From 764b13bdfd353eac1a1f9563d176d819a43d23f7 Mon Sep 17 00:00:00 2001
From: Morten Schmidt <morten.schmidt@atea.dk>
Date: Thu, 16 May 2024 07:26:20 +0200
Subject: [PATCH 01/26] aisearchservice with adminkeys in keyvault

---
 avm/res/search/search-service/main.bicep      | 82 +++++++++++++------
 .../modules/secrets-key-vault.bicep           | 23 ++++++
 .../tests/e2e/kvSecrets/dependencies.bicep    | 21 +++++
 .../tests/e2e/kvSecrets/main.test.bicep       | 61 ++++++++++++++
 4 files changed, 163 insertions(+), 24 deletions(-)
 create mode 100644 avm/res/search/search-service/modules/secrets-key-vault.bicep
 create mode 100644 avm/res/search/search-service/tests/e2e/kvSecrets/dependencies.bicep
 create mode 100644 avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep

diff --git a/avm/res/search/search-service/main.bicep b/avm/res/search/search-service/main.bicep
index 3beb423d54..ccddb34528 100644
--- a/avm/res/search/search-service/main.bicep
+++ b/avm/res/search/search-service/main.bicep
@@ -60,6 +60,9 @@ param sharedPrivateLinkResources array = []
 ])
 param publicNetworkAccess string = 'enabled'
 
+@description('Optional. Key vault reference and secret settings to add the connection strings and keys generated by the cosmosdb account.')
+param secretsKeyVault secretsKeyVaultType?
+
 @description('Optional. The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU.')
 @minValue(1)
 @maxValue(12)
@@ -137,24 +140,23 @@ var builtInRoleNames = {
   )
 }
 
-resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
-  if (enableTelemetry) {
-    name: '46d3xbcp.search-searchservice.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
-    properties: {
-      mode: 'Incremental'
-      template: {
-        '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
-        contentVersion: '1.0.0.0'
-        resources: []
-        outputs: {
-          telemetry: {
-            type: 'String'
-            value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
-          }
+resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
+  name: '46d3xbcp.search-searchservice.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+      outputs: {
+        telemetry: {
+          type: 'String'
+          value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
         }
       }
     }
   }
+}
 
 resource searchService 'Microsoft.Search/searchServices@2023-11-01' = {
   location: location
@@ -208,17 +210,16 @@ resource searchService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings
   }
 ]
 
-resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' =
-  if (!empty(lock ?? {}) && lock.?kind != 'None') {
-    name: lock.?name ?? 'lock-${name}'
-    properties: {
-      level: lock.?kind ?? ''
-      notes: lock.?kind == 'CanNotDelete'
-        ? 'Cannot delete resource or child resources.'
-        : 'Cannot delete or modify the resource or child resources.'
-    }
-    scope: searchService
+resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
+  properties: {
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete'
+      ? 'Cannot delete resource or child resources.'
+      : 'Cannot delete or modify the resource or child resources.'
   }
+  scope: searchService
+}
 
 resource searchService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   for (roleAssignment, index) in (roleAssignments ?? []): {
@@ -313,6 +314,25 @@ module searchService_sharedPrivateLinkResources 'shared-private-link-resource/ma
   }
 ]
 
+module keyVault 'modules/secrets-key-vault.bicep' = if (secretsKeyVault != null) {
+  name: '${uniqueString(deployment().name, location)}-secrets-kv'
+  scope: resourceGroup(secretsKeyVault.?resourceGroupName ?? resourceGroup().name)
+  params: {
+    keyVaultName: secretsKeyVault!.keyVaultName
+
+    keySecrets: [
+      {
+        secretName: secretsKeyVault.?primaryAdminKeySecretName ?? 'Primary-Admin-Key'
+        secretValue: searchService.listAdminKeys().primaryKey
+      }
+      {
+        secretName: secretsKeyVault.?secondaryAdminKeySecretName ?? 'Secondary-Admin-Key'
+        secretValue: searchService.listAdminKeys().secondaryKey
+      }
+    ]
+  }
+}
+
 // =========== //
 //   Outputs   //
 // =========== //
@@ -493,3 +513,17 @@ type diagnosticSettingType = {
   @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
   marketplacePartnerResourceId: string?
 }[]?
+
+type secretsKeyVaultType = {
+  @description('Required. The key vault name where to store the keys and connection strings generated by the modules.')
+  keyVaultName: string
+
+  @description('Optional. Default to the resource group where this account is. The resource group name where the key vault is.')
+  resourceGroupName: string?
+
+  @description('Optional. Default to API Primary admin key . The primary admin key secret name to create.')
+  primaryAdminKeySecretName: string?
+
+  @description('Optional. Default to API Secondary admin key . The secondary admin key secret name to create.')
+  secondaryAdminKeySecretName: string?
+}
diff --git a/avm/res/search/search-service/modules/secrets-key-vault.bicep b/avm/res/search/search-service/modules/secrets-key-vault.bicep
new file mode 100644
index 0000000000..803afa1f72
--- /dev/null
+++ b/avm/res/search/search-service/modules/secrets-key-vault.bicep
@@ -0,0 +1,23 @@
+param keyVaultName string
+param keySecrets keySecret[]
+
+resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}
+
+resource keySecretsSecrets 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = [
+  for secret in keySecrets: {
+    name: secret.secretName
+    parent: kv
+    properties: {
+      value: secret.secretValue
+    }
+  }
+]
+
+type keySecret = {
+  secretName: string
+
+  @secure()
+  secretValue: string
+}
diff --git a/avm/res/search/search-service/tests/e2e/kvSecrets/dependencies.bicep b/avm/res/search/search-service/tests/e2e/kvSecrets/dependencies.bicep
new file mode 100644
index 0000000000..caa4813d58
--- /dev/null
+++ b/avm/res/search/search-service/tests/e2e/kvSecrets/dependencies.bicep
@@ -0,0 +1,21 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param keyVaultName string
+
+resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
+  name: keyVaultName
+  location: location
+  properties: {
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    enableRbacAuthorization: true
+    tenantId: subscription().tenantId
+  }
+}
+
+@description('The name of the Key Vault created.')
+output keyVaultName string = keyVaultName
diff --git a/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
new file mode 100644
index 0000000000..6940afba92
--- /dev/null
+++ b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
@@ -0,0 +1,61 @@
+targetScope = 'subscription'
+
+metadata name = 'Deploying with a key vault reference to save secrets'
+metadata description = 'This instance deploys the module saving all its secrets in a key vault.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'ssskvs'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============== //
+// General resources
+// ============== //
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+  name: resourceGroupName
+  location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  params: {
+    keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
+    location: resourceLocation
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../../main.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}'
+  params: {
+    location: resourceLocation
+    name: '${namePrefix}-kv-ref'
+    disableLocalAuth: false
+    authOptions: {
+      aadOrApiKey: {
+        aadAuthFailureMode: 'http401WithBearerChallenge'
+      }
+    }
+    secretsKeyVault: {
+      keyVaultName: nestedDependencies.outputs.keyVaultName
+      primaryAdminKeySecretName: 'Primary-Admin-Key'
+    }
+  }
+}

From e4e03661ae9b4e396165ea94fe5839162c7dadf1 Mon Sep 17 00:00:00 2001
From: Morten Schmidt <morten.schmidt@atea.dk>
Date: Thu, 16 May 2024 08:23:56 +0200
Subject: [PATCH 02/26] AISearchService with adminkeys in keyvault

---
 avm/ptn/security/security-center/main.json    |  10 +-
 avm/res/aad/domain-service/main.json          |   4 +-
 avm/res/analysis-services/server/main.json    |   4 +-
 .../service/api-version-set/main.json         |   4 +-
 avm/res/api-management/service/api/main.json  |   8 +-
 .../service/api/policy/main.json              |   4 +-
 .../service/authorization-server/main.json    |   4 +-
 .../api-management/service/backend/main.json  |   4 +-
 .../api-management/service/cache/main.json    |   4 +-
 .../service/identity-provider/README.md       |   4 +-
 .../service/identity-provider/main.json       |   4 +-
 avm/res/api-management/service/main.json      |   2 +-
 .../service/named-value/main.json             |   4 +-
 .../api-management/service/policy/main.json   |   4 +-
 .../service/portalsetting/main.json           |   4 +-
 .../service/product/api/main.json             |   4 +-
 .../service/product/group/main.json           |   4 +-
 .../api-management/service/product/main.json  |  12 +-
 .../service/subscription/main.json            |   4 +-
 avm/res/app/job/main.json                     |   4 +-
 avm/res/batch/batch-account/README.md         |   2 +-
 avm/res/batch/batch-account/main.json         |   4 +-
 avm/res/cache/redis/main.json                 |   4 +-
 avm/res/cdn/profile/afdEndpoint/main.json     |   8 +-
 .../cdn/profile/afdEndpoint/route/main.json   |   4 +-
 avm/res/cdn/profile/customdomain/main.json    |   4 +-
 avm/res/cdn/profile/endpoint/main.json        |   8 +-
 avm/res/cdn/profile/endpoint/origin/main.json |   4 +-
 avm/res/cdn/profile/origingroup/main.json     |   8 +-
 .../cdn/profile/origingroup/origin/main.json  |   4 +-
 avm/res/cdn/profile/ruleset/main.json         |   8 +-
 avm/res/cdn/profile/ruleset/rule/main.json    |   4 +-
 avm/res/cdn/profile/secret/main.json          |   4 +-
 avm/res/cognitive-services/account/main.json  |   4 +-
 avm/res/compute/availability-set/main.json    |   4 +-
 avm/res/compute/disk-encryption-set/main.json |  14 +-
 avm/res/compute/disk/main.json                |   4 +-
 avm/res/search/search-service/README.md       | 138 ++++++++++++++++-
 avm/res/search/search-service/main.json       | 139 +++++++++++++++++-
 .../shared-private-link-resource/main.json    |   4 +-
 40 files changed, 363 insertions(+), 106 deletions(-)

diff --git a/avm/ptn/security/security-center/main.json b/avm/ptn/security/security-center/main.json
index 9216e95469..3e7a244558 100644
--- a/avm/ptn/security/security-center/main.json
+++ b/avm/ptn/security/security-center/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "5215368682061207752"
+      "version": "0.26.170.59819",
+      "templateHash": "18438423837890128986"
     },
     "name": "Azure Security Center (Defender for Cloud)",
     "description": "This module deploys an Azure Security Center (Defender for Cloud) Configuration.",
@@ -372,8 +372,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "11694037879563074763"
+              "version": "0.26.170.59819",
+              "templateHash": "16876993197536829325"
             }
           },
           "parameters": {
@@ -423,4 +423,4 @@
       "value": "Security"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/avm/res/aad/domain-service/main.json b/avm/res/aad/domain-service/main.json
index b82ba31545..352f88edd8 100644
--- a/avm/res/aad/domain-service/main.json
+++ b/avm/res/aad/domain-service/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "7265620724598107360"
+      "version": "0.26.170.59819",
+      "templateHash": "9940505035843194916"
     },
     "name": "Azure Active Directory Domain Services",
     "description": "This module deploys an Azure Active Directory Domain Services (AADDS) instance.",
diff --git a/avm/res/analysis-services/server/main.json b/avm/res/analysis-services/server/main.json
index 499b9433a1..5fc2826031 100644
--- a/avm/res/analysis-services/server/main.json
+++ b/avm/res/analysis-services/server/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "1590669612196455003"
+      "version": "0.26.170.59819",
+      "templateHash": "10166979415850302029"
     },
     "name": "Analysis Services Servers",
     "description": "This module deploys an Analysis Services Server.",
diff --git a/avm/res/api-management/service/api-version-set/main.json b/avm/res/api-management/service/api-version-set/main.json
index b20b0388c7..e72964e17a 100644
--- a/avm/res/api-management/service/api-version-set/main.json
+++ b/avm/res/api-management/service/api-version-set/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "14411287735172753559"
+      "version": "0.26.170.59819",
+      "templateHash": "2022925118326989470"
     },
     "name": "API Management Service API Version Sets",
     "description": "This module deploys an API Management Service API Version Set.",
diff --git a/avm/res/api-management/service/api/main.json b/avm/res/api-management/service/api/main.json
index 149062f9e8..c7694d5324 100644
--- a/avm/res/api-management/service/api/main.json
+++ b/avm/res/api-management/service/api/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "5827467280453778347"
+      "version": "0.26.170.59819",
+      "templateHash": "4982579131778182813"
     },
     "name": "API Management Service APIs",
     "description": "This module deploys an API Management Service API.",
@@ -267,8 +267,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "11734266416309377949"
+              "version": "0.26.170.59819",
+              "templateHash": "7030990401011468302"
             },
             "name": "API Management Service APIs Policies",
             "description": "This module deploys an API Management Service API Policy.",
diff --git a/avm/res/api-management/service/api/policy/main.json b/avm/res/api-management/service/api/policy/main.json
index bcbaf1d3bc..dac60a7818 100644
--- a/avm/res/api-management/service/api/policy/main.json
+++ b/avm/res/api-management/service/api/policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "11734266416309377949"
+      "version": "0.26.170.59819",
+      "templateHash": "7030990401011468302"
     },
     "name": "API Management Service APIs Policies",
     "description": "This module deploys an API Management Service API Policy.",
diff --git a/avm/res/api-management/service/authorization-server/main.json b/avm/res/api-management/service/authorization-server/main.json
index 78869fc966..7409325aee 100644
--- a/avm/res/api-management/service/authorization-server/main.json
+++ b/avm/res/api-management/service/authorization-server/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "505882801529152233"
+      "version": "0.26.170.59819",
+      "templateHash": "18174659605054562490"
     },
     "name": "API Management Service Authorization Servers",
     "description": "This module deploys an API Management Service Authorization Server.",
diff --git a/avm/res/api-management/service/backend/main.json b/avm/res/api-management/service/backend/main.json
index bba5ebcc1f..6735b4b4cd 100644
--- a/avm/res/api-management/service/backend/main.json
+++ b/avm/res/api-management/service/backend/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "5914852504306173482"
+      "version": "0.26.170.59819",
+      "templateHash": "2373122860271627831"
     },
     "name": "API Management Service Backends",
     "description": "This module deploys an API Management Service Backend.",
diff --git a/avm/res/api-management/service/cache/main.json b/avm/res/api-management/service/cache/main.json
index 537d4e1259..635fc75b2e 100644
--- a/avm/res/api-management/service/cache/main.json
+++ b/avm/res/api-management/service/cache/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "5452536693649070190"
+      "version": "0.26.170.59819",
+      "templateHash": "7716740574911932509"
     },
     "name": "API Management Service Caches",
     "description": "This module deploys an API Management Service Cache.",
diff --git a/avm/res/api-management/service/identity-provider/README.md b/avm/res/api-management/service/identity-provider/README.md
index bb82ad51bc..e6efa155c5 100644
--- a/avm/res/api-management/service/identity-provider/README.md
+++ b/avm/res/api-management/service/identity-provider/README.md
@@ -141,12 +141,12 @@ Identity Provider Type identifier.
 - Allowed:
   ```Bicep
   [
-    'aad'
-    'aadB2C'
     'facebook'
     'google'
     'microsoft'
     'twitter'
+    'aad'
+    'aadB2C'
   ]
   ```
 
diff --git a/avm/res/api-management/service/identity-provider/main.json b/avm/res/api-management/service/identity-provider/main.json
index d1ac06182d..e707857bc2 100644
--- a/avm/res/api-management/service/identity-provider/main.json
+++ b/avm/res/api-management/service/identity-provider/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "6944159515007886666"
+      "version": "0.26.170.59819",
+      "templateHash": "3154989001112723220"
     },
     "name": "API Management Service Identity Providers",
     "description": "This module deploys an API Management Service Identity Provider.",
diff --git a/avm/res/api-management/service/main.json b/avm/res/api-management/service/main.json
index 6e828a8cfc..83c5695051 100644
--- a/avm/res/api-management/service/main.json
+++ b/avm/res/api-management/service/main.json
@@ -2899,4 +2899,4 @@
       "value": "[reference('service', '2021-08-01', 'full').location]"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/avm/res/api-management/service/named-value/main.json b/avm/res/api-management/service/named-value/main.json
index 2087682ca4..40ba0474c7 100644
--- a/avm/res/api-management/service/named-value/main.json
+++ b/avm/res/api-management/service/named-value/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "17256518550792037410"
+      "version": "0.26.170.59819",
+      "templateHash": "8836145661772426348"
     },
     "name": "API Management Service Named Values",
     "description": "This module deploys an API Management Service Named Value.",
diff --git a/avm/res/api-management/service/policy/main.json b/avm/res/api-management/service/policy/main.json
index a2d8a0624c..789f442757 100644
--- a/avm/res/api-management/service/policy/main.json
+++ b/avm/res/api-management/service/policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "12407621079025229005"
+      "version": "0.26.170.59819",
+      "templateHash": "11401408412631964174"
     },
     "name": "API Management Service Policies",
     "description": "This module deploys an API Management Service Policy.",
diff --git a/avm/res/api-management/service/portalsetting/main.json b/avm/res/api-management/service/portalsetting/main.json
index 510cbe1b2c..f6882b3f61 100644
--- a/avm/res/api-management/service/portalsetting/main.json
+++ b/avm/res/api-management/service/portalsetting/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "6528716876560144579"
+      "version": "0.26.170.59819",
+      "templateHash": "17742652979966426375"
     },
     "name": "API Management Service Portal Settings",
     "description": "This module deploys an API Management Service Portal Setting.",
diff --git a/avm/res/api-management/service/product/api/main.json b/avm/res/api-management/service/product/api/main.json
index 6e0c22412b..6a8980317c 100644
--- a/avm/res/api-management/service/product/api/main.json
+++ b/avm/res/api-management/service/product/api/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "2440306385645798125"
+      "version": "0.26.170.59819",
+      "templateHash": "11861068623935926152"
     },
     "name": "API Management Service Products APIs",
     "description": "This module deploys an API Management Service Product API.",
diff --git a/avm/res/api-management/service/product/group/main.json b/avm/res/api-management/service/product/group/main.json
index af4900659f..b676f6bf18 100644
--- a/avm/res/api-management/service/product/group/main.json
+++ b/avm/res/api-management/service/product/group/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "7056381119937736015"
+      "version": "0.26.170.59819",
+      "templateHash": "16009390664131411394"
     },
     "name": "API Management Service Products Groups",
     "description": "This module deploys an API Management Service Product Group.",
diff --git a/avm/res/api-management/service/product/main.json b/avm/res/api-management/service/product/main.json
index 36c877e581..1e5cde7d1f 100644
--- a/avm/res/api-management/service/product/main.json
+++ b/avm/res/api-management/service/product/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "2407987626180908324"
+      "version": "0.26.170.59819",
+      "templateHash": "11338797354163447995"
     },
     "name": "API Management Service Products",
     "description": "This module deploys an API Management Service Product.",
@@ -126,8 +126,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "2440306385645798125"
+              "version": "0.26.170.59819",
+              "templateHash": "11861068623935926152"
             },
             "name": "API Management Service Products APIs",
             "description": "This module deploys an API Management Service Product API.",
@@ -216,8 +216,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "7056381119937736015"
+              "version": "0.26.170.59819",
+              "templateHash": "16009390664131411394"
             },
             "name": "API Management Service Products Groups",
             "description": "This module deploys an API Management Service Product Group.",
diff --git a/avm/res/api-management/service/subscription/main.json b/avm/res/api-management/service/subscription/main.json
index 7bfb9de555..911fa7543e 100644
--- a/avm/res/api-management/service/subscription/main.json
+++ b/avm/res/api-management/service/subscription/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "12071485798846786639"
+      "version": "0.26.170.59819",
+      "templateHash": "1707587491854823408"
     },
     "name": "API Management Service Subscriptions",
     "description": "This module deploys an API Management Service Subscription.",
diff --git a/avm/res/app/job/main.json b/avm/res/app/job/main.json
index 6d8ee06c25..58fed4a24e 100644
--- a/avm/res/app/job/main.json
+++ b/avm/res/app/job/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.27.1.19265",
-      "templateHash": "11649443218681434280"
+      "version": "0.26.170.59819",
+      "templateHash": "3096359783958038878"
     },
     "name": "Container App Jobs",
     "description": "This module deploys a Container App Job.",
diff --git a/avm/res/batch/batch-account/README.md b/avm/res/batch/batch-account/README.md
index f2d6ddd938..90a7b88bdb 100644
--- a/avm/res/batch/batch-account/README.md
+++ b/avm/res/batch/batch-account/README.md
@@ -691,9 +691,9 @@ List of allowed authentication modes for the Batch account that can be used to a
 - Allowed:
   ```Bicep
   [
-    'AAD'
     'SharedKey'
     'TaskAuthenticationToken'
+    'AAD'
   ]
   ```
 
diff --git a/avm/res/batch/batch-account/main.json b/avm/res/batch/batch-account/main.json
index 918b144932..982aca6bf9 100644
--- a/avm/res/batch/batch-account/main.json
+++ b/avm/res/batch/batch-account/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "11103817479788393007"
+      "version": "0.26.170.59819",
+      "templateHash": "3893634721932693918"
     },
     "name": "Batch Accounts",
     "description": "This module deploys a Batch Account.",
diff --git a/avm/res/cache/redis/main.json b/avm/res/cache/redis/main.json
index b7da02c047..d2c8d21350 100644
--- a/avm/res/cache/redis/main.json
+++ b/avm/res/cache/redis/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "15170120544539480286"
+      "version": "0.26.170.59819",
+      "templateHash": "14610347286140734482"
     },
     "name": "Redis Cache",
     "description": "This module deploys a Redis Cache.",
diff --git a/avm/res/cdn/profile/afdEndpoint/main.json b/avm/res/cdn/profile/afdEndpoint/main.json
index dbaf3c9233..23fd2d72d2 100644
--- a/avm/res/cdn/profile/afdEndpoint/main.json
+++ b/avm/res/cdn/profile/afdEndpoint/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "8869132357079269087"
+      "version": "0.26.170.59819",
+      "templateHash": "3255198433705940781"
     },
     "name": "CDN Profiles AFD Endpoints",
     "description": "This module deploys a CDN Profile AFD Endpoint.",
@@ -156,8 +156,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "8525791914559803218"
+              "version": "0.26.170.59819",
+              "templateHash": "12469321322924109409"
             },
             "name": "CDN Profiles AFD Endpoint Route",
             "description": "This module deploys a CDN Profile AFD Endpoint route.",
diff --git a/avm/res/cdn/profile/afdEndpoint/route/main.json b/avm/res/cdn/profile/afdEndpoint/route/main.json
index ce9f9ea2c5..1144b0099f 100644
--- a/avm/res/cdn/profile/afdEndpoint/route/main.json
+++ b/avm/res/cdn/profile/afdEndpoint/route/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "8525791914559803218"
+      "version": "0.26.170.59819",
+      "templateHash": "12469321322924109409"
     },
     "name": "CDN Profiles AFD Endpoint Route",
     "description": "This module deploys a CDN Profile AFD Endpoint route.",
diff --git a/avm/res/cdn/profile/customdomain/main.json b/avm/res/cdn/profile/customdomain/main.json
index 54f6fa7a8d..2834e7dc00 100644
--- a/avm/res/cdn/profile/customdomain/main.json
+++ b/avm/res/cdn/profile/customdomain/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "15657388199001378642"
+      "version": "0.26.170.59819",
+      "templateHash": "15721665305636481516"
     },
     "name": "CDN Profiles Custom Domains",
     "description": "This module deploys a CDN Profile Custom Domains.",
diff --git a/avm/res/cdn/profile/endpoint/main.json b/avm/res/cdn/profile/endpoint/main.json
index 4866a4cf53..f38b67df97 100644
--- a/avm/res/cdn/profile/endpoint/main.json
+++ b/avm/res/cdn/profile/endpoint/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "5516612458443504281"
+      "version": "0.26.170.59819",
+      "templateHash": "2906172435071993445"
     },
     "name": "CDN Profiles Endpoints",
     "description": "This module deploys a CDN Profile Endpoint.",
@@ -125,8 +125,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "11112660703037023992"
+              "version": "0.26.170.59819",
+              "templateHash": "3665403791951260301"
             },
             "name": "CDN Profiles Endpoints Origins",
             "description": "This module deploys a CDN Profile Endpoint Origin.",
diff --git a/avm/res/cdn/profile/endpoint/origin/main.json b/avm/res/cdn/profile/endpoint/origin/main.json
index bb4eefa74d..139f01f24a 100644
--- a/avm/res/cdn/profile/endpoint/origin/main.json
+++ b/avm/res/cdn/profile/endpoint/origin/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "11112660703037023992"
+      "version": "0.26.170.59819",
+      "templateHash": "3665403791951260301"
     },
     "name": "CDN Profiles Endpoints Origins",
     "description": "This module deploys a CDN Profile Endpoint Origin.",
diff --git a/avm/res/cdn/profile/origingroup/main.json b/avm/res/cdn/profile/origingroup/main.json
index 4dce9e8ca3..7d36c13c02 100644
--- a/avm/res/cdn/profile/origingroup/main.json
+++ b/avm/res/cdn/profile/origingroup/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "8706007645911322422"
+      "version": "0.26.170.59819",
+      "templateHash": "12438540618132459307"
     },
     "name": "CDN Profiles Origin Group",
     "description": "This module deploys a CDN Profile Origin Group.",
@@ -142,8 +142,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "16657064743499074369"
+              "version": "0.26.170.59819",
+              "templateHash": "8566106020570825253"
             },
             "name": "CDN Profiles Origin",
             "description": "This module deploys a CDN Profile Origin.",
diff --git a/avm/res/cdn/profile/origingroup/origin/main.json b/avm/res/cdn/profile/origingroup/origin/main.json
index fb48ec8744..4f80a2bd95 100644
--- a/avm/res/cdn/profile/origingroup/origin/main.json
+++ b/avm/res/cdn/profile/origingroup/origin/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "16657064743499074369"
+      "version": "0.26.170.59819",
+      "templateHash": "8566106020570825253"
     },
     "name": "CDN Profiles Origin",
     "description": "This module deploys a CDN Profile Origin.",
diff --git a/avm/res/cdn/profile/ruleset/main.json b/avm/res/cdn/profile/ruleset/main.json
index 349d081644..9610ff8024 100644
--- a/avm/res/cdn/profile/ruleset/main.json
+++ b/avm/res/cdn/profile/ruleset/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "1809010747275335698"
+      "version": "0.26.170.59819",
+      "templateHash": "5891069247146856543"
     },
     "name": "CDN Profiles Rule Sets",
     "description": "This module deploys a CDN Profile rule set.",
@@ -91,8 +91,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "8195283154733773558"
+              "version": "0.26.170.59819",
+              "templateHash": "4690708071413750601"
             },
             "name": "CDN Profiles Rules",
             "description": "This module deploys a CDN Profile rule.",
diff --git a/avm/res/cdn/profile/ruleset/rule/main.json b/avm/res/cdn/profile/ruleset/rule/main.json
index dc817e69f6..7b3a3304f7 100644
--- a/avm/res/cdn/profile/ruleset/rule/main.json
+++ b/avm/res/cdn/profile/ruleset/rule/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "8195283154733773558"
+      "version": "0.26.170.59819",
+      "templateHash": "4690708071413750601"
     },
     "name": "CDN Profiles Rules",
     "description": "This module deploys a CDN Profile rule.",
diff --git a/avm/res/cdn/profile/secret/main.json b/avm/res/cdn/profile/secret/main.json
index 9ba045e7be..99e5939112 100644
--- a/avm/res/cdn/profile/secret/main.json
+++ b/avm/res/cdn/profile/secret/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "7298174434641608123"
+      "version": "0.26.170.59819",
+      "templateHash": "364931243138434002"
     },
     "name": "CDN Profiles Secret",
     "description": "This module deploys a CDN Profile Secret.",
diff --git a/avm/res/cognitive-services/account/main.json b/avm/res/cognitive-services/account/main.json
index 8b8cbfdf28..d121bff4e2 100644
--- a/avm/res/cognitive-services/account/main.json
+++ b/avm/res/cognitive-services/account/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "16646471610876147779"
+      "version": "0.26.170.59819",
+      "templateHash": "499952504813132750"
     },
     "name": "Cognitive Services",
     "description": "This module deploys a Cognitive Service.",
diff --git a/avm/res/compute/availability-set/main.json b/avm/res/compute/availability-set/main.json
index 290131af55..e5935e4235 100644
--- a/avm/res/compute/availability-set/main.json
+++ b/avm/res/compute/availability-set/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "9732921541323544854"
+      "version": "0.26.170.59819",
+      "templateHash": "1482827040324478831"
     },
     "name": "Availability Sets",
     "description": "This module deploys an Availability Set.",
diff --git a/avm/res/compute/disk-encryption-set/main.json b/avm/res/compute/disk-encryption-set/main.json
index db3719112f..d8c8ba7e58 100644
--- a/avm/res/compute/disk-encryption-set/main.json
+++ b/avm/res/compute/disk-encryption-set/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "12741671665077521328"
+      "version": "0.26.170.59819",
+      "templateHash": "17419089387885253563"
     },
     "name": "Disk Encryption Sets",
     "description": "This module deploys a Disk Encryption Set. The module will attempt to set permissions on the provided Key Vault for any used user-assigned identity.",
@@ -374,8 +374,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "11328049361610922964"
+              "version": "0.26.170.59819",
+              "templateHash": "16786824117269367102"
             }
           },
           "parameters": {
@@ -462,8 +462,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.26.54.24096",
-                      "templateHash": "3020199531226338329"
+                      "version": "0.26.170.59819",
+                      "templateHash": "4087128099053179532"
                     },
                     "name": "Key Vault Access Policies",
                     "description": "This module deploys a Key Vault Access Policy.",
@@ -735,4 +735,4 @@
       "value": "[reference('diskEncryptionSet', '2023-10-02', 'full').location]"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/avm/res/compute/disk/main.json b/avm/res/compute/disk/main.json
index 3a754a36b6..c2622b1a78 100644
--- a/avm/res/compute/disk/main.json
+++ b/avm/res/compute/disk/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "13557505070746246600"
+      "version": "0.26.170.59819",
+      "templateHash": "12176121248469967352"
     },
     "name": "Compute Disks",
     "description": "This module deploys a Compute Disk",
diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index fddc70b242..2389f6e886 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -18,6 +18,7 @@ This module deploys a Search Service.
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
+| `Microsoft.KeyVault/vaults/secrets` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/secrets) |
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
 | `Microsoft.Search/searchServices` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Search/2023-11-01/searchServices) |
@@ -32,9 +33,10 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br/public:avm/res/search/search-service:<version>`.
 
 - [Using only defaults](#example-1-using-only-defaults)
-- [Using large parameter set](#example-2-using-large-parameter-set)
-- [Private endpoint-enabled deployment](#example-3-private-endpoint-enabled-deployment)
-- [WAF-aligned](#example-4-waf-aligned)
+- [Deploying with a key vault reference to save secrets](#example-2-deploying-with-a-key-vault-reference-to-save-secrets)
+- [Using large parameter set](#example-3-using-large-parameter-set)
+- [Private endpoint-enabled deployment](#example-4-private-endpoint-enabled-deployment)
+- [WAF-aligned](#example-5-waf-aligned)
 
 ### Example 1: _Using only defaults_
 
@@ -84,7 +86,81 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
-### Example 2: _Using large parameter set_
+### Example 2: _Deploying with a key vault reference to save secrets_
+
+This instance deploys the module saving all its secrets in a key vault.
+
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module searchService 'br/public:avm/res/search/search-service:<version>' = {
+  name: 'searchServiceDeployment'
+  params: {
+    // Required parameters
+    name: 'kv-ref'
+    // Non-required parameters
+    authOptions: {
+      aadOrApiKey: {
+        aadAuthFailureMode: 'http401WithBearerChallenge'
+      }
+    }
+    disableLocalAuth: false
+    location: '<location>'
+    secretsKeyVault: {
+      keyVaultName: '<keyVaultName>'
+      primaryAdminKeySecretName: 'Primary-Admin-Key'
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON Parameter file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    // Required parameters
+    "name": {
+      "value": "kv-ref"
+    },
+    // Non-required parameters
+    "authOptions": {
+      "value": {
+        "aadOrApiKey": {
+          "aadAuthFailureMode": "http401WithBearerChallenge"
+        }
+      }
+    },
+    "disableLocalAuth": {
+      "value": false
+    },
+    "location": {
+      "value": "<location>"
+    },
+    "secretsKeyVault": {
+      "value": {
+        "keyVaultName": "<keyVaultName>",
+        "primaryAdminKeySecretName": "Primary-Admin-Key"
+      }
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+### Example 3: _Using large parameter set_
 
 This instance deploys the module with most of its features enabled.
 
@@ -290,7 +366,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
-### Example 3: _Private endpoint-enabled deployment_
+### Example 4: _Private endpoint-enabled deployment_
 
 This instance deploys the module with private endpoints.
 
@@ -426,7 +502,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
-### Example 4: _WAF-aligned_
+### Example 5: _WAF-aligned_
 
 This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
 
@@ -620,6 +696,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. |
 | [`replicaCount`](#parameter-replicacount) | int | The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
+| [`secretsKeyVault`](#parameter-secretskeyvault) | object | Key vault reference and secret settings to add the connection strings and keys generated by the cosmosdb account. |
 | [`semanticSearch`](#parameter-semanticsearch) | string | Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations. |
 | [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The sharedPrivateLinkResources to create as part of the search Service. |
 | [`sku`](#parameter-sku) | string | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. |
@@ -1368,6 +1445,55 @@ The principal type of the assigned principal ID.
   ]
   ```
 
+### Parameter: `secretsKeyVault`
+
+Key vault reference and secret settings to add the connection strings and keys generated by the cosmosdb account.
+
+- Required: No
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`keyVaultName`](#parameter-secretskeyvaultkeyvaultname) | string | The key vault name where to store the keys and connection strings generated by the modules. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`primaryAdminKeySecretName`](#parameter-secretskeyvaultprimaryadminkeysecretname) | string | Default to API Primary admin key . The primary admin key secret name to create. |
+| [`resourceGroupName`](#parameter-secretskeyvaultresourcegroupname) | string | Default to the resource group where this account is. The resource group name where the key vault is. |
+| [`secondaryAdminKeySecretName`](#parameter-secretskeyvaultsecondaryadminkeysecretname) | string | Default to API Secondary admin key . The secondary admin key secret name to create. |
+
+### Parameter: `secretsKeyVault.keyVaultName`
+
+The key vault name where to store the keys and connection strings generated by the modules.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `secretsKeyVault.primaryAdminKeySecretName`
+
+Default to API Primary admin key . The primary admin key secret name to create.
+
+- Required: No
+- Type: string
+
+### Parameter: `secretsKeyVault.resourceGroupName`
+
+Default to the resource group where this account is. The resource group name where the key vault is.
+
+- Required: No
+- Type: string
+
+### Parameter: `secretsKeyVault.secondaryAdminKeySecretName`
+
+Default to API Secondary admin key . The secondary admin key secret name to create.
+
+- Required: No
+- Type: string
+
 ### Parameter: `semanticSearch`
 
 Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations.
diff --git a/avm/res/search/search-service/main.json b/avm/res/search/search-service/main.json
index df489a9cab..d0103292f8 100644
--- a/avm/res/search/search-service/main.json
+++ b/avm/res/search/search-service/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "13069544635575133650"
+      "version": "0.27.1.19265",
+      "templateHash": "4742187527066809212"
     },
     "name": "Search Services",
     "description": "This module deploys a Search Service.",
@@ -433,6 +433,38 @@
         }
       },
       "nullable": true
+    },
+    "secretsKeyVaultType": {
+      "type": "object",
+      "properties": {
+        "keyVaultName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The key vault name where to store the keys and connection strings generated by the modules."
+          }
+        },
+        "resourceGroupName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Default to the resource group where this account is. The resource group name where the key vault is."
+          }
+        },
+        "primaryAdminKeySecretName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Default to API Primary admin key . The primary admin key secret name to create."
+          }
+        },
+        "secondaryAdminKeySecretName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Default to API Secondary admin key . The secondary admin key secret name to create."
+          }
+        }
+      }
     }
   },
   "parameters": {
@@ -539,6 +571,13 @@
         "description": "Optional. This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method."
       }
     },
+    "secretsKeyVault": {
+      "$ref": "#/definitions/secretsKeyVaultType",
+      "nullable": true,
+      "metadata": {
+        "description": "Optional. Key vault reference and secret settings to add the connection strings and keys generated by the cosmosdb account."
+      }
+    },
     "replicaCount": {
       "type": "int",
       "defaultValue": 3,
@@ -1439,8 +1478,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.54.24096",
-              "templateHash": "4284041533987186633"
+              "version": "0.27.1.19265",
+              "templateHash": "12246294953666077655"
             },
             "name": "Search Services Private Link Resources",
             "description": "This module deploys a Search Service Private Link Resource.",
@@ -1535,6 +1574,98 @@
       "dependsOn": [
         "searchService"
       ]
+    },
+    "keyVault": {
+      "condition": "[not(equals(parameters('secretsKeyVault'), null()))]",
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2022-09-01",
+      "name": "[format('{0}-secrets-kv', uniqueString(deployment().name, parameters('location')))]",
+      "resourceGroup": "[coalesce(tryGet(parameters('secretsKeyVault'), 'resourceGroupName'), resourceGroup().name)]",
+      "properties": {
+        "expressionEvaluationOptions": {
+          "scope": "inner"
+        },
+        "mode": "Incremental",
+        "parameters": {
+          "keyVaultName": {
+            "value": "[parameters('secretsKeyVault').keyVaultName]"
+          },
+          "keySecrets": {
+            "value": [
+              {
+                "secretName": "[coalesce(tryGet(parameters('secretsKeyVault'), 'primaryAdminKeySecretName'), 'Primary-Admin-Key')]",
+                "secretValue": "[listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2023-11-01').primaryKey]"
+              },
+              {
+                "secretName": "[coalesce(tryGet(parameters('secretsKeyVault'), 'secondaryAdminKeySecretName'), 'Secondary-Admin-Key')]",
+                "secretValue": "[listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2023-11-01').secondaryKey]"
+              }
+            ]
+          }
+        },
+        "template": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "languageVersion": "2.0",
+          "contentVersion": "1.0.0.0",
+          "metadata": {
+            "_generator": {
+              "name": "bicep",
+              "version": "0.27.1.19265",
+              "templateHash": "17423703517558214368"
+            }
+          },
+          "definitions": {
+            "keySecret": {
+              "type": "object",
+              "properties": {
+                "secretName": {
+                  "type": "string"
+                },
+                "secretValue": {
+                  "type": "securestring"
+                }
+              }
+            }
+          },
+          "parameters": {
+            "keyVaultName": {
+              "type": "string"
+            },
+            "keySecrets": {
+              "type": "array",
+              "items": {
+                "$ref": "#/definitions/keySecret"
+              }
+            }
+          },
+          "resources": {
+            "kv": {
+              "existing": true,
+              "type": "Microsoft.KeyVault/vaults",
+              "apiVersion": "2022-07-01",
+              "name": "[parameters('keyVaultName')]"
+            },
+            "keySecretsSecrets": {
+              "copy": {
+                "name": "keySecretsSecrets",
+                "count": "[length(parameters('keySecrets'))]"
+              },
+              "type": "Microsoft.KeyVault/vaults/secrets",
+              "apiVersion": "2022-07-01",
+              "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('keySecrets')[copyIndex()].secretName)]",
+              "properties": {
+                "value": "[parameters('keySecrets')[copyIndex()].secretValue]"
+              },
+              "dependsOn": [
+                "kv"
+              ]
+            }
+          }
+        }
+      },
+      "dependsOn": [
+        "searchService"
+      ]
     }
   },
   "outputs": {
diff --git a/avm/res/search/search-service/shared-private-link-resource/main.json b/avm/res/search/search-service/shared-private-link-resource/main.json
index e6f281a453..cd5294c419 100644
--- a/avm/res/search/search-service/shared-private-link-resource/main.json
+++ b/avm/res/search/search-service/shared-private-link-resource/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "4284041533987186633"
+      "version": "0.27.1.19265",
+      "templateHash": "12246294953666077655"
     },
     "name": "Search Services Private Link Resources",
     "description": "This module deploys a Search Service Private Link Resource.",

From 2c71c35e06c652182d1a5513b44e36399fecae18 Mon Sep 17 00:00:00 2001
From: Morten Schmidt <morten.schmidt@atea.dk>
Date: Thu, 16 May 2024 09:59:17 +0200
Subject: [PATCH 03/26] AiSearchService with AdminKeys in Keyvault

---
 avm/res/search/search-service/README.md                | 10 +++++-----
 avm/res/search/search-service/main.bicep               |  4 ++--
 avm/res/search/search-service/main.json                |  6 +++---
 .../search-service/tests/e2e/kvSecrets/main.test.bicep |  2 +-
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index 2389f6e886..b6c0dbe2cb 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -88,7 +88,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 
 ### Example 2: _Deploying with a key vault reference to save secrets_
 
-This instance deploys the module saving all its secrets in a key vault.
+This instance deploys the module saving adminkey secrets in a key vault.
 
 
 <details>
@@ -696,7 +696,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. |
 | [`replicaCount`](#parameter-replicacount) | int | The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`secretsKeyVault`](#parameter-secretskeyvault) | object | Key vault reference and secret settings to add the connection strings and keys generated by the cosmosdb account. |
+| [`secretsKeyVault`](#parameter-secretskeyvault) | object | Key vault reference and secret settings to add the API admin keys generated by the search-service account. |
 | [`semanticSearch`](#parameter-semanticsearch) | string | Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations. |
 | [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The sharedPrivateLinkResources to create as part of the search Service. |
 | [`sku`](#parameter-sku) | string | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. |
@@ -1447,7 +1447,7 @@ The principal type of the assigned principal ID.
 
 ### Parameter: `secretsKeyVault`
 
-Key vault reference and secret settings to add the connection strings and keys generated by the cosmosdb account.
+Key vault reference and secret settings to add the API admin keys generated by the search-service account.
 
 - Required: No
 - Type: object
@@ -1456,7 +1456,7 @@ Key vault reference and secret settings to add the connection strings and keys g
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`keyVaultName`](#parameter-secretskeyvaultkeyvaultname) | string | The key vault name where to store the keys and connection strings generated by the modules. |
+| [`keyVaultName`](#parameter-secretskeyvaultkeyvaultname) | string | The key vault name where to store the API Admin keys generated by the modules. |
 
 **Optional parameters**
 
@@ -1468,7 +1468,7 @@ Key vault reference and secret settings to add the connection strings and keys g
 
 ### Parameter: `secretsKeyVault.keyVaultName`
 
-The key vault name where to store the keys and connection strings generated by the modules.
+The key vault name where to store the API Admin keys generated by the modules.
 
 - Required: Yes
 - Type: string
diff --git a/avm/res/search/search-service/main.bicep b/avm/res/search/search-service/main.bicep
index ccddb34528..49cba6df27 100644
--- a/avm/res/search/search-service/main.bicep
+++ b/avm/res/search/search-service/main.bicep
@@ -60,7 +60,7 @@ param sharedPrivateLinkResources array = []
 ])
 param publicNetworkAccess string = 'enabled'
 
-@description('Optional. Key vault reference and secret settings to add the connection strings and keys generated by the cosmosdb account.')
+@description('Optional. Key vault reference and secret settings to add the API admin keys generated by the search-service account.')
 param secretsKeyVault secretsKeyVaultType?
 
 @description('Optional. The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU.')
@@ -515,7 +515,7 @@ type diagnosticSettingType = {
 }[]?
 
 type secretsKeyVaultType = {
-  @description('Required. The key vault name where to store the keys and connection strings generated by the modules.')
+  @description('Required. The key vault name where to store the API Admin keys generated by the modules.')
   keyVaultName: string
 
   @description('Optional. Default to the resource group where this account is. The resource group name where the key vault is.')
diff --git a/avm/res/search/search-service/main.json b/avm/res/search/search-service/main.json
index d0103292f8..7a7e2b8085 100644
--- a/avm/res/search/search-service/main.json
+++ b/avm/res/search/search-service/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.27.1.19265",
-      "templateHash": "4742187527066809212"
+      "templateHash": "3771642557846929937"
     },
     "name": "Search Services",
     "description": "This module deploys a Search Service.",
@@ -440,7 +440,7 @@
         "keyVaultName": {
           "type": "string",
           "metadata": {
-            "description": "Required. The key vault name where to store the keys and connection strings generated by the modules."
+            "description": "Required. The key vault name where to store the API Admin keys generated by the modules."
           }
         },
         "resourceGroupName": {
@@ -575,7 +575,7 @@
       "$ref": "#/definitions/secretsKeyVaultType",
       "nullable": true,
       "metadata": {
-        "description": "Optional. Key vault reference and secret settings to add the connection strings and keys generated by the cosmosdb account."
+        "description": "Optional. Key vault reference and secret settings to add the API admin keys generated by the search-service account."
       }
     },
     "replicaCount": {
diff --git a/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
index 6940afba92..dc7386e9cd 100644
--- a/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
+++ b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
@@ -1,7 +1,7 @@
 targetScope = 'subscription'
 
 metadata name = 'Deploying with a key vault reference to save secrets'
-metadata description = 'This instance deploys the module saving all its secrets in a key vault.'
+metadata description = 'This instance deploys the module saving adminkey secrets in a key vault.'
 
 // ========== //
 // Parameters //

From 72e0aaf0fb6633dba2be016f44c36b4d14f9871d Mon Sep 17 00:00:00 2001
From: Morten Schmidt <morten.schmidt@atea.dk>
Date: Thu, 16 May 2024 10:11:18 +0200
Subject: [PATCH 04/26] Typo in main.test.bicep

---
 .../search/search-service/tests/e2e/kvSecrets/main.test.bicep   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
index dc7386e9cd..1f84c968fb 100644
--- a/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
+++ b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
@@ -1,7 +1,7 @@
 targetScope = 'subscription'
 
 metadata name = 'Deploying with a key vault reference to save secrets'
-metadata description = 'This instance deploys the module saving adminkey secrets in a key vault.'
+metadata description = 'This instance deploys the module saving admin key secrets in a key vault.'
 
 // ========== //
 // Parameters //

From 6f92af01b4ead14d99ac2f56eeec125ab1b977af Mon Sep 17 00:00:00 2001
From: Morten Schmidt <morten.schmidt@atea.dk>
Date: Thu, 16 May 2024 11:00:44 +0200
Subject: [PATCH 05/26] Typo in main.test.bicep

---
 avm/res/search/search-service/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index b6c0dbe2cb..e7fb95dd06 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -88,7 +88,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 
 ### Example 2: _Deploying with a key vault reference to save secrets_
 
-This instance deploys the module saving adminkey secrets in a key vault.
+This instance deploys the module saving admin key secrets in a key vault.
 
 
 <details>

From 46ba06824ff1255896dab21bbb31ad027de795c7 Mon Sep 17 00:00:00 2001
From: Morten Schmidt <morten.schmidt@atea.dk>
Date: Fri, 17 May 2024 09:52:27 +0200
Subject: [PATCH 06/26] Revert "AISearchService with adminkeys in keyvault undo
 recurse"

This reverts commit e4e03661ae9b4e396165ea94fe5839162c7dadf1.
---
 avm/ptn/security/security-center/main.json    | 10 +-
 avm/res/aad/domain-service/main.json          |  4 +-
 avm/res/analysis-services/server/main.json    |  4 +-
 .../service/api-version-set/main.json         |  4 +-
 avm/res/api-management/service/api/main.json  |  8 +-
 .../service/api/policy/main.json              |  4 +-
 .../service/authorization-server/main.json    |  4 +-
 .../api-management/service/backend/main.json  |  4 +-
 .../api-management/service/cache/main.json    |  4 +-
 .../service/identity-provider/README.md       |  4 +-
 .../service/identity-provider/main.json       |  4 +-
 avm/res/api-management/service/main.json      |  2 +-
 .../service/named-value/main.json             |  4 +-
 .../api-management/service/policy/main.json   |  4 +-
 .../service/portalsetting/main.json           |  4 +-
 .../service/product/api/main.json             |  4 +-
 .../service/product/group/main.json           |  4 +-
 .../api-management/service/product/main.json  | 12 +--
 .../service/subscription/main.json            |  4 +-
 avm/res/app/job/main.json                     |  4 +-
 avm/res/batch/batch-account/README.md         |  2 +-
 avm/res/batch/batch-account/main.json         |  4 +-
 avm/res/cache/redis/main.json                 |  4 +-
 avm/res/cdn/profile/afdEndpoint/main.json     |  8 +-
 .../cdn/profile/afdEndpoint/route/main.json   |  4 +-
 avm/res/cdn/profile/customdomain/main.json    |  4 +-
 avm/res/cdn/profile/endpoint/main.json        |  8 +-
 avm/res/cdn/profile/endpoint/origin/main.json |  4 +-
 avm/res/cdn/profile/origingroup/main.json     |  8 +-
 .../cdn/profile/origingroup/origin/main.json  |  4 +-
 avm/res/cdn/profile/ruleset/main.json         |  8 +-
 avm/res/cdn/profile/ruleset/rule/main.json    |  4 +-
 avm/res/cdn/profile/secret/main.json          |  4 +-
 avm/res/cognitive-services/account/main.json  |  4 +-
 avm/res/compute/availability-set/main.json    |  4 +-
 avm/res/compute/disk-encryption-set/main.json | 14 +--
 avm/res/compute/disk/main.json                |  4 +-
 avm/res/search/search-service/README.md       | 22 +++--
 avm/res/search/search-service/main.json       | 98 +------------------
 .../shared-private-link-resource/main.json    |  4 +-
 40 files changed, 114 insertions(+), 198 deletions(-)

diff --git a/avm/ptn/security/security-center/main.json b/avm/ptn/security/security-center/main.json
index 3e7a244558..9216e95469 100644
--- a/avm/ptn/security/security-center/main.json
+++ b/avm/ptn/security/security-center/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "18438423837890128986"
+      "version": "0.26.54.24096",
+      "templateHash": "5215368682061207752"
     },
     "name": "Azure Security Center (Defender for Cloud)",
     "description": "This module deploys an Azure Security Center (Defender for Cloud) Configuration.",
@@ -372,8 +372,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.170.59819",
-              "templateHash": "16876993197536829325"
+              "version": "0.26.54.24096",
+              "templateHash": "11694037879563074763"
             }
           },
           "parameters": {
@@ -423,4 +423,4 @@
       "value": "Security"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/avm/res/aad/domain-service/main.json b/avm/res/aad/domain-service/main.json
index 352f88edd8..b82ba31545 100644
--- a/avm/res/aad/domain-service/main.json
+++ b/avm/res/aad/domain-service/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "9940505035843194916"
+      "version": "0.26.54.24096",
+      "templateHash": "7265620724598107360"
     },
     "name": "Azure Active Directory Domain Services",
     "description": "This module deploys an Azure Active Directory Domain Services (AADDS) instance.",
diff --git a/avm/res/analysis-services/server/main.json b/avm/res/analysis-services/server/main.json
index 5fc2826031..499b9433a1 100644
--- a/avm/res/analysis-services/server/main.json
+++ b/avm/res/analysis-services/server/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "10166979415850302029"
+      "version": "0.26.54.24096",
+      "templateHash": "1590669612196455003"
     },
     "name": "Analysis Services Servers",
     "description": "This module deploys an Analysis Services Server.",
diff --git a/avm/res/api-management/service/api-version-set/main.json b/avm/res/api-management/service/api-version-set/main.json
index e72964e17a..b20b0388c7 100644
--- a/avm/res/api-management/service/api-version-set/main.json
+++ b/avm/res/api-management/service/api-version-set/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "2022925118326989470"
+      "version": "0.26.54.24096",
+      "templateHash": "14411287735172753559"
     },
     "name": "API Management Service API Version Sets",
     "description": "This module deploys an API Management Service API Version Set.",
diff --git a/avm/res/api-management/service/api/main.json b/avm/res/api-management/service/api/main.json
index c7694d5324..149062f9e8 100644
--- a/avm/res/api-management/service/api/main.json
+++ b/avm/res/api-management/service/api/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "4982579131778182813"
+      "version": "0.26.54.24096",
+      "templateHash": "5827467280453778347"
     },
     "name": "API Management Service APIs",
     "description": "This module deploys an API Management Service API.",
@@ -267,8 +267,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.170.59819",
-              "templateHash": "7030990401011468302"
+              "version": "0.26.54.24096",
+              "templateHash": "11734266416309377949"
             },
             "name": "API Management Service APIs Policies",
             "description": "This module deploys an API Management Service API Policy.",
diff --git a/avm/res/api-management/service/api/policy/main.json b/avm/res/api-management/service/api/policy/main.json
index dac60a7818..bcbaf1d3bc 100644
--- a/avm/res/api-management/service/api/policy/main.json
+++ b/avm/res/api-management/service/api/policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "7030990401011468302"
+      "version": "0.26.54.24096",
+      "templateHash": "11734266416309377949"
     },
     "name": "API Management Service APIs Policies",
     "description": "This module deploys an API Management Service API Policy.",
diff --git a/avm/res/api-management/service/authorization-server/main.json b/avm/res/api-management/service/authorization-server/main.json
index 7409325aee..78869fc966 100644
--- a/avm/res/api-management/service/authorization-server/main.json
+++ b/avm/res/api-management/service/authorization-server/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "18174659605054562490"
+      "version": "0.26.54.24096",
+      "templateHash": "505882801529152233"
     },
     "name": "API Management Service Authorization Servers",
     "description": "This module deploys an API Management Service Authorization Server.",
diff --git a/avm/res/api-management/service/backend/main.json b/avm/res/api-management/service/backend/main.json
index 6735b4b4cd..bba5ebcc1f 100644
--- a/avm/res/api-management/service/backend/main.json
+++ b/avm/res/api-management/service/backend/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "2373122860271627831"
+      "version": "0.26.54.24096",
+      "templateHash": "5914852504306173482"
     },
     "name": "API Management Service Backends",
     "description": "This module deploys an API Management Service Backend.",
diff --git a/avm/res/api-management/service/cache/main.json b/avm/res/api-management/service/cache/main.json
index 635fc75b2e..537d4e1259 100644
--- a/avm/res/api-management/service/cache/main.json
+++ b/avm/res/api-management/service/cache/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "7716740574911932509"
+      "version": "0.26.54.24096",
+      "templateHash": "5452536693649070190"
     },
     "name": "API Management Service Caches",
     "description": "This module deploys an API Management Service Cache.",
diff --git a/avm/res/api-management/service/identity-provider/README.md b/avm/res/api-management/service/identity-provider/README.md
index e6efa155c5..bb82ad51bc 100644
--- a/avm/res/api-management/service/identity-provider/README.md
+++ b/avm/res/api-management/service/identity-provider/README.md
@@ -141,12 +141,12 @@ Identity Provider Type identifier.
 - Allowed:
   ```Bicep
   [
+    'aad'
+    'aadB2C'
     'facebook'
     'google'
     'microsoft'
     'twitter'
-    'aad'
-    'aadB2C'
   ]
   ```
 
diff --git a/avm/res/api-management/service/identity-provider/main.json b/avm/res/api-management/service/identity-provider/main.json
index e707857bc2..d1ac06182d 100644
--- a/avm/res/api-management/service/identity-provider/main.json
+++ b/avm/res/api-management/service/identity-provider/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "3154989001112723220"
+      "version": "0.26.54.24096",
+      "templateHash": "6944159515007886666"
     },
     "name": "API Management Service Identity Providers",
     "description": "This module deploys an API Management Service Identity Provider.",
diff --git a/avm/res/api-management/service/main.json b/avm/res/api-management/service/main.json
index 83c5695051..6e828a8cfc 100644
--- a/avm/res/api-management/service/main.json
+++ b/avm/res/api-management/service/main.json
@@ -2899,4 +2899,4 @@
       "value": "[reference('service', '2021-08-01', 'full').location]"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/avm/res/api-management/service/named-value/main.json b/avm/res/api-management/service/named-value/main.json
index 40ba0474c7..2087682ca4 100644
--- a/avm/res/api-management/service/named-value/main.json
+++ b/avm/res/api-management/service/named-value/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "8836145661772426348"
+      "version": "0.26.54.24096",
+      "templateHash": "17256518550792037410"
     },
     "name": "API Management Service Named Values",
     "description": "This module deploys an API Management Service Named Value.",
diff --git a/avm/res/api-management/service/policy/main.json b/avm/res/api-management/service/policy/main.json
index 789f442757..a2d8a0624c 100644
--- a/avm/res/api-management/service/policy/main.json
+++ b/avm/res/api-management/service/policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "11401408412631964174"
+      "version": "0.26.54.24096",
+      "templateHash": "12407621079025229005"
     },
     "name": "API Management Service Policies",
     "description": "This module deploys an API Management Service Policy.",
diff --git a/avm/res/api-management/service/portalsetting/main.json b/avm/res/api-management/service/portalsetting/main.json
index f6882b3f61..510cbe1b2c 100644
--- a/avm/res/api-management/service/portalsetting/main.json
+++ b/avm/res/api-management/service/portalsetting/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "17742652979966426375"
+      "version": "0.26.54.24096",
+      "templateHash": "6528716876560144579"
     },
     "name": "API Management Service Portal Settings",
     "description": "This module deploys an API Management Service Portal Setting.",
diff --git a/avm/res/api-management/service/product/api/main.json b/avm/res/api-management/service/product/api/main.json
index 6a8980317c..6e0c22412b 100644
--- a/avm/res/api-management/service/product/api/main.json
+++ b/avm/res/api-management/service/product/api/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "11861068623935926152"
+      "version": "0.26.54.24096",
+      "templateHash": "2440306385645798125"
     },
     "name": "API Management Service Products APIs",
     "description": "This module deploys an API Management Service Product API.",
diff --git a/avm/res/api-management/service/product/group/main.json b/avm/res/api-management/service/product/group/main.json
index b676f6bf18..af4900659f 100644
--- a/avm/res/api-management/service/product/group/main.json
+++ b/avm/res/api-management/service/product/group/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "16009390664131411394"
+      "version": "0.26.54.24096",
+      "templateHash": "7056381119937736015"
     },
     "name": "API Management Service Products Groups",
     "description": "This module deploys an API Management Service Product Group.",
diff --git a/avm/res/api-management/service/product/main.json b/avm/res/api-management/service/product/main.json
index 1e5cde7d1f..36c877e581 100644
--- a/avm/res/api-management/service/product/main.json
+++ b/avm/res/api-management/service/product/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "11338797354163447995"
+      "version": "0.26.54.24096",
+      "templateHash": "2407987626180908324"
     },
     "name": "API Management Service Products",
     "description": "This module deploys an API Management Service Product.",
@@ -126,8 +126,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.170.59819",
-              "templateHash": "11861068623935926152"
+              "version": "0.26.54.24096",
+              "templateHash": "2440306385645798125"
             },
             "name": "API Management Service Products APIs",
             "description": "This module deploys an API Management Service Product API.",
@@ -216,8 +216,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.170.59819",
-              "templateHash": "16009390664131411394"
+              "version": "0.26.54.24096",
+              "templateHash": "7056381119937736015"
             },
             "name": "API Management Service Products Groups",
             "description": "This module deploys an API Management Service Product Group.",
diff --git a/avm/res/api-management/service/subscription/main.json b/avm/res/api-management/service/subscription/main.json
index 911fa7543e..7bfb9de555 100644
--- a/avm/res/api-management/service/subscription/main.json
+++ b/avm/res/api-management/service/subscription/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "1707587491854823408"
+      "version": "0.26.54.24096",
+      "templateHash": "12071485798846786639"
     },
     "name": "API Management Service Subscriptions",
     "description": "This module deploys an API Management Service Subscription.",
diff --git a/avm/res/app/job/main.json b/avm/res/app/job/main.json
index 58fed4a24e..6d8ee06c25 100644
--- a/avm/res/app/job/main.json
+++ b/avm/res/app/job/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "3096359783958038878"
+      "version": "0.27.1.19265",
+      "templateHash": "11649443218681434280"
     },
     "name": "Container App Jobs",
     "description": "This module deploys a Container App Job.",
diff --git a/avm/res/batch/batch-account/README.md b/avm/res/batch/batch-account/README.md
index 90a7b88bdb..f2d6ddd938 100644
--- a/avm/res/batch/batch-account/README.md
+++ b/avm/res/batch/batch-account/README.md
@@ -691,9 +691,9 @@ List of allowed authentication modes for the Batch account that can be used to a
 - Allowed:
   ```Bicep
   [
+    'AAD'
     'SharedKey'
     'TaskAuthenticationToken'
-    'AAD'
   ]
   ```
 
diff --git a/avm/res/batch/batch-account/main.json b/avm/res/batch/batch-account/main.json
index 982aca6bf9..918b144932 100644
--- a/avm/res/batch/batch-account/main.json
+++ b/avm/res/batch/batch-account/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "3893634721932693918"
+      "version": "0.26.54.24096",
+      "templateHash": "11103817479788393007"
     },
     "name": "Batch Accounts",
     "description": "This module deploys a Batch Account.",
diff --git a/avm/res/cache/redis/main.json b/avm/res/cache/redis/main.json
index d2c8d21350..b7da02c047 100644
--- a/avm/res/cache/redis/main.json
+++ b/avm/res/cache/redis/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "14610347286140734482"
+      "version": "0.26.54.24096",
+      "templateHash": "15170120544539480286"
     },
     "name": "Redis Cache",
     "description": "This module deploys a Redis Cache.",
diff --git a/avm/res/cdn/profile/afdEndpoint/main.json b/avm/res/cdn/profile/afdEndpoint/main.json
index 23fd2d72d2..dbaf3c9233 100644
--- a/avm/res/cdn/profile/afdEndpoint/main.json
+++ b/avm/res/cdn/profile/afdEndpoint/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "3255198433705940781"
+      "version": "0.26.54.24096",
+      "templateHash": "8869132357079269087"
     },
     "name": "CDN Profiles AFD Endpoints",
     "description": "This module deploys a CDN Profile AFD Endpoint.",
@@ -156,8 +156,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.170.59819",
-              "templateHash": "12469321322924109409"
+              "version": "0.26.54.24096",
+              "templateHash": "8525791914559803218"
             },
             "name": "CDN Profiles AFD Endpoint Route",
             "description": "This module deploys a CDN Profile AFD Endpoint route.",
diff --git a/avm/res/cdn/profile/afdEndpoint/route/main.json b/avm/res/cdn/profile/afdEndpoint/route/main.json
index 1144b0099f..ce9f9ea2c5 100644
--- a/avm/res/cdn/profile/afdEndpoint/route/main.json
+++ b/avm/res/cdn/profile/afdEndpoint/route/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "12469321322924109409"
+      "version": "0.26.54.24096",
+      "templateHash": "8525791914559803218"
     },
     "name": "CDN Profiles AFD Endpoint Route",
     "description": "This module deploys a CDN Profile AFD Endpoint route.",
diff --git a/avm/res/cdn/profile/customdomain/main.json b/avm/res/cdn/profile/customdomain/main.json
index 2834e7dc00..54f6fa7a8d 100644
--- a/avm/res/cdn/profile/customdomain/main.json
+++ b/avm/res/cdn/profile/customdomain/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "15721665305636481516"
+      "version": "0.26.54.24096",
+      "templateHash": "15657388199001378642"
     },
     "name": "CDN Profiles Custom Domains",
     "description": "This module deploys a CDN Profile Custom Domains.",
diff --git a/avm/res/cdn/profile/endpoint/main.json b/avm/res/cdn/profile/endpoint/main.json
index f38b67df97..4866a4cf53 100644
--- a/avm/res/cdn/profile/endpoint/main.json
+++ b/avm/res/cdn/profile/endpoint/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "2906172435071993445"
+      "version": "0.26.54.24096",
+      "templateHash": "5516612458443504281"
     },
     "name": "CDN Profiles Endpoints",
     "description": "This module deploys a CDN Profile Endpoint.",
@@ -125,8 +125,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.170.59819",
-              "templateHash": "3665403791951260301"
+              "version": "0.26.54.24096",
+              "templateHash": "11112660703037023992"
             },
             "name": "CDN Profiles Endpoints Origins",
             "description": "This module deploys a CDN Profile Endpoint Origin.",
diff --git a/avm/res/cdn/profile/endpoint/origin/main.json b/avm/res/cdn/profile/endpoint/origin/main.json
index 139f01f24a..bb4eefa74d 100644
--- a/avm/res/cdn/profile/endpoint/origin/main.json
+++ b/avm/res/cdn/profile/endpoint/origin/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "3665403791951260301"
+      "version": "0.26.54.24096",
+      "templateHash": "11112660703037023992"
     },
     "name": "CDN Profiles Endpoints Origins",
     "description": "This module deploys a CDN Profile Endpoint Origin.",
diff --git a/avm/res/cdn/profile/origingroup/main.json b/avm/res/cdn/profile/origingroup/main.json
index 7d36c13c02..4dce9e8ca3 100644
--- a/avm/res/cdn/profile/origingroup/main.json
+++ b/avm/res/cdn/profile/origingroup/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "12438540618132459307"
+      "version": "0.26.54.24096",
+      "templateHash": "8706007645911322422"
     },
     "name": "CDN Profiles Origin Group",
     "description": "This module deploys a CDN Profile Origin Group.",
@@ -142,8 +142,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.170.59819",
-              "templateHash": "8566106020570825253"
+              "version": "0.26.54.24096",
+              "templateHash": "16657064743499074369"
             },
             "name": "CDN Profiles Origin",
             "description": "This module deploys a CDN Profile Origin.",
diff --git a/avm/res/cdn/profile/origingroup/origin/main.json b/avm/res/cdn/profile/origingroup/origin/main.json
index 4f80a2bd95..fb48ec8744 100644
--- a/avm/res/cdn/profile/origingroup/origin/main.json
+++ b/avm/res/cdn/profile/origingroup/origin/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "8566106020570825253"
+      "version": "0.26.54.24096",
+      "templateHash": "16657064743499074369"
     },
     "name": "CDN Profiles Origin",
     "description": "This module deploys a CDN Profile Origin.",
diff --git a/avm/res/cdn/profile/ruleset/main.json b/avm/res/cdn/profile/ruleset/main.json
index 9610ff8024..349d081644 100644
--- a/avm/res/cdn/profile/ruleset/main.json
+++ b/avm/res/cdn/profile/ruleset/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "5891069247146856543"
+      "version": "0.26.54.24096",
+      "templateHash": "1809010747275335698"
     },
     "name": "CDN Profiles Rule Sets",
     "description": "This module deploys a CDN Profile rule set.",
@@ -91,8 +91,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.170.59819",
-              "templateHash": "4690708071413750601"
+              "version": "0.26.54.24096",
+              "templateHash": "8195283154733773558"
             },
             "name": "CDN Profiles Rules",
             "description": "This module deploys a CDN Profile rule.",
diff --git a/avm/res/cdn/profile/ruleset/rule/main.json b/avm/res/cdn/profile/ruleset/rule/main.json
index 7b3a3304f7..dc817e69f6 100644
--- a/avm/res/cdn/profile/ruleset/rule/main.json
+++ b/avm/res/cdn/profile/ruleset/rule/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "4690708071413750601"
+      "version": "0.26.54.24096",
+      "templateHash": "8195283154733773558"
     },
     "name": "CDN Profiles Rules",
     "description": "This module deploys a CDN Profile rule.",
diff --git a/avm/res/cdn/profile/secret/main.json b/avm/res/cdn/profile/secret/main.json
index 99e5939112..9ba045e7be 100644
--- a/avm/res/cdn/profile/secret/main.json
+++ b/avm/res/cdn/profile/secret/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "364931243138434002"
+      "version": "0.26.54.24096",
+      "templateHash": "7298174434641608123"
     },
     "name": "CDN Profiles Secret",
     "description": "This module deploys a CDN Profile Secret.",
diff --git a/avm/res/cognitive-services/account/main.json b/avm/res/cognitive-services/account/main.json
index d121bff4e2..8b8cbfdf28 100644
--- a/avm/res/cognitive-services/account/main.json
+++ b/avm/res/cognitive-services/account/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "499952504813132750"
+      "version": "0.26.54.24096",
+      "templateHash": "16646471610876147779"
     },
     "name": "Cognitive Services",
     "description": "This module deploys a Cognitive Service.",
diff --git a/avm/res/compute/availability-set/main.json b/avm/res/compute/availability-set/main.json
index e5935e4235..290131af55 100644
--- a/avm/res/compute/availability-set/main.json
+++ b/avm/res/compute/availability-set/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "1482827040324478831"
+      "version": "0.26.54.24096",
+      "templateHash": "9732921541323544854"
     },
     "name": "Availability Sets",
     "description": "This module deploys an Availability Set.",
diff --git a/avm/res/compute/disk-encryption-set/main.json b/avm/res/compute/disk-encryption-set/main.json
index d8c8ba7e58..db3719112f 100644
--- a/avm/res/compute/disk-encryption-set/main.json
+++ b/avm/res/compute/disk-encryption-set/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "17419089387885253563"
+      "version": "0.26.54.24096",
+      "templateHash": "12741671665077521328"
     },
     "name": "Disk Encryption Sets",
     "description": "This module deploys a Disk Encryption Set. The module will attempt to set permissions on the provided Key Vault for any used user-assigned identity.",
@@ -374,8 +374,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.26.170.59819",
-              "templateHash": "16786824117269367102"
+              "version": "0.26.54.24096",
+              "templateHash": "11328049361610922964"
             }
           },
           "parameters": {
@@ -462,8 +462,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.26.170.59819",
-                      "templateHash": "4087128099053179532"
+                      "version": "0.26.54.24096",
+                      "templateHash": "3020199531226338329"
                     },
                     "name": "Key Vault Access Policies",
                     "description": "This module deploys a Key Vault Access Policy.",
@@ -735,4 +735,4 @@
       "value": "[reference('diskEncryptionSet', '2023-10-02', 'full').location]"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/avm/res/compute/disk/main.json b/avm/res/compute/disk/main.json
index c2622b1a78..3a754a36b6 100644
--- a/avm/res/compute/disk/main.json
+++ b/avm/res/compute/disk/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.170.59819",
-      "templateHash": "12176121248469967352"
+      "version": "0.26.54.24096",
+      "templateHash": "13557505070746246600"
     },
     "name": "Compute Disks",
     "description": "This module deploys a Compute Disk",
diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index e7fb95dd06..c1e4b4a552 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -18,7 +18,6 @@ This module deploys a Search Service.
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
-| `Microsoft.KeyVault/vaults/secrets` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/secrets) |
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
 | `Microsoft.Search/searchServices` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Search/2023-11-01/searchServices) |
@@ -33,10 +32,9 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br/public:avm/res/search/search-service:<version>`.
 
 - [Using only defaults](#example-1-using-only-defaults)
-- [Deploying with a key vault reference to save secrets](#example-2-deploying-with-a-key-vault-reference-to-save-secrets)
-- [Using large parameter set](#example-3-using-large-parameter-set)
-- [Private endpoint-enabled deployment](#example-4-private-endpoint-enabled-deployment)
-- [WAF-aligned](#example-5-waf-aligned)
+- [Using large parameter set](#example-2-using-large-parameter-set)
+- [Private endpoint-enabled deployment](#example-3-private-endpoint-enabled-deployment)
+- [WAF-aligned](#example-4-waf-aligned)
 
 ### Example 1: _Using only defaults_
 
@@ -86,6 +84,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
+<<<<<<< HEAD
 ### Example 2: _Deploying with a key vault reference to save secrets_
 
 This instance deploys the module saving admin key secrets in a key vault.
@@ -161,6 +160,9 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 <p>
 
 ### Example 3: _Using large parameter set_
+=======
+### Example 2: _Using large parameter set_
+>>>>>>> parent of e4e03661 (AISearchService with adminkeys in keyvault)
 
 This instance deploys the module with most of its features enabled.
 
@@ -366,7 +368,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
-### Example 4: _Private endpoint-enabled deployment_
+### Example 3: _Private endpoint-enabled deployment_
 
 This instance deploys the module with private endpoints.
 
@@ -502,7 +504,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
-### Example 5: _WAF-aligned_
+### Example 4: _WAF-aligned_
 
 This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
 
@@ -696,7 +698,10 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. |
 | [`replicaCount`](#parameter-replicacount) | int | The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
+<<<<<<< HEAD
 | [`secretsKeyVault`](#parameter-secretskeyvault) | object | Key vault reference and secret settings to add the API admin keys generated by the search-service account. |
+=======
+>>>>>>> parent of e4e03661 (AISearchService with adminkeys in keyvault)
 | [`semanticSearch`](#parameter-semanticsearch) | string | Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations. |
 | [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The sharedPrivateLinkResources to create as part of the search Service. |
 | [`sku`](#parameter-sku) | string | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. |
@@ -1445,6 +1450,7 @@ The principal type of the assigned principal ID.
   ]
   ```
 
+<<<<<<< HEAD
 ### Parameter: `secretsKeyVault`
 
 Key vault reference and secret settings to add the API admin keys generated by the search-service account.
@@ -1494,6 +1500,8 @@ Default to API Secondary admin key . The secondary admin key secret name to crea
 - Required: No
 - Type: string
 
+=======
+>>>>>>> parent of e4e03661 (AISearchService with adminkeys in keyvault)
 ### Parameter: `semanticSearch`
 
 Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations.
diff --git a/avm/res/search/search-service/main.json b/avm/res/search/search-service/main.json
index 7a7e2b8085..68d40f5977 100644
--- a/avm/res/search/search-service/main.json
+++ b/avm/res/search/search-service/main.json
@@ -1478,8 +1478,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.27.1.19265",
-              "templateHash": "12246294953666077655"
+              "version": "0.26.54.24096",
+              "templateHash": "4284041533987186633"
             },
             "name": "Search Services Private Link Resources",
             "description": "This module deploys a Search Service Private Link Resource.",
@@ -1574,98 +1574,6 @@
       "dependsOn": [
         "searchService"
       ]
-    },
-    "keyVault": {
-      "condition": "[not(equals(parameters('secretsKeyVault'), null()))]",
-      "type": "Microsoft.Resources/deployments",
-      "apiVersion": "2022-09-01",
-      "name": "[format('{0}-secrets-kv', uniqueString(deployment().name, parameters('location')))]",
-      "resourceGroup": "[coalesce(tryGet(parameters('secretsKeyVault'), 'resourceGroupName'), resourceGroup().name)]",
-      "properties": {
-        "expressionEvaluationOptions": {
-          "scope": "inner"
-        },
-        "mode": "Incremental",
-        "parameters": {
-          "keyVaultName": {
-            "value": "[parameters('secretsKeyVault').keyVaultName]"
-          },
-          "keySecrets": {
-            "value": [
-              {
-                "secretName": "[coalesce(tryGet(parameters('secretsKeyVault'), 'primaryAdminKeySecretName'), 'Primary-Admin-Key')]",
-                "secretValue": "[listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2023-11-01').primaryKey]"
-              },
-              {
-                "secretName": "[coalesce(tryGet(parameters('secretsKeyVault'), 'secondaryAdminKeySecretName'), 'Secondary-Admin-Key')]",
-                "secretValue": "[listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2023-11-01').secondaryKey]"
-              }
-            ]
-          }
-        },
-        "template": {
-          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-          "languageVersion": "2.0",
-          "contentVersion": "1.0.0.0",
-          "metadata": {
-            "_generator": {
-              "name": "bicep",
-              "version": "0.27.1.19265",
-              "templateHash": "17423703517558214368"
-            }
-          },
-          "definitions": {
-            "keySecret": {
-              "type": "object",
-              "properties": {
-                "secretName": {
-                  "type": "string"
-                },
-                "secretValue": {
-                  "type": "securestring"
-                }
-              }
-            }
-          },
-          "parameters": {
-            "keyVaultName": {
-              "type": "string"
-            },
-            "keySecrets": {
-              "type": "array",
-              "items": {
-                "$ref": "#/definitions/keySecret"
-              }
-            }
-          },
-          "resources": {
-            "kv": {
-              "existing": true,
-              "type": "Microsoft.KeyVault/vaults",
-              "apiVersion": "2022-07-01",
-              "name": "[parameters('keyVaultName')]"
-            },
-            "keySecretsSecrets": {
-              "copy": {
-                "name": "keySecretsSecrets",
-                "count": "[length(parameters('keySecrets'))]"
-              },
-              "type": "Microsoft.KeyVault/vaults/secrets",
-              "apiVersion": "2022-07-01",
-              "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('keySecrets')[copyIndex()].secretName)]",
-              "properties": {
-                "value": "[parameters('keySecrets')[copyIndex()].secretValue]"
-              },
-              "dependsOn": [
-                "kv"
-              ]
-            }
-          }
-        }
-      },
-      "dependsOn": [
-        "searchService"
-      ]
     }
   },
   "outputs": {
@@ -1705,4 +1613,4 @@
       "value": "[reference('searchService', '2023-11-01', 'full').location]"
     }
   }
-}
\ No newline at end of file
+}
diff --git a/avm/res/search/search-service/shared-private-link-resource/main.json b/avm/res/search/search-service/shared-private-link-resource/main.json
index cd5294c419..e6f281a453 100644
--- a/avm/res/search/search-service/shared-private-link-resource/main.json
+++ b/avm/res/search/search-service/shared-private-link-resource/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.27.1.19265",
-      "templateHash": "12246294953666077655"
+      "version": "0.26.54.24096",
+      "templateHash": "4284041533987186633"
     },
     "name": "Search Services Private Link Resources",
     "description": "This module deploys a Search Service Private Link Resource.",

From 46f01798325668601ec5da6fa14c2ae8b925823e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Wed, 14 Aug 2024 16:31:24 +0200
Subject: [PATCH 07/26] Updated to Secrets export

---
 avm/res/search/search-service/README.md       |  67 +++---
 avm/res/search/search-service/main.bicep      |  71 ++++---
 avm/res/search/search-service/main.json       | 198 ++++++++++++++++--
 .../modules/keyVaultExport.bicep              |  62 ++++++
 .../modules/secrets-key-vault.bicep           |  23 --
 .../tests/e2e/kvSecrets/dependencies.bicep    |   4 +-
 .../tests/e2e/kvSecrets/main.test.bicep       |   7 +-
 7 files changed, 322 insertions(+), 110 deletions(-)
 create mode 100644 avm/res/search/search-service/modules/keyVaultExport.bicep
 delete mode 100644 avm/res/search/search-service/modules/secrets-key-vault.bicep

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index 6e0ae49fd3..a13fb5ce9e 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -18,6 +18,7 @@ This module deploys a Search Service.
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
+| `Microsoft.KeyVault/vaults/secrets` | [2023-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2023-07-01/vaults/secrets) |
 | `Microsoft.Network/privateEndpoints` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints/privateDnsZoneGroups) |
 | `Microsoft.Search/searchServices` | [2024-03-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Search/2024-03-01-preview/searchServices) |
@@ -32,9 +33,10 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br/public:avm/res/search/search-service:<version>`.
 
 - [Using only defaults](#example-1-using-only-defaults)
-- [Using large parameter set](#example-2-using-large-parameter-set)
-- [Private endpoint-enabled deployment](#example-3-private-endpoint-enabled-deployment)
-- [WAF-aligned](#example-4-waf-aligned)
+- [Deploying with a key vault reference to save secrets](#example-2-deploying-with-a-key-vault-reference-to-save-secrets)
+- [Using large parameter set](#example-3-using-large-parameter-set)
+- [Private endpoint-enabled deployment](#example-4-private-endpoint-enabled-deployment)
+- [WAF-aligned](#example-5-waf-aligned)
 
 ### Example 1: _Using only defaults_
 
@@ -84,7 +86,6 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
-<<<<<<< HEAD
 ### Example 2: _Deploying with a key vault reference to save secrets_
 
 This instance deploys the module saving admin key secrets in a key vault.
@@ -108,9 +109,10 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
     }
     disableLocalAuth: false
     location: '<location>'
-    secretsKeyVault: {
-      keyVaultName: '<keyVaultName>'
-      primaryAdminKeySecretName: 'Primary-Admin-Key'
+    secretsExportConfiguration: {
+      keyVaultResourceId: '<keyVaultResourceId>'
+      primaryAdminKey: 'Primary-Admin-Key'
+      secondaryAdminKey: 'Secondary-Admin-Key'
     }
   }
 }
@@ -146,10 +148,11 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
     "location": {
       "value": "<location>"
     },
-    "secretsKeyVault": {
+    "secretsExportConfiguration": {
       "value": {
-        "keyVaultName": "<keyVaultName>",
-        "primaryAdminKeySecretName": "Primary-Admin-Key"
+        "keyVaultResourceId": "<keyVaultResourceId>",
+        "primaryAdminKey": "Primary-Admin-Key",
+        "secondaryAdminKey": "Secondary-Admin-Key"
       }
     }
   }
@@ -160,9 +163,6 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 <p>
 
 ### Example 3: _Using large parameter set_
-=======
-### Example 2: _Using large parameter set_
->>>>>>> parent of e4e03661 (AISearchService with adminkeys in keyvault)
 
 This instance deploys the module with most of its features enabled.
 
@@ -378,7 +378,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
-### Example 3: _Private endpoint-enabled deployment_
+### Example 4: _Private endpoint-enabled deployment_
 
 This instance deploys the module with private endpoints.
 
@@ -514,7 +514,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
-### Example 4: _WAF-aligned_
+### Example 5: _WAF-aligned_
 
 This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
 
@@ -708,10 +708,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. |
 | [`replicaCount`](#parameter-replicacount) | int | The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-<<<<<<< HEAD
-| [`secretsKeyVault`](#parameter-secretskeyvault) | object | Key vault reference and secret settings to add the API admin keys generated by the search-service account. |
-=======
->>>>>>> parent of e4e03661 (AISearchService with adminkeys in keyvault)
+| [`secretsExportConfiguration`](#parameter-secretsexportconfiguration) | object | Key vault reference and secret settings for the module's secrets export. |
 | [`semanticSearch`](#parameter-semanticsearch) | string | Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations. |
 | [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The sharedPrivateLinkResources to create as part of the search Service. |
 | [`sku`](#parameter-sku) | string | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. |
@@ -1484,10 +1481,9 @@ The principal type of the assigned principal ID.
   ]
   ```
 
-<<<<<<< HEAD
-### Parameter: `secretsKeyVault`
+### Parameter: `secretsExportConfiguration`
 
-Key vault reference and secret settings to add the API admin keys generated by the search-service account.
+Key vault reference and secret settings for the module's secrets export.
 
 - Required: No
 - Type: object
@@ -1496,46 +1492,36 @@ Key vault reference and secret settings to add the API admin keys generated by t
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`keyVaultName`](#parameter-secretskeyvaultkeyvaultname) | string | The key vault name where to store the API Admin keys generated by the modules. |
+| [`keyVaultResourceId`](#parameter-secretsexportconfigurationkeyvaultresourceid) | string | The key vault name where to store the API Admin keys generated by the modules. |
 
 **Optional parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`primaryAdminKeySecretName`](#parameter-secretskeyvaultprimaryadminkeysecretname) | string | Default to API Primary admin key . The primary admin key secret name to create. |
-| [`resourceGroupName`](#parameter-secretskeyvaultresourcegroupname) | string | Default to the resource group where this account is. The resource group name where the key vault is. |
-| [`secondaryAdminKeySecretName`](#parameter-secretskeyvaultsecondaryadminkeysecretname) | string | Default to API Secondary admin key . The secondary admin key secret name to create. |
+| [`primaryAdminKey`](#parameter-secretsexportconfigurationprimaryadminkey) | string | The primaryAdminKey secret name to create. |
+| [`secondaryAdminKey`](#parameter-secretsexportconfigurationsecondaryadminkey) | string | The secondaryAdminKey secret name to create. |
 
-### Parameter: `secretsKeyVault.keyVaultName`
+### Parameter: `secretsExportConfiguration.keyVaultResourceId`
 
 The key vault name where to store the API Admin keys generated by the modules.
 
 - Required: Yes
 - Type: string
 
-### Parameter: `secretsKeyVault.primaryAdminKeySecretName`
+### Parameter: `secretsExportConfiguration.primaryAdminKey`
 
-Default to API Primary admin key . The primary admin key secret name to create.
+The primaryAdminKey secret name to create.
 
 - Required: No
 - Type: string
 
-### Parameter: `secretsKeyVault.resourceGroupName`
+### Parameter: `secretsExportConfiguration.secondaryAdminKey`
 
-Default to the resource group where this account is. The resource group name where the key vault is.
+The secondaryAdminKey secret name to create.
 
 - Required: No
 - Type: string
 
-### Parameter: `secretsKeyVault.secondaryAdminKeySecretName`
-
-Default to API Secondary admin key . The secondary admin key secret name to create.
-
-- Required: No
-- Type: string
-
-=======
->>>>>>> parent of e4e03661 (AISearchService with adminkeys in keyvault)
 ### Parameter: `semanticSearch`
 
 Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations.
@@ -1591,6 +1577,7 @@ Tags to help categorize the resource in the Azure portal.
 
 | Output | Type | Description |
 | :-- | :-- | :-- |
+| `exportedSecrets` |  | A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret's name. |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the search service. |
 | `resourceGroupName` | string | The name of the resource group the search service was created in. |
diff --git a/avm/res/search/search-service/main.bicep b/avm/res/search/search-service/main.bicep
index 14155f24de..6d7e8549fd 100644
--- a/avm/res/search/search-service/main.bicep
+++ b/avm/res/search/search-service/main.bicep
@@ -60,8 +60,8 @@ param sharedPrivateLinkResources array = []
 ])
 param publicNetworkAccess string = 'enabled'
 
-@description('Optional. Key vault reference and secret settings to add the API admin keys generated by the search-service account.')
-param secretsKeyVault secretsKeyVaultType?
+@description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
+param secretsExportConfiguration secretsExportConfigurationType?
 
 @description('Optional. The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU.')
 @minValue(1)
@@ -318,9 +318,7 @@ module searchService_sharedPrivateLinkResources 'shared-private-link-resource/ma
   for (sharedPrivateLinkResource, index) in sharedPrivateLinkResources: {
     name: '${uniqueString(deployment().name, location)}-searchService-SharedPrivateLink-${index}'
     params: {
-      name: contains(sharedPrivateLinkResource, 'name')
-        ? sharedPrivateLinkResource.name
-        : 'spl-${last(split(searchService.id, '/'))}-${sharedPrivateLinkResource.groupId}-${index}'
+      name: sharedPrivateLinkResource.?name ?? 'spl-${last(split(searchService.id, '/'))}-${sharedPrivateLinkResource.groupId}-${index}'
       searchServiceName: searchService.name
       privateLinkResourceId: sharedPrivateLinkResource.privateLinkResourceId
       groupId: sharedPrivateLinkResource.groupId
@@ -330,22 +328,33 @@ module searchService_sharedPrivateLinkResources 'shared-private-link-resource/ma
   }
 ]
 
-module keyVault 'modules/secrets-key-vault.bicep' = if (secretsKeyVault != null) {
+module secretsExport 'modules/keyVaultExport.bicep' = if (secretsExportConfiguration != null) {
   name: '${uniqueString(deployment().name, location)}-secrets-kv'
-  scope: resourceGroup(secretsKeyVault.?resourceGroupName ?? resourceGroup().name)
+  scope: resourceGroup(
+    split((secretsExportConfiguration.?keyVaultResourceId ?? '//'), '/')[2],
+    split((secretsExportConfiguration.?keyVaultResourceId ?? '////'), '/')[4]
+  )
   params: {
-    keyVaultName: secretsKeyVault!.keyVaultName
-
-    keySecrets: [
-      {
-        secretName: secretsKeyVault.?primaryAdminKeySecretName ?? 'Primary-Admin-Key'
-        secretValue: searchService.listAdminKeys().primaryKey
-      }
-      {
-        secretName: secretsKeyVault.?secondaryAdminKeySecretName ?? 'Secondary-Admin-Key'
-        secretValue: searchService.listAdminKeys().secondaryKey
-      }
-    ]
+    keyVaultName: last(split(secretsExportConfiguration.?keyVaultResourceId ?? '//', '/'))
+    secretsToSet: union(
+      [],
+      contains(secretsExportConfiguration!, 'primaryAdminKey')
+        ? [
+            {
+              name: secretsExportConfiguration!.primaryAdminKey
+              value: searchService.listAdminKeys().primaryKey
+            }
+          ]
+        : [],
+      contains(secretsExportConfiguration!, 'secondaryAdminKey')
+        ? [
+            {
+              name: secretsExportConfiguration!.secondaryAdminKey
+              value: searchService.listAdminKeys().secondaryKey
+            }
+          ]
+        : []
+    )
   }
 }
 
@@ -368,6 +377,11 @@ output systemAssignedMIPrincipalId string = searchService.?identity.?principalId
 @description('The location the resource was deployed into.')
 output location string = searchService.location
 
+@description('A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret\'s name.')
+output exportedSecrets secretsOutputType = (secretsExportConfiguration != null)
+  ? toObject(secretsExport.outputs.secretsSet, secret => last(split(secret.secretResourceId, '/')), secret => secret)
+  : {}
+
 // =============== //
 //   Definitions   //
 // =============== //
@@ -536,16 +550,19 @@ type diagnosticSettingType = {
   marketplacePartnerResourceId: string?
 }[]?
 
-type secretsKeyVaultType = {
+type secretsExportConfigurationType = {
   @description('Required. The key vault name where to store the API Admin keys generated by the modules.')
-  keyVaultName: string
+  keyVaultResourceId: string
 
-  @description('Optional. Default to the resource group where this account is. The resource group name where the key vault is.')
-  resourceGroupName: string?
+  @description('Optional. The primaryAdminKey secret name to create.')
+  primaryAdminKey: string?
 
-  @description('Optional. Default to API Primary admin key . The primary admin key secret name to create.')
-  primaryAdminKeySecretName: string?
+  @description('Optional. The secondaryAdminKey secret name to create.')
+  secondaryAdminKey: string?
+}
 
-  @description('Optional. Default to API Secondary admin key . The secondary admin key secret name to create.')
-  secondaryAdminKeySecretName: string?
+import { secretSetType } from 'modules/keyVaultExport.bicep'
+type secretsOutputType = {
+  @description('An exported secret\'s references.')
+  *: secretSetType
 }
diff --git a/avm/res/search/search-service/main.json b/avm/res/search/search-service/main.json
index 4357f912de..146cf434f8 100644
--- a/avm/res/search/search-service/main.json
+++ b/avm/res/search/search-service/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.29.47.4906",
-      "templateHash": "15785260316401338655"
+      "templateHash": "17248953607027738115"
     },
     "name": "Search Services",
     "description": "This module deploys a Search Service.",
@@ -451,36 +451,61 @@
       },
       "nullable": true
     },
-    "secretsKeyVaultType": {
+    "secretsExportConfigurationType": {
       "type": "object",
       "properties": {
-        "keyVaultName": {
+        "keyVaultResourceId": {
           "type": "string",
           "metadata": {
             "description": "Required. The key vault name where to store the API Admin keys generated by the modules."
           }
         },
-        "resourceGroupName": {
+        "primaryAdminKey": {
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. Default to the resource group where this account is. The resource group name where the key vault is."
+            "description": "Optional. The primaryAdminKey secret name to create."
           }
         },
-        "primaryAdminKeySecretName": {
+        "secondaryAdminKey": {
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. Default to API Primary admin key . The primary admin key secret name to create."
+            "description": "Optional. The secondaryAdminKey secret name to create."
+          }
+        }
+      }
+    },
+    "secretsOutputType": {
+      "type": "object",
+      "properties": {},
+      "additionalProperties": {
+        "$ref": "#/definitions/secretSetType",
+        "metadata": {
+          "description": "An exported secret's references."
+        }
+      }
+    },
+    "secretSetType": {
+      "type": "object",
+      "properties": {
+        "secretResourceId": {
+          "type": "string",
+          "metadata": {
+            "description": "The resourceId of the exported secret."
           }
         },
-        "secondaryAdminKeySecretName": {
+        "secretUri": {
           "type": "string",
-          "nullable": true,
           "metadata": {
-            "description": "Optional. Default to API Secondary admin key . The secondary admin key secret name to create."
+            "description": "The secret URI of the exported secret."
           }
         }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "modules/keyVaultExport.bicep"
+        }
       }
     }
   },
@@ -588,11 +613,11 @@
         "description": "Optional. This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method."
       }
     },
-    "secretsKeyVault": {
-      "$ref": "#/definitions/secretsKeyVaultType",
+    "secretsExportConfiguration": {
+      "$ref": "#/definitions/secretsExportConfigurationType",
       "nullable": true,
       "metadata": {
-        "description": "Optional. Key vault reference and secret settings to add the API admin keys generated by the search-service account."
+        "description": "Optional. Key vault reference and secret settings for the module's secrets export."
       }
     },
     "replicaCount": {
@@ -1506,7 +1531,9 @@
         },
         "mode": "Incremental",
         "parameters": {
-          "name": "[if(contains(parameters('sharedPrivateLinkResources')[copyIndex()], 'name'), createObject('value', parameters('sharedPrivateLinkResources')[copyIndex()].name), createObject('value', format('spl-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), parameters('sharedPrivateLinkResources')[copyIndex()].groupId, copyIndex())))]",
+          "name": {
+            "value": "[coalesce(tryGet(parameters('sharedPrivateLinkResources')[copyIndex()], 'name'), format('spl-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), parameters('sharedPrivateLinkResources')[copyIndex()].groupId, copyIndex()))]"
+          },
           "searchServiceName": {
             "value": "[parameters('name')]"
           },
@@ -1626,6 +1653,140 @@
       "dependsOn": [
         "searchService"
       ]
+    },
+    "secretsExport": {
+      "condition": "[not(equals(parameters('secretsExportConfiguration'), null()))]",
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2022-09-01",
+      "name": "[format('{0}-secrets-kv', uniqueString(deployment().name, parameters('location')))]",
+      "subscriptionId": "[split(coalesce(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '//'), '/')[2]]",
+      "resourceGroup": "[split(coalesce(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '////'), '/')[4]]",
+      "properties": {
+        "expressionEvaluationOptions": {
+          "scope": "inner"
+        },
+        "mode": "Incremental",
+        "parameters": {
+          "keyVaultName": {
+            "value": "[last(split(coalesce(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '//'), '/'))]"
+          },
+          "secretsToSet": {
+            "value": "[union(createArray(), if(contains(parameters('secretsExportConfiguration'), 'primaryAdminKey'), createArray(createObject('name', parameters('secretsExportConfiguration').primaryAdminKey, 'value', listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2024-03-01-preview').primaryKey)), createArray()), if(contains(parameters('secretsExportConfiguration'), 'secondaryAdminKey'), createArray(createObject('name', parameters('secretsExportConfiguration').secondaryAdminKey, 'value', listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2024-03-01-preview').secondaryKey)), createArray()))]"
+          }
+        },
+        "template": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "languageVersion": "2.0",
+          "contentVersion": "1.0.0.0",
+          "metadata": {
+            "_generator": {
+              "name": "bicep",
+              "version": "0.29.47.4906",
+              "templateHash": "986606208324987345"
+            }
+          },
+          "definitions": {
+            "secretSetType": {
+              "type": "object",
+              "properties": {
+                "secretResourceId": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "The resourceId of the exported secret."
+                  }
+                },
+                "secretUri": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "The secret URI of the exported secret."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
+            },
+            "secretToSetType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the secret to set."
+                  }
+                },
+                "value": {
+                  "type": "securestring",
+                  "metadata": {
+                    "description": "Required. The value of the secret to set."
+                  }
+                }
+              }
+            }
+          },
+          "parameters": {
+            "keyVaultName": {
+              "type": "string",
+              "metadata": {
+                "description": "Required. The name of the Key Vault to set the ecrets in."
+              }
+            },
+            "secretsToSet": {
+              "type": "array",
+              "items": {
+                "$ref": "#/definitions/secretToSetType"
+              },
+              "metadata": {
+                "description": "Required. The secrets to set in the Key Vault."
+              }
+            }
+          },
+          "resources": {
+            "keyVault": {
+              "existing": true,
+              "type": "Microsoft.KeyVault/vaults",
+              "apiVersion": "2022-07-01",
+              "name": "[parameters('keyVaultName')]"
+            },
+            "secrets": {
+              "copy": {
+                "name": "secrets",
+                "count": "[length(parameters('secretsToSet'))]"
+              },
+              "type": "Microsoft.KeyVault/vaults/secrets",
+              "apiVersion": "2023-07-01",
+              "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('secretsToSet')[copyIndex()].name)]",
+              "properties": {
+                "value": "[parameters('secretsToSet')[copyIndex()].value]"
+              },
+              "dependsOn": [
+                "keyVault"
+              ]
+            }
+          },
+          "outputs": {
+            "secretsSet": {
+              "type": "array",
+              "items": {
+                "$ref": "#/definitions/secretSetType"
+              },
+              "metadata": {
+                "description": "The references to the secrets exported to the provided Key Vault."
+              },
+              "copy": {
+                "count": "[length(range(0, length(coalesce(parameters('secretsToSet'), createArray()))))]",
+                "input": {
+                  "secretResourceId": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretsToSet')[range(0, length(coalesce(parameters('secretsToSet'), createArray())))[copyIndex()]].name)]",
+                  "secretUri": "[reference(format('secrets[{0}]', range(0, length(coalesce(parameters('secretsToSet'), createArray())))[copyIndex()])).secretUri]"
+                }
+              }
+            }
+          }
+        }
+      },
+      "dependsOn": [
+        "searchService"
+      ]
     }
   },
   "outputs": {
@@ -1663,6 +1824,13 @@
         "description": "The location the resource was deployed into."
       },
       "value": "[reference('searchService', '2024-03-01-preview', 'full').location]"
+    },
+    "exportedSecrets": {
+      "$ref": "#/definitions/secretsOutputType",
+      "metadata": {
+        "description": "A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret's name."
+      },
+      "value": "[if(not(equals(parameters('secretsExportConfiguration'), null())), toObject(reference('secretsExport').outputs.secretsSet.value, lambda('secret', last(split(lambdaVariables('secret').secretResourceId, '/'))), lambda('secret', lambdaVariables('secret'))), createObject())]"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/avm/res/search/search-service/modules/keyVaultExport.bicep b/avm/res/search/search-service/modules/keyVaultExport.bicep
new file mode 100644
index 0000000000..d537d2407e
--- /dev/null
+++ b/avm/res/search/search-service/modules/keyVaultExport.bicep
@@ -0,0 +1,62 @@
+// ============== //
+//   Parameters   //
+// ============== //
+
+@description('Required. The name of the Key Vault to set the ecrets in.')
+param keyVaultName string
+
+@description('Required. The secrets to set in the Key Vault.')
+param secretsToSet secretToSetType[]
+
+// ============= //
+//   Resources   //
+// ============= //
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}
+
+resource secrets 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = [
+  for secret in secretsToSet: {
+    name: secret.name
+    parent: keyVault
+    properties: {
+      value: secret.value
+    }
+  }
+]
+
+// =========== //
+//   Outputs   //
+// =========== //
+
+@description('The references to the secrets exported to the provided Key Vault.')
+output secretsSet secretSetType[] = [
+  #disable-next-line outputs-should-not-contain-secrets // Only returning the references, not a secret value
+  for index in range(0, length(secretsToSet ?? [])): {
+    secretResourceId: secrets[index].id
+    secretUri: secrets[index].properties.secretUri
+  }
+]
+
+// =============== //
+//   Definitions   //
+// =============== //
+
+@export()
+type secretSetType = {
+  @description('The resourceId of the exported secret.')
+  secretResourceId: string
+
+  @description('The secret URI of the exported secret.')
+  secretUri: string
+}
+
+type secretToSetType = {
+  @description('Required. The name of the secret to set.')
+  name: string
+
+  @description('Required. The value of the secret to set.')
+  @secure()
+  value: string
+}
diff --git a/avm/res/search/search-service/modules/secrets-key-vault.bicep b/avm/res/search/search-service/modules/secrets-key-vault.bicep
deleted file mode 100644
index 803afa1f72..0000000000
--- a/avm/res/search/search-service/modules/secrets-key-vault.bicep
+++ /dev/null
@@ -1,23 +0,0 @@
-param keyVaultName string
-param keySecrets keySecret[]
-
-resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
-  name: keyVaultName
-}
-
-resource keySecretsSecrets 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = [
-  for secret in keySecrets: {
-    name: secret.secretName
-    parent: kv
-    properties: {
-      value: secret.secretValue
-    }
-  }
-]
-
-type keySecret = {
-  secretName: string
-
-  @secure()
-  secretValue: string
-}
diff --git a/avm/res/search/search-service/tests/e2e/kvSecrets/dependencies.bicep b/avm/res/search/search-service/tests/e2e/kvSecrets/dependencies.bicep
index caa4813d58..da0b29e26f 100644
--- a/avm/res/search/search-service/tests/e2e/kvSecrets/dependencies.bicep
+++ b/avm/res/search/search-service/tests/e2e/kvSecrets/dependencies.bicep
@@ -17,5 +17,5 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
   }
 }
 
-@description('The name of the Key Vault created.')
-output keyVaultName string = keyVaultName
+@description('The key vault id of the Key Vault created.')
+output keyVaultResourceId string = keyVault.id
diff --git a/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
index 1f84c968fb..fa2fe6ec0a 100644
--- a/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
+++ b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
@@ -53,9 +53,10 @@ module testDeployment '../../../main.bicep' = {
         aadAuthFailureMode: 'http401WithBearerChallenge'
       }
     }
-    secretsKeyVault: {
-      keyVaultName: nestedDependencies.outputs.keyVaultName
-      primaryAdminKeySecretName: 'Primary-Admin-Key'
+    secretsExportConfiguration: {
+      keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+      primaryAdminKey: 'Primary-Admin-Key'
+      secondaryAdminKey: 'Secondary-Admin-Key'
     }
   }
 }

From e8c43fe4000a032401a694472907a47b5eb09c96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Wed, 21 Aug 2024 20:30:19 +0200
Subject: [PATCH 08/26] Key valul exists bump name

---
 avm/res/search/search-service/tests/e2e/pe/main.test.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/tests/e2e/pe/main.test.bicep b/avm/res/search/search-service/tests/e2e/pe/main.test.bicep
index 1743c384cc..1584705a5b 100644
--- a/avm/res/search/search-service/tests/e2e/pe/main.test.bicep
+++ b/avm/res/search/search-service/tests/e2e/pe/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serv
 param resourceLocation string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ssspe'
+param serviceShort string = 'ssspe2'
 
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'

From 8e6f4ed4593e6c9f1d4b003b08e7e7155450e7d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Wed, 21 Aug 2024 20:52:33 +0200
Subject: [PATCH 09/26] Added telemetry fix

---
 avm/res/search/search-service/main.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/main.bicep b/avm/res/search/search-service/main.bicep
index 6d7e8549fd..3824e8af7f 100644
--- a/avm/res/search/search-service/main.bicep
+++ b/avm/res/search/search-service/main.bicep
@@ -161,7 +161,7 @@ var formattedRoleAssignments = [
 
 #disable-next-line no-deployments-resources
 resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
-  name: '46d3xbcp.search-searchservice.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
+  name: '46d3xbcp.res.search-searchservice.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
   properties: {
     mode: 'Incremental'
     template: {

From 588b56b6f15e00987223d1b7d9fe2598176a1cd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Thu, 22 Aug 2024 10:07:43 +0200
Subject: [PATCH 10/26] Ran Set-AVMModule

---
 avm/res/search/search-service/README.md | 5 ++---
 avm/res/search/search-service/main.json | 9 +++------
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index 5de28c45a3..6a056aab06 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -392,7 +392,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
   name: 'searchServiceDeployment'
   params: {
     // Required parameters
-    name: 'ssspe001'
+    name: 'ssspe2001'
     // Non-required parameters
     location: '<location>'
     privateEndpoints: [
@@ -461,7 +461,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
   "parameters": {
     // Required parameters
     "name": {
-      "value": "ssspe001"
+      "value": "ssspe2001"
     },
     // Non-required parameters
     "location": {
@@ -1640,7 +1640,6 @@ Tags to help categorize the resource in the Azure portal.
 | `exportedSecrets` |  | A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret's name. |
 | `location` | string | The location the resource was deployed into. |
 | `name` | string | The name of the search service. |
-| `privateEndpoints` | array | The private endpoints of the search service. |
 | `resourceGroupName` | string | The name of the resource group the search service was created in. |
 | `resourceId` | string | The resource ID of the search service. |
 | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
diff --git a/avm/res/search/search-service/main.json b/avm/res/search/search-service/main.json
index dfbdb4ba1f..de5c37619a 100644
--- a/avm/res/search/search-service/main.json
+++ b/avm/res/search/search-service/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.29.47.4906",
-      "templateHash": "17248953607027738115"
+      "templateHash": "14562557958357334116"
     },
     "name": "Search Services",
     "description": "This module deploys a Search Service.",
@@ -633,7 +633,7 @@
         "Disabled"
       ],
       "metadata": {
-        "description": "Optional. This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method."
+        "description": "Optional. This value can be set to 'Enabled' to avoid breaking changes on existing customer resources and templates. If set to 'Disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method."
       }
     },
     "secretsExportConfiguration": {
@@ -1631,9 +1631,6 @@
         },
         "mode": "Incremental",
         "parameters": {
-          "name": {
-            "value": "[coalesce(tryGet(parameters('sharedPrivateLinkResources')[copyIndex()], 'name'), format('spl-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), parameters('sharedPrivateLinkResources')[copyIndex()].groupId, copyIndex()))]"
-          },
           "name": {
             "value": "[coalesce(tryGet(parameters('sharedPrivateLinkResources')[copyIndex()], 'name'), format('spl-{0}-{1}-{2}', last(split(resourceId('Microsoft.Search/searchServices', parameters('name')), '/')), parameters('sharedPrivateLinkResources')[copyIndex()].groupId, copyIndex()))]"
           },
@@ -1936,4 +1933,4 @@
       "value": "[if(not(equals(parameters('secretsExportConfiguration'), null())), toObject(reference('secretsExport').outputs.secretsSet.value, lambda('secret', last(split(lambdaVariables('secret').secretResourceId, '/'))), lambda('secret', lambdaVariables('secret'))), createObject())]"
     }
   }
-}
+}
\ No newline at end of file

From 4475920704850cf5312087f7f6f85bd56a5e21e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Fri, 27 Sep 2024 18:42:41 +0200
Subject: [PATCH 11/26] Short changed as agreed

---
 avm/res/search/search-service/tests/e2e/pe/main.test.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/tests/e2e/pe/main.test.bicep b/avm/res/search/search-service/tests/e2e/pe/main.test.bicep
index a89a531d15..76fecb0274 100644
--- a/avm/res/search/search-service/tests/e2e/pe/main.test.bicep
+++ b/avm/res/search/search-service/tests/e2e/pe/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serv
 param resourceLocation string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'ssspe2'
+param serviceShort string = 'ssspr'
 
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'

From 751c5eeec7cb633585972f13fbdfa9b7427c3640 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Fri, 27 Sep 2024 19:04:27 +0200
Subject: [PATCH 12/26] Fix readme bug

---
 avm/res/search/search-service/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index 371c1edd4d..927e159ef3 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -392,7 +392,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
   name: 'searchServiceDeployment'
   params: {
     // Required parameters
-    name: 'ssspe2001'
+    name: 'ssspr001'
     // Non-required parameters
     location: '<location>'
     privateEndpoints: [
@@ -461,7 +461,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
   "parameters": {
     // Required parameters
     "name": {
-      "value": "ssspe2001"
+      "value": "ssspr001"
     },
     // Non-required parameters
     "location": {

From 726d5f8b80cacef2aeaf0d617f6c54b576fad17d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Mon, 30 Sep 2024 17:43:15 +0200
Subject: [PATCH 13/26] Updated according to comment

---
 avm/res/search/search-service/main.bicep | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/avm/res/search/search-service/main.bicep b/avm/res/search/search-service/main.bicep
index 775907acd0..6f76fa6abf 100644
--- a/avm/res/search/search-service/main.bicep
+++ b/avm/res/search/search-service/main.bicep
@@ -563,10 +563,10 @@ type secretsExportConfigurationType = {
   keyVaultResourceId: string
 
   @description('Optional. The primaryAdminKey secret name to create.')
-  primaryAdminKey: string?
+  primaryAdminKeyName: string?
 
   @description('Optional. The secondaryAdminKey secret name to create.')
-  secondaryAdminKey: string?
+  secondaryAdminKeyName: string?
 }
 
 import { secretSetType } from 'modules/keyVaultExport.bicep'

From 4b04e6748f556798286ae7d3a200b90d526944a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Mon, 30 Sep 2024 17:45:11 +0200
Subject: [PATCH 14/26] Updated according to comment

---
 avm/res/search/search-service/main.bicep                  | 8 ++++----
 .../search-service/tests/e2e/kvSecrets/main.test.bicep    | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/avm/res/search/search-service/main.bicep b/avm/res/search/search-service/main.bicep
index 6f76fa6abf..df608c8af6 100644
--- a/avm/res/search/search-service/main.bicep
+++ b/avm/res/search/search-service/main.bicep
@@ -337,18 +337,18 @@ module secretsExport 'modules/keyVaultExport.bicep' = if (secretsExportConfigura
     keyVaultName: last(split(secretsExportConfiguration.?keyVaultResourceId ?? '//', '/'))
     secretsToSet: union(
       [],
-      contains(secretsExportConfiguration!, 'primaryAdminKey')
+      contains(secretsExportConfiguration!, 'primaryAdminKeyName')
         ? [
             {
-              name: secretsExportConfiguration!.primaryAdminKey
+              name: secretsExportConfiguration!.primaryAdminKeyName
               value: searchService.listAdminKeys().primaryKey
             }
           ]
         : [],
-      contains(secretsExportConfiguration!, 'secondaryAdminKey')
+      contains(secretsExportConfiguration!, 'secondaryAdminKeyName')
         ? [
             {
-              name: secretsExportConfiguration!.secondaryAdminKey
+              name: secretsExportConfiguration!.secondaryAdminKeyName
               value: searchService.listAdminKeys().secondaryKey
             }
           ]
diff --git a/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
index fa2fe6ec0a..cdd93d36cd 100644
--- a/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
+++ b/avm/res/search/search-service/tests/e2e/kvSecrets/main.test.bicep
@@ -55,8 +55,8 @@ module testDeployment '../../../main.bicep' = {
     }
     secretsExportConfiguration: {
       keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
-      primaryAdminKey: 'Primary-Admin-Key'
-      secondaryAdminKey: 'Secondary-Admin-Key'
+      primaryAdminKeyName: 'Primary-Admin-Key'
+      secondaryAdminKeyName: 'Secondary-Admin-Key'
     }
   }
 }

From bc2e35fed3c579661777b206bc180dc77783f4c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Mon, 30 Sep 2024 18:00:33 +0200
Subject: [PATCH 15/26] Readme updated

---
 avm/res/search/search-service/README.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index 927e159ef3..7d76ef5871 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -111,8 +111,8 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
     location: '<location>'
     secretsExportConfiguration: {
       keyVaultResourceId: '<keyVaultResourceId>'
-      primaryAdminKey: 'Primary-Admin-Key'
-      secondaryAdminKey: 'Secondary-Admin-Key'
+      primaryAdminKeyName: 'Primary-Admin-Key-Name'
+      secondaryAdminKeyName: 'Secondary-Admin-Key-Name'
     }
   }
 }
@@ -151,8 +151,8 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
     "secretsExportConfiguration": {
       "value": {
         "keyVaultResourceId": "<keyVaultResourceId>",
-        "primaryAdminKey": "Primary-Admin-Key",
-        "secondaryAdminKey": "Secondary-Admin-Key"
+        "primaryAdminKeyName": "Primary-Admin-Key-Name",
+        "secondaryAdminKeyName": "Secondary-Admin-Key-Name"
       }
     }
   }
@@ -1577,8 +1577,8 @@ Key vault reference and secret settings for the module's secrets export.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`primaryAdminKey`](#parameter-secretsexportconfigurationprimaryadminkey) | string | The primaryAdminKey secret name to create. |
-| [`secondaryAdminKey`](#parameter-secretsexportconfigurationsecondaryadminkey) | string | The secondaryAdminKey secret name to create. |
+| [`primaryAdminKeyName`](#parameter-secretsexportconfigurationprimaryadminkeyname) | string | The primaryAdminKey secret name to create. |
+| [`secondaryAdminKeyName`](#parameter-secretsexportconfigurationsecondaryadminkeyname) | string | The secondaryAdminKey secret name to create. |
 
 ### Parameter: `secretsExportConfiguration.keyVaultResourceId`
 
@@ -1587,14 +1587,14 @@ The key vault name where to store the API Admin keys generated by the modules.
 - Required: Yes
 - Type: string
 
-### Parameter: `secretsExportConfiguration.primaryAdminKey`
+### Parameter: `secretsExportConfiguration.primaryAdminKeyName`
 
 The primaryAdminKey secret name to create.
 
 - Required: No
 - Type: string
 
-### Parameter: `secretsExportConfiguration.secondaryAdminKey`
+### Parameter: `secretsExportConfiguration.secondaryAdminKeyName`
 
 The secondaryAdminKey secret name to create.
 

From 9e0e703c30341700fa8c562c4f536dc759b4fcd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Mon, 30 Sep 2024 18:11:15 +0200
Subject: [PATCH 16/26] Readme updated

---
 avm/res/search/search-service/README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index 7d76ef5871..423d293fce 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -1,4 +1,4 @@
-# Search Services `[Microsoft.Search/searchServices]`
+# Search Services `[Search/SearchService]`
 
 This module deploys a Search Service.
 
@@ -111,8 +111,8 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
     location: '<location>'
     secretsExportConfiguration: {
       keyVaultResourceId: '<keyVaultResourceId>'
-      primaryAdminKeyName: 'Primary-Admin-Key-Name'
-      secondaryAdminKeyName: 'Secondary-Admin-Key-Name'
+      primaryAdminKeyName: 'Primary-Admin-Key'
+      secondaryAdminKeyName: 'Secondary-Admin-Key'
     }
   }
 }
@@ -151,8 +151,8 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
     "secretsExportConfiguration": {
       "value": {
         "keyVaultResourceId": "<keyVaultResourceId>",
-        "primaryAdminKeyName": "Primary-Admin-Key-Name",
-        "secondaryAdminKeyName": "Secondary-Admin-Key-Name"
+        "primaryAdminKeyName": "Primary-Admin-Key",
+        "secondaryAdminKeyName": "Secondary-Admin-Key"
       }
     }
   }

From b78353c5017fbd47bbbe6da72f3e6bb72c881b25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Mon, 30 Sep 2024 18:44:21 +0200
Subject: [PATCH 17/26] fixed main.json

---
 avm/res/search/search-service/main.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/avm/res/search/search-service/main.json b/avm/res/search/search-service/main.json
index 198627f75d..24719a5ca7 100644
--- a/avm/res/search/search-service/main.json
+++ b/avm/res/search/search-service/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "8483667347070963331"
+      "version": "0.30.23.60470",
+      "templateHash": "13527260085574333800"
     },
     "name": "Search Services",
     "description": "This module deploys a Search Service.",
@@ -483,14 +483,14 @@
             "description": "Required. The key vault name where to store the API Admin keys generated by the modules."
           }
         },
-        "primaryAdminKey": {
+        "primaryAdminKeyName": {
           "type": "string",
           "nullable": true,
           "metadata": {
             "description": "Optional. The primaryAdminKey secret name to create."
           }
         },
-        "secondaryAdminKey": {
+        "secondaryAdminKeyName": {
           "type": "string",
           "nullable": true,
           "metadata": {
@@ -1657,8 +1657,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "2330033720810948871"
+              "version": "0.30.23.60470",
+              "templateHash": "1073269867332822875"
             },
             "name": "Search Services Private Link Resources",
             "description": "This module deploys a Search Service Private Link Resource.",
@@ -1771,7 +1771,7 @@
             "value": "[last(split(coalesce(tryGet(parameters('secretsExportConfiguration'), 'keyVaultResourceId'), '//'), '/'))]"
           },
           "secretsToSet": {
-            "value": "[union(createArray(), if(contains(parameters('secretsExportConfiguration'), 'primaryAdminKey'), createArray(createObject('name', parameters('secretsExportConfiguration').primaryAdminKey, 'value', listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2024-03-01-preview').primaryKey)), createArray()), if(contains(parameters('secretsExportConfiguration'), 'secondaryAdminKey'), createArray(createObject('name', parameters('secretsExportConfiguration').secondaryAdminKey, 'value', listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2024-03-01-preview').secondaryKey)), createArray()))]"
+            "value": "[union(createArray(), if(contains(parameters('secretsExportConfiguration'), 'primaryAdminKeyName'), createArray(createObject('name', parameters('secretsExportConfiguration').primaryAdminKeyName, 'value', listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2024-03-01-preview').primaryKey)), createArray()), if(contains(parameters('secretsExportConfiguration'), 'secondaryAdminKeyName'), createArray(createObject('name', parameters('secretsExportConfiguration').secondaryAdminKeyName, 'value', listAdminKeys(resourceId('Microsoft.Search/searchServices', parameters('name')), '2024-03-01-preview').secondaryKey)), createArray()))]"
           }
         },
         "template": {
@@ -1781,8 +1781,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "986606208324987345"
+              "version": "0.30.23.60470",
+              "templateHash": "12263717469683062316"
             }
           },
           "definitions": {
@@ -1933,4 +1933,4 @@
       "value": "[if(not(equals(parameters('secretsExportConfiguration'), null())), toObject(reference('secretsExport').outputs.secretsSet.value, lambda('secret', last(split(lambdaVariables('secret').secretResourceId, '/'))), lambda('secret', lambdaVariables('secret'))), createObject())]"
     }
   }
-}
+}
\ No newline at end of file

From 61db651ef53181daf10ecf9df2a9452142ac7ab9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Mon, 30 Sep 2024 18:55:04 +0200
Subject: [PATCH 18/26] Fixed the other readme

---
 .../search-service/shared-private-link-resource/README.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/shared-private-link-resource/README.md b/avm/res/search/search-service/shared-private-link-resource/README.md
index a41c805a6a..94bc886208 100644
--- a/avm/res/search/search-service/shared-private-link-resource/README.md
+++ b/avm/res/search/search-service/shared-private-link-resource/README.md
@@ -1,4 +1,4 @@
-# Search Services Private Link Resources `[Microsoft.Search/searchServices/sharedPrivateLinkResources]`
+# Search Services Private Link Resources `[Search/SearchServiceSharedPrivateLinkResource]`
 
 This module deploys a Search Service Private Link Resource.
 

From b2b9bf769c96414baa343d5f564fdf886b90e36e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Tue, 1 Oct 2024 08:23:15 +0200
Subject: [PATCH 19/26] Fixed Readme manually

---
 .../search-service/shared-private-link-resource/README.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/shared-private-link-resource/README.md b/avm/res/search/search-service/shared-private-link-resource/README.md
index 94bc886208..a41c805a6a 100644
--- a/avm/res/search/search-service/shared-private-link-resource/README.md
+++ b/avm/res/search/search-service/shared-private-link-resource/README.md
@@ -1,4 +1,4 @@
-# Search Services Private Link Resources `[Search/SearchServiceSharedPrivateLinkResource]`
+# Search Services Private Link Resources `[Microsoft.Search/searchServices/sharedPrivateLinkResources]`
 
 This module deploys a Search Service Private Link Resource.
 

From 2dbe17ac344902038d5745d9e89c2f1c13656602 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Tue, 1 Oct 2024 08:29:01 +0200
Subject: [PATCH 20/26] Updated readme manually

---
 avm/res/search/search-service/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index 423d293fce..fd6c1b9d19 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -1,4 +1,4 @@
-# Search Services `[Search/SearchService]`
+# Search Services `[Microsoft.Search/SearchService]`
 
 This module deploys a Search Service.
 

From efc4b8a24b63e5975d2c6f86cc9c113cebbc7e44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Tue, 1 Oct 2024 08:36:45 +0200
Subject: [PATCH 21/26] Casing and plural manually updated

---
 avm/res/search/search-service/README.md                         | 2 +-
 .../search-service/shared-private-link-resource/README.md       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index fd6c1b9d19..dca3e83f01 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -1,4 +1,4 @@
-# Search Services `[Microsoft.Search/SearchService]`
+# Search Services `[Microsoft.Search/SearchServices]`
 
 This module deploys a Search Service.
 
diff --git a/avm/res/search/search-service/shared-private-link-resource/README.md b/avm/res/search/search-service/shared-private-link-resource/README.md
index a41c805a6a..c4878907a7 100644
--- a/avm/res/search/search-service/shared-private-link-resource/README.md
+++ b/avm/res/search/search-service/shared-private-link-resource/README.md
@@ -1,4 +1,4 @@
-# Search Services Private Link Resources `[Microsoft.Search/searchServices/sharedPrivateLinkResources]`
+# Search Services Private Link Resources `[Microsoft.Search/SearchServices/sharedPrivateLinkResources]`
 
 This module deploys a Search Service Private Link Resource.
 

From b97485a2234d9755b7b6b835bd115d85f8c9218d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Tue, 1 Oct 2024 08:42:24 +0200
Subject: [PATCH 22/26] Strange place to camelCase - fixed manually

---
 .../search-service/shared-private-link-resource/README.md       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/shared-private-link-resource/README.md b/avm/res/search/search-service/shared-private-link-resource/README.md
index c4878907a7..a41c805a6a 100644
--- a/avm/res/search/search-service/shared-private-link-resource/README.md
+++ b/avm/res/search/search-service/shared-private-link-resource/README.md
@@ -1,4 +1,4 @@
-# Search Services Private Link Resources `[Microsoft.Search/SearchServices/sharedPrivateLinkResources]`
+# Search Services Private Link Resources `[Microsoft.Search/searchServices/sharedPrivateLinkResources]`
 
 This module deploys a Search Service Private Link Resource.
 

From 5c921d96d4d5df94b07a9a1ffdfb73e6769133fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Tue, 1 Oct 2024 08:48:04 +0200
Subject: [PATCH 23/26] A linebreak seems to be missing

---
 .../search/search-service/shared-private-link-resource/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/avm/res/search/search-service/shared-private-link-resource/README.md b/avm/res/search/search-service/shared-private-link-resource/README.md
index a41c805a6a..4178f881d9 100644
--- a/avm/res/search/search-service/shared-private-link-resource/README.md
+++ b/avm/res/search/search-service/shared-private-link-resource/README.md
@@ -1,5 +1,6 @@
 # Search Services Private Link Resources `[Microsoft.Search/searchServices/sharedPrivateLinkResources]`
 
+
 This module deploys a Search Service Private Link Resource.
 
 ## Navigation

From d0a875ade7cfcc6ad2f08c4e0eb27efae6a911f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Tue, 1 Oct 2024 08:53:09 +0200
Subject: [PATCH 24/26] Too many linebreaks ...

---
 .../search-service/shared-private-link-resource/README.md       | 2 --
 1 file changed, 2 deletions(-)

diff --git a/avm/res/search/search-service/shared-private-link-resource/README.md b/avm/res/search/search-service/shared-private-link-resource/README.md
index 4178f881d9..a55eb35c43 100644
--- a/avm/res/search/search-service/shared-private-link-resource/README.md
+++ b/avm/res/search/search-service/shared-private-link-resource/README.md
@@ -1,6 +1,4 @@
 # Search Services Private Link Resources `[Microsoft.Search/searchServices/sharedPrivateLinkResources]`
-
-
 This module deploys a Search Service Private Link Resource.
 
 ## Navigation

From c21bb2153fec4bd71c31e53e2ab700c58bc1b09c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Tue, 1 Oct 2024 08:59:55 +0200
Subject: [PATCH 25/26] Added a linebreak

---
 .../search/search-service/shared-private-link-resource/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/avm/res/search/search-service/shared-private-link-resource/README.md b/avm/res/search/search-service/shared-private-link-resource/README.md
index a55eb35c43..a41c805a6a 100644
--- a/avm/res/search/search-service/shared-private-link-resource/README.md
+++ b/avm/res/search/search-service/shared-private-link-resource/README.md
@@ -1,4 +1,5 @@
 # Search Services Private Link Resources `[Microsoft.Search/searchServices/sharedPrivateLinkResources]`
+
 This module deploys a Search Service Private Link Resource.
 
 ## Navigation

From 945c1ed014b9c82256244798a5533fd96989bd68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Axel=20B=C3=B8g=20Andersen?= <axel.boeg.andersen@atea.dk>
Date: Tue, 1 Oct 2024 09:04:39 +0200
Subject: [PATCH 26/26] More camelCase

---
 avm/res/search/search-service/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index dca3e83f01..e8645d04a5 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -1,4 +1,4 @@
-# Search Services `[Microsoft.Search/SearchServices]`
+# Search Services `[Microsoft.Search/searchServices]`
 
 This module deploys a Search Service.