | Backup retention days for the server. |
 | [`createMode`](#parameter-createmode) | string | The mode to create a new MySQL server. |
@@ -886,6 +951,7 @@ param tags = {
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". |
+| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Specifies whether public network access is allowed for this server. Set to "Enabled" to allow public access, or "Disabled" (default) when the server has VNet integration. |
 | [`replicationRole`](#parameter-replicationrole) | string | The replication role. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`storageAutoIoScaling`](#parameter-storageautoioscaling) | string | Enable IO Auto Scaling or not. The server scales IOPs up or down automatically depending on your workload needs. |
@@ -949,7 +1015,6 @@ Private dns zone arm resource ID. Used when the desired connectivity mode is "Pr
 
 - Required: No
 - Type: string
-- Default: `''`
 
 ### Parameter: `restorePointInTime`
 
@@ -965,7 +1030,6 @@ The source MySQL server ID. Required if "createMode" is set to "PointInTimeResto
 
 - Required: No
 - Type: string
-- Default: `''`
 
 ### Parameter: `storageAutoGrow`
 
@@ -988,15 +1052,13 @@ The administrator login name of a server. Can only be specified when the MySQL s
 
 - Required: No
 - Type: string
-- Default: `''`
 
 ### Parameter: `administratorLoginPassword`
 
 The administrator login password.
 
 - Required: No
 - Type: securestring
-- Default: `''`
 
 ### Parameter: `administrators`
 
@@ -1006,6 +1068,21 @@ The Azure AD administrators when AAD authentication enabled.
 - Type: array
 - Default: `[]`
 
+### Parameter: `advancedThreatProtection`
+
+Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server.
+
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
 ### Parameter: `availabilityZone`
 
 Availability zone information of the server. Default will have no preference set.
@@ -1186,7 +1263,6 @@ Delegated subnet arm resource ID. Used when the desired connectivity mode is "Pr
 
 - Required: No
 - Type: string
-- Default: `''`
 - MinValue: 1
 - MaxValue: 35
 
@@ -1493,6 +1569,23 @@ Properties for the maintenence window. If provided, "customWindow" property must
 - MinValue: 1
 - MaxValue: 35
 
+### Parameter: `publicNetworkAccess`
+
+Specifies whether public network access is allowed for this server. Set to "Enabled" to allow public access, or "Disabled" (default) when the server has VNet integration.
+
+- Required: No
+- Type: string
+- Default: `'Disabled'`
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+- MinValue: 1
+- MaxValue: 35
+
 ### Parameter: `replicationRole`
 
 The replication role.

avm/res/db-for-my-sql/flexible-server/administrator/main.json

@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.31.92.45157",
-      "templateHash": "15901602668303039143"
+      "version": "0.32.4.45862",
+      "templateHash": "4183350849272759957"
     },
     "name": "DBforMySQL Flexible Server Administrators",
     "description": "This module deploys a DBforMySQL Flexible Server Administrator.",

avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md

@@ -0,0 +1,59 @@
+# DBforMySQL Flexible Server Advanced Threat Protection `[Microsoft.DBforMySQL/flexibleServers]`
+
+This module enables Advanced Threat Protection for DBforMySQL Flexible Server.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings` | [2023-12-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-12-30/flexibleServers/advancedThreatProtectionSettings) |
+
+## Parameters
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`advancedThreatProtection`](#parameter-advancedthreatprotection) | string | The state of the advanced threat protection. |
+
+### Parameter: `flexibleServerName`
+
+The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `advancedThreatProtection`
+
+The state of the advanced threat protection.
+
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+## Outputs
+
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the deployed threat protection. |
+| `resourceGroupName` | string | The resource group of the deployed threat protection. |
+| `resourceId` | string | The resource ID of the deployed threat protection. |

avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep

@@ -0,0 +1,34 @@
+metadata name = 'DBforMySQL Flexible Server Advanced Threat Protection'
+metadata description = 'This module enables Advanced Threat Protection for DBforMySQL Flexible Server.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment.')
+param flexibleServerName string
+
+@description('Optional. The state of the advanced threat protection.')
+@allowed([
+  'Enabled'
+  'Disabled'
+])
+param advancedThreatProtection string = 'Enabled'
+
+resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' existing = {
+  name: flexibleServerName
+}
+
+resource advancedThreatProtectionSettings 'Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings@2023-12-30' = {
+  parent: flexibleServer
+  name: 'Default'
+  properties: {
+    state: advancedThreatProtection
+  }
+}
+
+@description('The name of the deployed threat protection.')
+output name string = advancedThreatProtectionSettings.name
+
+@description('The resource ID of the deployed threat protection.')
+output resourceId string = advancedThreatProtectionSettings.id
+
+@description('The resource group of the deployed threat protection.')
+output resourceGroupName string = resourceGroup().name