From ba3bbd45428e22f7a51c95e7f5270b64a90cef94 Mon Sep 17 00:00:00 2001
From: Kris Baranek <20225789+krbar@users.noreply.github.com>
Date: Wed, 23 Oct 2024 09:44:40 +0200
Subject: [PATCH 01/13] test: `avm/res/event-grid/namespace` - fixed duplicate
 metadata of a test case (#3613)

## Description

Two of the module test cases had the same metadata (name and
description) causing confusion of the documentation. This PR fixes the
metadata of the one of them.

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.event-grid.namespace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-grid.namespace.yml/badge.svg?branch=user%2Fkrbar%2FeventGridTestFix)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-grid.namespace.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [x] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
---
 avm/res/event-grid/namespace/README.md                      | 6 +++---
 .../event-grid/namespace/tests/e2e/mqttnt/main.test.bicep   | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/avm/res/event-grid/namespace/README.md b/avm/res/event-grid/namespace/README.md
index 68fe8bf4f3..664aad8ec0 100644
--- a/avm/res/event-grid/namespace/README.md
+++ b/avm/res/event-grid/namespace/README.md
@@ -40,7 +40,7 @@ The following section provides usage examples for the module, which were used to
 - [Using only defaults](#example-1-using-only-defaults)
 - [Using large parameter set](#example-2-using-large-parameter-set)
 - [MQTT Broker with routing to a namespace topic](#example-3-mqtt-broker-with-routing-to-a-namespace-topic)
-- [MQTT Broker with routing to a namespace topic](#example-4-mqtt-broker-with-routing-to-a-namespace-topic)
+- [MQTT Broker with routing to a custom topic](#example-4-mqtt-broker-with-routing-to-a-custom-topic)
 - [WAF-aligned](#example-5-waf-aligned)
 
 ### Example 1: _Using only defaults_
@@ -1214,9 +1214,9 @@ param topicSpacesState = 'Enabled'
 </details>
 <p>
 
-### Example 4: _MQTT Broker with routing to a namespace topic_
+### Example 4: _MQTT Broker with routing to a custom topic_
 
-This instance deploys the module as a MQTT Broker with routing to a topic within the same Eventgrid namespace.
+This instance deploys the module as a MQTT Broker with routing to a custom topic.
 
 
 <details>
diff --git a/avm/res/event-grid/namespace/tests/e2e/mqttnt/main.test.bicep b/avm/res/event-grid/namespace/tests/e2e/mqttnt/main.test.bicep
index e2a8332ca0..ec0407199f 100644
--- a/avm/res/event-grid/namespace/tests/e2e/mqttnt/main.test.bicep
+++ b/avm/res/event-grid/namespace/tests/e2e/mqttnt/main.test.bicep
@@ -1,7 +1,7 @@
 targetScope = 'subscription'
 
-metadata name = 'MQTT Broker with routing to a namespace topic'
-metadata description = 'This instance deploys the module as a MQTT Broker with routing to a topic within the same Eventgrid namespace.'
+metadata name = 'MQTT Broker with routing to a custom topic'
+metadata description = 'This instance deploys the module as a MQTT Broker with routing to a custom topic.'
 
 // ========== //
 // Parameters //

From edfc64471d851814d6cfd23e622ee447f1a507d7 Mon Sep 17 00:00:00 2001
From: Sidney Andrews <sidandrews@microsoft.com>
Date: Wed, 23 Oct 2024 04:24:15 -0400
Subject: [PATCH 02/13] fix: Update multi-region test in
 `avm/res/document-db/database-account` (#3601)

---
 .../document-db/database-account/README.md    |  4 +-
 .../document-db/database-account/main.bicep   |  2 +-
 .../document-db/database-account/main.json    |  4 +-
 .../tests/e2e/multiRegion/dependencies.bicep  | 49 -------------------
 .../tests/e2e/multiRegion/main.test.bicep     | 20 ++------
 5 files changed, 9 insertions(+), 70 deletions(-)
 delete mode 100644 avm/res/document-db/database-account/tests/e2e/multiRegion/dependencies.bicep

diff --git a/avm/res/document-db/database-account/README.md b/avm/res/document-db/database-account/README.md
index 0d9b956871..fc40151219 100644
--- a/avm/res/document-db/database-account/README.md
+++ b/avm/res/document-db/database-account/README.md
@@ -3408,7 +3408,7 @@ param tags = {
 | [`backupRetentionIntervalInHours`](#parameter-backupretentionintervalinhours) | int | Default to 8. An integer representing the time (in hours) that each backup is retained. Only applies to periodic backup type. |
 | [`backupStorageRedundancy`](#parameter-backupstorageredundancy) | string | Default to Local. Enum to indicate type of backup residency. Only applies to periodic backup type. |
 | [`capabilitiesToAdd`](#parameter-capabilitiestoadd) | array | List of Cosmos DB capabilities for the account. |
-| [`databaseAccountOfferType`](#parameter-databaseaccountoffertype) | string | Default to Standard. The offer type for the Cosmos DB database account. |
+| [`databaseAccountOfferType`](#parameter-databaseaccountoffertype) | string | Default to Standard. The offer type for the Azure Cosmos DB database account. |
 | [`defaultConsistencyLevel`](#parameter-defaultconsistencylevel) | string | Default to Session. The default consistency level of the Cosmos DB account. |
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`disableKeyBasedMetadataWriteAccess`](#parameter-disablekeybasedmetadatawriteaccess) | bool | Disable write operations on metadata resources (databases, containers, throughput) via account keys. |
@@ -3535,7 +3535,7 @@ List of Cosmos DB capabilities for the account.
 
 ### Parameter: `databaseAccountOfferType`
 
-Default to Standard. The offer type for the Cosmos DB database account.
+Default to Standard. The offer type for the Azure Cosmos DB database account.
 
 - Required: No
 - Type: string
diff --git a/avm/res/document-db/database-account/main.bicep b/avm/res/document-db/database-account/main.bicep
index 5238c68a90..d4416ba211 100644
--- a/avm/res/document-db/database-account/main.bicep
+++ b/avm/res/document-db/database-account/main.bicep
@@ -14,7 +14,7 @@ param tags object?
 @description('Optional. The managed identity definition for this resource.')
 param managedIdentities managedIdentitiesType
 
-@description('Optional. Default to Standard. The offer type for the Cosmos DB database account.')
+@description('Optional. Default to Standard. The offer type for the Azure Cosmos DB database account.')
 @allowed([
   'Standard'
 ])
diff --git a/avm/res/document-db/database-account/main.json b/avm/res/document-db/database-account/main.json
index 11882b59ce..56cbfcda58 100644
--- a/avm/res/document-db/database-account/main.json
+++ b/avm/res/document-db/database-account/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "2886040651089761865"
+      "templateHash": "10132015257360023425"
     },
     "name": "DocumentDB Database Accounts",
     "description": "This module deploys a DocumentDB Database Account.",
@@ -892,7 +892,7 @@
         "Standard"
       ],
       "metadata": {
-        "description": "Optional. Default to Standard. The offer type for the Cosmos DB database account."
+        "description": "Optional. Default to Standard. The offer type for the Azure Cosmos DB database account."
       }
     },
     "locations": {
diff --git a/avm/res/document-db/database-account/tests/e2e/multiRegion/dependencies.bicep b/avm/res/document-db/database-account/tests/e2e/multiRegion/dependencies.bicep
deleted file mode 100644
index 9cce45a620..0000000000
--- a/avm/res/document-db/database-account/tests/e2e/multiRegion/dependencies.bicep
+++ /dev/null
@@ -1,49 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-@description('Required. The name of the Deployment Script to create to get the paired region name.')
-param pairedRegionScriptName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: managedIdentityName
-  location: location
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment')
-  properties: {
-    principalId: managedIdentity.properties.principalId
-    roleDefinitionId: subscriptionResourceId(
-      'Microsoft.Authorization/roleDefinitions',
-      'acdd72a7-3385-48ef-bd42-f606fba81ae7'
-    ) // Reader
-    principalType: 'ServicePrincipal'
-  }
-}
-
-resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
-  name: pairedRegionScriptName
-  location: location
-  kind: 'AzurePowerShell'
-  identity: {
-    type: 'UserAssigned'
-    userAssignedIdentities: {
-      '${managedIdentity.id}': {}
-    }
-  }
-  properties: {
-    azPowerShellVersion: '8.0'
-    retentionInterval: 'P1D'
-    arguments: '-Location \\"${location}\\"'
-    scriptContent: loadTextContent('../../../../../../utilities/e2e-template-assets/scripts/Get-PairedRegion.ps1')
-  }
-  dependsOn: [
-    roleAssignment
-  ]
-}
-
-@description('The name of the paired region.')
-output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName
diff --git a/avm/res/document-db/database-account/tests/e2e/multiRegion/main.test.bicep b/avm/res/document-db/database-account/tests/e2e/multiRegion/main.test.bicep
index 21dcd19688..f7bd07e61b 100644
--- a/avm/res/document-db/database-account/tests/e2e/multiRegion/main.test.bicep
+++ b/avm/res/document-db/database-account/tests/e2e/multiRegion/main.test.bicep
@@ -19,21 +19,9 @@ param namePrefix string = '#_namePrefix_#'
 
 // The default pipeline is selecting random regions which don't have capacity for Azure Cosmos DB or support all Azure Cosmos DB features when creating new accounts.
 #disable-next-line no-hardcoded-location
-var enforcedLocation = 'eastus2'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-module nestedDependencies 'dependencies.bicep' = {
-  scope: resourceGroup
-  name: '${uniqueString(deployment().name, enforcedLocation)}-nestedDependencies'
-  params: {
-    location: enforcedLocation
-    managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
-    pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}'
-  }
-}
+var enforcedLocation = 'australiaeast'
+#disable-next-line no-hardcoded-location
+var enforcedPairedLocation = 'uksouth'
 
 // ============== //
 // General resources
@@ -68,7 +56,7 @@ module testDeployment '../../../main.bicep' = {
       {
         failoverPriority: 1
         isZoneRedundant: true
-        locationName: nestedDependencies.outputs.pairedRegionName
+        locationName: enforcedPairedLocation
       }
     ]
     sqlDatabases: [

From 30005a218ddc2fca97cfeb06d8de40753b6be1fc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 23 Oct 2024 16:19:25 +0100
Subject: [PATCH 03/13] fix: bump github/codeql-action from 3.26.12 to 3.27.0
 (#3617)

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3.26.12 to 3.27.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.27.0</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>3.27.0 - 22 Oct 2024</h2>
<ul>
<li>Bump the minimum CodeQL bundle version to 2.14.6. <a
href="https://redirect.github.com/github/codeql-action/pull/2549">#2549</a></li>
<li>Fix an issue where the <code>upload-sarif</code> Action would fail
with &quot;upload-sarif post-action step failed: Input required and not
supplied: token&quot; when called in a composite Action that had a
different set of inputs to the ones expected by the
<code>upload-sarif</code> Action. <a
href="https://redirect.github.com/github/codeql-action/pull/2557">#2557</a></li>
<li>Update default CodeQL bundle version to 2.19.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2552">#2552</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.27.0/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.27.0 - 22 Oct 2024</h2>
<ul>
<li>Bump the minimum CodeQL bundle version to 2.14.6. <a
href="https://redirect.github.com/github/codeql-action/pull/2549">#2549</a></li>
<li>Fix an issue where the <code>upload-sarif</code> Action would fail
with &quot;upload-sarif post-action step failed: Input required and not
supplied: token&quot; when called in a composite Action that had a
different set of inputs to the ones expected by the
<code>upload-sarif</code> Action. <a
href="https://redirect.github.com/github/codeql-action/pull/2557">#2557</a></li>
<li>Update default CodeQL bundle version to 2.19.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2552">#2552</a></li>
</ul>
<h2>3.26.13 - 14 Oct 2024</h2>
<p>No user facing changes.</p>
<h2>3.26.12 - 07 Oct 2024</h2>
<ul>
<li>
<p><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.14.5 and earlier. These versions of
CodeQL were discontinued on 24 September 2024 alongside GitHub
Enterprise Server 3.10, and will be unsupported by CodeQL Action
versions 3.27.0 and later and versions 2.27.0 and later. <a
href="https://redirect.github.com/github/codeql-action/pull/2520">#2520</a></p>
<ul>
<li>
<p>If you are using one of these versions, please update to CodeQL CLI
version 2.14.6 or later. For instance, if you have specified a custom
version of the CLI using the 'tools' input to the 'init' Action, you can
remove this input to use the default version.</p>
</li>
<li>
<p>Alternatively, if you want to continue using a version of the CodeQL
CLI between 2.13.5 and 2.14.5, you can replace
<code>github/codeql-action/*@v3</code> by
<code>github/codeql-action/*@v3.26.11</code> and
<code>github/codeql-action/*@v2</code> by
<code>github/codeql-action/*@v2.26.11</code> in your code scanning
workflow to ensure you continue using this version of the CodeQL
Action.</p>
</li>
</ul>
</li>
</ul>
<h2>3.26.11 - 03 Oct 2024</h2>
<ul>
<li>
<p><em>Upcoming breaking change</em>: Add support for using
<code>actions/download-artifact@v4</code> to programmatically consume
CodeQL Action debug artifacts.</p>
<p>Starting November 30, 2024, GitHub.com customers will <a
href="https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/">no
longer be able to use <code>actions/download-artifact@v3</code></a>.
Therefore, to avoid breakage, customers who programmatically download
the CodeQL Action debug artifacts should set the
<code>CODEQL_ACTION_ARTIFACT_V4_UPGRADE</code> environment variable to
<code>true</code> and bump <code>actions/download-artifact@v3</code> to
<code>actions/download-artifact@v4</code> in their workflows. The CodeQL
Action will enable this behavior by default in early November and
workflows that have not yet bumped to
<code>actions/download-artifact@v3</code> to
<code>actions/download-artifact@v4</code> will begin failing then.</p>
<p>This change is currently unavailable for GitHub Enterprise Server
customers, as <code>actions/upload-artifact@v4</code> and
<code>actions/download-artifact@v4</code> are not yet compatible with
GHES.</p>
</li>
<li>
<p>Update default CodeQL bundle version to 2.19.1. <a
href="https://redirect.github.com/github/codeql-action/pull/2519">#2519</a></p>
</li>
</ul>
<h2>3.26.10 - 30 Sep 2024</h2>
<ul>
<li>We are rolling out a feature in September/October 2024 that sets up
CodeQL using a bundle compressed with <a
href="http://facebook.github.io/zstd/">Zstandard</a>. Our aim is to
improve the performance of setting up CodeQL. <a
href="https://redirect.github.com/github/codeql-action/pull/2502">#2502</a></li>
</ul>
<h2>3.26.9 - 24 Sep 2024</h2>
<p>No user facing changes.</p>
<h2>3.26.8 - 19 Sep 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.19.0. <a
href="https://redirect.github.com/github/codeql-action/pull/2483">#2483</a></li>
</ul>
<h2>3.26.7 - 13 Sep 2024</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/662472033e021d55d94146f66f6058822b0b39fd"><code>6624720</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2561">#2561</a>
from github/update-v3.27.0-b35b023d9</li>
<li><a
href="https://github.com/github/codeql-action/commit/ce7c2b560da6747133b72eb2f33503a6c4da9c15"><code>ce7c2b5</code></a>
Update changelog for v3.27.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/b35b023d9b1296658ca1bcb95dcd0336f9d23f0b"><code>b35b023</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2552">#2552</a>
from github/update-bundle/codeql-bundle-v2.19.2</li>
<li><a
href="https://github.com/github/codeql-action/commit/dafc762411c1755f00abee84283eaa85d438af2e"><code>dafc762</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2560">#2560</a>
from github/aeisenberg/fix-required-checks</li>
<li><a
href="https://github.com/github/codeql-action/commit/0d1eb88b60733b6720210d591c48ebc9e961d42c"><code>0d1eb88</code></a>
Remove ESLint from required checks</li>
<li><a
href="https://github.com/github/codeql-action/commit/0a30541440699f21b772e5ef95c912f097514855"><code>0a30541</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2558">#2558</a>
from github/dependabot/npm_and_yarn/npm-6515e6e328</li>
<li><a
href="https://github.com/github/codeql-action/commit/2a6a6ad1c809216132b8a6a8c1f5873fff3f400a"><code>2a6a6ad</code></a>
Update checked-in dependencies</li>
<li><a
href="https://github.com/github/codeql-action/commit/26c18c2c1f382ccd402aec5dd18d9ff6d0097891"><code>26c18c2</code></a>
Bump the npm group with 3 updates</li>
<li><a
href="https://github.com/github/codeql-action/commit/7080a68cbca9319f3cf869f12f34acea853ad72d"><code>7080a68</code></a>
Merge branch 'main' into update-bundle/codeql-bundle-v2.19.2</li>
<li><a
href="https://github.com/github/codeql-action/commit/63eb7bbf1f65c025536b3e7d083d89c1c161043c"><code>63eb7bb</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2551">#2551</a>
from github/cklin/diff-informed-queries-feature</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/c36620d31ac7c881962c3d9dd939c40ec9434f2b...662472033e021d55d94146f66f6058822b0b39fd">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3.26.12&new-version=3.27.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/platform.ossf-scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/platform.ossf-scorecard.yml b/.github/workflows/platform.ossf-scorecard.yml
index b6f8d9fa50..0c8d06eada 100644
--- a/.github/workflows/platform.ossf-scorecard.yml
+++ b/.github/workflows/platform.ossf-scorecard.yml
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           sarif_file: results.sarif

From dce9c981f9a4cf9b5bf60c93d528afa7739d93d3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 23 Oct 2024 16:20:03 +0100
Subject: [PATCH 04/13] fix: bump actions/upload-artifact from 4.4.2 to 4.4.3
 (#3502)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps
[actions/upload-artifact](https://github.com/actions/upload-artifact)
from 4.4.2 to 4.4.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v4.4.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Undo indirect dependency updates from <a
href="https://redirect.github.com/actions/upload-artifact/issues/627">#627</a>
by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a>
in <a
href="https://redirect.github.com/actions/upload-artifact/pull/632">actions/upload-artifact#632</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3">https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/upload-artifact/commit/b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882"><code>b4b15b8</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/632">#632</a>
from actions/joshmgross/undo-dependency-changes</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/92b01ebffaf2e2520c64ab2845d3f9bd5c06941a"><code>92b01eb</code></a>
Undo indirect dependency updates from <a
href="https://redirect.github.com/actions/upload-artifact/issues/627">#627</a></li>
<li>See full diff in <a
href="https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=4.4.2&new-version=4.4.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/platform.ossf-scorecard.yml            | 2 +-
 .github/workflows/platform.publish-module-index-json.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/platform.ossf-scorecard.yml b/.github/workflows/platform.ossf-scorecard.yml
index 0c8d06eada..f2b9ddba70 100644
--- a/.github/workflows/platform.ossf-scorecard.yml
+++ b/.github/workflows/platform.ossf-scorecard.yml
@@ -59,7 +59,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@84480863f228bb9747b473957fcc9e309aa96097 # v4.4.2
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF file
           path: results.sarif
diff --git a/.github/workflows/platform.publish-module-index-json.yml b/.github/workflows/platform.publish-module-index-json.yml
index 2d2d3eac69..cc3fc468b6 100644
--- a/.github/workflows/platform.publish-module-index-json.yml
+++ b/.github/workflows/platform.publish-module-index-json.yml
@@ -74,7 +74,7 @@ jobs:
           }
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4.4.2
+        uses: actions/upload-artifact@v4.4.3
         with:
           name: publish-module-index-json-artifacts
           path: |

From 9fc212e4aa465b40894fabe5654c88f33b2e0e8b Mon Sep 17 00:00:00 2001
From: Kris Baranek <20225789+krbar@users.noreply.github.com>
Date: Wed, 23 Oct 2024 17:36:42 +0200
Subject: [PATCH 05/13] feat: `avm/res/network/firewall-policy` add missing
 interfaces  (#3181)

## Description

Adding RBAC and locks support in `avm/res/network/firewall-policy`

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.network.firewall-policy](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.firewall-policy.yml/badge.svg?branch=users%2Fkrbar%2FfpRBAC)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.firewall-policy.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [x] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [x] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [ x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

---------

Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
 avm/res/network/firewall-policy/README.md     | 216 ++++++++++++++++++
 avm/res/network/firewall-policy/main.bicep    |  92 ++++++++
 avm/res/network/firewall-policy/main.json     | 170 +++++++++++++-
 .../rule-collection-group/main.json           |   4 +-
 .../tests/e2e/max/dependencies.bicep          |   3 +
 .../tests/e2e/max/main.test.bicep             |  26 +++
 avm/res/network/firewall-policy/version.json  |  10 +-
 7 files changed, 509 insertions(+), 12 deletions(-)

diff --git a/avm/res/network/firewall-policy/README.md b/avm/res/network/firewall-policy/README.md
index 067f1a3fe5..304e1f9755 100644
--- a/avm/res/network/firewall-policy/README.md
+++ b/avm/res/network/firewall-policy/README.md
@@ -14,6 +14,8 @@ This module deploys a Firewall Policy.
 
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
+| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Network/firewallPolicies` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/firewallPolicies) |
 | `Microsoft.Network/firewallPolicies/ruleCollectionGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/firewallPolicies/ruleCollectionGroups) |
 
@@ -112,12 +114,35 @@ module firewallPolicy 'br/public:avm/res/network/firewall-policy:<version>' = {
     allowSqlRedirect: true
     autoLearnPrivateRanges: 'Enabled'
     location: '<location>'
+    lock: {
+      kind: 'CanNotDelete'
+      name: 'myCustomLockName'
+    }
     managedIdentities: {
       userAssignedResourceIds: [
         '<managedIdentityResourceId>'
       ]
     }
     mode: 'Alert'
+    roleAssignments: [
+      {
+        name: 'c1c7fa14-5a90-4932-8781-fa91318b8858'
+        principalId: '<principalId>'
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: 'Owner'
+      }
+      {
+        name: '<name>'
+        principalId: '<principalId>'
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+      }
+      {
+        principalId: '<principalId>'
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: '<roleDefinitionIdOrName>'
+      }
+    ]
     ruleCollectionGroups: [
       {
         name: 'rule-001'
@@ -192,6 +217,12 @@ module firewallPolicy 'br/public:avm/res/network/firewall-policy:<version>' = {
     "location": {
       "value": "<location>"
     },
+    "lock": {
+      "value": {
+        "kind": "CanNotDelete",
+        "name": "myCustomLockName"
+      }
+    },
     "managedIdentities": {
       "value": {
         "userAssignedResourceIds": [
@@ -202,6 +233,27 @@ module firewallPolicy 'br/public:avm/res/network/firewall-policy:<version>' = {
     "mode": {
       "value": "Alert"
     },
+    "roleAssignments": {
+      "value": [
+        {
+          "name": "c1c7fa14-5a90-4932-8781-fa91318b8858",
+          "principalId": "<principalId>",
+          "principalType": "ServicePrincipal",
+          "roleDefinitionIdOrName": "Owner"
+        },
+        {
+          "name": "<name>",
+          "principalId": "<principalId>",
+          "principalType": "ServicePrincipal",
+          "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+        },
+        {
+          "principalId": "<principalId>",
+          "principalType": "ServicePrincipal",
+          "roleDefinitionIdOrName": "<roleDefinitionIdOrName>"
+        }
+      ]
+    },
     "ruleCollectionGroups": {
       "value": [
         {
@@ -272,12 +324,35 @@ param name = 'nfpmax001'
 param allowSqlRedirect = true
 param autoLearnPrivateRanges = 'Enabled'
 param location = '<location>'
+param lock = {
+  kind: 'CanNotDelete'
+  name: 'myCustomLockName'
+}
 param managedIdentities = {
   userAssignedResourceIds: [
     '<managedIdentityResourceId>'
   ]
 }
 param mode = 'Alert'
+param roleAssignments = [
+  {
+    name: 'c1c7fa14-5a90-4932-8781-fa91318b8858'
+    principalId: '<principalId>'
+    principalType: 'ServicePrincipal'
+    roleDefinitionIdOrName: 'Owner'
+  }
+  {
+    name: '<name>'
+    principalId: '<principalId>'
+    principalType: 'ServicePrincipal'
+    roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+  }
+  {
+    principalId: '<principalId>'
+    principalType: 'ServicePrincipal'
+    roleDefinitionIdOrName: '<roleDefinitionIdOrName>'
+  }
+]
 param ruleCollectionGroups = [
   {
     name: 'rule-001'
@@ -564,10 +639,12 @@ param threatIntelMode = 'Deny'
 | [`ipAddresses`](#parameter-ipaddresses) | array | List of IP addresses for the ThreatIntel Allowlist. |
 | [`keyVaultSecretId`](#parameter-keyvaultsecretid) | string | Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault. |
 | [`location`](#parameter-location) | string | Location for all resources. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
 | [`mode`](#parameter-mode) | string | The configuring of intrusion detection. |
 | [`privateRanges`](#parameter-privateranges) | array | List of private IP addresses/IP address ranges to not be SNAT. |
 | [`retentionDays`](#parameter-retentiondays) | int | Number of days the insights should be enabled on the policy. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`ruleCollectionGroups`](#parameter-rulecollectiongroups) | array | Rule collection groups. |
 | [`servers`](#parameter-servers) | array | List of Custom DNS Servers. |
 | [`signatureOverrides`](#parameter-signatureoverrides) | array | List of specific signatures states. |
@@ -687,6 +764,42 @@ Location for all resources.
 - Type: string
 - Default: `[resourceGroup().location]`
 
+### Parameter: `lock`
+
+The lock settings of the service.
+
+- Required: No
+- Type: object
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`kind`](#parameter-lockkind) | string | Specify the type of lock. |
+| [`name`](#parameter-lockname) | string | Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'CanNotDelete'
+    'None'
+    'ReadOnly'
+  ]
+  ```
+
+### Parameter: `lock.name`
+
+Specify the name of lock.
+
+- Required: No
+- Type: string
+
 ### Parameter: `managedIdentities`
 
 The managed identity definition for this resource.
@@ -739,6 +852,109 @@ Number of days the insights should be enabled on the policy.
 - Type: int
 - Default: `365`
 
+### Parameter: `roleAssignments`
+
+Array of role assignments to create.
+
+- Required: No
+- Type: array
+- Roles configurable by name:
+  - `'Contributor'`
+  - `'Owner'`
+  - `'Reader'`
+  - `'Role Based Access Control Administrator'`
+  - `'User Access Administrator'`
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. |
+| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container". |
+| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. |
+| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. |
+| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. |
+| [`name`](#parameter-roleassignmentsname) | string | The name (as GUID) of the role assignment. If not provided, a GUID will be generated. |
+| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. |
+
+### Parameter: `roleAssignments.principalId`
+
+The principal ID of the principal (user/group/identity) to assign the role to.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments.roleDefinitionIdOrName`
+
+The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `roleAssignments.condition`
+
+The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.conditionVersion`
+
+Version of the condition.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    '2.0'
+  ]
+  ```
+
+### Parameter: `roleAssignments.delegatedManagedIdentityResourceId`
+
+The Resource Id of the delegated managed identity resource.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.description`
+
+The description of the role assignment.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.name`
+
+The name (as GUID) of the role assignment. If not provided, a GUID will be generated.
+
+- Required: No
+- Type: string
+
+### Parameter: `roleAssignments.principalType`
+
+The principal type of the assigned principal ID.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Device'
+    'ForeignGroup'
+    'Group'
+    'ServicePrincipal'
+    'User'
+  ]
+  ```
+
 ### Parameter: `ruleCollectionGroups`
 
 Rule collection groups.
diff --git a/avm/res/network/firewall-policy/main.bicep b/avm/res/network/firewall-policy/main.bicep
index 1c19610753..3b531e2387 100644
--- a/avm/res/network/firewall-policy/main.bicep
+++ b/avm/res/network/firewall-policy/main.bicep
@@ -97,6 +97,12 @@ param enableTelemetry bool = true
 @description('Optional. Rule collection groups.')
 param ruleCollectionGroups array?
 
+@description('Optional. The lock settings of the service.')
+param lock lockType
+
+@description('Optional. Array of role assignments to create.')
+param roleAssignments roleAssignmentType
+
 var formattedUserAssignedIdentities = reduce(
   map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
   {},
@@ -110,6 +116,31 @@ var identity = !empty(managedIdentities)
     }
   : null
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
+  )
+  'User Access Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+  )
+}
+
+var formattedRoleAssignments = [
+  for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
+    roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains(
+        roleAssignment.roleDefinitionIdOrName,
+        '/providers/Microsoft.Authorization/roleDefinitions/'
+      )
+      ? roleAssignment.roleDefinitionIdOrName
+      : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName))
+  })
+]
+
 #disable-next-line no-deployments-resources
 resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
   name: '46d3xbcp.res.network-firewallpolicy.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
@@ -212,6 +243,33 @@ module firewallPolicy_ruleCollectionGroups 'rule-collection-group/main.bicep' =
   }
 ]
 
+resource firewallPolicy_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for (roleAssignment, index) in (formattedRoleAssignments ?? []): {
+    name: roleAssignment.?name ?? guid(firewallPolicy.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
+    properties: {
+      roleDefinitionId: roleAssignment.roleDefinitionId
+      principalId: roleAssignment.principalId
+      description: roleAssignment.?description
+      principalType: roleAssignment.?principalType
+      condition: roleAssignment.?condition
+      conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+      delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
+    }
+    scope: firewallPolicy
+  }
+]
+
+resource firewallPolicy_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
+  properties: {
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete'
+      ? 'Cannot delete resource or child resources.'
+      : 'Cannot delete or modify the resource or child resources.'
+  }
+  scope: firewallPolicy
+}
+
 @description('The name of the deployed firewall policy.')
 output name string = firewallPolicy.name
 
@@ -232,3 +290,37 @@ type managedIdentitiesType = {
   @description('Optional. The resource ID(s) to assign to the resource.')
   userAssignedResourceIds: string[]
 }?
+
+type roleAssignmentType = {
+  @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
+  name: string?
+
+  @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+  roleDefinitionIdOrName: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+
+  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
+  condition: string?
+
+  @description('Optional. Version of the condition.')
+  conditionVersion: '2.0'?
+
+  @description('Optional. The Resource Id of the delegated managed identity resource.')
+  delegatedManagedIdentityResourceId: string?
+}[]?
+
+type lockType = {
+  @description('Optional. Specify the name of lock.')
+  name: string?
+
+  @description('Optional. Specify the type of lock.')
+  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/avm/res/network/firewall-policy/main.json b/avm/res/network/firewall-policy/main.json
index c480fd3ed6..299b7947a5 100644
--- a/avm/res/network/firewall-policy/main.json
+++ b/avm/res/network/firewall-policy/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "8226719913431972406"
+      "version": "0.30.23.60470",
+      "templateHash": "15412546608723758936"
     },
     "name": "Firewall Policies",
     "description": "This module deploys a Firewall Policy.",
@@ -27,6 +27,104 @@
         }
       },
       "nullable": true
+    },
+    "roleAssignmentType": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+            }
+          },
+          "roleDefinitionIdOrName": {
+            "type": "string",
+            "metadata": {
+              "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+            }
+          },
+          "principalId": {
+            "type": "string",
+            "metadata": {
+              "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+            }
+          },
+          "principalType": {
+            "type": "string",
+            "allowedValues": [
+              "Device",
+              "ForeignGroup",
+              "Group",
+              "ServicePrincipal",
+              "User"
+            ],
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The principal type of the assigned principal ID."
+            }
+          },
+          "description": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The description of the role assignment."
+            }
+          },
+          "condition": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+            }
+          },
+          "conditionVersion": {
+            "type": "string",
+            "allowedValues": [
+              "2.0"
+            ],
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. Version of the condition."
+            }
+          },
+          "delegatedManagedIdentityResourceId": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The Resource Id of the delegated managed identity resource."
+            }
+          }
+        }
+      },
+      "nullable": true
+    },
+    "lockType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the name of lock."
+          }
+        },
+        "kind": {
+          "type": "string",
+          "allowedValues": [
+            "CanNotDelete",
+            "None",
+            "ReadOnly"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the type of lock."
+          }
+        }
+      },
+      "nullable": true
     }
   },
   "parameters": {
@@ -221,11 +319,37 @@
       "metadata": {
         "description": "Optional. Rule collection groups."
       }
+    },
+    "lock": {
+      "$ref": "#/definitions/lockType",
+      "metadata": {
+        "description": "Optional. The lock settings of the service."
+      }
+    },
+    "roleAssignments": {
+      "$ref": "#/definitions/roleAssignmentType",
+      "metadata": {
+        "description": "Optional. Array of role assignments to create."
+      }
     }
   },
   "variables": {
+    "copy": [
+      {
+        "name": "formattedRoleAssignments",
+        "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]",
+        "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]"
+      }
+    ],
     "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
-    "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', 'UserAssigned', 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]"
+    "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', 'UserAssigned', 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
+    "builtInRoleNames": {
+      "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
+      "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
+      "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+      "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
+      "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]"
+    }
   },
   "resources": {
     "avmTelemetry": {
@@ -275,6 +399,42 @@
         "transportSecurity": "[if(or(not(empty(coalesce(parameters('keyVaultSecretId'), createArray()))), not(empty(coalesce(parameters('certificateName'), '')))), createObject('certificateAuthority', createObject('keyVaultSecretId', parameters('keyVaultSecretId'), 'name', parameters('certificateName'))), null())]"
       }
     },
+    "firewallPolicy_roleAssignments": {
+      "copy": {
+        "name": "firewallPolicy_roleAssignments",
+        "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]"
+      },
+      "type": "Microsoft.Authorization/roleAssignments",
+      "apiVersion": "2022-04-01",
+      "scope": "[format('Microsoft.Network/firewallPolicies/{0}', parameters('name'))]",
+      "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/firewallPolicies', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]",
+      "properties": {
+        "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]",
+        "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]",
+        "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]",
+        "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]",
+        "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]",
+        "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]",
+        "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]"
+      },
+      "dependsOn": [
+        "firewallPolicy"
+      ]
+    },
+    "firewallPolicy_lock": {
+      "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
+      "type": "Microsoft.Authorization/locks",
+      "apiVersion": "2020-05-01",
+      "scope": "[format('Microsoft.Network/firewallPolicies/{0}', parameters('name'))]",
+      "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
+      "properties": {
+        "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+        "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
+      },
+      "dependsOn": [
+        "firewallPolicy"
+      ]
+    },
     "firewallPolicy_ruleCollectionGroups": {
       "copy": {
         "name": "firewallPolicy_ruleCollectionGroups",
@@ -311,8 +471,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.28.1.47646",
-              "templateHash": "3312659149635915423"
+              "version": "0.30.23.60470",
+              "templateHash": "4286918441341976962"
             },
             "name": "Firewall Policy Rule Collection Groups",
             "description": "This module deploys a Firewall Policy Rule Collection Group.",
diff --git a/avm/res/network/firewall-policy/rule-collection-group/main.json b/avm/res/network/firewall-policy/rule-collection-group/main.json
index 8fd8a36653..c3276a62ed 100644
--- a/avm/res/network/firewall-policy/rule-collection-group/main.json
+++ b/avm/res/network/firewall-policy/rule-collection-group/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "15656278354863511578"
+      "version": "0.30.23.60470",
+      "templateHash": "4286918441341976962"
     },
     "name": "Firewall Policy Rule Collection Groups",
     "description": "This module deploys a Firewall Policy Rule Collection Group.",
diff --git a/avm/res/network/firewall-policy/tests/e2e/max/dependencies.bicep b/avm/res/network/firewall-policy/tests/e2e/max/dependencies.bicep
index 4fa0028b8a..544accb4a5 100644
--- a/avm/res/network/firewall-policy/tests/e2e/max/dependencies.bicep
+++ b/avm/res/network/firewall-policy/tests/e2e/max/dependencies.bicep
@@ -11,3 +11,6 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-
 
 @description('The resource ID of the created Managed Identity.')
 output managedIdentityResourceId string = managedIdentity.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/res/network/firewall-policy/tests/e2e/max/main.test.bicep b/avm/res/network/firewall-policy/tests/e2e/max/main.test.bicep
index b713f73fbf..d84b91d977 100644
--- a/avm/res/network/firewall-policy/tests/e2e/max/main.test.bicep
+++ b/avm/res/network/firewall-policy/tests/e2e/max/main.test.bicep
@@ -97,6 +97,32 @@ module testDeployment '../../../main.bicep' = [
           nestedDependencies.outputs.managedIdentityResourceId
         ]
       }
+      lock: {
+        kind: 'CanNotDelete'
+        name: 'myCustomLockName'
+      }
+      roleAssignments: [
+        {
+          name: 'c1c7fa14-5a90-4932-8781-fa91318b8858'
+          roleDefinitionIdOrName: 'Owner'
+          principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+          principalType: 'ServicePrincipal'
+        }
+        {
+          name: guid('Custom seed ${namePrefix}${serviceShort}')
+          roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+          principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+          principalType: 'ServicePrincipal'
+        }
+        {
+          roleDefinitionIdOrName: subscriptionResourceId(
+            'Microsoft.Authorization/roleDefinitions',
+            'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+          )
+          principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+          principalType: 'ServicePrincipal'
+        }
+      ]
       tags: {
         'hidden-title': 'This is visible in the resource name'
         Environment: 'Non-Prod'
diff --git a/avm/res/network/firewall-policy/version.json b/avm/res/network/firewall-policy/version.json
index 83083db694..729ac87673 100644
--- a/avm/res/network/firewall-policy/version.json
+++ b/avm/res/network/firewall-policy/version.json
@@ -1,7 +1,7 @@
 {
-    "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-    "version": "0.1",
-    "pathFilters": [
-        "./main.json"
-    ]
+  "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+  "version": "0.2",
+  "pathFilters": [
+    "./main.json"
+  ]
 }
\ No newline at end of file

From a0c516bd1d7b34f4a09278df077a25f15a89a2c6 Mon Sep 17 00:00:00 2001
From: Erika Gressi <56914614+eriqua@users.noreply.github.com>
Date: Thu, 24 Oct 2024 12:36:43 +0200
Subject: [PATCH 06/13] ci: Update removal order for
 dev-ops-infrastructure/pool (#3623)

## Description

It's not possible to delete the pool if Network contributor
roleassignment gets removed first
Ref
https://github.com/Azure/bicep-registry-modules/actions/runs/11465550950/job/31913855578
The only option to remove manually was to reassign the network
contributor to the devopspool app and then remove the pool

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.dev-ops-infrastructure.pool](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.dev-ops-infrastructure.pool.yml/badge.svg?branch=ado-removal-order)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.dev-ops-infrastructure.pool.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [ ] I'm sure there are no other open Pull Requests for the same
update/change
- [ ] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [ ] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
---
 .../resourceRemoval/Initialize-DeploymentRemoval.ps1            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avm/utilities/pipelines/e2eValidation/resourceRemoval/Initialize-DeploymentRemoval.ps1 b/avm/utilities/pipelines/e2eValidation/resourceRemoval/Initialize-DeploymentRemoval.ps1
index a4a98b8e2d..0b1f425880 100644
--- a/avm/utilities/pipelines/e2eValidation/resourceRemoval/Initialize-DeploymentRemoval.ps1
+++ b/avm/utilities/pipelines/e2eValidation/resourceRemoval/Initialize-DeploymentRemoval.ps1
@@ -73,6 +73,7 @@ function Initialize-DeploymentRemoval {
         $RemoveFirstSequence = @(
             'Microsoft.Authorization/locks',
             'Microsoft.VirtualMachineImages/imageTemplates', # Must be removed before their MSI & should be removed before its entities permissions are removed
+            'Microsoft.DevOpsInfrastructure/pools' # Must be removed before vnet role assignments and other resources it depends on like a virtual network
             'Microsoft.Authorization/roleAssignments',
             'Microsoft.Insights/diagnosticSettings',
             'Microsoft.Network/privateEndpoints/privateDnsZoneGroups',
@@ -94,7 +95,6 @@ function Initialize-DeploymentRemoval {
             'Microsoft.ContainerInstance/containerGroups' # Must be removed before their MSI
             'Microsoft.ManagedIdentity/userAssignedIdentities',
             'Microsoft.Databricks/workspaces'
-            'Microsoft.DevOpsInfrastructure/pools' # Must be removed before other resources it depends on like a virtual network
             'Microsoft.Resources/resourceGroups'
         )
 

From 16c96cce92784cfb0f627ec8eadb97b58cfc26c7 Mon Sep 17 00:00:00 2001
From: Alexander Sehr <ASehr@hotmail.de>
Date: Thu, 24 Oct 2024 21:52:32 +0200
Subject: [PATCH 07/13] fix: Common Types - Added missing `export()` annotation
 (#3627)

## Description

- Added missing `export()` annotation

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.utl.types.avm-common-types](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.utl.types.avm-common-types.yml/badge.svg?branch=users%2Falsehr%2FsecretExportFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.utl.types.avm-common-types.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation
---
 avm/utl/types/avm-common-types/README.md      |  6 +--
 avm/utl/types/avm-common-types/main.bicep     | 25 +++++-----
 avm/utl/types/avm-common-types/main.json      | 48 ++++++++++---------
 .../tests/e2e/import/main.test.bicep          |  6 +--
 avm/utl/types/avm-common-types/version.json   |  2 +-
 5 files changed, 46 insertions(+), 41 deletions(-)

diff --git a/avm/utl/types/avm-common-types/README.md b/avm/utl/types/avm-common-types/README.md
index 97107533ab..26bc5bfc2b 100644
--- a/avm/utl/types/avm-common-types/README.md
+++ b/avm/utl/types/avm-common-types/README.md
@@ -65,7 +65,7 @@ import {
   privateEndpointMultiServiceType
   privateEndpointSingleServiceType
   secretToSetType
-  secretSetType
+  secretSetOutputType
 } from '../../../main.bicep' // Would be: br/public:avm/utl/types/avm-common-types:<version>
 
 //  ====================== //
@@ -309,14 +309,14 @@ param secretToSet secretToSetType[] = [
 #disable-next-line outputs-should-not-contain-secrets // Does not contain a secret
 output secretToSetOutput secretToSetType[] = secretToSet
 
-param secretSet secretSetType[] = [
+param secretSet secretSetOutputType[] = [
   {
     secretResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg/providers/Microsoft.KeyVault/vaults/myVault/secrets/mySecret'
     secretUri: 'https://myVault.${az.environment().suffixes.keyvaultDns}/secrets/mySecret'
     secretUriWithVersion: 'https://myVault.${az.environment().suffixes.keyvaultDns}/secrets/mySecret/2f4783701d724537a4e0c2d473c31846'
   }
 ]
-output secretSetOutput secretSetType[] = secretSet
+output secretSetOutput secretSetOutputType[] = secretSet
 ```
 
 </details>
diff --git a/avm/utl/types/avm-common-types/main.bicep b/avm/utl/types/avm-common-types/main.bicep
index 03d63d0611..01f8e79c97 100644
--- a/avm/utl/types/avm-common-types/main.bicep
+++ b/avm/utl/types/avm-common-types/main.bicep
@@ -380,10 +380,20 @@ type customerManagedKeyType = {
 // ================== //
 //   Secrets Export   //
 // ================== //
+@export()
+@description('An AVM-aligned type for the secret to set via the secrets export feature.')
+type secretToSetType = {
+  @description('Required. The name of the secret to set.')
+  name: string
+
+  @description('Required. The value of the secret to set.')
+  @secure()
+  value: string
+}
 
 @export()
 @description('An AVM-aligned type for the output of the secret set via the secrets export feature.')
-type secretSetType = {
+type secretSetOutputType = {
   @description('The resourceId of the exported secret.')
   secretResourceId: string
 
@@ -395,17 +405,8 @@ type secretSetType = {
 }
 
 @export()
-@description('An AVM-aligned type for the secret to set via the secrets export feature.')
-type secretToSetType = {
-  @description('Required. The name of the secret to set.')
-  name: string
-
-  @description('Required. The value of the secret to set.')
-  @secure()
-  value: string
-}
-
+@description('A map of the exported secrets')
 type secretsOutputType = {
   @description('An exported secret\'s references.')
-  *: secretSetType
+  *: secretSetOutputType
 }
diff --git a/avm/utl/types/avm-common-types/main.json b/avm/utl/types/avm-common-types/main.json
index d941a20021..34218bb4a6 100644
--- a/avm/utl/types/avm-common-types/main.json
+++ b/avm/utl/types/avm-common-types/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "3702359687684026662"
+      "templateHash": "16862752319174543465"
     },
     "name": "Default interface types for AVM modules",
     "description": "This module provides you with all common variants for AVM interfaces to be used in AVM modules.\n\nDetails for how to implement these interfaces can be found in the AVM documentation [here](https://azure.github.io/Azure-Verified-Modules/specs/shared/interfaces).\n",
@@ -885,62 +885,66 @@
         "description": "An AVM-aligned type for a customer-managed key."
       }
     },
-    "secretSetType": {
+    "secretToSetType": {
       "type": "object",
       "properties": {
-        "secretResourceId": {
-          "type": "string",
-          "metadata": {
-            "description": "The resourceId of the exported secret."
-          }
-        },
-        "secretUri": {
+        "name": {
           "type": "string",
           "metadata": {
-            "description": "The secret URI of the exported secret."
+            "description": "Required. The name of the secret to set."
           }
         },
-        "secretUriWithVersion": {
-          "type": "string",
+        "value": {
+          "type": "securestring",
           "metadata": {
-            "description": "The secret URI with version of the exported secret."
+            "description": "Required. The value of the secret to set."
           }
         }
       },
       "metadata": {
         "__bicep_export!": true,
-        "description": "An AVM-aligned type for the output of the secret set via the secrets export feature."
+        "description": "An AVM-aligned type for the secret to set via the secrets export feature."
       }
     },
-    "secretToSetType": {
+    "secretSetOutputType": {
       "type": "object",
       "properties": {
-        "name": {
+        "secretResourceId": {
           "type": "string",
           "metadata": {
-            "description": "Required. The name of the secret to set."
+            "description": "The resourceId of the exported secret."
           }
         },
-        "value": {
-          "type": "securestring",
+        "secretUri": {
+          "type": "string",
           "metadata": {
-            "description": "Required. The value of the secret to set."
+            "description": "The secret URI of the exported secret."
+          }
+        },
+        "secretUriWithVersion": {
+          "type": "string",
+          "metadata": {
+            "description": "The secret URI with version of the exported secret."
           }
         }
       },
       "metadata": {
         "__bicep_export!": true,
-        "description": "An AVM-aligned type for the secret to set via the secrets export feature."
+        "description": "An AVM-aligned type for the output of the secret set via the secrets export feature."
       }
     },
     "secretsOutputType": {
       "type": "object",
       "properties": {},
       "additionalProperties": {
-        "$ref": "#/definitions/secretSetType",
+        "$ref": "#/definitions/secretSetOutputType",
         "metadata": {
           "description": "An exported secret's references."
         }
+      },
+      "metadata": {
+        "__bicep_export!": true,
+        "description": "A map of the exported secrets"
       }
     }
   },
diff --git a/avm/utl/types/avm-common-types/tests/e2e/import/main.test.bicep b/avm/utl/types/avm-common-types/tests/e2e/import/main.test.bicep
index 1a087297a0..dd580dec93 100644
--- a/avm/utl/types/avm-common-types/tests/e2e/import/main.test.bicep
+++ b/avm/utl/types/avm-common-types/tests/e2e/import/main.test.bicep
@@ -24,7 +24,7 @@ import {
   privateEndpointMultiServiceType
   privateEndpointSingleServiceType
   secretToSetType
-  secretSetType
+  secretSetOutputType
 } from '../../../main.bicep' // Would be: br/public:avm/utl/types/avm-common-types:<version>
 
 //  ====================== //
@@ -268,11 +268,11 @@ param secretToSet secretToSetType[] = [
 #disable-next-line outputs-should-not-contain-secrets // Does not contain a secret
 output secretToSetOutput secretToSetType[] = secretToSet
 
-param secretSet secretSetType[] = [
+param secretSet secretSetOutputType[] = [
   {
     secretResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRg/providers/Microsoft.KeyVault/vaults/myVault/secrets/mySecret'
     secretUri: 'https://myVault.${az.environment().suffixes.keyvaultDns}/secrets/mySecret'
     secretUriWithVersion: 'https://myVault.${az.environment().suffixes.keyvaultDns}/secrets/mySecret/2f4783701d724537a4e0c2d473c31846'
   }
 ]
-output secretSetOutput secretSetType[] = secretSet
+output secretSetOutput secretSetOutputType[] = secretSet
diff --git a/avm/utl/types/avm-common-types/version.json b/avm/utl/types/avm-common-types/version.json
index 83083db694..1c035df49f 100644
--- a/avm/utl/types/avm-common-types/version.json
+++ b/avm/utl/types/avm-common-types/version.json
@@ -1,6 +1,6 @@
 {
     "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-    "version": "0.1",
+    "version": "0.2",
     "pathFilters": [
         "./main.json"
     ]

From dff75dccd17a34f1621168600cddfc386ca2682f Mon Sep 17 00:00:00 2001
From: Alexander Sehr <ASehr@hotmail.de>
Date: Fri, 25 Oct 2024 01:44:34 +0200
Subject: [PATCH 08/13] fix: Fixed metadata fix & values across modules (#3615)

## Description

- Common-Types: Fixed incorrect parameter description: The FQDN
parameter is optional, yet the description said it was required.
- Diverse: Fixed metadata descriptions
- Fixed static test validating parameter descriptions
- It checked for a line that looke like ('Required. even though the
value of the $description variable at the time only has the
description's value, that is Required.
- Added test that tests the reverse, that is, that a parameter's
description starts with Required. in its title if it is required

> Linked to https://github.com/Azure/Azure-Verified-Modules/pull/1591

## Pipeline Reference


| Pipeline |
| -------- |

[![avm.ptn.ai-platform.baseline](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.ai-platform.baseline.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.ai-platform.baseline.yml)

[![avm.ptn.lz.sub-vending](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml)

[![avm.ptn.virtual-machine-images.azure-image-builder](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.virtual-machine-images.azure-image-builder.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.virtual-machine-images.azure-image-builder.yml)

[![avm.res.app-configuration.configuration-store](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.app-configuration.configuration-store.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.app-configuration.configuration-store.yml)

[![avm.res.app.job](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.app.job.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.app.job.yml)

[![avm.res.batch.batch-account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.batch.batch-account.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.batch.batch-account.yml)

[![avm.res.cache.redis](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.cache.redis.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.cache.redis.yml)

[![avm.res.cdn.profile](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.cdn.profile.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.cdn.profile.yml)

[![avm.res.cognitive-services.account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.cognitive-services.account.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.cognitive-services.account.yml)

[![avm.res.consumption.budget](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.consumption.budget.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.consumption.budget.yml)

[![avm.res.container-registry.registry](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.container-registry.registry.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.container-registry.registry.yml)

[![avm.res.container-service.managed-cluster](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml)

[![avm.res.data-factory.factory](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.data-factory.factory.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.data-factory.factory.yml)

[![avm.res.databricks.workspace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.databricks.workspace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.databricks.workspace.yml)

[![avm.res.desktop-virtualization.host-pool](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.desktop-virtualization.host-pool.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.desktop-virtualization.host-pool.yml)

[![avm.res.desktop-virtualization.workspace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.desktop-virtualization.workspace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.desktop-virtualization.workspace.yml)

[![avm.res.digital-twins.digital-twins-instance](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.digital-twins.digital-twins-instance.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.digital-twins.digital-twins-instance.yml)

[![avm.res.document-db.database-account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.document-db.database-account.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.document-db.database-account.yml)

[![avm.res.document-db.mongo-cluster](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.document-db.mongo-cluster.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.document-db.mongo-cluster.yml)

[![avm.res.event-grid.domain](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-grid.domain.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-grid.domain.yml)

[![avm.res.event-grid.namespace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-grid.namespace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-grid.namespace.yml)

[![avm.res.event-grid.topic](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-grid.topic.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-grid.topic.yml)

[![avm.res.event-hub.namespace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-hub.namespace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.event-hub.namespace.yml)

[![avm.res.healthcare-apis.workspace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.healthcare-apis.workspace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.healthcare-apis.workspace.yml)

[![avm.res.insights.private-link-scope](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.insights.private-link-scope.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.insights.private-link-scope.yml)

[![avm.res.key-vault.vault](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.key-vault.vault.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.key-vault.vault.yml)

[![avm.res.kusto.cluster](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.kusto.cluster.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.kusto.cluster.yml)

[![avm.res.machine-learning-services.workspace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.machine-learning-services.workspace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.machine-learning-services.workspace.yml)

[![avm.res.net-app.net-app-account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.net-app.net-app-account.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.net-app.net-app-account.yml)

[![avm.res.network.application-gateway](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway.yml)

[![avm.res.network.private-endpoint](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.private-endpoint.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.private-endpoint.yml)

[![avm.res.operational-insights.workspace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.operational-insights.workspace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.operational-insights.workspace.yml)

[![avm.res.purview.account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.purview.account.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.purview.account.yml)

[![avm.res.recovery-services.vault](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.recovery-services.vault.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.recovery-services.vault.yml)

[![avm.res.relay.namespace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.relay.namespace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.relay.namespace.yml)

[![avm.res.search.search-service](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.search.search-service.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.search.search-service.yml)

[![avm.res.service-bus.namespace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.service-bus.namespace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.service-bus.namespace.yml)

[![avm.res.signal-r-service.signal-r](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.signal-r-service.signal-r.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.signal-r-service.signal-r.yml)

[![avm.res.signal-r-service.web-pub-sub](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.signal-r-service.web-pub-sub.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.signal-r-service.web-pub-sub.yml)

[![avm.res.sql.server](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.sql.server.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.sql.server.yml)

[![avm.res.storage.storage-account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml)

[![avm.res.synapse.private-link-hub](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.synapse.private-link-hub.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.synapse.private-link-hub.yml)

[![avm.res.synapse.workspace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.synapse.workspace.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.synapse.workspace.yml)

[![avm.res.web.site](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.web.site.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.web.site.yml)

[![avm.res.web.static-site](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.web.static-site.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.web.static-site.yml)

[![avm.utl.types.avm-common-types](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.utl.types.avm-common-types.yml/badge.svg?branch=users%2Falsehr%2FmetaDataFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.utl.types.avm-common-types.yml)

## Type of Change

- [x] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

---------

Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
 avm/ptn/ai-platform/baseline/main.bicep       |   2 +-
 avm/ptn/ai-platform/baseline/main.json        |   4 +-
 avm/ptn/lz/sub-vending/README.md              |  21 +-
 avm/ptn/lz/sub-vending/main.json              |   8 +-
 .../modules/subResourceWrapper.bicep          |   2 +-
 .../azure-image-builder/README.md             |   5 +
 .../azure-image-builder/main.bicep            |   4 +-
 .../azure-image-builder/main.json             |   6 +-
 .../configuration-store/README.md             |  17 +-
 .../configuration-store/main.bicep            |   2 +-
 .../configuration-store/main.json             |  18 +-
 .../configuration-store/replicas/README.md    |  14 +-
 .../configuration-store/replicas/main.bicep   |   4 +-
 .../configuration-store/replicas/main.json    |   8 +-
 avm/res/app/job/README.md                     | 272 +++++-----
 avm/res/app/job/main.bicep                    |  20 +-
 avm/res/app/job/main.json                     |  24 +-
 avm/res/batch/batch-account/README.md         |  17 +-
 avm/res/batch/batch-account/main.bicep        |   2 +-
 avm/res/batch/batch-account/main.json         |   6 +-
 avm/res/cache/redis/README.md                 |  17 +-
 avm/res/cache/redis/main.bicep                |   2 +-
 avm/res/cache/redis/main.json                 |  12 +-
 avm/res/cdn/profile/main.json                 |   6 +-
 avm/res/cdn/profile/secret/README.md          |  36 +-
 avm/res/cdn/profile/secret/main.bicep         |   2 +-
 avm/res/cdn/profile/secret/main.json          |   4 +-
 avm/res/cognitive-services/account/README.md  |  17 +-
 avm/res/cognitive-services/account/main.bicep |   2 +-
 avm/res/cognitive-services/account/main.json  |   4 +-
 avm/res/consumption/budget/README.md          |  66 +--
 avm/res/consumption/budget/main.bicep         |   4 +-
 avm/res/consumption/budget/main.json          |   8 +-
 avm/res/container-registry/registry/README.md |  17 +-
 .../container-registry/registry/main.bicep    |   2 +-
 avm/res/container-registry/registry/main.json |  26 +-
 .../managed-cluster/README.md                 |  37 +-
 .../managed-cluster/main.bicep                |   6 +-
 .../managed-cluster/main.json                 |   8 +-
 avm/res/data-factory/factory/README.md        |  17 +-
 avm/res/data-factory/factory/main.bicep       |   2 +-
 avm/res/data-factory/factory/main.json        |   4 +-
 avm/res/databricks/workspace/README.md        |  34 +-
 avm/res/databricks/workspace/main.bicep       |   2 +-
 avm/res/databricks/workspace/main.json        |   4 +-
 .../host-pool/README.md                       |  17 +-
 .../host-pool/main.bicep                      |   2 +-
 .../host-pool/main.json                       |   6 +-
 .../workspace/README.md                       |  17 +-
 .../workspace/main.bicep                      |   2 +-
 .../workspace/main.json                       |   6 +-
 .../digital-twins-instance/README.md          |  17 +-
 .../digital-twins-instance/main.bicep         |   2 +-
 .../digital-twins-instance/main.json          |  18 +-
 .../document-db/database-account/README.md    |  72 +--
 .../gremlin-database/graph/main.json          |   4 +-
 .../gremlin-database/main.json                |   8 +-
 .../document-db/database-account/main.bicep   |   8 +-
 .../document-db/database-account/main.json    |  16 +-
 .../mongodb-database/collection/main.json     |   4 +-
 .../mongodb-database/main.json                |   8 +-
 .../sql-database/container/main.json          |   4 +-
 .../database-account/sql-database/main.json   |   8 +-
 .../database-account/sql-role/main.json       |  14 +-
 .../sql-role/sql-role-assignments/README.md   |  23 +-
 .../sql-role/sql-role-assignments/main.bicep  |   2 +-
 .../sql-role/sql-role-assignments/main.json   |   6 +-
 .../sql-role/sql-role-definitions/main.json   |   4 +-
 avm/res/document-db/mongo-cluster/README.md   |  17 +-
 avm/res/document-db/mongo-cluster/main.bicep  |   2 +-
 avm/res/document-db/mongo-cluster/main.json   |  14 +-
 avm/res/event-grid/domain/README.md           |  17 +-
 avm/res/event-grid/domain/main.bicep          |   2 +-
 avm/res/event-grid/domain/main.json           |  10 +-
 avm/res/event-grid/namespace/README.md        |  17 +-
 avm/res/event-grid/namespace/main.bicep       |   2 +-
 avm/res/event-grid/namespace/main.json        |  34 +-
 avm/res/event-grid/topic/README.md            |  17 +-
 avm/res/event-grid/topic/main.bicep           |   2 +-
 avm/res/event-grid/topic/main.json            |  10 +-
 avm/res/event-hub/namespace/README.md         |  17 +-
 avm/res/event-hub/namespace/main.bicep        |   2 +-
 avm/res/event-hub/namespace/main.json         |  30 +-
 .../workspace/dicomservice/README.md          |  16 +-
 .../workspace/dicomservice/main.bicep         |   2 +-
 .../workspace/dicomservice/main.json          |   6 +-
 .../workspace/fhirservice/main.json           |   4 +-
 .../workspace/iotconnector/README.md          |  30 +-
 .../iotconnector/fhirdestination/README.md    |  30 +-
 .../iotconnector/fhirdestination/main.bicep   |   2 +-
 .../iotconnector/fhirdestination/main.json    |   6 +-
 .../workspace/iotconnector/main.bicep         |   2 +-
 .../workspace/iotconnector/main.json          |  12 +-
 avm/res/healthcare-apis/workspace/main.json   |  26 +-
 avm/res/insights/private-link-scope/README.md |  17 +-
 .../insights/private-link-scope/main.bicep    |   2 +-
 avm/res/insights/private-link-scope/main.json |  10 +-
 avm/res/key-vault/vault/README.md             |  17 +-
 avm/res/key-vault/vault/main.bicep            |   2 +-
 avm/res/key-vault/vault/main.json             |   4 +-
 avm/res/kusto/cluster/README.md               |  21 +-
 avm/res/kusto/cluster/main.bicep              |   6 +-
 avm/res/kusto/cluster/main.json               |  13 +-
 .../workspace/README.md                       |  17 +-
 .../workspace/main.bicep                      |   2 +-
 .../workspace/main.json                       |   4 +-
 avm/res/net-app/net-app-account/README.md     |   2 +-
 .../net-app-account/backup-policies/README.md |  56 +--
 .../backup-policies/main.bicep                |  10 +-
 .../net-app-account/backup-policies/main.json |  14 +-
 .../net-app-account/capacity-pool/README.md   |   9 -
 .../net-app-account/capacity-pool/main.bicep  |   4 -
 .../net-app-account/capacity-pool/main.json   | 154 +++---
 .../capacity-pool/volume/README.md            | 470 +++++++++---------
 .../capacity-pool/volume/main.bicep           |  79 ++-
 .../capacity-pool/volume/main.json            | 140 +++---
 avm/res/net-app/net-app-account/main.bicep    |   4 +-
 avm/res/net-app/net-app-account/main.json     | 159 +++---
 .../snapshot-policies/README.md               |  63 +--
 .../snapshot-policies/main.bicep              |  36 +-
 .../snapshot-policies/main.json               |  40 +-
 avm/res/network/application-gateway/README.md |  19 +-
 .../network/application-gateway/main.bicep    |   4 +-
 avm/res/network/application-gateway/main.json |   7 +-
 avm/res/network/private-endpoint/README.md    |  19 +-
 avm/res/network/private-endpoint/main.bicep   |   6 +-
 avm/res/network/private-endpoint/main.json    |  12 +-
 .../workspace/data-export/main.json           |   4 +-
 .../workspace/data-source/README.md           |  44 +-
 .../workspace/data-source/main.bicep          |   2 +-
 .../workspace/data-source/main.json           |   6 +-
 .../workspace/linked-service/README.md        |  16 +-
 .../workspace/linked-service/main.bicep       |   2 +-
 .../workspace/linked-service/main.json        |   6 +-
 .../linked-storage-account/main.json          |   4 +-
 .../operational-insights/workspace/main.json  |  36 +-
 .../workspace/saved-search/main.json          |   4 +-
 .../storage-insight-config/main.json          |   4 +-
 .../workspace/table/main.json                 |   4 +-
 avm/res/purview/account/README.md             | 142 ++++--
 avm/res/purview/account/main.bicep            |  70 ++-
 avm/res/purview/account/main.json             | 115 +++--
 avm/res/recovery-services/vault/README.md     |  17 +-
 .../vault/backup-config/main.json             |   4 +-
 .../protection-container/main.json            |   8 +-
 .../protected-item/main.json                  |   4 +-
 .../vault/backup-policy/main.json             |   4 +-
 .../vault/backup-storage-config/main.json     |   4 +-
 avm/res/recovery-services/vault/main.bicep    |   2 +-
 avm/res/recovery-services/vault/main.json     |  76 +--
 .../vault/replication-alert-setting/main.json |   4 +-
 .../vault/replication-fabric/README.md        |  21 +-
 .../vault/replication-fabric/main.bicep       |   6 +-
 .../vault/replication-fabric/main.json        |  42 +-
 .../main.bicep                                |  16 +-
 .../main.json                                 |  32 +-
 .../main.json                                 |   4 +-
 .../vault/replication-policy/main.json        |   4 +-
 avm/res/relay/namespace/README.md             |  17 +-
 avm/res/relay/namespace/main.bicep            |   2 +-
 avm/res/relay/namespace/main.json             |  30 +-
 avm/res/search/search-service/README.md       |  17 +-
 avm/res/search/search-service/main.bicep      |   2 +-
 avm/res/search/search-service/main.json       |   4 +-
 avm/res/service-bus/namespace/README.md       | 115 +++--
 avm/res/service-bus/namespace/main.bicep      |   4 +-
 avm/res/service-bus/namespace/main.json       |  44 +-
 avm/res/signal-r-service/signal-r/README.md   |  17 +-
 avm/res/signal-r-service/signal-r/main.bicep  |   2 +-
 avm/res/signal-r-service/signal-r/main.json   |   6 +-
 .../signal-r-service/web-pub-sub/README.md    |  17 +-
 .../signal-r-service/web-pub-sub/main.bicep   |   2 +-
 .../signal-r-service/web-pub-sub/main.json    |   6 +-
 avm/res/sql/server/README.md                  |  17 +-
 avm/res/sql/server/main.bicep                 |   2 +-
 avm/res/sql/server/main.json                  |  62 +--
 avm/res/storage/storage-account/README.md     |  17 +-
 avm/res/storage/storage-account/main.bicep    |   2 +-
 avm/res/storage/storage-account/main.json     |  12 +-
 .../storage-account/queue-service/main.json   |   6 +-
 .../queue-service/queue/README.md             |  18 +-
 .../queue-service/queue/main.bicep            |   2 +-
 .../queue-service/queue/main.json             |   4 +-
 avm/res/synapse/private-link-hub/README.md    |  17 +-
 avm/res/synapse/private-link-hub/main.bicep   |   2 +-
 avm/res/synapse/private-link-hub/main.json    |   6 +-
 avm/res/synapse/workspace/README.md           |  19 +-
 avm/res/synapse/workspace/main.bicep          |   4 +-
 avm/res/synapse/workspace/main.json           |  27 +-
 avm/res/web/site/README.md                    |  17 +-
 .../main.json                                 |   4 +-
 .../web/site/config--appsettings/main.json    |   4 +-
 .../web/site/config--authsettingsv2/main.json |   4 +-
 avm/res/web/site/config--logs/README.md       |   5 +
 avm/res/web/site/config--logs/main.bicep      |   2 +-
 avm/res/web/site/config--logs/main.json       |   6 +-
 avm/res/web/site/config--web/README.md        |  17 +-
 avm/res/web/site/config--web/main.bicep       |   2 +-
 avm/res/web/site/config--web/main.json        |   6 +-
 .../web/site/extensions--msdeploy/README.md   |   5 +
 .../web/site/extensions--msdeploy/main.bicep  |   2 +-
 .../web/site/extensions--msdeploy/main.json   |   6 +-
 .../relay/main.json                           |   4 +-
 avm/res/web/site/main.bicep                   |   2 +-
 avm/res/web/site/main.json                    |  68 +--
 avm/res/web/site/slot/README.md               |  17 +-
 .../main.json                                 |   4 +-
 .../site/slot/config--appsettings/main.json   |   4 +-
 .../slot/config--authsettingsv2/main.json     |   4 +-
 .../site/slot/extensions--msdeploy/README.md  |   5 +
 .../site/slot/extensions--msdeploy/main.bicep |   2 +-
 .../site/slot/extensions--msdeploy/main.json  |   6 +-
 .../relay/main.json                           |   4 +-
 avm/res/web/site/slot/main.bicep              |   2 +-
 avm/res/web/site/slot/main.json               |  28 +-
 avm/res/web/static-site/README.md             |  17 +-
 avm/res/web/static-site/main.bicep            |   2 +-
 avm/res/web/static-site/main.json             |  22 +-
 avm/utl/types/avm-common-types/main.bicep     |   2 +-
 avm/utl/types/avm-common-types/main.json      |   4 +-
 220 files changed, 2272 insertions(+), 2028 deletions(-)

diff --git a/avm/ptn/ai-platform/baseline/main.bicep b/avm/ptn/ai-platform/baseline/main.bicep
index cfa8b0f7d7..7ba33c5974 100644
--- a/avm/ptn/ai-platform/baseline/main.bicep
+++ b/avm/ptn/ai-platform/baseline/main.bicep
@@ -798,7 +798,7 @@ type virtualMachineConfigurationType = {
   @description('Optional. The availability zone of the virtual machine. If set to 0, no availability zone is used (default).')
   zone: 0 | 1 | 2 | 3?
 
-  @description('Required. The virtual machine size. Defaults to \'Standard_D2s_v3\'.')
+  @description('Optional. The virtual machine size. Defaults to \'Standard_D2s_v3\'.')
   size: string?
 
   @description('Conditional. The username for the administrator account on the virtual machine. Required if a virtual machine is created as part of the module.')
diff --git a/avm/ptn/ai-platform/baseline/main.json b/avm/ptn/ai-platform/baseline/main.json
index cbb20a89d4..0729d56e61 100644
--- a/avm/ptn/ai-platform/baseline/main.json
+++ b/avm/ptn/ai-platform/baseline/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "14190804454906731332"
+      "templateHash": "8118431971207259255"
     },
     "name": "AI Platform Baseline",
     "description": "This module provides a secure and scalable environment for deploying AI applications on Azure.\nThe module encompasses all essential components required for building, managing, and observing AI solutions, including a machine learning workspace, observability tools, and necessary data management services.\nBy integrating with Microsoft Entra ID for secure identity management and utilizing private endpoints for services like Key Vault and Blob Storage, the module ensures secure communication and data access.",
@@ -470,7 +470,7 @@
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Required. The virtual machine size. Defaults to 'Standard_D2s_v3'."
+            "description": "Optional. The virtual machine size. Defaults to 'Standard_D2s_v3'."
           }
         },
         "adminUsername": {
diff --git a/avm/ptn/lz/sub-vending/README.md b/avm/ptn/lz/sub-vending/README.md
index 627959715f..471c80289f 100644
--- a/avm/ptn/lz/sub-vending/README.md
+++ b/avm/ptn/lz/sub-vending/README.md
@@ -1046,25 +1046,13 @@ The condition for the role assignment.
 - Required: No
 - Type: object
 
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`roleConditionType`](#parameter-roleassignmentsroleassignmentconditionroleconditiontype) | object | The type of template for the role assignment condition. |
-
 **Optional parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`conditionVersion`](#parameter-roleassignmentsroleassignmentconditionconditionversion) | string | The version of the condition template. |
 | [`delegationCode`](#parameter-roleassignmentsroleassignmentconditiondelegationcode) | string | The code for a custom condition if no template is used. The user should supply their own custom code if the available templates are not matching their requirements. If a value is provided, this will overwrite any added template. All single quotes needs to be skipped using '. |
-
-### Parameter: `roleAssignments.roleAssignmentCondition.roleConditionType`
-
-The type of template for the role assignment condition.
-
-- Required: No
-- Type: object
+| [`roleConditionType`](#parameter-roleassignmentsroleassignmentconditionroleconditiontype) | object | The type of template for the role assignment condition. |
 
 ### Parameter: `roleAssignments.roleAssignmentCondition.conditionVersion`
 
@@ -1086,6 +1074,13 @@ The code for a custom condition if no template is used. The user should supply t
 - Required: No
 - Type: string
 
+### Parameter: `roleAssignments.roleAssignmentCondition.roleConditionType`
+
+The type of template for the role assignment condition.
+
+- Required: No
+- Type: object
+
 ### Parameter: `subscriptionAliasEnabled`
 
 Whether to create a new Subscription using the Subscription Alias resource. If `false`, supply an existing Subscription''s ID in the parameter named `existingSubscriptionId` instead to deploy resources to an existing Subscription.
diff --git a/avm/ptn/lz/sub-vending/main.json b/avm/ptn/lz/sub-vending/main.json
index 6f96066ac4..752668dbf3 100644
--- a/avm/ptn/lz/sub-vending/main.json
+++ b/avm/ptn/lz/sub-vending/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "7041333731896478717"
+      "templateHash": "15801074137418249415"
     },
     "name": "Sub-vending",
     "description": "This module deploys a subscription to accelerate deployment of landing zones. For more information on how to use it, please visit this [Wiki](https://github.com/Azure/bicep-lz-vending/wiki).",
@@ -163,7 +163,7 @@
           "$ref": "#/definitions/_1.constrainedDelegationTemplatesType",
           "nullable": true,
           "metadata": {
-            "description": "Required. The type of template for the role assignment condition."
+            "description": "Optional. The type of template for the role assignment condition."
           }
         },
         "conditionVersion": {
@@ -881,7 +881,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "1508834239626613483"
+              "templateHash": "17058377789394467622"
             },
             "name": "`/subResourcesWrapper/deploy.bicep` Parameters",
             "description": "This module is used by the [`bicep-lz-vending`](https://aka.ms/sub-vending/bicep) module to help orchestrate the deployment",
@@ -1063,7 +1063,7 @@
                   "$ref": "#/definitions/constrainedDelegationTemplatesType",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. The type of template for the role assignment condition."
+                    "description": "Optional. The type of template for the role assignment condition."
                   }
                 },
                 "conditionVersion": {
diff --git a/avm/ptn/lz/sub-vending/modules/subResourceWrapper.bicep b/avm/ptn/lz/sub-vending/modules/subResourceWrapper.bicep
index 30dc430b1c..5e16e204d6 100644
--- a/avm/ptn/lz/sub-vending/modules/subResourceWrapper.bicep
+++ b/avm/ptn/lz/sub-vending/modules/subResourceWrapper.bicep
@@ -767,7 +767,7 @@ type constrainedDelegationTemplatesType =
 // Role Assignment Condition type
 @export()
 type roleAssignmentConditionType = {
-  @description('Required. The type of template for the role assignment condition.')
+  @description('Optional. The type of template for the role assignment condition.')
   roleConditionType: constrainedDelegationTemplatesType?
 
   @description('Optional. The version of the condition template.')
diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/README.md b/avm/ptn/virtual-machine-images/azure-image-builder/README.md
index 0ddfb123e2..9c2f97fa00 100644
--- a/avm/ptn/virtual-machine-images/azure-image-builder/README.md
+++ b/avm/ptn/virtual-machine-images/azure-image-builder/README.md
@@ -1180,6 +1180,11 @@ The files to upload to the Assets Storage Account.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`name`](#parameter-storageaccountfilestouploadname) | string | The name of the environment variable. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
 | [`secureValue`](#parameter-storageaccountfilestouploadsecurevalue) | securestring | The value of the secure environment variable. |
 | [`value`](#parameter-storageaccountfilestouploadvalue) | string | The value of the environment variable. |
 
diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/main.bicep b/avm/ptn/virtual-machine-images/azure-image-builder/main.bicep
index 34d5a6048e..997353e120 100644
--- a/avm/ptn/virtual-machine-images/azure-image-builder/main.bicep
+++ b/avm/ptn/virtual-machine-images/azure-image-builder/main.bicep
@@ -597,10 +597,10 @@ type storageAccountFilesToUploadType = {
   @description('Required. The name of the environment variable.')
   name: string
 
-  @description('Required. The value of the secure environment variable.')
+  @description('Optional. The value of the secure environment variable.')
   @secure()
   secureValue: string?
 
-  @description('Required. The value of the environment variable.')
+  @description('Optional. The value of the environment variable.')
   value: string?
 }
diff --git a/avm/ptn/virtual-machine-images/azure-image-builder/main.json b/avm/ptn/virtual-machine-images/azure-image-builder/main.json
index e8e8b71562..7173f704ee 100644
--- a/avm/ptn/virtual-machine-images/azure-image-builder/main.json
+++ b/avm/ptn/virtual-machine-images/azure-image-builder/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "4580919221810730076"
+      "templateHash": "9111396630441610187"
     },
     "name": "Custom Images using Azure Image Builder",
     "description": "This module provides you with a packaged solution to create custom images using the Azure Image Builder service publishing to an Azure Compute Gallery.",
@@ -26,14 +26,14 @@
           "type": "securestring",
           "nullable": true,
           "metadata": {
-            "description": "Required. The value of the secure environment variable."
+            "description": "Optional. The value of the secure environment variable."
           }
         },
         "value": {
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Required. The value of the environment variable."
+            "description": "Optional. The value of the environment variable."
           }
         }
       },
diff --git a/avm/res/app-configuration/configuration-store/README.md b/avm/res/app-configuration/configuration-store/README.md
index e7a84828bf..1c56ccbbc6 100644
--- a/avm/res/app-configuration/configuration-store/README.md
+++ b/avm/res/app-configuration/configuration-store/README.md
@@ -1324,15 +1324,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1341,6 +1339,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/app-configuration/configuration-store/main.bicep b/avm/res/app-configuration/configuration-store/main.bicep
index c989fc47a0..6c404d734e 100644
--- a/avm/res/app-configuration/configuration-store/main.bicep
+++ b/avm/res/app-configuration/configuration-store/main.bicep
@@ -447,7 +447,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/app-configuration/configuration-store/main.json b/avm/res/app-configuration/configuration-store/main.json
index acbc9026c6..e782f1670c 100644
--- a/avm/res/app-configuration/configuration-store/main.json
+++ b/avm/res/app-configuration/configuration-store/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "12024958859514872959"
+      "version": "0.30.23.60470",
+      "templateHash": "1061724596337882078"
     },
     "name": "App Configuration Stores",
     "description": "This module deploys an App Configuration Store.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -838,8 +838,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "11258786733278014615"
+              "version": "0.30.23.60470",
+              "templateHash": "7176115037834080970"
             },
             "name": "App Configuration Stores Key Values",
             "description": "This module deploys an App Configuration Store Key Value.",
@@ -959,8 +959,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "12501157551760596905"
+              "version": "0.30.23.60470",
+              "templateHash": "7558745915280433021"
             },
             "name": "App Configuration Replicas",
             "description": "This module deploys an App Configuration Replica.",
@@ -976,13 +976,13 @@
             "appConfigurationName": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The name of the parent app configuration store."
+                "description": "Conditional. The name of the parent app configuration store. Required if the template is used in a standalone deployment."
               }
             },
             "replicaLocation": {
               "type": "string",
               "metadata": {
-                "description": "Optional. Location of the replica."
+                "description": "Required. Location of the replica."
               }
             }
           },
diff --git a/avm/res/app-configuration/configuration-store/replicas/README.md b/avm/res/app-configuration/configuration-store/replicas/README.md
index aedae3e7b8..dbfdc26d3f 100644
--- a/avm/res/app-configuration/configuration-store/replicas/README.md
+++ b/avm/res/app-configuration/configuration-store/replicas/README.md
@@ -21,13 +21,13 @@ This module deploys an App Configuration Replica.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`name`](#parameter-name) | string | Name of the replica. |
+| [`replicaLocation`](#parameter-replicalocation) | string | Location of the replica. |
 
-**Optional parameters**
+**Conditional parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`appConfigurationName`](#parameter-appconfigurationname) | string | The name of the parent app configuration store. |
-| [`replicaLocation`](#parameter-replicalocation) | string | Location of the replica. |
+| [`appConfigurationName`](#parameter-appconfigurationname) | string | The name of the parent app configuration store. Required if the template is used in a standalone deployment. |
 
 ### Parameter: `name`
 
@@ -36,16 +36,16 @@ Name of the replica.
 - Required: Yes
 - Type: string
 
-### Parameter: `appConfigurationName`
+### Parameter: `replicaLocation`
 
-The name of the parent app configuration store.
+Location of the replica.
 
 - Required: Yes
 - Type: string
 
-### Parameter: `replicaLocation`
+### Parameter: `appConfigurationName`
 
-Location of the replica.
+The name of the parent app configuration store. Required if the template is used in a standalone deployment.
 
 - Required: Yes
 - Type: string
diff --git a/avm/res/app-configuration/configuration-store/replicas/main.bicep b/avm/res/app-configuration/configuration-store/replicas/main.bicep
index 43e37d6d8d..d78b06cc51 100644
--- a/avm/res/app-configuration/configuration-store/replicas/main.bicep
+++ b/avm/res/app-configuration/configuration-store/replicas/main.bicep
@@ -5,10 +5,10 @@ metadata owner = 'Azure/module-maintainers'
 @description('Required. Name of the replica.')
 param name string
 
-@description('Optional. The name of the parent app configuration store.')
+@description('Conditional. The name of the parent app configuration store. Required if the template is used in a standalone deployment.')
 param appConfigurationName string
 
-@description('Optional. Location of the replica.')
+@description('Required. Location of the replica.')
 param replicaLocation string
 
 resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
diff --git a/avm/res/app-configuration/configuration-store/replicas/main.json b/avm/res/app-configuration/configuration-store/replicas/main.json
index 220da65163..e4c0a9dacb 100644
--- a/avm/res/app-configuration/configuration-store/replicas/main.json
+++ b/avm/res/app-configuration/configuration-store/replicas/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "12501157551760596905"
+      "version": "0.30.23.60470",
+      "templateHash": "7558745915280433021"
     },
     "name": "App Configuration Replicas",
     "description": "This module deploys an App Configuration Replica.",
@@ -21,13 +21,13 @@
     "appConfigurationName": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The name of the parent app configuration store."
+        "description": "Conditional. The name of the parent app configuration store. Required if the template is used in a standalone deployment."
       }
     },
     "replicaLocation": {
       "type": "string",
       "metadata": {
-        "description": "Optional. Location of the replica."
+        "description": "Required. Location of the replica."
       }
     }
   },
diff --git a/avm/res/app/job/README.md b/avm/res/app/job/README.md
index 51e3119966..32d9a19e7b 100644
--- a/avm/res/app/job/README.md
+++ b/avm/res/app/job/README.md
@@ -1114,7 +1114,6 @@ HTTPGet specifies the http request to perform.
 | :-- | :-- | :-- |
 | [`path`](#parameter-containersprobeshttpgetpath) | string | Path to access on the HTTP server. |
 | [`port`](#parameter-containersprobeshttpgetport) | int | Name of the port to access on the container. If not specified, the containerPort is used. |
-| [`scheme`](#parameter-containersprobeshttpgetscheme) | string | Scheme to use for connecting to the host. Defaults to HTTP. |
 
 **Optional parameters**
 
@@ -1122,6 +1121,7 @@ HTTPGet specifies the http request to perform.
 | :-- | :-- | :-- |
 | [`host`](#parameter-containersprobeshttpgethost) | string | Host name to connect to, defaults to the pod IP. |
 | [`httpHeaders`](#parameter-containersprobeshttpgethttpheaders) | array | Custom headers to set in the request. |
+| [`scheme`](#parameter-containersprobeshttpgetscheme) | string | Scheme to use for connecting to the host. Defaults to HTTP. |
 
 ### Parameter: `containers.probes.httpGet.path`
 
@@ -1137,20 +1137,6 @@ Name of the port to access on the container. If not specified, the containerPort
 - Required: Yes
 - Type: int
 
-### Parameter: `containers.probes.httpGet.scheme`
-
-Scheme to use for connecting to the host. Defaults to HTTP.
-
-- Required: No
-- Type: string
-- Allowed:
-  ```Bicep
-  [
-    'HTTP'
-    'HTTPS'
-  ]
-  ```
-
 ### Parameter: `containers.probes.httpGet.host`
 
 Host name to connect to, defaults to the pod IP.
@@ -1186,6 +1172,20 @@ The header field value.
 - Required: Yes
 - Type: string
 
+### Parameter: `containers.probes.httpGet.scheme`
+
+Scheme to use for connecting to the host. Defaults to HTTP.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'HTTP'
+    'HTTPS'
+  ]
+  ```
+
 ### Parameter: `containers.probes.initialDelaySeconds`
 
 Number of seconds after the container has started before liveness probes are initiated. Defaults to 0 seconds.
@@ -1218,13 +1218,15 @@ TCPSocket specifies an action involving a TCP port.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`host`](#parameter-containersprobestcpsockethost) | string | Host name to connect to, defaults to the pod IP. |
 | [`port`](#parameter-containersprobestcpsocketport) | int | Name of the port to access on the container. If not specified, the containerPort is used. |
 
-**Optional parameters**
+### Parameter: `containers.probes.tcpSocket.host`
 
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`host`](#parameter-containersprobestcpsockethost) | string | Host name to connect to, defaults to the pod IP. |
+Host name to connect to, defaults to the pod IP.
+
+- Required: Yes
+- Type: string
 
 ### Parameter: `containers.probes.tcpSocket.port`
 
@@ -1233,13 +1235,6 @@ Name of the port to access on the container. If not specified, the containerPort
 - Required: Yes
 - Type: int
 
-### Parameter: `containers.probes.tcpSocket.host`
-
-Host name to connect to, defaults to the pod IP.
-
-- Required: Yes
-- Type: string
-
 ### Parameter: `containers.probes.terminationGracePeriodSeconds`
 
 Duration in seconds the pod needs to terminate gracefully upon probe failure. This is an alpha field and requires enabling ProbeTerminationGracePeriod feature gate.
@@ -1266,11 +1261,6 @@ The resources to allocate to the container.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`cpu`](#parameter-containersresourcescpu) | string | The CPU limit of the container in cores. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
 | [`memory`](#parameter-containersresourcesmemory) | string | The required memory. |
 
 ### Parameter: `containers.resources.cpu`
@@ -1395,6 +1385,12 @@ Scaling configurations for event driven jobs.
 - Required: Yes
 - Type: object
 
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`rules`](#parameter-eventtriggerconfigscalerules) | array | Scaling rules for the job. |
+
 **Optional parameters**
 
 | Parameter | Type | Description |
@@ -1402,28 +1398,6 @@ Scaling configurations for event driven jobs.
 | [`maxExecutions`](#parameter-eventtriggerconfigscalemaxexecutions) | int | Maximum number of job executions that are created for a trigger, default 100. |
 | [`minExecutions`](#parameter-eventtriggerconfigscaleminexecutions) | int | Minimum number of job executions that are created for a trigger, default 0. |
 | [`pollingInterval`](#parameter-eventtriggerconfigscalepollinginterval) | int | Interval to check each event source in seconds. Defaults to 30s. |
-| [`rules`](#parameter-eventtriggerconfigscalerules) | array | Scaling rules for the job. |
-
-### Parameter: `eventTriggerConfig.scale.maxExecutions`
-
-Maximum number of job executions that are created for a trigger, default 100.
-
-- Required: No
-- Type: int
-
-### Parameter: `eventTriggerConfig.scale.minExecutions`
-
-Minimum number of job executions that are created for a trigger, default 0.
-
-- Required: No
-- Type: int
-
-### Parameter: `eventTriggerConfig.scale.pollingInterval`
-
-Interval to check each event source in seconds. Defaults to 30s.
-
-- Required: No
-- Type: int
 
 ### Parameter: `eventTriggerConfig.scale.rules`
 
@@ -1454,15 +1428,52 @@ Scaling rules for the job.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`auth`](#parameter-eventtriggerconfigscalerulesauth) | array | Authentication secrets for the scale rule. |
+| [`metadata`](#parameter-eventtriggerconfigscalerulesmetadata) | object | Metadata properties to describe the scale rule. |
 | [`name`](#parameter-eventtriggerconfigscalerulesname) | string | The name of the scale rule. |
+| [`type`](#parameter-eventtriggerconfigscalerulestype) | string | The type of the rule. |
 
 **Optional parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`metadata`](#parameter-eventtriggerconfigscalerulesmetadata) | object | Metadata properties to describe the scale rule. |
-| [`type`](#parameter-eventtriggerconfigscalerulestype) | string | The type of the rule. |
+| [`auth`](#parameter-eventtriggerconfigscalerulesauth) | array | Authentication secrets for the scale rule. |
+
+### Parameter: `eventTriggerConfig.scale.rules.metadata`
+
+Metadata properties to describe the scale rule.
+
+- Required: Yes
+- Type: object
+- Example:
+  ```Bicep
+  {
+    "// for type azure-queue
+    {
+      queueName: 'default'
+      storageAccountResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount'
+    }"
+  }
+  ```
+
+### Parameter: `eventTriggerConfig.scale.rules.name`
+
+The name of the scale rule.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `eventTriggerConfig.scale.rules.type`
+
+The type of the rule.
+
+- Required: Yes
+- Type: string
+- Example:
+  ```Bicep
+  "azure-servicebus"
+  "azure-queue"
+  "redis"
+  ```
 
 ### Parameter: `eventTriggerConfig.scale.rules.auth`
 
@@ -1492,42 +1503,26 @@ Trigger Parameter that uses the secret.
 - Required: Yes
 - Type: string
 
-### Parameter: `eventTriggerConfig.scale.rules.name`
+### Parameter: `eventTriggerConfig.scale.maxExecutions`
 
-The name of the scale rule.
+Maximum number of job executions that are created for a trigger, default 100.
 
-- Required: Yes
-- Type: string
+- Required: No
+- Type: int
 
-### Parameter: `eventTriggerConfig.scale.rules.metadata`
+### Parameter: `eventTriggerConfig.scale.minExecutions`
 
-Metadata properties to describe the scale rule.
+Minimum number of job executions that are created for a trigger, default 0.
 
-- Required: Yes
-- Type: object
-- Example:
-  ```Bicep
-  {
-    "// for type azure-queue
-    {
-      queueName: 'default'
-      storageAccountResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount'
-    }"
-  }
-  ```
+- Required: No
+- Type: int
 
-### Parameter: `eventTriggerConfig.scale.rules.type`
+### Parameter: `eventTriggerConfig.scale.pollingInterval`
 
-The type of the rule.
+Interval to check each event source in seconds. Defaults to 30s.
 
-- Required: Yes
-- Type: string
-- Example:
-  ```Bicep
-  "azure-servicebus"
-  "azure-queue"
-  "redis"
-  ```
+- Required: No
+- Type: int
 
 ### Parameter: `eventTriggerConfig.parallelism`
 
@@ -1636,90 +1631,46 @@ List of specialized containers that run before app containers.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`args`](#parameter-initcontainersargs) | array | Container start command arguments. |
+| [`command`](#parameter-initcontainerscommand) | array | Container start command. |
 | [`image`](#parameter-initcontainersimage) | string | The image of the container. |
 | [`name`](#parameter-initcontainersname) | string | The name of the container. |
-| [`resources`](#parameter-initcontainersresources) | object | Container resource requirements. |
 
 **Optional parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`args`](#parameter-initcontainersargs) | array | Container start command arguments. |
-| [`command`](#parameter-initcontainerscommand) | array | Container start command. |
 | [`env`](#parameter-initcontainersenv) | array | The environment variables to set in the container. |
+| [`resources`](#parameter-initcontainersresources) | object | Container resource requirements. |
 | [`volumeMounts`](#parameter-initcontainersvolumemounts) | array | The volume mounts to attach to the container. |
 
-### Parameter: `initContainers.image`
+### Parameter: `initContainers.args`
 
-The image of the container.
+Container start command arguments.
 
 - Required: Yes
-- Type: string
+- Type: array
 
-### Parameter: `initContainers.name`
+### Parameter: `initContainers.command`
 
-The name of the container.
+Container start command.
 
 - Required: Yes
-- Type: string
-
-### Parameter: `initContainers.resources`
-
-Container resource requirements.
-
-- Required: No
-- Type: object
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`cpu`](#parameter-initcontainersresourcescpu) | string | The CPU limit of the container in cores. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`memory`](#parameter-initcontainersresourcesmemory) | string | The required memory. |
+- Type: array
 
-### Parameter: `initContainers.resources.cpu`
+### Parameter: `initContainers.image`
 
-The CPU limit of the container in cores.
+The image of the container.
 
 - Required: Yes
 - Type: string
-- Example:
-  ```Bicep
-  '0.25'
-  '1'
-  ```
 
-### Parameter: `initContainers.resources.memory`
+### Parameter: `initContainers.name`
 
-The required memory.
+The name of the container.
 
 - Required: Yes
 - Type: string
-- Example:
-  ```Bicep
-  '250Mb'
-  '1.5Gi'
-  '1500Mi'
-  ```
-
-### Parameter: `initContainers.args`
-
-Container start command arguments.
-
-- Required: Yes
-- Type: array
-
-### Parameter: `initContainers.command`
-
-Container start command.
-
-- Required: Yes
-- Type: array
 
 ### Parameter: `initContainers.env`
 
@@ -1775,6 +1726,45 @@ The environment variable value. Required if `secretRef` is null.
 - Required: No
 - Type: string
 
+### Parameter: `initContainers.resources`
+
+Container resource requirements.
+
+- Required: No
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`cpu`](#parameter-initcontainersresourcescpu) | string | The CPU limit of the container in cores. |
+| [`memory`](#parameter-initcontainersresourcesmemory) | string | The required memory. |
+
+### Parameter: `initContainers.resources.cpu`
+
+The CPU limit of the container in cores.
+
+- Required: Yes
+- Type: string
+- Example:
+  ```Bicep
+  '0.25'
+  '1'
+  ```
+
+### Parameter: `initContainers.resources.memory`
+
+The required memory.
+
+- Required: Yes
+- Type: string
+- Example:
+  ```Bicep
+  '250Mb'
+  '1.5Gi'
+  '1500Mi'
+  ```
+
 ### Parameter: `initContainers.volumeMounts`
 
 The volume mounts to attach to the container.
diff --git a/avm/res/app/job/main.bicep b/avm/res/app/job/main.bicep
index 974873afd2..b86b96a6ae 100644
--- a/avm/res/app/job/main.bicep
+++ b/avm/res/app/job/main.bicep
@@ -429,7 +429,7 @@ type containerProbeType = {
     @maxValue(65535)
     port: int
 
-    @description('Required. Scheme to use for connecting to the host. Defaults to HTTP.')
+    @description('Optional. Scheme to use for connecting to the host. Defaults to HTTP.')
     scheme: ('HTTP' | 'HTTPS')?
   }?
 
@@ -450,7 +450,7 @@ type containerProbeType = {
 
   @description('Optional. TCPSocket specifies an action involving a TCP port.')
   tcpSocket: {
-    @description('Optional. Host name to connect to, defaults to the pod IP.')
+    @description('Required. Host name to connect to, defaults to the pod IP.')
     host: string
 
     @description('Required. Name of the port to access on the container. If not specified, the containerPort is used.')
@@ -483,7 +483,7 @@ type containerResourceType = {
   })
   cpu: string
 
-  @description('Optional. The required memory.')
+  @description('Required. The required memory.')
   @metadata({
     example: '''
     '250Mb'
@@ -551,7 +551,7 @@ type jobScaleType = {
   @description('Optional. Interval to check each event source in seconds. Defaults to 30s.')
   pollingInterval: int?
 
-  @description('Optional. Scaling rules for the job.')
+  @description('Required. Scaling rules for the job.')
   @metadata({
     example: '''
     [
@@ -572,7 +572,7 @@ type jobScaleType = {
     '''
   })
   rules: {
-    @description('Required. Authentication secrets for the scale rule.')
+    @description('Optional. Authentication secrets for the scale rule.')
     auth: {
       @description('Required. Name of the secret from which to pull the auth params.')
       secretRef: string
@@ -581,7 +581,7 @@ type jobScaleType = {
       triggerParameter: string
     }[]?
 
-    @description('Optional. Metadata properties to describe the scale rule.')
+    @description('Required. Metadata properties to describe the scale rule.')
     @metadata({
       example: '''
     {
@@ -598,7 +598,7 @@ type jobScaleType = {
     @description('Required. The name of the scale rule.')
     name: string
 
-    @description('Optional. The type of the rule.')
+    @description('Required. The type of the rule.')
     @metadata({
       example: '''
       "azure-servicebus"
@@ -611,10 +611,10 @@ type jobScaleType = {
 }
 
 type initContainerType = {
-  @description('Optional. Container start command arguments.')
+  @description('Required. Container start command arguments.')
   args: string[]
 
-  @description('Optional. Container start command.')
+  @description('Required. Container start command.')
   command: string[]
 
   @description('Optional. The environment variables to set in the container.')
@@ -640,7 +640,7 @@ type initContainerType = {
   @description('Required. The name of the container.')
   name: string
 
-  @description('Required. Container resource requirements.')
+  @description('Optional. Container resource requirements.')
   resources: containerResourceType?
 
   @description('Optional. The volume mounts to attach to the container.')
diff --git a/avm/res/app/job/main.json b/avm/res/app/job/main.json
index b0a56e15a3..7a867b950f 100644
--- a/avm/res/app/job/main.json
+++ b/avm/res/app/job/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "15353778009725544189"
+      "version": "0.30.23.60470",
+      "templateHash": "12763012216760511641"
     },
     "name": "Container App Jobs",
     "description": "This module deploys a Container App Job.",
@@ -353,7 +353,7 @@
               ],
               "nullable": true,
               "metadata": {
-                "description": "Required. Scheme to use for connecting to the host. Defaults to HTTP."
+                "description": "Optional. Scheme to use for connecting to the host. Defaults to HTTP."
               }
             }
           },
@@ -395,7 +395,7 @@
             "host": {
               "type": "string",
               "metadata": {
-                "description": "Optional. Host name to connect to, defaults to the pod IP."
+                "description": "Required. Host name to connect to, defaults to the pod IP."
               }
             },
             "port": {
@@ -457,7 +457,7 @@
           "type": "string",
           "metadata": {
             "example": "    '250Mb'\n    '1.5Gi'\n    '1500Mi'\n    ",
-            "description": "Optional. The required memory."
+            "description": "Required. The required memory."
           }
         }
       }
@@ -606,14 +606,14 @@
                 },
                 "nullable": true,
                 "metadata": {
-                  "description": "Required. Authentication secrets for the scale rule."
+                  "description": "Optional. Authentication secrets for the scale rule."
                 }
               },
               "metadata": {
                 "type": "object",
                 "metadata": {
                   "example": "    {\n      \"// for type azure-queue\n      {\n        queueName: 'default'\n        storageAccountResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount'\n      }\"\n    }\n    ",
-                  "description": "Optional. Metadata properties to describe the scale rule."
+                  "description": "Required. Metadata properties to describe the scale rule."
                 }
               },
               "name": {
@@ -626,14 +626,14 @@
                 "type": "string",
                 "metadata": {
                   "example": "      \"azure-servicebus\"\n      \"azure-queue\"\n      \"redis\"\n    ",
-                  "description": "Optional. The type of the rule."
+                  "description": "Required. The type of the rule."
                 }
               }
             }
           },
           "metadata": {
             "example": "    [\n      // for type azure-queue\n      {\n        name: 'myrule'\n        type: 'azure-queue'\n        metadata: {\n          queueName: 'default'\n          storageAccountResourceId: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount'\n        }\n        auth: {\n          secretRef: 'mysecret'\n          triggerParameter: 'queueName'\n        }\n      }\n    ]\n    ",
-            "description": "Optional. Scaling rules for the job."
+            "description": "Required. Scaling rules for the job."
           }
         }
       }
@@ -647,7 +647,7 @@
             "type": "string"
           },
           "metadata": {
-            "description": "Optional. Container start command arguments."
+            "description": "Required. Container start command arguments."
           }
         },
         "command": {
@@ -656,7 +656,7 @@
             "type": "string"
           },
           "metadata": {
-            "description": "Optional. Container start command."
+            "description": "Required. Container start command."
           }
         },
         "env": {
@@ -686,7 +686,7 @@
           "$ref": "#/definitions/containerResourceType",
           "nullable": true,
           "metadata": {
-            "description": "Required. Container resource requirements."
+            "description": "Optional. Container resource requirements."
           }
         },
         "volumeMounts": {
diff --git a/avm/res/batch/batch-account/README.md b/avm/res/batch/batch-account/README.md
index 0cf0a66b37..1a6dcfffe6 100644
--- a/avm/res/batch/batch-account/README.md
+++ b/avm/res/batch/batch-account/README.md
@@ -1436,15 +1436,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1453,6 +1451,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/batch/batch-account/main.bicep b/avm/res/batch/batch-account/main.bicep
index ab8e9a72eb..0bdc99ce3c 100644
--- a/avm/res/batch/batch-account/main.bicep
+++ b/avm/res/batch/batch-account/main.bicep
@@ -469,7 +469,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/batch/batch-account/main.json b/avm/res/batch/batch-account/main.json
index 59bd76bfef..fa12259d09 100644
--- a/avm/res/batch/batch-account/main.json
+++ b/avm/res/batch/batch-account/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "10214588768781913112"
+      "version": "0.30.23.60470",
+      "templateHash": "9326027237179724855"
     },
     "name": "Batch Accounts",
     "description": "This module deploys a Batch Account.",
@@ -308,7 +308,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/cache/redis/README.md b/avm/res/cache/redis/README.md
index de250d1472..322627a7e1 100644
--- a/avm/res/cache/redis/README.md
+++ b/avm/res/cache/redis/README.md
@@ -1370,15 +1370,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1387,6 +1385,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/cache/redis/main.bicep b/avm/res/cache/redis/main.bicep
index 9e866bb89e..2eda0b9e71 100644
--- a/avm/res/cache/redis/main.bicep
+++ b/avm/res/cache/redis/main.bicep
@@ -421,7 +421,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/cache/redis/main.json b/avm/res/cache/redis/main.json
index 222f86491e..24322d1c3b 100644
--- a/avm/res/cache/redis/main.json
+++ b/avm/res/cache/redis/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "8427702382536251551"
+      "version": "0.30.23.60470",
+      "templateHash": "4783503622444970338"
     },
     "name": "Redis Cache",
     "description": "This module deploys a Redis Cache.",
@@ -164,7 +164,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -1634,8 +1634,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "6993324639761594928"
+              "version": "0.30.23.60470",
+              "templateHash": "10405637679168200939"
             },
             "name": "Redis Cache Linked Servers",
             "description": "This module connects a primary and secondary Redis Cache together for geo-replication.",
@@ -1809,4 +1809,4 @@
       }
     }
   }
-}
+}
\ No newline at end of file
diff --git a/avm/res/cdn/profile/main.json b/avm/res/cdn/profile/main.json
index 479e17ece5..ff95fa664e 100644
--- a/avm/res/cdn/profile/main.json
+++ b/avm/res/cdn/profile/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "14447016685732236984"
+      "templateHash": "17027452417371199673"
     },
     "name": "CDN Profiles",
     "description": "This module deploys a CDN Profile.",
@@ -828,7 +828,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "7661706938502506866"
+              "templateHash": "9127977884501208410"
             },
             "name": "CDN Profiles Secret",
             "description": "This module deploys a CDN Profile Secret.",
@@ -857,7 +857,7 @@
                 "UrlSigningKey"
               ],
               "metadata": {
-                "description": "Required. The type of the secrect."
+                "description": "Optional. The type of the secrect."
               }
             },
             "secretSourceResourceId": {
diff --git a/avm/res/cdn/profile/secret/README.md b/avm/res/cdn/profile/secret/README.md
index e599331771..b3048b8a2a 100644
--- a/avm/res/cdn/profile/secret/README.md
+++ b/avm/res/cdn/profile/secret/README.md
@@ -21,7 +21,6 @@ This module deploys a CDN Profile Secret.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`name`](#parameter-name) | string | The name of the secrect. |
-| [`type`](#parameter-type) | string | The type of the secrect. |
 
 **Conditional parameters**
 
@@ -36,6 +35,7 @@ This module deploys a CDN Profile Secret.
 | :-- | :-- | :-- |
 | [`secretVersion`](#parameter-secretversion) | string | The version of the secret. |
 | [`subjectAlternativeNames`](#parameter-subjectalternativenames) | array | The subject alternative names of the secrect. |
+| [`type`](#parameter-type) | string | The type of the secrect. |
 | [`useLatestVersion`](#parameter-uselatestversion) | bool | Indicates whether to use the latest version of the secrect. |
 
 ### Parameter: `name`
@@ -45,23 +45,6 @@ The name of the secrect.
 - Required: Yes
 - Type: string
 
-### Parameter: `type`
-
-The type of the secrect.
-
-- Required: No
-- Type: string
-- Default: `'AzureFirstPartyManagedCertificate'`
-- Allowed:
-  ```Bicep
-  [
-    'AzureFirstPartyManagedCertificate'
-    'CustomerCertificate'
-    'ManagedCertificate'
-    'UrlSigningKey'
-  ]
-  ```
-
 ### Parameter: `profileName`
 
 The name of the parent CDN profile. Required if the template is used in a standalone deployment.
@@ -93,6 +76,23 @@ The subject alternative names of the secrect.
 - Type: array
 - Default: `[]`
 
+### Parameter: `type`
+
+The type of the secrect.
+
+- Required: No
+- Type: string
+- Default: `'AzureFirstPartyManagedCertificate'`
+- Allowed:
+  ```Bicep
+  [
+    'AzureFirstPartyManagedCertificate'
+    'CustomerCertificate'
+    'ManagedCertificate'
+    'UrlSigningKey'
+  ]
+  ```
+
 ### Parameter: `useLatestVersion`
 
 Indicates whether to use the latest version of the secrect.
diff --git a/avm/res/cdn/profile/secret/main.bicep b/avm/res/cdn/profile/secret/main.bicep
index e4278f4057..064586b436 100644
--- a/avm/res/cdn/profile/secret/main.bicep
+++ b/avm/res/cdn/profile/secret/main.bicep
@@ -14,7 +14,7 @@ param profileName string
   'ManagedCertificate'
   'UrlSigningKey'
 ])
-@description('Required. The type of the secrect.')
+@description('Optional. The type of the secrect.')
 param type string = 'AzureFirstPartyManagedCertificate'
 
 @description('Conditional. The resource ID of the secret source. Required if the `type` is "CustomerCertificate".')
diff --git a/avm/res/cdn/profile/secret/main.json b/avm/res/cdn/profile/secret/main.json
index 6c300587db..77dc6a600b 100644
--- a/avm/res/cdn/profile/secret/main.json
+++ b/avm/res/cdn/profile/secret/main.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "7661706938502506866"
+      "templateHash": "9127977884501208410"
     },
     "name": "CDN Profiles Secret",
     "description": "This module deploys a CDN Profile Secret.",
@@ -34,7 +34,7 @@
         "UrlSigningKey"
       ],
       "metadata": {
-        "description": "Required. The type of the secrect."
+        "description": "Optional. The type of the secrect."
       }
     },
     "secretSourceResourceId": {
diff --git a/avm/res/cognitive-services/account/README.md b/avm/res/cognitive-services/account/README.md
index c4316e2e52..3cc1613e68 100644
--- a/avm/res/cognitive-services/account/README.md
+++ b/avm/res/cognitive-services/account/README.md
@@ -2260,15 +2260,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2277,6 +2275,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/cognitive-services/account/main.bicep b/avm/res/cognitive-services/account/main.bicep
index e7d426a344..f8378c75fa 100644
--- a/avm/res/cognitive-services/account/main.bicep
+++ b/avm/res/cognitive-services/account/main.bicep
@@ -652,7 +652,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/cognitive-services/account/main.json b/avm/res/cognitive-services/account/main.json
index c2ce82cbd8..1d4e6730fc 100644
--- a/avm/res/cognitive-services/account/main.json
+++ b/avm/res/cognitive-services/account/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "11788701359615687264"
+      "templateHash": "10707676565122599824"
     },
     "name": "Cognitive Services",
     "description": "This module deploys a Cognitive Service.",
@@ -309,7 +309,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/consumption/budget/README.md b/avm/res/consumption/budget/README.md
index a72051517a..0116781b9d 100644
--- a/avm/res/consumption/budget/README.md
+++ b/avm/res/consumption/budget/README.md
@@ -422,8 +422,6 @@ param thresholds = [
 | :-- | :-- | :-- |
 | [`amount`](#parameter-amount) | int | The total amount of cost or usage to track with the budget. |
 | [`name`](#parameter-name) | string | The name of the budget. |
-| [`operator`](#parameter-operator) | string | The comparison operator. The operator can be either `EqualTo`, `GreaterThan`, or `GreaterThanOrEqualTo`. |
-| [`thresholdType`](#parameter-thresholdtype) | string | The type of threshold to use for the budget. The threshold type can be either `Actual` or `Forecasted`. |
 
 **Conditional parameters**
 
@@ -442,10 +440,12 @@ param thresholds = [
 | [`endDate`](#parameter-enddate) | string | The end date for the budget. If not provided, it will default to 10 years from the start date. |
 | [`filter`](#parameter-filter) | object | The filter to use for restricting which resources are considered within the budget. |
 | [`location`](#parameter-location) | string | Location deployment metadata. |
+| [`operator`](#parameter-operator) | string | The comparison operator. The operator can be either `EqualTo`, `GreaterThan`, or `GreaterThanOrEqualTo`. |
 | [`resetPeriod`](#parameter-resetperiod) | string | The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers. |
 | [`resourceGroupFilter`](#parameter-resourcegroupfilter) | array | The list of resource groups that contain the resources that are to be considered within the budget. |
 | [`startDate`](#parameter-startdate) | string | The start date for the budget. Start date should be the first day of the month and cannot be in the past (except for the current month). |
 | [`thresholds`](#parameter-thresholds) | array | Percent thresholds of budget for when to get a notification. Can be up to 5 thresholds, where each must be between 1 and 1000. |
+| [`thresholdType`](#parameter-thresholdtype) | string | The type of threshold to use for the budget. The threshold type can be either `Actual` or `Forecasted`. |
 
 ### Parameter: `amount`
 
@@ -461,37 +461,6 @@ The name of the budget.
 - Required: Yes
 - Type: string
 
-### Parameter: `operator`
-
-The comparison operator. The operator can be either `EqualTo`, `GreaterThan`, or `GreaterThanOrEqualTo`.
-
-- Required: No
-- Type: string
-- Default: `'GreaterThan'`
-- Allowed:
-  ```Bicep
-  [
-    'EqualTo'
-    'GreaterThan'
-    'GreaterThanOrEqualTo'
-  ]
-  ```
-
-### Parameter: `thresholdType`
-
-The type of threshold to use for the budget. The threshold type can be either `Actual` or `Forecasted`.
-
-- Required: No
-- Type: string
-- Default: `'Actual'`
-- Allowed:
-  ```Bicep
-  [
-    'Actual'
-    'Forecasted'
-  ]
-  ```
-
 ### Parameter: `actionGroups`
 
 List of action group resource IDs that will receive the alert. Required if neither `contactEmails` nor `contactEmails` was provided.
@@ -559,6 +528,22 @@ Location deployment metadata.
 - Type: string
 - Default: `[deployment().location]`
 
+### Parameter: `operator`
+
+The comparison operator. The operator can be either `EqualTo`, `GreaterThan`, or `GreaterThanOrEqualTo`.
+
+- Required: No
+- Type: string
+- Default: `'GreaterThan'`
+- Allowed:
+  ```Bicep
+  [
+    'EqualTo'
+    'GreaterThan'
+    'GreaterThanOrEqualTo'
+  ]
+  ```
+
 ### Parameter: `resetPeriod`
 
 The time covered by a budget. Tracking of the amount will be reset based on the time grain. BillingMonth, BillingQuarter, and BillingAnnual are only supported by WD customers.
@@ -611,6 +596,21 @@ Percent thresholds of budget for when to get a notification. Can be up to 5 thre
   ]
   ```
 
+### Parameter: `thresholdType`
+
+The type of threshold to use for the budget. The threshold type can be either `Actual` or `Forecasted`.
+
+- Required: No
+- Type: string
+- Default: `'Actual'`
+- Allowed:
+  ```Bicep
+  [
+    'Actual'
+    'Forecasted'
+  ]
+  ```
+
 ## Outputs
 
 | Output | Type | Description |
diff --git a/avm/res/consumption/budget/main.bicep b/avm/res/consumption/budget/main.bicep
index caa88053ae..4123efcb95 100644
--- a/avm/res/consumption/budget/main.bicep
+++ b/avm/res/consumption/budget/main.bicep
@@ -39,7 +39,7 @@ param endDate string = ''
   'GreaterThan'
   'GreaterThanOrEqualTo'
 ])
-@description('Required. The comparison operator. The operator can be either `EqualTo`, `GreaterThan`, or `GreaterThanOrEqualTo`.')
+@description('Optional. The comparison operator. The operator can be either `EqualTo`, `GreaterThan`, or `GreaterThanOrEqualTo`.')
 param operator string = 'GreaterThan'
 
 @maxLength(5)
@@ -65,7 +65,7 @@ param actionGroups array?
   'Actual'
   'Forecasted'
 ])
-@description('Required. The type of threshold to use for the budget. The threshold type can be either `Actual` or `Forecasted`.')
+@description('Optional. The type of threshold to use for the budget. The threshold type can be either `Actual` or `Forecasted`.')
 param thresholdType string = 'Actual'
 
 @description('Optional. The filter to use for restricting which resources are considered within the budget.')
diff --git a/avm/res/consumption/budget/main.json b/avm/res/consumption/budget/main.json
index b68ced8a2d..3a0eed79e9 100644
--- a/avm/res/consumption/budget/main.json
+++ b/avm/res/consumption/budget/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "9899827298268482806"
+      "version": "0.30.23.60470",
+      "templateHash": "14721330685806821575"
     },
     "name": "Consumption Budgets",
     "description": "This module deploys a Consumption Budget for Subscriptions.",
@@ -74,7 +74,7 @@
         "GreaterThanOrEqualTo"
       ],
       "metadata": {
-        "description": "Required. The comparison operator. The operator can be either `EqualTo`, `GreaterThan`, or `GreaterThanOrEqualTo`."
+        "description": "Optional. The comparison operator. The operator can be either `EqualTo`, `GreaterThan`, or `GreaterThanOrEqualTo`."
       }
     },
     "thresholds": {
@@ -120,7 +120,7 @@
         "Forecasted"
       ],
       "metadata": {
-        "description": "Required. The type of threshold to use for the budget. The threshold type can be either `Actual` or `Forecasted`."
+        "description": "Optional. The type of threshold to use for the budget. The threshold type can be either `Actual` or `Forecasted`."
       }
     },
     "filter": {
diff --git a/avm/res/container-registry/registry/README.md b/avm/res/container-registry/registry/README.md
index 4be75ae21b..4c2f170db8 100644
--- a/avm/res/container-registry/registry/README.md
+++ b/avm/res/container-registry/registry/README.md
@@ -1580,15 +1580,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1597,6 +1595,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/container-registry/registry/main.bicep b/avm/res/container-registry/registry/main.bicep
index e164a1be14..9319bf65da 100644
--- a/avm/res/container-registry/registry/main.bicep
+++ b/avm/res/container-registry/registry/main.bicep
@@ -620,7 +620,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/container-registry/registry/main.json b/avm/res/container-registry/registry/main.json
index a54cb59fe1..5e42d035ac 100644
--- a/avm/res/container-registry/registry/main.json
+++ b/avm/res/container-registry/registry/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "14769734612544320664"
+      "version": "0.30.23.60470",
+      "templateHash": "2277340268999354626"
     },
     "name": "Azure Container Registries (ACR)",
     "description": "This module deploys an Azure Container Registry (ACR).",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -1028,8 +1028,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "17045733538280748766"
+              "version": "0.30.23.60470",
+              "templateHash": "17963190751439748514"
             },
             "name": "Container Registries scopeMaps",
             "description": "This module deploys an Azure Container Registry (ACR) scopeMap.",
@@ -1155,8 +1155,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "11507205381257602922"
+              "version": "0.30.23.60470",
+              "templateHash": "4997004041066797666"
             },
             "name": "Azure Container Registry (ACR) Replications",
             "description": "This module deploys an Azure Container Registry (ACR) Replication.",
@@ -1303,8 +1303,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "13281764602355848660"
+              "version": "0.30.23.60470",
+              "templateHash": "7759513970094711275"
             },
             "name": "Container Registries Credential Sets",
             "description": "This module deploys an ACR Credential Set.",
@@ -1478,8 +1478,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "17205938486061573561"
+              "version": "0.30.23.60470",
+              "templateHash": "1396902957012921251"
             },
             "name": "Container Registries Cache",
             "description": "Cache for Azure Container Registry (Preview) feature allows users to cache container images in a private container registry. Cache for ACR, is a preview feature available in Basic, Standard, and Premium service tiers ([ref](https://learn.microsoft.com/en-us/azure/container-registry/tutorial-registry-cache)).",
@@ -1610,8 +1610,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "3542060088842117365"
+              "version": "0.30.23.60470",
+              "templateHash": "10216591470402784498"
             },
             "name": "Azure Container Registry (ACR) Webhooks",
             "description": "This module deploys an Azure Container Registry (ACR) Webhook.",
diff --git a/avm/res/container-service/managed-cluster/README.md b/avm/res/container-service/managed-cluster/README.md
index 27d80860c1..7dbf508317 100644
--- a/avm/res/container-service/managed-cluster/README.md
+++ b/avm/res/container-service/managed-cluster/README.md
@@ -3973,13 +3973,6 @@ Settings and configurations for the flux extension.
 - Required: No
 - Type: object
 
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-fluxextensionname) | string | The name of the extension. |
-| [`releaseTrain`](#parameter-fluxextensionreleasetrain) | string | The release train of the extension. |
-
 **Optional parameters**
 
 | Parameter | Type | Description |
@@ -3987,24 +3980,12 @@ Settings and configurations for the flux extension.
 | [`configurationProtectedSettings`](#parameter-fluxextensionconfigurationprotectedsettings) | object | The configuration protected settings of the extension. |
 | [`configurations`](#parameter-fluxextensionconfigurations) | array | The flux configurations of the extension. |
 | [`configurationSettings`](#parameter-fluxextensionconfigurationsettings) | object | The configuration settings of the extension. |
+| [`name`](#parameter-fluxextensionname) | string | The name of the extension. |
 | [`releaseNamespace`](#parameter-fluxextensionreleasenamespace) | string | Namespace where the extension Release must be placed. |
+| [`releaseTrain`](#parameter-fluxextensionreleasetrain) | string | The release train of the extension. |
 | [`targetNamespace`](#parameter-fluxextensiontargetnamespace) | string | Namespace where the extension will be created for an Namespace scoped extension. |
 | [`version`](#parameter-fluxextensionversion) | string | The version of the extension. |
 
-### Parameter: `fluxExtension.name`
-
-The name of the extension.
-
-- Required: No
-- Type: string
-
-### Parameter: `fluxExtension.releaseTrain`
-
-The release train of the extension.
-
-- Required: No
-- Type: string
-
 ### Parameter: `fluxExtension.configurationProtectedSettings`
 
 The configuration protected settings of the extension.
@@ -4039,6 +4020,13 @@ The configuration settings of the extension.
 - Required: No
 - Type: object
 
+### Parameter: `fluxExtension.name`
+
+The name of the extension.
+
+- Required: No
+- Type: string
+
 ### Parameter: `fluxExtension.releaseNamespace`
 
 Namespace where the extension Release must be placed.
@@ -4046,6 +4034,13 @@ Namespace where the extension Release must be placed.
 - Required: No
 - Type: string
 
+### Parameter: `fluxExtension.releaseTrain`
+
+The release train of the extension.
+
+- Required: No
+- Type: string
+
 ### Parameter: `fluxExtension.targetNamespace`
 
 Namespace where the extension will be created for an Namespace scoped extension.
diff --git a/avm/res/container-service/managed-cluster/main.bicep b/avm/res/container-service/managed-cluster/main.bicep
index 88a8d6a89b..0daebb5fd5 100644
--- a/avm/res/container-service/managed-cluster/main.bicep
+++ b/avm/res/container-service/managed-cluster/main.bicep
@@ -879,7 +879,7 @@ module managedCluster_extension 'br/public:avm/res/kubernetes-configuration/exte
     extensionType: 'microsoft.flux'
     fluxConfigurations: fluxExtension.?configurations
     location: location
-    name: 'flux'
+    name: fluxExtension.?name ?? 'flux'
     releaseNamespace: fluxExtension.?releaseNamespace ?? 'flux-system'
     releaseTrain: fluxExtension.?releaseTrain ?? 'Stable'
     version: fluxExtension.?version
@@ -1229,7 +1229,7 @@ type fluxConfigurationProtectedSettingsType = {
 
 @export()
 type extensionType = {
-  @description('Required. The name of the extension.')
+  @description('Optional. The name of the extension.')
   name: string?
 
   @description('Optional. Namespace where the extension Release must be placed.')
@@ -1238,7 +1238,7 @@ type extensionType = {
   @description('Optional. Namespace where the extension will be created for an Namespace scoped extension.')
   targetNamespace: string?
 
-  @description('Required. The release train of the extension.')
+  @description('Optional. The release train of the extension.')
   releaseTrain: string?
 
   @description('Optional. The configuration protected settings of the extension.')
diff --git a/avm/res/container-service/managed-cluster/main.json b/avm/res/container-service/managed-cluster/main.json
index c0c9f95d89..99f7c919ea 100644
--- a/avm/res/container-service/managed-cluster/main.json
+++ b/avm/res/container-service/managed-cluster/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "14675004991337717729"
+      "templateHash": "17374623663141250391"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Clusters",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
@@ -591,7 +591,7 @@
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Required. The name of the extension."
+            "description": "Optional. The name of the extension."
           }
         },
         "releaseNamespace": {
@@ -612,7 +612,7 @@
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Required. The release train of the extension."
+            "description": "Optional. The release train of the extension."
           }
         },
         "configurationProtectedSettings": {
@@ -2523,7 +2523,7 @@
             "value": "[parameters('location')]"
           },
           "name": {
-            "value": "flux"
+            "value": "[coalesce(tryGet(parameters('fluxExtension'), 'name'), 'flux')]"
           },
           "releaseNamespace": {
             "value": "[coalesce(tryGet(parameters('fluxExtension'), 'releaseNamespace'), 'flux-system')]"
diff --git a/avm/res/data-factory/factory/README.md b/avm/res/data-factory/factory/README.md
index 6ac0a9c7ce..2db45286df 100644
--- a/avm/res/data-factory/factory/README.md
+++ b/avm/res/data-factory/factory/README.md
@@ -1401,15 +1401,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1418,6 +1416,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/data-factory/factory/main.bicep b/avm/res/data-factory/factory/main.bicep
index 5bb934d5a0..a398a32aab 100644
--- a/avm/res/data-factory/factory/main.bicep
+++ b/avm/res/data-factory/factory/main.bicep
@@ -483,7 +483,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/data-factory/factory/main.json b/avm/res/data-factory/factory/main.json
index 5e8ffea4e0..aef90082e0 100644
--- a/avm/res/data-factory/factory/main.json
+++ b/avm/res/data-factory/factory/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "15687596888855868361"
+      "templateHash": "16698009861031821081"
     },
     "name": "Data Factories",
     "description": "This module deploys a Data Factory.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/databricks/workspace/README.md b/avm/res/databricks/workspace/README.md
index 1514771878..e8c32dccc9 100644
--- a/avm/res/databricks/workspace/README.md
+++ b/avm/res/databricks/workspace/README.md
@@ -1520,15 +1520,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1537,6 +1535,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
@@ -2115,15 +2120,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-storageaccountprivateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-storageaccountprivateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `storageAccountPrivateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-storageaccountprivateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `storageAccountPrivateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2132,6 +2135,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `storageAccountPrivateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `storageAccountPrivateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/databricks/workspace/main.bicep b/avm/res/databricks/workspace/main.bicep
index a1fc0584e8..7b0ae9c266 100644
--- a/avm/res/databricks/workspace/main.bicep
+++ b/avm/res/databricks/workspace/main.bicep
@@ -649,7 +649,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/databricks/workspace/main.json b/avm/res/databricks/workspace/main.json
index 58505dab07..ab507bd0a7 100644
--- a/avm/res/databricks/workspace/main.json
+++ b/avm/res/databricks/workspace/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "13951883117687020314"
+      "templateHash": "17989186567226192844"
     },
     "name": "Azure Databricks Workspaces",
     "description": "This module deploys an Azure Databricks Workspace.",
@@ -140,7 +140,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/desktop-virtualization/host-pool/README.md b/avm/res/desktop-virtualization/host-pool/README.md
index 094d7b8fad..2bc40f79dd 100644
--- a/avm/res/desktop-virtualization/host-pool/README.md
+++ b/avm/res/desktop-virtualization/host-pool/README.md
@@ -1006,15 +1006,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1023,6 +1021,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/desktop-virtualization/host-pool/main.bicep b/avm/res/desktop-virtualization/host-pool/main.bicep
index 2084a17dd9..0f5292b6f2 100644
--- a/avm/res/desktop-virtualization/host-pool/main.bicep
+++ b/avm/res/desktop-virtualization/host-pool/main.bicep
@@ -447,7 +447,7 @@ type privateEndpointType = {
 
   @sys.description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @sys.description('Required. Fqdn that resolves to private endpoint IP address.')
+    @sys.description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @sys.description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/desktop-virtualization/host-pool/main.json b/avm/res/desktop-virtualization/host-pool/main.json
index d11ccd0220..a15765d75b 100644
--- a/avm/res/desktop-virtualization/host-pool/main.json
+++ b/avm/res/desktop-virtualization/host-pool/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "988183823258334261"
+      "version": "0.30.23.60470",
+      "templateHash": "15143229112798242850"
     },
     "name": "Azure Virtual Desktop Host Pool",
     "description": "This module deploys an Azure Virtual Desktop Host Pool",
@@ -284,7 +284,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/desktop-virtualization/workspace/README.md b/avm/res/desktop-virtualization/workspace/README.md
index bc71f372f4..48551acfb4 100644
--- a/avm/res/desktop-virtualization/workspace/README.md
+++ b/avm/res/desktop-virtualization/workspace/README.md
@@ -924,15 +924,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -941,6 +939,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/desktop-virtualization/workspace/main.bicep b/avm/res/desktop-virtualization/workspace/main.bicep
index b491177c31..b333a5316c 100644
--- a/avm/res/desktop-virtualization/workspace/main.bicep
+++ b/avm/res/desktop-virtualization/workspace/main.bicep
@@ -330,7 +330,7 @@ type privateEndpointType = {
 
   @sys.description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @sys.description('Required. Fqdn that resolves to private endpoint IP address.')
+    @sys.description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @sys.description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/desktop-virtualization/workspace/main.json b/avm/res/desktop-virtualization/workspace/main.json
index de5bdd06a4..8245d8ae67 100644
--- a/avm/res/desktop-virtualization/workspace/main.json
+++ b/avm/res/desktop-virtualization/workspace/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "8425031488997615382"
+      "version": "0.30.23.60470",
+      "templateHash": "4950797341752129951"
     },
     "name": "Workspace",
     "description": "This module deploys an Azure Virtual Desktop Workspace.",
@@ -277,7 +277,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/digital-twins/digital-twins-instance/README.md b/avm/res/digital-twins/digital-twins-instance/README.md
index 1cb5feb1f6..ac4beeb9a4 100644
--- a/avm/res/digital-twins/digital-twins-instance/README.md
+++ b/avm/res/digital-twins/digital-twins-instance/README.md
@@ -988,15 +988,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1005,6 +1003,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/digital-twins/digital-twins-instance/main.bicep b/avm/res/digital-twins/digital-twins-instance/main.bicep
index a05e44eb8a..6ebafb65f6 100644
--- a/avm/res/digital-twins/digital-twins-instance/main.bicep
+++ b/avm/res/digital-twins/digital-twins-instance/main.bicep
@@ -385,7 +385,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/digital-twins/digital-twins-instance/main.json b/avm/res/digital-twins/digital-twins-instance/main.json
index ea549b4b6a..ee05f0f0bd 100644
--- a/avm/res/digital-twins/digital-twins-instance/main.json
+++ b/avm/res/digital-twins/digital-twins-instance/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "6681425649721370761"
+      "version": "0.30.23.60470",
+      "templateHash": "11503001274179673847"
     },
     "name": "Digital Twins Instances",
     "description": "This module deploys an Azure Digital Twins Instance.",
@@ -207,7 +207,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -695,8 +695,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.28.1.47646",
-              "templateHash": "13720195975702696848"
+              "version": "0.30.23.60470",
+              "templateHash": "16914787878954195877"
             },
             "name": "Digital Twins Instance EventHub Endpoint",
             "description": "This module deploys a Digital Twins Instance EventHub Endpoint.",
@@ -893,8 +893,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.28.1.47646",
-              "templateHash": "17105935055209854005"
+              "version": "0.30.23.60470",
+              "templateHash": "17261842587165157796"
             },
             "name": "Digital Twins Instance Event Grid Endpoints",
             "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.",
@@ -1020,8 +1020,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.28.1.47646",
-              "templateHash": "13764805272277592098"
+              "version": "0.30.23.60470",
+              "templateHash": "843606537345038481"
             },
             "name": "Digital Twins Instance ServiceBus Endpoint",
             "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.",
diff --git a/avm/res/document-db/database-account/README.md b/avm/res/document-db/database-account/README.md
index fc40151219..b7b6f578cf 100644
--- a/avm/res/document-db/database-account/README.md
+++ b/avm/res/document-db/database-account/README.md
@@ -3426,7 +3426,7 @@ param tags = {
 | [`maxStalenessPrefix`](#parameter-maxstalenessprefix) | int | Default to 100000. Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. |
 | [`minimumTlsVersion`](#parameter-minimumtlsversion) | string | Default to TLS 1.2. Enum to indicate the minimum allowed TLS version. Azure Cosmos DB for MongoDB RU and Apache Cassandra only work with TLS 1.2 or later. |
 | [`mongodbDatabases`](#parameter-mongodbdatabases) | array | MongoDB Databases configurations. |
-| [`networkRestrictions`](#parameter-networkrestrictions) | object | The network configuration of this module. |
+| [`networkRestrictions`](#parameter-networkrestrictions) | object | The network configuration of this module. Defaults to `{ ipRules: [], virtualNetworkRules: [], publicNetworkAccess: 'Disabled' }`. |
 | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | [`secretsExportConfiguration`](#parameter-secretsexportconfiguration) | object | Key vault reference and secret settings for the module's secrets export. |
@@ -3923,7 +3923,7 @@ MongoDB Databases configurations.
 
 ### Parameter: `networkRestrictions`
 
-The network configuration of this module.
+The network configuration of this module. Defaults to `{ ipRules: [], virtualNetworkRules: [], publicNetworkAccess: 'Disabled' }`.
 
 - Required: No
 - Type: object
@@ -3936,22 +3936,47 @@ The network configuration of this module.
   }
   ```
 
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`ipRules`](#parameter-networkrestrictionsiprules) | array | A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8". |
+| [`virtualNetworkRules`](#parameter-networkrestrictionsvirtualnetworkrules) | array | List of Virtual Network ACL rules configured for the Cosmos DB account.. |
+
 **Optional parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`ipRules`](#parameter-networkrestrictionsiprules) | array | Default to []. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8". |
 | [`networkAclBypass`](#parameter-networkrestrictionsnetworkaclbypass) | string | Default to AzureServices. Specifies the network ACL bypass for Azure services. |
 | [`publicNetworkAccess`](#parameter-networkrestrictionspublicnetworkaccess) | string | Default to Enabled. Whether requests from Public Network are allowed. |
-| [`virtualNetworkRules`](#parameter-networkrestrictionsvirtualnetworkrules) | array | Default to []. List of Virtual Network ACL rules configured for the Cosmos DB account.. |
 
 ### Parameter: `networkRestrictions.ipRules`
 
-Default to []. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8".
+A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8".
+
+- Required: Yes
+- Type: array
+
+### Parameter: `networkRestrictions.virtualNetworkRules`
+
+List of Virtual Network ACL rules configured for the Cosmos DB account..
 
 - Required: Yes
 - Type: array
 
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`subnetResourceId`](#parameter-networkrestrictionsvirtualnetworkrulessubnetresourceid) | string | Resource ID of a subnet. |
+
+### Parameter: `networkRestrictions.virtualNetworkRules.subnetResourceId`
+
+Resource ID of a subnet.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `networkRestrictions.networkAclBypass`
 
 Default to AzureServices. Specifies the network ACL bypass for Azure services.
@@ -3980,26 +4005,6 @@ Default to Enabled. Whether requests from Public Network are allowed.
   ]
   ```
 
-### Parameter: `networkRestrictions.virtualNetworkRules`
-
-Default to []. List of Virtual Network ACL rules configured for the Cosmos DB account..
-
-- Required: Yes
-- Type: array
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`subnetResourceId`](#parameter-networkrestrictionsvirtualnetworkrulessubnetresourceid) | string | Resource ID of a subnet. |
-
-### Parameter: `networkRestrictions.virtualNetworkRules.subnetResourceId`
-
-Resource ID of a subnet.
-
-- Required: Yes
-- Type: string
-
 ### Parameter: `privateEndpoints`
 
 Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.
@@ -4066,15 +4071,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint ip address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private ip addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint ip address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -4083,6 +4086,13 @@ A list of private ip addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/document-db/database-account/gremlin-database/graph/main.json b/avm/res/document-db/database-account/gremlin-database/graph/main.json
index 13655f07f3..96761953b4 100644
--- a/avm/res/document-db/database-account/gremlin-database/graph/main.json
+++ b/avm/res/document-db/database-account/gremlin-database/graph/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "9917502444704809829"
+      "version": "0.30.23.60470",
+      "templateHash": "5396990720772518636"
     },
     "name": "DocumentDB Database Accounts Gremlin Databases Graphs",
     "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",
diff --git a/avm/res/document-db/database-account/gremlin-database/main.json b/avm/res/document-db/database-account/gremlin-database/main.json
index 4f38214e0d..5dcde760ef 100644
--- a/avm/res/document-db/database-account/gremlin-database/main.json
+++ b/avm/res/document-db/database-account/gremlin-database/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "7926803681315745584"
+      "version": "0.30.23.60470",
+      "templateHash": "14612267479855031826"
     },
     "name": "DocumentDB Database Account Gremlin Databases",
     "description": "This module deploys a Gremlin Database within a CosmosDB Account.",
@@ -111,8 +111,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "9917502444704809829"
+              "version": "0.30.23.60470",
+              "templateHash": "5396990720772518636"
             },
             "name": "DocumentDB Database Accounts Gremlin Databases Graphs",
             "description": "This module deploys a DocumentDB Database Accounts Gremlin Database Graph.",
diff --git a/avm/res/document-db/database-account/main.bicep b/avm/res/document-db/database-account/main.bicep
index d4416ba211..d5a168c79b 100644
--- a/avm/res/document-db/database-account/main.bicep
+++ b/avm/res/document-db/database-account/main.bicep
@@ -149,7 +149,7 @@ param privateEndpoints privateEndpointType
 @description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
 param secretsExportConfiguration secretsExportConfigurationType?
 
-@description('Optional. The network configuration of this module.')
+@description('Optional. The network configuration of this module. Defaults to `{ ipRules: [], virtualNetworkRules: [], publicNetworkAccess: \'Disabled\' }`.')
 param networkRestrictions networkRestrictionsType = {
   ipRules: []
   virtualNetworkRules: []
@@ -742,7 +742,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint ip address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private ip addresses of the private endpoint.')
@@ -958,7 +958,7 @@ type secretsOutputType = {
 }
 
 type networkRestrictionsType = {
-  @description('Optional. Default to []. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8".')
+  @description('Required. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: "23.40.210.245" or "23.40.210.0/8".')
   ipRules: string[]
 
   @description('Optional. Default to AzureServices. Specifies the network ACL bypass for Azure services.')
@@ -967,7 +967,7 @@ type networkRestrictionsType = {
   @description('Optional. Default to Enabled. Whether requests from Public Network are allowed.')
   publicNetworkAccess: ('Enabled' | 'Disabled')?
 
-  @description('Optional. Default to []. List of Virtual Network ACL rules configured for the Cosmos DB account..')
+  @description('Required. List of Virtual Network ACL rules configured for the Cosmos DB account..')
   virtualNetworkRules: {
     @description('Required. Resource ID of a subnet.')
     subnetResourceId: string
diff --git a/avm/res/document-db/database-account/main.json b/avm/res/document-db/database-account/main.json
index 56cbfcda58..5d7b90ae1a 100644
--- a/avm/res/document-db/database-account/main.json
+++ b/avm/res/document-db/database-account/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "10132015257360023425"
+      "templateHash": "13300542630733457081"
     },
     "name": "DocumentDB Database Accounts",
     "description": "This module deploys a DocumentDB Database Account.",
@@ -236,7 +236,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint ip address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -791,7 +791,7 @@
             "type": "string"
           },
           "metadata": {
-            "description": "Optional. Default to []. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: \"23.40.210.245\" or \"23.40.210.0/8\"."
+            "description": "Required. A single IPv4 address or a single IPv4 address range in CIDR format. Provided IPs must be well-formatted and cannot be contained in one of the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, since these are not enforceable by the IP address filter. Example of valid inputs: \"23.40.210.245\" or \"23.40.210.0/8\"."
           }
         },
         "networkAclBypass": {
@@ -830,7 +830,7 @@
             }
           },
           "metadata": {
-            "description": "Optional. Default to []. List of Virtual Network ACL rules configured for the Cosmos DB account.."
+            "description": "Required. List of Virtual Network ACL rules configured for the Cosmos DB account.."
           }
         }
       }
@@ -1152,7 +1152,7 @@
         "publicNetworkAccess": "Disabled"
       },
       "metadata": {
-        "description": "Optional. The network configuration of this module."
+        "description": "Optional. The network configuration of this module. Defaults to `{ ipRules: [], virtualNetworkRules: [], publicNetworkAccess: 'Disabled' }`."
       }
     },
     "minimumTlsVersion": {
@@ -1787,7 +1787,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "2916914405670681340"
+              "templateHash": "13088569006752107887"
             },
             "name": "DocumentDB Database Account SQL Role.",
             "description": "This module deploys SQL Role Definision and Assignment in a CosmosDB Account.",
@@ -1995,7 +1995,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.30.23.60470",
-                      "templateHash": "14629860270436011718"
+                      "templateHash": "4561927123418147924"
                     },
                     "name": "DocumentDB Database Account SQL Role Assignments.",
                     "description": "This module deploys a SQL Role Assignment in a CosmosDB Account.",
@@ -2018,7 +2018,7 @@
                       "type": "string",
                       "defaultValue": "",
                       "metadata": {
-                        "description": "Required. Id needs to be granted."
+                        "description": "Optional. Id needs to be granted."
                       }
                     },
                     "roleDefinitionId": {
diff --git a/avm/res/document-db/database-account/mongodb-database/collection/main.json b/avm/res/document-db/database-account/mongodb-database/collection/main.json
index 7ab4316f20..f40b7ac4c3 100644
--- a/avm/res/document-db/database-account/mongodb-database/collection/main.json
+++ b/avm/res/document-db/database-account/mongodb-database/collection/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "2005645426653376123"
+      "version": "0.30.23.60470",
+      "templateHash": "1358778299011674509"
     },
     "name": "DocumentDB Database Account MongoDB Database Collections",
     "description": "This module deploys a MongoDB Database Collection.",
diff --git a/avm/res/document-db/database-account/mongodb-database/main.json b/avm/res/document-db/database-account/mongodb-database/main.json
index 5f89eca19e..dd4a34ab45 100644
--- a/avm/res/document-db/database-account/mongodb-database/main.json
+++ b/avm/res/document-db/database-account/mongodb-database/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "5589296472144391886"
+      "version": "0.30.23.60470",
+      "templateHash": "1169635175830874795"
     },
     "name": "DocumentDB Database Account MongoDB Databases",
     "description": "This module deploys a MongoDB Database within a CosmosDB Account.",
@@ -108,8 +108,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "2005645426653376123"
+              "version": "0.30.23.60470",
+              "templateHash": "1358778299011674509"
             },
             "name": "DocumentDB Database Account MongoDB Database Collections",
             "description": "This module deploys a MongoDB Database Collection.",
diff --git a/avm/res/document-db/database-account/sql-database/container/main.json b/avm/res/document-db/database-account/sql-database/container/main.json
index 2f20bcd666..8cac0c2a0e 100644
--- a/avm/res/document-db/database-account/sql-database/container/main.json
+++ b/avm/res/document-db/database-account/sql-database/container/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "15811275148784494613"
+      "version": "0.30.23.60470",
+      "templateHash": "165408036680070575"
     },
     "name": "DocumentDB Database Account SQL Database Containers",
     "description": "This module deploys a SQL Database Container in a CosmosDB Account.",
diff --git a/avm/res/document-db/database-account/sql-database/main.json b/avm/res/document-db/database-account/sql-database/main.json
index 4bf3ca6f3c..f2458dc625 100644
--- a/avm/res/document-db/database-account/sql-database/main.json
+++ b/avm/res/document-db/database-account/sql-database/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "17028659150619761460"
+      "version": "0.30.23.60470",
+      "templateHash": "10274585444287252550"
     },
     "name": "DocumentDB Database Account SQL Databases",
     "description": "This module deploys a SQL Database in a CosmosDB Account.",
@@ -138,8 +138,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "15811275148784494613"
+              "version": "0.30.23.60470",
+              "templateHash": "165408036680070575"
             },
             "name": "DocumentDB Database Account SQL Database Containers",
             "description": "This module deploys a SQL Database Container in a CosmosDB Account.",
diff --git a/avm/res/document-db/database-account/sql-role/main.json b/avm/res/document-db/database-account/sql-role/main.json
index 071740e45e..9aed15aeb5 100644
--- a/avm/res/document-db/database-account/sql-role/main.json
+++ b/avm/res/document-db/database-account/sql-role/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "8574173933379504173"
+      "version": "0.30.23.60470",
+      "templateHash": "13088569006752107887"
     },
     "name": "DocumentDB Database Account SQL Role.",
     "description": "This module deploys SQL Role Definision and Assignment in a CosmosDB Account.",
@@ -91,8 +91,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "13173648139881140212"
+              "version": "0.30.23.60470",
+              "templateHash": "5054354703268051893"
             },
             "name": "DocumentDB Database Account SQL Role Definitions.",
             "description": "This module deploys a SQL Role Definision in a CosmosDB Account.",
@@ -212,8 +212,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "16344872287220693060"
+              "version": "0.30.23.60470",
+              "templateHash": "4561927123418147924"
             },
             "name": "DocumentDB Database Account SQL Role Assignments.",
             "description": "This module deploys a SQL Role Assignment in a CosmosDB Account.",
@@ -236,7 +236,7 @@
               "type": "string",
               "defaultValue": "",
               "metadata": {
-                "description": "Required. Id needs to be granted."
+                "description": "Optional. Id needs to be granted."
               }
             },
             "roleDefinitionId": {
diff --git a/avm/res/document-db/database-account/sql-role/sql-role-assignments/README.md b/avm/res/document-db/database-account/sql-role/sql-role-assignments/README.md
index 5b694cd973..7697dc6a3e 100644
--- a/avm/res/document-db/database-account/sql-role/sql-role-assignments/README.md
+++ b/avm/res/document-db/database-account/sql-role/sql-role-assignments/README.md
@@ -21,7 +21,6 @@ This module deploys a SQL Role Assignment in a CosmosDB Account.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`name`](#parameter-name) | string | Name of the SQL Role Assignment. |
-| [`principalId`](#parameter-principalid) | string | Id needs to be granted. |
 | [`roleDefinitionId`](#parameter-roledefinitionid) | string | Id of the SQL Role Definition. |
 
 **Conditional parameters**
@@ -30,6 +29,12 @@ This module deploys a SQL Role Assignment in a CosmosDB Account.
 | :-- | :-- | :-- |
 | [`databaseAccountName`](#parameter-databaseaccountname) | string | The name of the parent Database Account. Required if the template is used in a standalone deployment. |
 
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`principalId`](#parameter-principalid) | string | Id needs to be granted. |
+
 ### Parameter: `name`
 
 Name of the SQL Role Assignment.
@@ -37,14 +42,6 @@ Name of the SQL Role Assignment.
 - Required: Yes
 - Type: string
 
-### Parameter: `principalId`
-
-Id needs to be granted.
-
-- Required: No
-- Type: string
-- Default: `''`
-
 ### Parameter: `roleDefinitionId`
 
 Id of the SQL Role Definition.
@@ -59,6 +56,14 @@ The name of the parent Database Account. Required if the template is used in a s
 - Required: Yes
 - Type: string
 
+### Parameter: `principalId`
+
+Id needs to be granted.
+
+- Required: No
+- Type: string
+- Default: `''`
+
 ## Outputs
 
 | Output | Type | Description |
diff --git a/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.bicep b/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.bicep
index 32c24742a9..871197381b 100644
--- a/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.bicep
+++ b/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.bicep
@@ -8,7 +8,7 @@ param databaseAccountName string
 @description('Required. Name of the SQL Role Assignment.')
 param name string
 
-@description('Required. Id needs to be granted.')
+@description('Optional. Id needs to be granted.')
 param principalId string = ''
 
 @description('Required. Id of the SQL Role Definition.')
diff --git a/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.json b/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.json
index 59ecc153e1..cb563bafe6 100644
--- a/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.json
+++ b/avm/res/document-db/database-account/sql-role/sql-role-assignments/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "16344872287220693060"
+      "version": "0.30.23.60470",
+      "templateHash": "4561927123418147924"
     },
     "name": "DocumentDB Database Account SQL Role Assignments.",
     "description": "This module deploys a SQL Role Assignment in a CosmosDB Account.",
@@ -28,7 +28,7 @@
       "type": "string",
       "defaultValue": "",
       "metadata": {
-        "description": "Required. Id needs to be granted."
+        "description": "Optional. Id needs to be granted."
       }
     },
     "roleDefinitionId": {
diff --git a/avm/res/document-db/database-account/sql-role/sql-role-definitions/main.json b/avm/res/document-db/database-account/sql-role/sql-role-definitions/main.json
index 2b240d1905..6a2e1eee82 100644
--- a/avm/res/document-db/database-account/sql-role/sql-role-definitions/main.json
+++ b/avm/res/document-db/database-account/sql-role/sql-role-definitions/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "13173648139881140212"
+      "version": "0.30.23.60470",
+      "templateHash": "5054354703268051893"
     },
     "name": "DocumentDB Database Account SQL Role Definitions.",
     "description": "This module deploys a SQL Role Definision in a CosmosDB Account.",
diff --git a/avm/res/document-db/mongo-cluster/README.md b/avm/res/document-db/mongo-cluster/README.md
index 2ebb5f8479..e72f325a63 100644
--- a/avm/res/document-db/mongo-cluster/README.md
+++ b/avm/res/document-db/mongo-cluster/README.md
@@ -1039,15 +1039,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint ip address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private ip addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint ip address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1056,6 +1054,13 @@ A list of private ip addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/document-db/mongo-cluster/main.bicep b/avm/res/document-db/mongo-cluster/main.bicep
index d4612a2a44..a06b406e0e 100644
--- a/avm/res/document-db/mongo-cluster/main.bicep
+++ b/avm/res/document-db/mongo-cluster/main.bicep
@@ -447,7 +447,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint ip address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private ip addresses of the private endpoint.')
diff --git a/avm/res/document-db/mongo-cluster/main.json b/avm/res/document-db/mongo-cluster/main.json
index 9d963be7d0..e132b34995 100644
--- a/avm/res/document-db/mongo-cluster/main.json
+++ b/avm/res/document-db/mongo-cluster/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.27.1.19265",
-      "templateHash": "289094531739005234"
+      "version": "0.30.23.60470",
+      "templateHash": "11382084554700938270"
     },
     "name": "Azure Cosmos DB MongoDB vCore cluster",
     "description": "This module deploys a Azure Cosmos DB MongoDB vCore cluster.\n\n**Note:** This module is not intended for broad, generic use, as it was designed to cater for the requirements of the AZD CLI product. Feature requests and bug fix requests are welcome if they support the development of the AZD CLI but may not be incorporated if they aim to make this module more generic than what it needs to be for its primary use case.",
@@ -329,7 +329,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint ip address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -845,8 +845,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.27.1.19265",
-              "templateHash": "11076682219298980277"
+              "version": "0.30.23.60470",
+              "templateHash": "2708665515541247345"
             },
             "name": "Azure Cosmos DB MongoDB vCore Cluster Config FireWall Rules",
             "description": "This module config firewall rules for the Azure Cosmos DB MongoDB vCore cluster.",
@@ -945,8 +945,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.27.1.19265",
-              "templateHash": "4835482779180953345"
+              "version": "0.30.23.60470",
+              "templateHash": "16142913599202614386"
             }
           },
           "definitions": {
diff --git a/avm/res/event-grid/domain/README.md b/avm/res/event-grid/domain/README.md
index 7e0ec765a4..50092475ea 100644
--- a/avm/res/event-grid/domain/README.md
+++ b/avm/res/event-grid/domain/README.md
@@ -973,15 +973,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -990,6 +988,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/event-grid/domain/main.bicep b/avm/res/event-grid/domain/main.bicep
index ddd2595ac3..117f7435a7 100644
--- a/avm/res/event-grid/domain/main.bicep
+++ b/avm/res/event-grid/domain/main.bicep
@@ -376,7 +376,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/event-grid/domain/main.json b/avm/res/event-grid/domain/main.json
index f53f2e65df..cd3e750ab9 100644
--- a/avm/res/event-grid/domain/main.json
+++ b/avm/res/event-grid/domain/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "5221715648004087997"
+      "version": "0.30.23.60470",
+      "templateHash": "16159576400841812362"
     },
     "name": "Event Grid Domains",
     "description": "This module deploys an Event Grid Domain.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -743,8 +743,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "18115448694482617097"
+              "version": "0.30.23.60470",
+              "templateHash": "1238304487498835186"
             },
             "name": "Event Grid Domain Topics",
             "description": "This module deploys an Event Grid Domain Topic.",
diff --git a/avm/res/event-grid/namespace/README.md b/avm/res/event-grid/namespace/README.md
index 664aad8ec0..6c706e3a71 100644
--- a/avm/res/event-grid/namespace/README.md
+++ b/avm/res/event-grid/namespace/README.md
@@ -2356,15 +2356,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2373,6 +2371,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/event-grid/namespace/main.bicep b/avm/res/event-grid/namespace/main.bicep
index 29c68aeddc..b54cba6421 100644
--- a/avm/res/event-grid/namespace/main.bicep
+++ b/avm/res/event-grid/namespace/main.bicep
@@ -543,7 +543,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/event-grid/namespace/main.json b/avm/res/event-grid/namespace/main.json
index 740f8c02be..cc71b84a53 100644
--- a/avm/res/event-grid/namespace/main.json
+++ b/avm/res/event-grid/namespace/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "12641353733245664102"
+      "version": "0.30.23.60470",
+      "templateHash": "5783764026071462654"
     },
     "name": "Event Grid Namespaces",
     "description": "This module deploys an Event Grid Namespace.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -1615,8 +1615,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "2384224485883500454"
+              "version": "0.30.23.60470",
+              "templateHash": "13432369313513953808"
             },
             "name": "Eventgrid Namespace Topics",
             "description": "This module deploys an Eventgrid Namespace Topic.",
@@ -1901,8 +1901,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "484752655079146569"
+                      "version": "0.30.23.60470",
+                      "templateHash": "17089589089044607764"
                     },
                     "name": "Event Subscriptions",
                     "description": "This module deploys an Event Subscription.",
@@ -2201,8 +2201,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "12750364857938782710"
+              "version": "0.30.23.60470",
+              "templateHash": "10521341575239164612"
             },
             "name": "Eventgrid Namespace CA Certificates",
             "description": "This module deploys an Eventgrid Namespace CA Certificate.",
@@ -2331,8 +2331,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10456542411882263533"
+              "version": "0.30.23.60470",
+              "templateHash": "18108409387147428195"
             },
             "name": "Eventgrid Namespace Clients",
             "description": "This module deploys an Eventgrid Namespace Client.",
@@ -2497,8 +2497,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "16551042161872604300"
+              "version": "0.30.23.60470",
+              "templateHash": "16390720769511049629"
             },
             "name": "Eventgrid Namespace Client Groups",
             "description": "This module deploys an Eventgrid Namespace Client Group.",
@@ -2618,8 +2618,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "13412075546334276790"
+              "version": "0.30.23.60470",
+              "templateHash": "9421201119756189566"
             },
             "name": "Eventgrid Namespace Topic Spaces",
             "description": "This module deploys an Eventgrid Namespace Topic Space.",
@@ -2870,8 +2870,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "8789192089964505787"
+              "version": "0.30.23.60470",
+              "templateHash": "1634258312310183641"
             },
             "name": "Eventgrid Namespace Permissions Bindings",
             "description": "This module deploys an Eventgrid Namespace Permission Binding.",
diff --git a/avm/res/event-grid/topic/README.md b/avm/res/event-grid/topic/README.md
index fcb7a52ee0..078e4194ad 100644
--- a/avm/res/event-grid/topic/README.md
+++ b/avm/res/event-grid/topic/README.md
@@ -1119,15 +1119,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1136,6 +1134,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/event-grid/topic/main.bicep b/avm/res/event-grid/topic/main.bicep
index 9b0a660f01..1954647fa1 100644
--- a/avm/res/event-grid/topic/main.bicep
+++ b/avm/res/event-grid/topic/main.bicep
@@ -386,7 +386,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/event-grid/topic/main.json b/avm/res/event-grid/topic/main.json
index a0b065e629..301669185f 100644
--- a/avm/res/event-grid/topic/main.json
+++ b/avm/res/event-grid/topic/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "12405995366615613618"
+      "version": "0.30.23.60470",
+      "templateHash": "2810622723572048404"
     },
     "name": "Event Grid Topics",
     "description": "This module deploys an Event Grid Topic.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -738,8 +738,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "2521126347714866146"
+              "version": "0.30.23.60470",
+              "templateHash": "1060516343519365885"
             },
             "name": "EventGrid Topic Event Subscriptions",
             "description": "This module deploys an Event Grid Topic Event Subscription.",
diff --git a/avm/res/event-hub/namespace/README.md b/avm/res/event-hub/namespace/README.md
index 03faa22348..6aa3f6cbc8 100644
--- a/avm/res/event-hub/namespace/README.md
+++ b/avm/res/event-hub/namespace/README.md
@@ -1777,15 +1777,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1794,6 +1792,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/event-hub/namespace/main.bicep b/avm/res/event-hub/namespace/main.bicep
index 9f203c5398..3d68d8b9e1 100644
--- a/avm/res/event-hub/namespace/main.bicep
+++ b/avm/res/event-hub/namespace/main.bicep
@@ -578,7 +578,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/event-hub/namespace/main.json b/avm/res/event-hub/namespace/main.json
index e16a166f74..1142ef52f0 100644
--- a/avm/res/event-hub/namespace/main.json
+++ b/avm/res/event-hub/namespace/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "15332291729708806177"
+      "version": "0.30.23.60470",
+      "templateHash": "5695254204931774513"
     },
     "name": "Event Hub Namespaces",
     "description": "This module deploys an Event Hub Namespace.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -905,8 +905,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10257599829745692462"
+              "version": "0.30.23.60470",
+              "templateHash": "4370778315266456162"
             },
             "name": "Event Hub Namespace Authorization Rule",
             "description": "This module deploys an Event Hub Namespace Authorization Rule.",
@@ -1002,8 +1002,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "11417529326547724260"
+              "version": "0.30.23.60470",
+              "templateHash": "60777592128484407"
             },
             "name": "Event Hub Namespace Disaster Recovery Configs",
             "description": "This module deploys an Event Hub Namespace Disaster Recovery Config.",
@@ -1118,8 +1118,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "11002403097253998911"
+              "version": "0.30.23.60470",
+              "templateHash": "8801225791166116780"
             },
             "name": "Event Hub Namespace Event Hubs",
             "description": "This module deploys an Event Hub Namespace Event Hub.",
@@ -1543,8 +1543,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "3193397457060310848"
+                      "version": "0.30.23.60470",
+                      "templateHash": "3600583163344820893"
                     },
                     "name": "Event Hub Namespace Event Hub Consumer Groups",
                     "description": "This module deploys an Event Hub Namespace Event Hub Consumer Group.",
@@ -1647,8 +1647,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "15510112090713187287"
+                      "version": "0.30.23.60470",
+                      "templateHash": "5255101507494543017"
                     },
                     "name": "Event Hub Namespace Event Hub Authorization Rules",
                     "description": "This module deploys an Event Hub Namespace Event Hub Authorization Rule.",
@@ -1783,8 +1783,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10667940256299428520"
+              "version": "0.30.23.60470",
+              "templateHash": "11642938165424421063"
             },
             "name": "Event Hub Namespace Network Rule Sets",
             "description": "This module deploys an Event Hub Namespace Network Rule Set.",
diff --git a/avm/res/healthcare-apis/workspace/dicomservice/README.md b/avm/res/healthcare-apis/workspace/dicomservice/README.md
index f558bdc101..eefac6dcf6 100644
--- a/avm/res/healthcare-apis/workspace/dicomservice/README.md
+++ b/avm/res/healthcare-apis/workspace/dicomservice/README.md
@@ -22,6 +22,7 @@ This module deploys a Healthcare API Workspace DICOM Service.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`corsHeaders`](#parameter-corsheaders) | array | Specify HTTP headers which can be used during the request. Use "*" for any header. |
 | [`name`](#parameter-name) | string | The name of the DICOM service. |
 
 **Conditional parameters**
@@ -35,7 +36,6 @@ This module deploys a Healthcare API Workspace DICOM Service.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`corsAllowCredentials`](#parameter-corsallowcredentials) | bool | Use this setting to indicate that cookies should be included in CORS requests. |
-| [`corsHeaders`](#parameter-corsheaders) | array | Specify HTTP headers which can be used during the request. Use "*" for any header. |
 | [`corsMaxAge`](#parameter-corsmaxage) | int | Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes. |
 | [`corsMethods`](#parameter-corsmethods) | array | Specify the allowed HTTP methods. |
 | [`corsOrigins`](#parameter-corsorigins) | array | Specify URLs of origin sites that can access this API, or use "*" to allow access from any site. |
@@ -46,6 +46,13 @@ This module deploys a Healthcare API Workspace DICOM Service.
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Control permission for data plane traffic coming from public networks while private endpoint is enabled. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 
+### Parameter: `corsHeaders`
+
+Specify HTTP headers which can be used during the request. Use "*" for any header.
+
+- Required: Yes
+- Type: array
+
 ### Parameter: `name`
 
 The name of the DICOM service.
@@ -68,13 +75,6 @@ Use this setting to indicate that cookies should be included in CORS requests.
 - Type: bool
 - Default: `False`
 
-### Parameter: `corsHeaders`
-
-Specify HTTP headers which can be used during the request. Use "*" for any header.
-
-- Required: Yes
-- Type: array
-
 ### Parameter: `corsMaxAge`
 
 Specify how long a result from a request can be cached in seconds. Example: 600 means 10 minutes.
diff --git a/avm/res/healthcare-apis/workspace/dicomservice/main.bicep b/avm/res/healthcare-apis/workspace/dicomservice/main.bicep
index 8717b91e8f..3e970883fd 100644
--- a/avm/res/healthcare-apis/workspace/dicomservice/main.bicep
+++ b/avm/res/healthcare-apis/workspace/dicomservice/main.bicep
@@ -13,7 +13,7 @@ param workspaceName string
 @description('Optional. Specify URLs of origin sites that can access this API, or use "*" to allow access from any site.')
 param corsOrigins array?
 
-@description('Optional. Specify HTTP headers which can be used during the request. Use "*" for any header.')
+@description('Required. Specify HTTP headers which can be used during the request. Use "*" for any header.')
 param corsHeaders array
 
 @allowed([
diff --git a/avm/res/healthcare-apis/workspace/dicomservice/main.json b/avm/res/healthcare-apis/workspace/dicomservice/main.json
index b08d7fd0df..337cdf0ae8 100644
--- a/avm/res/healthcare-apis/workspace/dicomservice/main.json
+++ b/avm/res/healthcare-apis/workspace/dicomservice/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "1751217677948929755"
+      "version": "0.30.23.60470",
+      "templateHash": "8075255504556528583"
     },
     "name": "Healthcare API Workspace DICOM Services",
     "description": "This module deploys a Healthcare API Workspace DICOM Service.",
@@ -207,7 +207,7 @@
     "corsHeaders": {
       "type": "array",
       "metadata": {
-        "description": "Optional. Specify HTTP headers which can be used during the request. Use \"*\" for any header."
+        "description": "Required. Specify HTTP headers which can be used during the request. Use \"*\" for any header."
       }
     },
     "corsMethods": {
diff --git a/avm/res/healthcare-apis/workspace/fhirservice/main.json b/avm/res/healthcare-apis/workspace/fhirservice/main.json
index eb0c2c801c..2b8bc41785 100644
--- a/avm/res/healthcare-apis/workspace/fhirservice/main.json
+++ b/avm/res/healthcare-apis/workspace/fhirservice/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "17664239331720913904"
+      "version": "0.30.23.60470",
+      "templateHash": "14455646643849754189"
     },
     "name": "Healthcare API Workspace FHIR Services",
     "description": "This module deploys a Healthcare API Workspace FHIR Service.",
diff --git a/avm/res/healthcare-apis/workspace/iotconnector/README.md b/avm/res/healthcare-apis/workspace/iotconnector/README.md
index 94dc443d08..3d44d39eb2 100644
--- a/avm/res/healthcare-apis/workspace/iotconnector/README.md
+++ b/avm/res/healthcare-apis/workspace/iotconnector/README.md
@@ -24,7 +24,6 @@ This module deploys a Healthcare API Workspace IoT Connector.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`deviceMapping`](#parameter-devicemapping) | object | The mapping JSON that determines how incoming device data is normalized. |
 | [`eventHubName`](#parameter-eventhubname) | string | Event Hub name to connect to. |
 | [`eventHubNamespaceName`](#parameter-eventhubnamespacename) | string | Namespace of the Event Hub to connect to. |
 | [`name`](#parameter-name) | string | The name of the MedTech service. |
@@ -40,6 +39,7 @@ This module deploys a Healthcare API Workspace IoT Connector.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`consumerGroup`](#parameter-consumergroup) | string | Consumer group of the event hub to connected to. |
+| [`deviceMapping`](#parameter-devicemapping) | object | The mapping JSON that determines how incoming device data is normalized. |
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`fhirdestination`](#parameter-fhirdestination) | object | FHIR Destination. |
 | [`location`](#parameter-location) | string | Location for all resources. |
@@ -47,20 +47,6 @@ This module deploys a Healthcare API Workspace IoT Connector.
 | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 
-### Parameter: `deviceMapping`
-
-The mapping JSON that determines how incoming device data is normalized.
-
-- Required: No
-- Type: object
-- Default:
-  ```Bicep
-  {
-      template: []
-      templateType: 'CollectionContent'
-  }
-  ```
-
 ### Parameter: `eventHubName`
 
 Event Hub name to connect to.
@@ -97,6 +83,20 @@ Consumer group of the event hub to connected to.
 - Type: string
 - Default: `[parameters('name')]`
 
+### Parameter: `deviceMapping`
+
+The mapping JSON that determines how incoming device data is normalized.
+
+- Required: No
+- Type: object
+- Default:
+  ```Bicep
+  {
+      template: []
+      templateType: 'CollectionContent'
+  }
+  ```
+
 ### Parameter: `diagnosticSettings`
 
 The diagnostic settings of the service.
diff --git a/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/README.md b/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
index c27c07ed13..e3417245d4 100644
--- a/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
+++ b/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/README.md
@@ -21,7 +21,6 @@ This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`destinationMapping`](#parameter-destinationmapping) | object | The mapping JSON that determines how normalized data is converted to FHIR Observations. |
 | [`fhirServiceResourceId`](#parameter-fhirserviceresourceid) | string | The resource identifier of the FHIR Service to connect to. |
 | [`name`](#parameter-name) | string | The name of the FHIR destination. |
 
@@ -36,23 +35,10 @@ This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`destinationMapping`](#parameter-destinationmapping) | object | The mapping JSON that determines how normalized data is converted to FHIR Observations. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`resourceIdentityResolutionType`](#parameter-resourceidentityresolutiontype) | string | Determines how resource identity is resolved on the destination. |
 
-### Parameter: `destinationMapping`
-
-The mapping JSON that determines how normalized data is converted to FHIR Observations.
-
-- Required: No
-- Type: object
-- Default:
-  ```Bicep
-  {
-      template: []
-      templateType: 'CollectionFhir'
-  }
-  ```
-
 ### Parameter: `fhirServiceResourceId`
 
 The resource identifier of the FHIR Service to connect to.
@@ -81,6 +67,20 @@ The name of the parent health data services workspace. Required if the template
 - Required: Yes
 - Type: string
 
+### Parameter: `destinationMapping`
+
+The mapping JSON that determines how normalized data is converted to FHIR Observations.
+
+- Required: No
+- Type: object
+- Default:
+  ```Bicep
+  {
+      template: []
+      templateType: 'CollectionFhir'
+  }
+  ```
+
 ### Parameter: `location`
 
 Location for all resources.
diff --git a/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/main.bicep b/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/main.bicep
index d42720678b..bfb87636ed 100644
--- a/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/main.bicep
+++ b/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/main.bicep
@@ -6,7 +6,7 @@ metadata owner = 'Azure/module-maintainers'
 @maxLength(24)
 param name string
 
-@description('Required. The mapping JSON that determines how normalized data is converted to FHIR Observations.')
+@description('Optional. The mapping JSON that determines how normalized data is converted to FHIR Observations.')
 param destinationMapping object = {
   templateType: 'CollectionFhir'
   template: []
diff --git a/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/main.json b/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/main.json
index 87612193cc..dd32895bd1 100644
--- a/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/main.json
+++ b/avm/res/healthcare-apis/workspace/iotconnector/fhirdestination/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "12659357611219228021"
+      "version": "0.30.23.60470",
+      "templateHash": "9211958556323045062"
     },
     "name": "Healthcare API Workspace IoT Connector FHIR Destinations",
     "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.",
@@ -26,7 +26,7 @@
         "template": []
       },
       "metadata": {
-        "description": "Required. The mapping JSON that determines how normalized data is converted to FHIR Observations."
+        "description": "Optional. The mapping JSON that determines how normalized data is converted to FHIR Observations."
       }
     },
     "iotConnectorName": {
diff --git a/avm/res/healthcare-apis/workspace/iotconnector/main.bicep b/avm/res/healthcare-apis/workspace/iotconnector/main.bicep
index 11fbb1192d..6653f1b627 100644
--- a/avm/res/healthcare-apis/workspace/iotconnector/main.bicep
+++ b/avm/res/healthcare-apis/workspace/iotconnector/main.bicep
@@ -19,7 +19,7 @@ param consumerGroup string = name
 @description('Required. Namespace of the Event Hub to connect to.')
 param eventHubNamespaceName string
 
-@description('Required. The mapping JSON that determines how incoming device data is normalized.')
+@description('Optional. The mapping JSON that determines how incoming device data is normalized.')
 param deviceMapping object = {
   templateType: 'CollectionContent'
   template: []
diff --git a/avm/res/healthcare-apis/workspace/iotconnector/main.json b/avm/res/healthcare-apis/workspace/iotconnector/main.json
index 8b9a9c6bd5..c8865cad8b 100644
--- a/avm/res/healthcare-apis/workspace/iotconnector/main.json
+++ b/avm/res/healthcare-apis/workspace/iotconnector/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "13346867265471851551"
+      "version": "0.30.23.60470",
+      "templateHash": "960125802721112117"
     },
     "name": "Healthcare API Workspace IoT Connectors",
     "description": "This module deploys a Healthcare API Workspace IoT Connector.",
@@ -223,7 +223,7 @@
         "template": []
       },
       "metadata": {
-        "description": "Required. The mapping JSON that determines how incoming device data is normalized."
+        "description": "Optional. The mapping JSON that determines how incoming device data is normalized."
       }
     },
     "fhirdestination": {
@@ -392,8 +392,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "12659357611219228021"
+              "version": "0.30.23.60470",
+              "templateHash": "9211958556323045062"
             },
             "name": "Healthcare API Workspace IoT Connector FHIR Destinations",
             "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.",
@@ -414,7 +414,7 @@
                 "template": []
               },
               "metadata": {
-                "description": "Required. The mapping JSON that determines how normalized data is converted to FHIR Observations."
+                "description": "Optional. The mapping JSON that determines how normalized data is converted to FHIR Observations."
               }
             },
             "iotConnectorName": {
diff --git a/avm/res/healthcare-apis/workspace/main.json b/avm/res/healthcare-apis/workspace/main.json
index 12635c0fb4..eaee54c542 100644
--- a/avm/res/healthcare-apis/workspace/main.json
+++ b/avm/res/healthcare-apis/workspace/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "17512289027426655191"
+      "version": "0.30.23.60470",
+      "templateHash": "2224027190177398808"
     },
     "name": "Healthcare API Workspaces",
     "description": "This module deploys a Healthcare API Workspace.",
@@ -382,8 +382,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "17664239331720913904"
+              "version": "0.30.23.60470",
+              "templateHash": "14455646643849754189"
             },
             "name": "Healthcare API Workspace FHIR Services",
             "description": "This module deploys a Healthcare API Workspace FHIR Service.",
@@ -1116,8 +1116,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "1751217677948929755"
+              "version": "0.30.23.60470",
+              "templateHash": "8075255504556528583"
             },
             "name": "Healthcare API Workspace DICOM Services",
             "description": "This module deploys a Healthcare API Workspace DICOM Service.",
@@ -1318,7 +1318,7 @@
             "corsHeaders": {
               "type": "array",
               "metadata": {
-                "description": "Optional. Specify HTTP headers which can be used during the request. Use \"*\" for any header."
+                "description": "Required. Specify HTTP headers which can be used during the request. Use \"*\" for any header."
               }
             },
             "corsMethods": {
@@ -1583,8 +1583,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "13346867265471851551"
+              "version": "0.30.23.60470",
+              "templateHash": "960125802721112117"
             },
             "name": "Healthcare API Workspace IoT Connectors",
             "description": "This module deploys a Healthcare API Workspace IoT Connector.",
@@ -1801,7 +1801,7 @@
                 "template": []
               },
               "metadata": {
-                "description": "Required. The mapping JSON that determines how incoming device data is normalized."
+                "description": "Optional. The mapping JSON that determines how incoming device data is normalized."
               }
             },
             "fhirdestination": {
@@ -1970,8 +1970,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "12659357611219228021"
+                      "version": "0.30.23.60470",
+                      "templateHash": "9211958556323045062"
                     },
                     "name": "Healthcare API Workspace IoT Connector FHIR Destinations",
                     "description": "This module deploys a Healthcare API Workspace IoT Connector FHIR Destination.",
@@ -1992,7 +1992,7 @@
                         "template": []
                       },
                       "metadata": {
-                        "description": "Required. The mapping JSON that determines how normalized data is converted to FHIR Observations."
+                        "description": "Optional. The mapping JSON that determines how normalized data is converted to FHIR Observations."
                       }
                     },
                     "iotConnectorName": {
diff --git a/avm/res/insights/private-link-scope/README.md b/avm/res/insights/private-link-scope/README.md
index 82c8c5da93..4f0d01138d 100644
--- a/avm/res/insights/private-link-scope/README.md
+++ b/avm/res/insights/private-link-scope/README.md
@@ -1319,15 +1319,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1336,6 +1334,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/insights/private-link-scope/main.bicep b/avm/res/insights/private-link-scope/main.bicep
index a6666eec33..5826589e02 100644
--- a/avm/res/insights/private-link-scope/main.bicep
+++ b/avm/res/insights/private-link-scope/main.bicep
@@ -326,7 +326,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/insights/private-link-scope/main.json b/avm/res/insights/private-link-scope/main.json
index ecb92303a1..289199a4d8 100644
--- a/avm/res/insights/private-link-scope/main.json
+++ b/avm/res/insights/private-link-scope/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "5947451992668490696"
+      "version": "0.30.23.60470",
+      "templateHash": "11811489211976276991"
     },
     "name": "Azure Monitor Private Link Scopes",
     "description": "This module deploys an Azure Monitor Private Link Scope.",
@@ -214,7 +214,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -601,8 +601,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "16277811786602972091"
+              "version": "0.30.23.60470",
+              "templateHash": "2722460902727903283"
             },
             "name": "Private Link Scope Scoped Resources",
             "description": "This module deploys a Private Link Scope Scoped Resource.",
diff --git a/avm/res/key-vault/vault/README.md b/avm/res/key-vault/vault/README.md
index 1155d01736..db1f083092 100644
--- a/avm/res/key-vault/vault/README.md
+++ b/avm/res/key-vault/vault/README.md
@@ -2477,15 +2477,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2494,6 +2492,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/key-vault/vault/main.bicep b/avm/res/key-vault/vault/main.bicep
index 12df3e45a3..03b79b0c01 100644
--- a/avm/res/key-vault/vault/main.bicep
+++ b/avm/res/key-vault/vault/main.bicep
@@ -512,7 +512,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/key-vault/vault/main.json b/avm/res/key-vault/vault/main.json
index a6769b9cb6..f772624dfc 100644
--- a/avm/res/key-vault/vault/main.json
+++ b/avm/res/key-vault/vault/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "4499855760252174192"
+      "templateHash": "16644955327529459184"
     },
     "name": "Key Vaults",
     "description": "This module deploys a Key Vault.",
@@ -309,7 +309,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/kusto/cluster/README.md b/avm/res/kusto/cluster/README.md
index 6c6e0b22ed..407f17b4fa 100644
--- a/avm/res/kusto/cluster/README.md
+++ b/avm/res/kusto/cluster/README.md
@@ -798,7 +798,7 @@ The Kusto Cluster's accepted audiences.
 - Type: array
 - Default: `[]`
 
-**Optional parameters**
+**Required parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
@@ -1264,7 +1264,7 @@ Enables system assigned managed identity on the resource.
 
 The resource id(s) to assign to the resource.
 
-- Required: Yes
+- Required: No
 - Type: array
 
 ### Parameter: `principalAssignments`
@@ -1341,15 +1341,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1358,6 +1356,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/kusto/cluster/main.bicep b/avm/res/kusto/cluster/main.bicep
index e1372dca57..01c343a0d5 100644
--- a/avm/res/kusto/cluster/main.bicep
+++ b/avm/res/kusto/cluster/main.bicep
@@ -391,7 +391,7 @@ output privateEndpoints array = [
 // =============== //
 
 type acceptedAudienceType = {
-  @description('Optional. GUID or valid URL representing an accepted audience.')
+  @description('Required. GUID or valid URL representing an accepted audience.')
   value: string
 }?
 
@@ -488,7 +488,7 @@ type managedIdentitiesType = {
   systemAssigned: bool?
 
   @description('Optional. The resource id(s) to assign to the resource.')
-  userAssignedResourceIds: string[]
+  userAssignedResourceIds: string[]?
 }?
 
 type privateEndpointType = {
@@ -531,7 +531,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/kusto/cluster/main.json b/avm/res/kusto/cluster/main.json
index 2c06ed215d..edb61b98fe 100644
--- a/avm/res/kusto/cluster/main.json
+++ b/avm/res/kusto/cluster/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "17272299626990757362"
+      "version": "0.30.23.60470",
+      "templateHash": "8362793153324787983"
     },
     "name": "Kusto Cluster",
     "description": "This module deploys a Kusto Cluster.",
@@ -19,7 +19,7 @@
         "value": {
           "type": "string",
           "metadata": {
-            "description": "Optional. GUID or valid URL representing an accepted audience."
+            "description": "Required. GUID or valid URL representing an accepted audience."
           }
         }
       },
@@ -264,6 +264,7 @@
           "items": {
             "type": "string"
           },
+          "nullable": true,
           "metadata": {
             "description": "Optional. The resource id(s) to assign to the resource."
           }
@@ -373,7 +374,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -1079,8 +1080,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "15388375145433684348"
+              "version": "0.30.23.60470",
+              "templateHash": "157221949480329840"
             },
             "name": "Kusto Cluster Principal Assignments",
             "description": "This module deploys a Kusto Cluster Principal Assignment.",
diff --git a/avm/res/machine-learning-services/workspace/README.md b/avm/res/machine-learning-services/workspace/README.md
index 5257a24585..310e4097f9 100644
--- a/avm/res/machine-learning-services/workspace/README.md
+++ b/avm/res/machine-learning-services/workspace/README.md
@@ -2174,15 +2174,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2191,6 +2189,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/machine-learning-services/workspace/main.bicep b/avm/res/machine-learning-services/workspace/main.bicep
index beadb6aa63..7ec6ee71d0 100644
--- a/avm/res/machine-learning-services/workspace/main.bicep
+++ b/avm/res/machine-learning-services/workspace/main.bicep
@@ -540,7 +540,7 @@ type privateEndpointType = {
 
   @sys.description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @sys.description('Required. Fqdn that resolves to private endpoint IP address.')
+    @sys.description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @sys.description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/machine-learning-services/workspace/main.json b/avm/res/machine-learning-services/workspace/main.json
index 188ff7e44c..54b4c5b3f5 100644
--- a/avm/res/machine-learning-services/workspace/main.json
+++ b/avm/res/machine-learning-services/workspace/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "13428062064493278756"
+      "templateHash": "1720825561395705058"
     },
     "name": "Machine Learning Services Workspaces",
     "description": "This module deploys a Machine Learning Services Workspace.",
@@ -236,7 +236,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/net-app/net-app-account/README.md b/avm/res/net-app/net-app-account/README.md
index 3a41e6dc96..2cfd330976 100644
--- a/avm/res/net-app/net-app-account/README.md
+++ b/avm/res/net-app/net-app-account/README.md
@@ -1226,7 +1226,7 @@ The managed identity definition for this resource.
 
 The resource ID(s) to assign to the resource.
 
-- Required: Yes
+- Required: No
 - Type: array
 
 ### Parameter: `roleAssignments`
diff --git a/avm/res/net-app/net-app-account/backup-policies/README.md b/avm/res/net-app/net-app-account/backup-policies/README.md
index 6756951c04..16fed5137d 100644
--- a/avm/res/net-app/net-app-account/backup-policies/README.md
+++ b/avm/res/net-app/net-app-account/backup-policies/README.md
@@ -20,7 +20,10 @@ This module deploys a Backup Policy for Azure NetApp File.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`backupPolicyName`](#parameter-backuppolicyname) | string | The name of the backup policy. |
+| [`backupPolicyLocation`](#parameter-backuppolicylocation) | string | The location of the backup policy. Required if the template is used in a standalone deployment. |
+| [`dailyBackupsToKeep`](#parameter-dailybackupstokeep) | int | The daily backups to keep. |
+| [`monthlyBackupsToKeep`](#parameter-monthlybackupstokeep) | int | The monthly backups to keep. |
+| [`weeklyBackupsToKeep`](#parameter-weeklybackupstokeep) | int | The weekly backups to keep. |
 
 **Conditional parameters**
 
@@ -33,33 +36,7 @@ This module deploys a Backup Policy for Azure NetApp File.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`backupEnabled`](#parameter-backupenabled) | bool | Indicates whether the backup policy is enabled. |
-| [`backupPolicyLocation`](#parameter-backuppolicylocation) | string | The location of the backup policy. Required if the template is used in a standalone deployment. |
-| [`dailyBackupsToKeep`](#parameter-dailybackupstokeep) | int | The daily backups to keep. |
-| [`monthlyBackupsToKeep`](#parameter-monthlybackupstokeep) | int | The monthly backups to keep. |
-| [`weeklyBackupsToKeep`](#parameter-weeklybackupstokeep) | int | The weekly backups to keep. |
-
-### Parameter: `backupPolicyName`
-
-The name of the backup policy.
-
-- Required: No
-- Type: string
-- Default: `'backupPolicy'`
-
-### Parameter: `netAppAccountName`
-
-The name of the parent NetApp account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `backupEnabled`
-
-Indicates whether the backup policy is enabled.
-
-- Required: No
-- Type: bool
-- Default: `False`
+| [`backupPolicyName`](#parameter-backuppolicyname) | string | The name of the backup policy. |
 
 ### Parameter: `backupPolicyLocation`
 
@@ -89,6 +66,29 @@ The weekly backups to keep.
 - Required: Yes
 - Type: int
 
+### Parameter: `netAppAccountName`
+
+The name of the parent NetApp account. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `backupEnabled`
+
+Indicates whether the backup policy is enabled.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `backupPolicyName`
+
+The name of the backup policy.
+
+- Required: No
+- Type: string
+- Default: `'backupPolicy'`
+
 ## Outputs
 
 | Output | Type | Description |
diff --git a/avm/res/net-app/net-app-account/backup-policies/main.bicep b/avm/res/net-app/net-app-account/backup-policies/main.bicep
index 5a254eadfb..6fa1fe7f74 100644
--- a/avm/res/net-app/net-app-account/backup-policies/main.bicep
+++ b/avm/res/net-app/net-app-account/backup-policies/main.bicep
@@ -5,19 +5,19 @@ metadata owner = 'Azure/module-maintainers'
 @description('Conditional. The name of the parent NetApp account. Required if the template is used in a standalone deployment.')
 param netAppAccountName string
 
-@description('Required. The name of the backup policy.')
+@description('Optional. The name of the backup policy.')
 param backupPolicyName string = 'backupPolicy'
 
-@description('Optional. The location of the backup policy. Required if the template is used in a standalone deployment.')
+@description('Required. The location of the backup policy. Required if the template is used in a standalone deployment.')
 param backupPolicyLocation string
 
-@description('Optional. The daily backups to keep.')
+@description('Required. The daily backups to keep.')
 param dailyBackupsToKeep int
 
-@description('Optional. The monthly backups to keep.')
+@description('Required. The monthly backups to keep.')
 param monthlyBackupsToKeep int
 
-@description('Optional. The weekly backups to keep.')
+@description('Required. The weekly backups to keep.')
 param weeklyBackupsToKeep int
 
 @description('Optional. Indicates whether the backup policy is enabled.')
diff --git a/avm/res/net-app/net-app-account/backup-policies/main.json b/avm/res/net-app/net-app-account/backup-policies/main.json
index 315e53cdee..0f68e10321 100644
--- a/avm/res/net-app/net-app-account/backup-policies/main.json
+++ b/avm/res/net-app/net-app-account/backup-policies/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "16399924782439066553"
+      "version": "0.30.23.60470",
+      "templateHash": "13036318518380500677"
     },
     "name": "Azure NetApp Files Backup Policy",
     "description": "This module deploys a Backup Policy for Azure NetApp File.",
@@ -22,31 +22,31 @@
       "type": "string",
       "defaultValue": "backupPolicy",
       "metadata": {
-        "description": "Required. The name of the backup policy."
+        "description": "Optional. The name of the backup policy."
       }
     },
     "backupPolicyLocation": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The location of the backup policy. Required if the template is used in a standalone deployment."
+        "description": "Required. The location of the backup policy. Required if the template is used in a standalone deployment."
       }
     },
     "dailyBackupsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The daily backups to keep."
+        "description": "Required. The daily backups to keep."
       }
     },
     "monthlyBackupsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The monthly backups to keep."
+        "description": "Required. The monthly backups to keep."
       }
     },
     "weeklyBackupsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The weekly backups to keep."
+        "description": "Required. The weekly backups to keep."
       }
     },
     "backupEnabled": {
diff --git a/avm/res/net-app/net-app-account/capacity-pool/README.md b/avm/res/net-app/net-app-account/capacity-pool/README.md
index 888ae5f9ef..ce4e635136 100644
--- a/avm/res/net-app/net-app-account/capacity-pool/README.md
+++ b/avm/res/net-app/net-app-account/capacity-pool/README.md
@@ -28,7 +28,6 @@ This module deploys an Azure NetApp Files Capacity Pool.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`name`](#parameter-name) | string | The name of the capacity pool. |
-| [`networkFeatures`](#parameter-networkfeatures) | string | Network features available to the volume, or current state of update (Basic/Standard). |
 | [`size`](#parameter-size) | int | Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104). |
 
 **Conditional parameters**
@@ -57,14 +56,6 @@ The name of the capacity pool.
 - Required: Yes
 - Type: string
 
-### Parameter: `networkFeatures`
-
-Network features available to the volume, or current state of update (Basic/Standard).
-
-- Required: No
-- Type: string
-- Default: `'Standard'`
-
 ### Parameter: `size`
 
 Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104).
diff --git a/avm/res/net-app/net-app-account/capacity-pool/main.bicep b/avm/res/net-app/net-app-account/capacity-pool/main.bicep
index 05ee747227..c8fa6c36f5 100644
--- a/avm/res/net-app/net-app-account/capacity-pool/main.bicep
+++ b/avm/res/net-app/net-app-account/capacity-pool/main.bicep
@@ -23,9 +23,6 @@ param tags object?
 ])
 param serviceLevel string = 'Standard'
 
-@description('Required. Network features available to the volume, or current state of update (Basic/Standard).')
-param networkFeatures string = 'Standard'
-
 @description('Required. Provisioned size of the pool (in bytes). Allowed values are in 4TiB chunks (value must be multiply of 4398046511104).')
 param size int
 
@@ -122,7 +119,6 @@ module capacityPool_volumes 'volume/main.bicep' = [
       remoteVolumeRegion: volume.?remoteVolumeRegion ?? ''
       remoteVolumeResourceId: volume.?remoteVolumeResourceId ?? ''
       replicationSchedule: volume.?replicationSchedule ?? ''
-      snapshotPolicyId: volume.?snapshotPolicyId ?? ''
       snapshotPolicyName: volume.?snapshotPolicyName ?? 'snapshotPolicy'
       snapshotPolicyLocation: volume.?snapshotPolicyLocation ?? ''
       snapEnabled: volume.?snapEnabled ?? false
diff --git a/avm/res/net-app/net-app-account/capacity-pool/main.json b/avm/res/net-app/net-app-account/capacity-pool/main.json
index 51024b061a..6266575c14 100644
--- a/avm/res/net-app/net-app-account/capacity-pool/main.json
+++ b/avm/res/net-app/net-app-account/capacity-pool/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "5120059204101466005"
+      "version": "0.30.23.60470",
+      "templateHash": "1966206032457552782"
     },
     "name": "Azure NetApp Files Capacity Pools",
     "description": "This module deploys an Azure NetApp Files Capacity Pool.",
@@ -127,13 +127,6 @@
         "description": "Optional. The pool service level."
       }
     },
-    "networkFeatures": {
-      "type": "string",
-      "defaultValue": "Standard",
-      "metadata": {
-        "description": "Required. Network features available to the volume, or current state of update (Basic/Standard)."
-      }
-    },
     "size": {
       "type": "int",
       "metadata": {
@@ -327,9 +320,6 @@
           "replicationSchedule": {
             "value": "[coalesce(tryGet(parameters('volumes')[copyIndex()], 'replicationSchedule'), '')]"
           },
-          "snapshotPolicyId": {
-            "value": "[coalesce(tryGet(parameters('volumes')[copyIndex()], 'snapshotPolicyId'), '')]"
-          },
           "snapshotPolicyName": {
             "value": "[coalesce(tryGet(parameters('volumes')[copyIndex()], 'snapshotPolicyName'), 'snapshotPolicy')]"
           },
@@ -446,8 +436,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "3878108397799577614"
+              "version": "0.30.23.60470",
+              "templateHash": "7267638032222261061"
             },
             "name": "Azure NetApp Files Capacity Pool Volumes",
             "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.",
@@ -544,13 +534,13 @@
             "coolAccess": {
               "type": "bool",
               "metadata": {
-                "description": "Optional. If enabled (true) the pool can contain cool Access enabled volumes."
+                "description": "Required. If enabled (true) the pool can contain cool Access enabled volumes."
               }
             },
             "coolnessPeriod": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Specifies the number of days after which data that is not accessed by clients will be tiered."
+                "description": "Required. Specifies the number of days after which data that is not accessed by clients will be tiered."
               }
             },
             "coolAccessRetrievalPolicy": {
@@ -563,37 +553,37 @@
             "encryptionKeySource": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The source of the encryption key."
+                "description": "Required. The source of the encryption key."
               }
             },
             "keyVaultPrivateEndpointResourceId": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The resource ID of the key vault private endpoint."
+                "description": "Required. The resource ID of the key vault private endpoint."
               }
             },
             "endpointType": {
               "type": "string",
               "metadata": {
-                "description": "Optional. Indicates whether the local volume is the source or destination for the Volume Replication (src/dst)."
+                "description": "Required. Indicates whether the local volume is the source or destination for the Volume Replication (src/dst)."
               }
             },
             "remoteVolumeRegion": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The remote region for the other end of the Volume Replication."
+                "description": "Required. The remote region for the other end of the Volume Replication."
               }
             },
             "remoteVolumeResourceId": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The resource ID of the remote volume."
+                "description": "Required. The resource ID of the remote volume."
               }
             },
             "replicationSchedule": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The replication schedule for the volume."
+                "description": "Required. The replication schedule for the volume."
               }
             },
             "backupEnabled": {
@@ -613,103 +603,103 @@
             "dailyHour": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The daily snapshot hour."
+                "description": "Required. The daily snapshot hour."
               }
             },
             "dailyMinute": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The daily snapshot minute."
+                "description": "Required. The daily snapshot minute."
               }
             },
             "dailySnapshotsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Daily snapshot count to keep."
+                "description": "Required. Daily snapshot count to keep."
               }
             },
             "dailyUsedBytes": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Daily snapshot used bytes."
+                "description": "Required. Daily snapshot used bytes."
               }
             },
             "hourlyMinute": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The hourly snapshot minute."
+                "description": "Required. The hourly snapshot minute."
               }
             },
             "hourlySnapshotsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Hourly snapshot count to keep."
+                "description": "Required. Hourly snapshot count to keep."
               }
             },
             "hourlyUsedBytes": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Hourly snapshot used bytes."
+                "description": "Required. Hourly snapshot used bytes."
               }
             },
             "daysOfMonth": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The monthly snapshot day."
+                "description": "Required. The monthly snapshot day."
               }
             },
             "monthlyHour": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The monthly snapshot hour."
+                "description": "Required. The monthly snapshot hour."
               }
             },
             "monthlyMinute": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The monthly snapshot minute."
+                "description": "Required. The monthly snapshot minute."
               }
             },
             "monthlySnapshotsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Monthly snapshot count to keep."
+                "description": "Required. Monthly snapshot count to keep."
               }
             },
             "monthlyUsedBytes": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Monthly snapshot used bytes."
+                "description": "Required. Monthly snapshot used bytes."
               }
             },
             "weeklyDay": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The weekly snapshot day."
+                "description": "Required. The weekly snapshot day."
               }
             },
             "weeklyHour": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The weekly snapshot hour."
+                "description": "Required. The weekly snapshot hour."
               }
             },
             "weeklyMinute": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The weekly snapshot minute."
+                "description": "Required. The weekly snapshot minute."
               }
             },
             "weeklySnapshotsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Weekly snapshot count to keep."
+                "description": "Required. Weekly snapshot count to keep."
               }
             },
             "weeklyUsedBytes": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Weekly snapshot used bytes."
+                "description": "Required. Weekly snapshot used bytes."
               }
             },
             "snapEnabled": {
@@ -722,25 +712,25 @@
             "snapshotPolicyName": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The name of the snapshot policy."
+                "description": "Required. The name of the snapshot policy."
               }
             },
             "dailyBackupsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The daily backups to keep."
+                "description": "Required. The daily backups to keep."
               }
             },
             "monthlyBackupsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The monthly backups to keep."
+                "description": "Required. The monthly backups to keep."
               }
             },
             "weeklyBackupsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The weekly backups to keep."
+                "description": "Required. The weekly backups to keep."
               }
             },
             "backupVaultName": {
@@ -760,43 +750,37 @@
             "backupName": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The name of the backup."
+                "description": "Required. The name of the backup."
               }
             },
             "backupLabel": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The label of the backup."
+                "description": "Required. The label of the backup."
               }
             },
             "useExistingSnapshot": {
               "type": "bool",
               "metadata": {
-                "description": "Optional. Indicates whether to use an existing snapshot."
+                "description": "Required. Indicates whether to use an existing snapshot."
               }
             },
             "snapshotName": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The name of the snapshot."
-              }
-            },
-            "snapshotPolicyId": {
-              "type": "string",
-              "metadata": {
-                "description": "Optional. The snapshot Policy id."
+                "description": "Required. The name of the snapshot."
               }
             },
             "volumeResourceId": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The resource ID of the volume."
+                "description": "Required. The resource ID of the volume."
               }
             },
             "volumeType": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The type of the volume. DataProtection volumes are used for replication."
+                "description": "Required. The type of the volume. DataProtection volumes are used for replication."
               }
             },
             "name": {
@@ -831,13 +815,13 @@
             "backupPolicyLocation": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The backup policy location."
+                "description": "Required. The backup policy location."
               }
             },
             "snapshotPolicyLocation": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The location of snashot policies."
+                "description": "Required. The location of snashot policies."
               }
             },
             "serviceLevel": {
@@ -908,7 +892,7 @@
             "backupVaultId": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The Id of the Backup Vault."
+                "description": "Required. The Id of the Backup Vault."
               }
             },
             "replicationEnabled": {
@@ -1045,8 +1029,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.3.12046",
-                      "templateHash": "16399924782439066553"
+                      "version": "0.30.23.60470",
+                      "templateHash": "13036318518380500677"
                     },
                     "name": "Azure NetApp Files Backup Policy",
                     "description": "This module deploys a Backup Policy for Azure NetApp File.",
@@ -1063,31 +1047,31 @@
                       "type": "string",
                       "defaultValue": "backupPolicy",
                       "metadata": {
-                        "description": "Required. The name of the backup policy."
+                        "description": "Optional. The name of the backup policy."
                       }
                     },
                     "backupPolicyLocation": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The location of the backup policy. Required if the template is used in a standalone deployment."
+                        "description": "Required. The location of the backup policy. Required if the template is used in a standalone deployment."
                       }
                     },
                     "dailyBackupsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The daily backups to keep."
+                        "description": "Required. The daily backups to keep."
                       }
                     },
                     "monthlyBackupsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The monthly backups to keep."
+                        "description": "Required. The monthly backups to keep."
                       }
                     },
                     "weeklyBackupsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The weekly backups to keep."
+                        "description": "Required. The weekly backups to keep."
                       }
                     },
                     "backupEnabled": {
@@ -1216,8 +1200,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.3.12046",
-                      "templateHash": "17076752505050697613"
+                      "version": "0.30.23.60470",
+                      "templateHash": "12832989826838310090"
                     },
                     "name": "Azure NetApp Files Snapshot Policy",
                     "description": "This module deploys a Snapshot Policy for an Azure NetApp File.",
@@ -1233,7 +1217,7 @@
                     "snapshotPolicyName": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The name of the snapshot policy."
+                        "description": "Required. The name of the snapshot policy."
                       }
                     },
                     "snapshotPolicyLocation": {
@@ -1246,103 +1230,103 @@
                     "dailyHour": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The daily snapshot hour."
+                        "description": "Required. The daily snapshot hour."
                       }
                     },
                     "dailyMinute": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The daily snapshot minute."
+                        "description": "Required. The daily snapshot minute."
                       }
                     },
                     "dailySnapshotsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Daily snapshot count to keep."
+                        "description": "Required. Daily snapshot count to keep."
                       }
                     },
                     "dailyUsedBytes": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Daily snapshot used bytes."
+                        "description": "Required. Daily snapshot used bytes."
                       }
                     },
                     "hourlyMinute": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The hourly snapshot minute."
+                        "description": "Required. The hourly snapshot minute."
                       }
                     },
                     "hourlySnapshotsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Hourly snapshot count to keep."
+                        "description": "Required. Hourly snapshot count to keep."
                       }
                     },
                     "hourlyUsedBytes": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Hourly snapshot used bytes."
+                        "description": "Required. Hourly snapshot used bytes."
                       }
                     },
                     "daysOfMonth": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The monthly snapshot day."
+                        "description": "Required. The monthly snapshot day."
                       }
                     },
                     "monthlyHour": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The monthly snapshot hour."
+                        "description": "Required. The monthly snapshot hour."
                       }
                     },
                     "monthlyMinute": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The monthly snapshot minute."
+                        "description": "Required. The monthly snapshot minute."
                       }
                     },
                     "monthlySnapshotsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Monthly snapshot count to keep."
+                        "description": "Required. Monthly snapshot count to keep."
                       }
                     },
                     "monthlyUsedBytes": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Monthly snapshot used bytes."
+                        "description": "Required. Monthly snapshot used bytes."
                       }
                     },
                     "weeklyDay": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The weekly snapshot day."
+                        "description": "Required. The weekly snapshot day."
                       }
                     },
                     "weeklyHour": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The weekly snapshot hour."
+                        "description": "Required. The weekly snapshot hour."
                       }
                     },
                     "weeklyMinute": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The weekly snapshot minute."
+                        "description": "Required. The weekly snapshot minute."
                       }
                     },
                     "weeklySnapshotsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Weekly snapshot count to keep."
+                        "description": "Required. Weekly snapshot count to keep."
                       }
                     },
                     "weeklyUsedBytes": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Weekly snapshot used bytes."
+                        "description": "Required. Weekly snapshot used bytes."
                       }
                     },
                     "snapEnabled": {
diff --git a/avm/res/net-app/net-app-account/capacity-pool/volume/README.md b/avm/res/net-app/net-app-account/capacity-pool/volume/README.md
index de7e5a1c46..a1f27ddbfd 100644
--- a/avm/res/net-app/net-app-account/capacity-pool/volume/README.md
+++ b/avm/res/net-app/net-app-account/capacity-pool/volume/README.md
@@ -26,33 +26,12 @@ This module deploys an Azure NetApp Files Capacity Pool Volume.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`name`](#parameter-name) | string | The name of the pool volume. |
-| [`subnetResourceId`](#parameter-subnetresourceid) | string | The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. |
-| [`usageThreshold`](#parameter-usagethreshold) | int | Maximum storage quota allowed for a file system in bytes. |
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`capacityPoolName`](#parameter-capacitypoolname) | string | The name of the parent capacity pool. Required if the template is used in a standalone deployment. |
-| [`netAppAccountName`](#parameter-netappaccountname) | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`backupEnabled`](#parameter-backupenabled) | bool | Indicates whether the backup policy is enabled. |
 | [`backupLabel`](#parameter-backuplabel) | string | The label of the backup. |
 | [`backupName`](#parameter-backupname) | string | The name of the backup. |
 | [`backupPolicyLocation`](#parameter-backuppolicylocation) | string | The backup policy location. |
-| [`backupPolicyName`](#parameter-backuppolicyname) | string | The name of the backup policy. |
 | [`backupVaultId`](#parameter-backupvaultid) | string | The Id of the Backup Vault. |
-| [`backupVaultLocation`](#parameter-backupvaultlocation) | string | The location of the backup vault. |
-| [`backupVaultName`](#parameter-backupvaultname) | string | The name of the backup vault. |
 | [`coolAccess`](#parameter-coolaccess) | bool | If enabled (true) the pool can contain cool Access enabled volumes. |
-| [`coolAccessRetrievalPolicy`](#parameter-coolaccessretrievalpolicy) | string | determines the data retrieval behavior from the cool tier to standard storage based on the read pattern for cool access enabled volumes (Default/Never/Read). |
 | [`coolnessPeriod`](#parameter-coolnessperiod) | int | Specifies the number of days after which data that is not accessed by clients will be tiered. |
-| [`creationToken`](#parameter-creationtoken) | string | A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription. |
 | [`dailyBackupsToKeep`](#parameter-dailybackupstokeep) | int | The daily backups to keep. |
 | [`dailyHour`](#parameter-dailyhour) | int | The daily snapshot hour. |
 | [`dailyMinute`](#parameter-dailyminute) | int | The daily snapshot minute. |
@@ -61,31 +40,24 @@ This module deploys an Azure NetApp Files Capacity Pool Volume.
 | [`daysOfMonth`](#parameter-daysofmonth) | string | The monthly snapshot day. |
 | [`encryptionKeySource`](#parameter-encryptionkeysource) | string | The source of the encryption key. |
 | [`endpointType`](#parameter-endpointtype) | string | Indicates whether the local volume is the source or destination for the Volume Replication (src/dst). |
-| [`exportPolicyRules`](#parameter-exportpolicyrules) | array | Export policy rules. |
 | [`hourlyMinute`](#parameter-hourlyminute) | int | The hourly snapshot minute. |
 | [`hourlySnapshotsToKeep`](#parameter-hourlysnapshotstokeep) | int | Hourly snapshot count to keep. |
 | [`hourlyUsedBytes`](#parameter-hourlyusedbytes) | int | Hourly snapshot used bytes. |
 | [`keyVaultPrivateEndpointResourceId`](#parameter-keyvaultprivateendpointresourceid) | string | The resource ID of the key vault private endpoint. |
-| [`location`](#parameter-location) | string | Location of the pool volume. |
 | [`monthlyBackupsToKeep`](#parameter-monthlybackupstokeep) | int | The monthly backups to keep. |
 | [`monthlyHour`](#parameter-monthlyhour) | int | The monthly snapshot hour. |
 | [`monthlyMinute`](#parameter-monthlyminute) | int | The monthly snapshot minute. |
 | [`monthlySnapshotsToKeep`](#parameter-monthlysnapshotstokeep) | int | Monthly snapshot count to keep. |
 | [`monthlyUsedBytes`](#parameter-monthlyusedbytes) | int | Monthly snapshot used bytes. |
-| [`networkFeatures`](#parameter-networkfeatures) | string | Network feature for the volume. |
-| [`policyEnforced`](#parameter-policyenforced) | bool | If Backup policy is enforced. |
-| [`protocolTypes`](#parameter-protocoltypes) | array | Set of protocol types. |
+| [`name`](#parameter-name) | string | The name of the pool volume. |
 | [`remoteVolumeRegion`](#parameter-remotevolumeregion) | string | The remote region for the other end of the Volume Replication. |
 | [`remoteVolumeResourceId`](#parameter-remotevolumeresourceid) | string | The resource ID of the remote volume. |
-| [`replicationEnabled`](#parameter-replicationenabled) | bool | Boolean to enable replication. |
 | [`replicationSchedule`](#parameter-replicationschedule) | string | The replication schedule for the volume. |
-| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. Must match the one of the parent capacity pool. |
-| [`snapEnabled`](#parameter-snapenabled) | bool | Indicates whether the snapshot policy is enabled. |
 | [`snapshotName`](#parameter-snapshotname) | string | The name of the snapshot. |
-| [`snapshotPolicyId`](#parameter-snapshotpolicyid) | string | The snapshot Policy id. |
 | [`snapshotPolicyLocation`](#parameter-snapshotpolicylocation) | string | The location of snashot policies. |
 | [`snapshotPolicyName`](#parameter-snapshotpolicyname) | string | The name of the snapshot policy. |
+| [`subnetResourceId`](#parameter-subnetresourceid) | string | The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes. |
+| [`usageThreshold`](#parameter-usagethreshold) | int | Maximum storage quota allowed for a file system in bytes. |
 | [`useExistingSnapshot`](#parameter-useexistingsnapshot) | bool | Indicates whether to use an existing snapshot. |
 | [`volumeResourceId`](#parameter-volumeresourceid) | string | The resource ID of the volume. |
 | [`volumeType`](#parameter-volumetype) | string | The type of the volume. DataProtection volumes are used for replication. |
@@ -95,50 +67,34 @@ This module deploys an Azure NetApp Files Capacity Pool Volume.
 | [`weeklyMinute`](#parameter-weeklyminute) | int | The weekly snapshot minute. |
 | [`weeklySnapshotsToKeep`](#parameter-weeklysnapshotstokeep) | int | Weekly snapshot count to keep. |
 | [`weeklyUsedBytes`](#parameter-weeklyusedbytes) | int | Weekly snapshot used bytes. |
-| [`zones`](#parameter-zones) | array | Zone where the volume will be placed. |
-
-### Parameter: `name`
-
-The name of the pool volume.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `subnetResourceId`
-
-The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `usageThreshold`
-
-Maximum storage quota allowed for a file system in bytes.
-
-- Required: Yes
-- Type: int
-
-### Parameter: `capacityPoolName`
-
-The name of the parent capacity pool. Required if the template is used in a standalone deployment.
 
-- Required: Yes
-- Type: string
-
-### Parameter: `netAppAccountName`
-
-The name of the parent NetApp account. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
+**Conditional parameters**
 
-### Parameter: `backupEnabled`
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`capacityPoolName`](#parameter-capacitypoolname) | string | The name of the parent capacity pool. Required if the template is used in a standalone deployment. |
+| [`netAppAccountName`](#parameter-netappaccountname) | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. |
 
-Indicates whether the backup policy is enabled.
+**Optional parameters**
 
-- Required: No
-- Type: bool
-- Default: `False`
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`backupEnabled`](#parameter-backupenabled) | bool | Indicates whether the backup policy is enabled. |
+| [`backupPolicyName`](#parameter-backuppolicyname) | string | The name of the backup policy. |
+| [`backupVaultLocation`](#parameter-backupvaultlocation) | string | The location of the backup vault. |
+| [`backupVaultName`](#parameter-backupvaultname) | string | The name of the backup vault. |
+| [`coolAccessRetrievalPolicy`](#parameter-coolaccessretrievalpolicy) | string | determines the data retrieval behavior from the cool tier to standard storage based on the read pattern for cool access enabled volumes (Default/Never/Read). |
+| [`creationToken`](#parameter-creationtoken) | string | A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription. |
+| [`exportPolicyRules`](#parameter-exportpolicyrules) | array | Export policy rules. |
+| [`location`](#parameter-location) | string | Location of the pool volume. |
+| [`networkFeatures`](#parameter-networkfeatures) | string | Network feature for the volume. |
+| [`policyEnforced`](#parameter-policyenforced) | bool | If Backup policy is enforced. |
+| [`protocolTypes`](#parameter-protocoltypes) | array | Set of protocol types. |
+| [`replicationEnabled`](#parameter-replicationenabled) | bool | Boolean to enable replication. |
+| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
+| [`serviceLevel`](#parameter-servicelevel) | string | The pool service level. Must match the one of the parent capacity pool. |
+| [`snapEnabled`](#parameter-snapenabled) | bool | Indicates whether the snapshot policy is enabled. |
+| [`zones`](#parameter-zones) | array | Zone where the volume will be placed. |
 
 ### Parameter: `backupLabel`
 
@@ -161,14 +117,6 @@ The backup policy location.
 - Required: Yes
 - Type: string
 
-### Parameter: `backupPolicyName`
-
-The name of the backup policy.
-
-- Required: No
-- Type: string
-- Default: `'backupPolicy'`
-
 ### Parameter: `backupVaultId`
 
 The Id of the Backup Vault.
@@ -176,22 +124,6 @@ The Id of the Backup Vault.
 - Required: Yes
 - Type: string
 
-### Parameter: `backupVaultLocation`
-
-The location of the backup vault.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
-### Parameter: `backupVaultName`
-
-The name of the backup vault.
-
-- Required: No
-- Type: string
-- Default: `'vault'`
-
 ### Parameter: `coolAccess`
 
 If enabled (true) the pool can contain cool Access enabled volumes.
@@ -199,14 +131,6 @@ If enabled (true) the pool can contain cool Access enabled volumes.
 - Required: Yes
 - Type: bool
 
-### Parameter: `coolAccessRetrievalPolicy`
-
-determines the data retrieval behavior from the cool tier to standard storage based on the read pattern for cool access enabled volumes (Default/Never/Read).
-
-- Required: No
-- Type: string
-- Default: `'Default'`
-
 ### Parameter: `coolnessPeriod`
 
 Specifies the number of days after which data that is not accessed by clients will be tiered.
@@ -214,14 +138,6 @@ Specifies the number of days after which data that is not accessed by clients wi
 - Required: Yes
 - Type: int
 
-### Parameter: `creationToken`
-
-A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription.
-
-- Required: No
-- Type: string
-- Default: `[parameters('name')]`
-
 ### Parameter: `dailyBackupsToKeep`
 
 The daily backups to keep.
@@ -278,14 +194,6 @@ Indicates whether the local volume is the source or destination for the Volume R
 - Required: Yes
 - Type: string
 
-### Parameter: `exportPolicyRules`
-
-Export policy rules.
-
-- Required: No
-- Type: array
-- Default: `[]`
-
 ### Parameter: `hourlyMinute`
 
 The hourly snapshot minute.
@@ -314,14 +222,6 @@ The resource ID of the key vault private endpoint.
 - Required: Yes
 - Type: string
 
-### Parameter: `location`
-
-Location of the pool volume.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
 ### Parameter: `monthlyBackupsToKeep`
 
 The monthly backups to keep.
@@ -357,6 +257,210 @@ Monthly snapshot used bytes.
 - Required: Yes
 - Type: int
 
+### Parameter: `name`
+
+The name of the pool volume.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `remoteVolumeRegion`
+
+The remote region for the other end of the Volume Replication.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `remoteVolumeResourceId`
+
+The resource ID of the remote volume.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `replicationSchedule`
+
+The replication schedule for the volume.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `snapshotName`
+
+The name of the snapshot.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `snapshotPolicyLocation`
+
+The location of snashot policies.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `snapshotPolicyName`
+
+The name of the snapshot policy.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `subnetResourceId`
+
+The Azure Resource URI for a delegated subnet. Must have the delegation Microsoft.NetApp/volumes.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `usageThreshold`
+
+Maximum storage quota allowed for a file system in bytes.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `useExistingSnapshot`
+
+Indicates whether to use an existing snapshot.
+
+- Required: Yes
+- Type: bool
+
+### Parameter: `volumeResourceId`
+
+The resource ID of the volume.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `volumeType`
+
+The type of the volume. DataProtection volumes are used for replication.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `weeklyBackupsToKeep`
+
+The weekly backups to keep.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `weeklyDay`
+
+The weekly snapshot day.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `weeklyHour`
+
+The weekly snapshot hour.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `weeklyMinute`
+
+The weekly snapshot minute.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `weeklySnapshotsToKeep`
+
+Weekly snapshot count to keep.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `weeklyUsedBytes`
+
+Weekly snapshot used bytes.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `capacityPoolName`
+
+The name of the parent capacity pool. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `netAppAccountName`
+
+The name of the parent NetApp account. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `backupEnabled`
+
+Indicates whether the backup policy is enabled.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `backupPolicyName`
+
+The name of the backup policy.
+
+- Required: No
+- Type: string
+- Default: `'backupPolicy'`
+
+### Parameter: `backupVaultLocation`
+
+The location of the backup vault.
+
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
+### Parameter: `backupVaultName`
+
+The name of the backup vault.
+
+- Required: No
+- Type: string
+- Default: `'vault'`
+
+### Parameter: `coolAccessRetrievalPolicy`
+
+determines the data retrieval behavior from the cool tier to standard storage based on the read pattern for cool access enabled volumes (Default/Never/Read).
+
+- Required: No
+- Type: string
+- Default: `'Default'`
+
+### Parameter: `creationToken`
+
+A unique file path for the volume. This is the name of the volume export. A volume is mounted using the export path. File path must start with an alphabetical character and be unique within the subscription.
+
+- Required: No
+- Type: string
+- Default: `[parameters('name')]`
+
+### Parameter: `exportPolicyRules`
+
+Export policy rules.
+
+- Required: No
+- Type: array
+- Default: `[]`
+
+### Parameter: `location`
+
+Location of the pool volume.
+
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
 ### Parameter: `networkFeatures`
 
 Network feature for the volume.
@@ -390,20 +494,6 @@ Set of protocol types.
 - Type: array
 - Default: `[]`
 
-### Parameter: `remoteVolumeRegion`
-
-The remote region for the other end of the Volume Replication.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `remoteVolumeResourceId`
-
-The resource ID of the remote volume.
-
-- Required: Yes
-- Type: string
-
 ### Parameter: `replicationEnabled`
 
 Boolean to enable replication.
@@ -412,13 +502,6 @@ Boolean to enable replication.
 - Type: bool
 - Default: `True`
 
-### Parameter: `replicationSchedule`
-
-The replication schedule for the volume.
-
-- Required: Yes
-- Type: string
-
 ### Parameter: `roleAssignments`
 
 Array of role assignments to create.
@@ -547,97 +630,6 @@ Indicates whether the snapshot policy is enabled.
 - Type: bool
 - Default: `True`
 
-### Parameter: `snapshotName`
-
-The name of the snapshot.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `snapshotPolicyId`
-
-The snapshot Policy id.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `snapshotPolicyLocation`
-
-The location of snashot policies.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `snapshotPolicyName`
-
-The name of the snapshot policy.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `useExistingSnapshot`
-
-Indicates whether to use an existing snapshot.
-
-- Required: Yes
-- Type: bool
-
-### Parameter: `volumeResourceId`
-
-The resource ID of the volume.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `volumeType`
-
-The type of the volume. DataProtection volumes are used for replication.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `weeklyBackupsToKeep`
-
-The weekly backups to keep.
-
-- Required: Yes
-- Type: int
-
-### Parameter: `weeklyDay`
-
-The weekly snapshot day.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `weeklyHour`
-
-The weekly snapshot hour.
-
-- Required: Yes
-- Type: int
-
-### Parameter: `weeklyMinute`
-
-The weekly snapshot minute.
-
-- Required: Yes
-- Type: int
-
-### Parameter: `weeklySnapshotsToKeep`
-
-Weekly snapshot count to keep.
-
-- Required: Yes
-- Type: int
-
-### Parameter: `weeklyUsedBytes`
-
-Weekly snapshot used bytes.
-
-- Required: Yes
-- Type: int
-
 ### Parameter: `zones`
 
 Zone where the volume will be placed.
diff --git a/avm/res/net-app/net-app-account/capacity-pool/volume/main.bicep b/avm/res/net-app/net-app-account/capacity-pool/volume/main.bicep
index ce5de13b21..e304428137 100644
--- a/avm/res/net-app/net-app-account/capacity-pool/volume/main.bicep
+++ b/avm/res/net-app/net-app-account/capacity-pool/volume/main.bicep
@@ -8,31 +8,31 @@ param netAppAccountName string
 @description('Conditional. The name of the parent capacity pool. Required if the template is used in a standalone deployment.')
 param capacityPoolName string
 
-@description('Optional. If enabled (true) the pool can contain cool Access enabled volumes.')
+@description('Required. If enabled (true) the pool can contain cool Access enabled volumes.')
 param coolAccess bool
 
-@description('Optional. Specifies the number of days after which data that is not accessed by clients will be tiered.')
+@description('Required. Specifies the number of days after which data that is not accessed by clients will be tiered.')
 param coolnessPeriod int
 
 @description('Optional. determines the data retrieval behavior from the cool tier to standard storage based on the read pattern for cool access enabled volumes (Default/Never/Read).')
 param coolAccessRetrievalPolicy string = 'Default'
 
-@description('Optional. The source of the encryption key.')
+@description('Required. The source of the encryption key.')
 param encryptionKeySource string
 
-@description('Optional. The resource ID of the key vault private endpoint.')
+@description('Required. The resource ID of the key vault private endpoint.')
 param keyVaultPrivateEndpointResourceId string
 
-@description('Optional. Indicates whether the local volume is the source or destination for the Volume Replication (src/dst).')
+@description('Required. Indicates whether the local volume is the source or destination for the Volume Replication (src/dst).')
 param endpointType string
 
-@description('Optional. The remote region for the other end of the Volume Replication.')
+@description('Required. The remote region for the other end of the Volume Replication.')
 param remoteVolumeRegion string
 
-@description('Optional. The resource ID of the remote volume.')
+@description('Required. The resource ID of the remote volume.')
 param remoteVolumeResourceId string
 
-@description('Optional. The replication schedule for the volume.')
+@description('Required. The replication schedule for the volume.')
 param replicationSchedule string
 
 @description('Optional. Indicates whether the backup policy is enabled.')
@@ -41,70 +41,70 @@ param backupEnabled bool = false
 @description('Optional. The name of the backup policy.')
 param backupPolicyName string = 'backupPolicy'
 
-@description('Optional. The daily snapshot hour.')
+@description('Required. The daily snapshot hour.')
 param dailyHour int
 
-@description('Optional. The daily snapshot minute.')
+@description('Required. The daily snapshot minute.')
 param dailyMinute int
 
-@description('Optional. Daily snapshot count to keep.')
+@description('Required. Daily snapshot count to keep.')
 param dailySnapshotsToKeep int
 
-@description('Optional. Daily snapshot used bytes.')
+@description('Required. Daily snapshot used bytes.')
 param dailyUsedBytes int
 
-@description('Optional. The hourly snapshot minute.')
+@description('Required. The hourly snapshot minute.')
 param hourlyMinute int
 
-@description('Optional. Hourly snapshot count to keep.')
+@description('Required. Hourly snapshot count to keep.')
 param hourlySnapshotsToKeep int
 
-@description('Optional. Hourly snapshot used bytes.')
+@description('Required. Hourly snapshot used bytes.')
 param hourlyUsedBytes int
 
-@description('Optional. The monthly snapshot day.')
+@description('Required. The monthly snapshot day.')
 param daysOfMonth string
 
-@description('Optional. The monthly snapshot hour.')
+@description('Required. The monthly snapshot hour.')
 param monthlyHour int
 
-@description('Optional. The monthly snapshot minute.')
+@description('Required. The monthly snapshot minute.')
 param monthlyMinute int
 
-@description('Optional. Monthly snapshot count to keep.')
+@description('Required. Monthly snapshot count to keep.')
 param monthlySnapshotsToKeep int
 
-@description('Optional. Monthly snapshot used bytes.')
+@description('Required. Monthly snapshot used bytes.')
 param monthlyUsedBytes int
 
-@description('Optional. The weekly snapshot day.')
+@description('Required. The weekly snapshot day.')
 param weeklyDay string
 
-@description('Optional. The weekly snapshot hour.')
+@description('Required. The weekly snapshot hour.')
 param weeklyHour int
 
-@description('Optional. The weekly snapshot minute.')
+@description('Required. The weekly snapshot minute.')
 param weeklyMinute int
 
-@description('Optional. Weekly snapshot count to keep.')
+@description('Required. Weekly snapshot count to keep.')
 param weeklySnapshotsToKeep int
 
-@description('Optional. Weekly snapshot used bytes.')
+@description('Required. Weekly snapshot used bytes.')
 param weeklyUsedBytes int
 
 @description('Optional. Indicates whether the snapshot policy is enabled.')
 param snapEnabled bool = true
 
-@description('Optional. The name of the snapshot policy.')
+@description('Required. The name of the snapshot policy.')
 param snapshotPolicyName string
 
-@description('Optional. The daily backups to keep.')
+@description('Required. The daily backups to keep.')
 param dailyBackupsToKeep int
 
-@description('Optional. The monthly backups to keep.')
+@description('Required. The monthly backups to keep.')
 param monthlyBackupsToKeep int
 
-@description('Optional. The weekly backups to keep.')
+@description('Required. The weekly backups to keep.')
 param weeklyBackupsToKeep int
 
 @description('Optional. The name of the backup vault.')
@@ -113,25 +113,22 @@ param backupVaultName string = 'vault'
 @description('Optional. The location of the backup vault.')
 param backupVaultLocation string = resourceGroup().location
 
-@description('Optional. The name of the backup.')
+@description('Required. The name of the backup.')
 param backupName string
 
-@description('Optional. The label of the backup.')
+@description('Required. The label of the backup.')
 param backupLabel string
 
-@description('Optional. Indicates whether to use an existing snapshot.')
+@description('Required. Indicates whether to use an existing snapshot.')
 param useExistingSnapshot bool
 
-@description('Optional. The name of the snapshot.')
+@description('Required. The name of the snapshot.')
 param snapshotName string
 
-@description('Optional. The snapshot Policy id.')
-param snapshotPolicyId string
-
-@description('Optional. The resource ID of the volume.')
+@description('Required. The resource ID of the volume.')
 param volumeResourceId string
 
-@description('Optional. The type of the volume. DataProtection volumes are used for replication.')
+@description('Required. The type of the volume. DataProtection volumes are used for replication.')
 param volumeType string
 
 @description('Required. The name of the pool volume.')
@@ -146,10 +143,10 @@ param zones array = ['1']
 @description('Optional. If Backup policy is enforced.')
 param policyEnforced bool = false
 
-@description('Optional. The backup policy location.')
+@description('Required. The backup policy location.')
 param backupPolicyLocation string
 
-@description('Optional. The location of snashot policies.')
+@description('Required. The location of snashot policies.')
 param snapshotPolicyLocation string
 
 @description('Optional. The pool service level. Must match the one of the parent capacity pool.')
@@ -188,7 +185,7 @@ param exportPolicyRules array = []
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
-@description('Optional. The Id of the Backup Vault.')
+@description('Required. The Id of the Backup Vault.')
 param backupVaultId string
 
 @description('Optional. Boolean to enable replication.')
diff --git a/avm/res/net-app/net-app-account/capacity-pool/volume/main.json b/avm/res/net-app/net-app-account/capacity-pool/volume/main.json
index dbbbaa682f..943207bfdd 100644
--- a/avm/res/net-app/net-app-account/capacity-pool/volume/main.json
+++ b/avm/res/net-app/net-app-account/capacity-pool/volume/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "3878108397799577614"
+      "version": "0.30.23.60470",
+      "templateHash": "7267638032222261061"
     },
     "name": "Azure NetApp Files Capacity Pool Volumes",
     "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.",
@@ -103,13 +103,13 @@
     "coolAccess": {
       "type": "bool",
       "metadata": {
-        "description": "Optional. If enabled (true) the pool can contain cool Access enabled volumes."
+        "description": "Required. If enabled (true) the pool can contain cool Access enabled volumes."
       }
     },
     "coolnessPeriod": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Specifies the number of days after which data that is not accessed by clients will be tiered."
+        "description": "Required. Specifies the number of days after which data that is not accessed by clients will be tiered."
       }
     },
     "coolAccessRetrievalPolicy": {
@@ -122,37 +122,37 @@
     "encryptionKeySource": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The source of the encryption key."
+        "description": "Required. The source of the encryption key."
       }
     },
     "keyVaultPrivateEndpointResourceId": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The resource ID of the key vault private endpoint."
+        "description": "Required. The resource ID of the key vault private endpoint."
       }
     },
     "endpointType": {
       "type": "string",
       "metadata": {
-        "description": "Optional. Indicates whether the local volume is the source or destination for the Volume Replication (src/dst)."
+        "description": "Required. Indicates whether the local volume is the source or destination for the Volume Replication (src/dst)."
       }
     },
     "remoteVolumeRegion": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The remote region for the other end of the Volume Replication."
+        "description": "Required. The remote region for the other end of the Volume Replication."
       }
     },
     "remoteVolumeResourceId": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The resource ID of the remote volume."
+        "description": "Required. The resource ID of the remote volume."
       }
     },
     "replicationSchedule": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The replication schedule for the volume."
+        "description": "Required. The replication schedule for the volume."
       }
     },
     "backupEnabled": {
@@ -172,103 +172,103 @@
     "dailyHour": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The daily snapshot hour."
+        "description": "Required. The daily snapshot hour."
       }
     },
     "dailyMinute": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The daily snapshot minute."
+        "description": "Required. The daily snapshot minute."
       }
     },
     "dailySnapshotsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Daily snapshot count to keep."
+        "description": "Required. Daily snapshot count to keep."
       }
     },
     "dailyUsedBytes": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Daily snapshot used bytes."
+        "description": "Required. Daily snapshot used bytes."
       }
     },
     "hourlyMinute": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The hourly snapshot minute."
+        "description": "Required. The hourly snapshot minute."
       }
     },
     "hourlySnapshotsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Hourly snapshot count to keep."
+        "description": "Required. Hourly snapshot count to keep."
       }
     },
     "hourlyUsedBytes": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Hourly snapshot used bytes."
+        "description": "Required. Hourly snapshot used bytes."
       }
     },
     "daysOfMonth": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The monthly snapshot day."
+        "description": "Required. The monthly snapshot day."
       }
     },
     "monthlyHour": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The monthly snapshot hour."
+        "description": "Required. The monthly snapshot hour."
       }
     },
     "monthlyMinute": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The monthly snapshot minute."
+        "description": "Required. The monthly snapshot minute."
       }
     },
     "monthlySnapshotsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Monthly snapshot count to keep."
+        "description": "Required. Monthly snapshot count to keep."
       }
     },
     "monthlyUsedBytes": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Monthly snapshot used bytes."
+        "description": "Required. Monthly snapshot used bytes."
       }
     },
     "weeklyDay": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The weekly snapshot day."
+        "description": "Required. The weekly snapshot day."
       }
     },
     "weeklyHour": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The weekly snapshot hour."
+        "description": "Required. The weekly snapshot hour."
       }
     },
     "weeklyMinute": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The weekly snapshot minute."
+        "description": "Required. The weekly snapshot minute."
       }
     },
     "weeklySnapshotsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Weekly snapshot count to keep."
+        "description": "Required. Weekly snapshot count to keep."
       }
     },
     "weeklyUsedBytes": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Weekly snapshot used bytes."
+        "description": "Required. Weekly snapshot used bytes."
       }
     },
     "snapEnabled": {
@@ -281,25 +281,25 @@
     "snapshotPolicyName": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The name of the snapshot policy."
+        "description": "Required. The name of the snapshot policy."
       }
     },
     "dailyBackupsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The daily backups to keep."
+        "description": "Required. The daily backups to keep."
       }
     },
     "monthlyBackupsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The monthly backups to keep."
+        "description": "Required. The monthly backups to keep."
       }
     },
     "weeklyBackupsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The weekly backups to keep."
+        "description": "Required. The weekly backups to keep."
       }
     },
     "backupVaultName": {
@@ -319,43 +319,37 @@
     "backupName": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The name of the backup."
+        "description": "Required. The name of the backup."
       }
     },
     "backupLabel": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The label of the backup."
+        "description": "Required. The label of the backup."
       }
     },
     "useExistingSnapshot": {
       "type": "bool",
       "metadata": {
-        "description": "Optional. Indicates whether to use an existing snapshot."
+        "description": "Required. Indicates whether to use an existing snapshot."
       }
     },
     "snapshotName": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The name of the snapshot."
-      }
-    },
-    "snapshotPolicyId": {
-      "type": "string",
-      "metadata": {
-        "description": "Optional. The snapshot Policy id."
+        "description": "Required. The name of the snapshot."
       }
     },
     "volumeResourceId": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The resource ID of the volume."
+        "description": "Required. The resource ID of the volume."
       }
     },
     "volumeType": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The type of the volume. DataProtection volumes are used for replication."
+        "description": "Required. The type of the volume. DataProtection volumes are used for replication."
       }
     },
     "name": {
@@ -390,13 +384,13 @@
     "backupPolicyLocation": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The backup policy location."
+        "description": "Required. The backup policy location."
       }
     },
     "snapshotPolicyLocation": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The location of snashot policies."
+        "description": "Required. The location of snashot policies."
       }
     },
     "serviceLevel": {
@@ -467,7 +461,7 @@
     "backupVaultId": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The Id of the Backup Vault."
+        "description": "Required. The Id of the Backup Vault."
       }
     },
     "replicationEnabled": {
@@ -604,8 +598,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "16399924782439066553"
+              "version": "0.30.23.60470",
+              "templateHash": "13036318518380500677"
             },
             "name": "Azure NetApp Files Backup Policy",
             "description": "This module deploys a Backup Policy for Azure NetApp File.",
@@ -622,31 +616,31 @@
               "type": "string",
               "defaultValue": "backupPolicy",
               "metadata": {
-                "description": "Required. The name of the backup policy."
+                "description": "Optional. The name of the backup policy."
               }
             },
             "backupPolicyLocation": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The location of the backup policy. Required if the template is used in a standalone deployment."
+                "description": "Required. The location of the backup policy. Required if the template is used in a standalone deployment."
               }
             },
             "dailyBackupsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The daily backups to keep."
+                "description": "Required. The daily backups to keep."
               }
             },
             "monthlyBackupsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The monthly backups to keep."
+                "description": "Required. The monthly backups to keep."
               }
             },
             "weeklyBackupsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The weekly backups to keep."
+                "description": "Required. The weekly backups to keep."
               }
             },
             "backupEnabled": {
@@ -775,8 +769,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "17076752505050697613"
+              "version": "0.30.23.60470",
+              "templateHash": "12832989826838310090"
             },
             "name": "Azure NetApp Files Snapshot Policy",
             "description": "This module deploys a Snapshot Policy for an Azure NetApp File.",
@@ -792,7 +786,7 @@
             "snapshotPolicyName": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The name of the snapshot policy."
+                "description": "Required. The name of the snapshot policy."
               }
             },
             "snapshotPolicyLocation": {
@@ -805,103 +799,103 @@
             "dailyHour": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The daily snapshot hour."
+                "description": "Required. The daily snapshot hour."
               }
             },
             "dailyMinute": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The daily snapshot minute."
+                "description": "Required. The daily snapshot minute."
               }
             },
             "dailySnapshotsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Daily snapshot count to keep."
+                "description": "Required. Daily snapshot count to keep."
               }
             },
             "dailyUsedBytes": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Daily snapshot used bytes."
+                "description": "Required. Daily snapshot used bytes."
               }
             },
             "hourlyMinute": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The hourly snapshot minute."
+                "description": "Required. The hourly snapshot minute."
               }
             },
             "hourlySnapshotsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Hourly snapshot count to keep."
+                "description": "Required. Hourly snapshot count to keep."
               }
             },
             "hourlyUsedBytes": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Hourly snapshot used bytes."
+                "description": "Required. Hourly snapshot used bytes."
               }
             },
             "daysOfMonth": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The monthly snapshot day."
+                "description": "Required. The monthly snapshot day."
               }
             },
             "monthlyHour": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The monthly snapshot hour."
+                "description": "Required. The monthly snapshot hour."
               }
             },
             "monthlyMinute": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The monthly snapshot minute."
+                "description": "Required. The monthly snapshot minute."
               }
             },
             "monthlySnapshotsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Monthly snapshot count to keep."
+                "description": "Required. Monthly snapshot count to keep."
               }
             },
             "monthlyUsedBytes": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Monthly snapshot used bytes."
+                "description": "Required. Monthly snapshot used bytes."
               }
             },
             "weeklyDay": {
               "type": "string",
               "metadata": {
-                "description": "Optional. The weekly snapshot day."
+                "description": "Required. The weekly snapshot day."
               }
             },
             "weeklyHour": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The weekly snapshot hour."
+                "description": "Required. The weekly snapshot hour."
               }
             },
             "weeklyMinute": {
               "type": "int",
               "metadata": {
-                "description": "Optional. The weekly snapshot minute."
+                "description": "Required. The weekly snapshot minute."
               }
             },
             "weeklySnapshotsToKeep": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Weekly snapshot count to keep."
+                "description": "Required. Weekly snapshot count to keep."
               }
             },
             "weeklyUsedBytes": {
               "type": "int",
               "metadata": {
-                "description": "Optional. Weekly snapshot used bytes."
+                "description": "Required. Weekly snapshot used bytes."
               }
             },
             "snapEnabled": {
diff --git a/avm/res/net-app/net-app-account/main.bicep b/avm/res/net-app/net-app-account/main.bicep
index d4f0a33392..b6d51f4962 100644
--- a/avm/res/net-app/net-app-account/main.bicep
+++ b/avm/res/net-app/net-app-account/main.bicep
@@ -124,8 +124,8 @@ var formattedRoleAssignments = [
       : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName))
   })
 ]
-#disable-next-line no-deployments-resources
 
+#disable-next-line no-deployments-resources
 resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
   name: '46d3xbcp.res.netapp-netappaccount.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
   properties: {
@@ -256,7 +256,7 @@ output volumeResourceId string = (capacityPools != []) ? netAppAccount_capacityP
 
 type managedIdentitiesType = {
   @description('Optional. The resource ID(s) to assign to the resource.')
-  userAssignedResourceIds: string[]
+  userAssignedResourceIds: string[]?
 }?
 
 type lockType = {
diff --git a/avm/res/net-app/net-app-account/main.json b/avm/res/net-app/net-app-account/main.json
index c260cb81ba..6a272ecb4d 100644
--- a/avm/res/net-app/net-app-account/main.json
+++ b/avm/res/net-app/net-app-account/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "6577593938028395411"
+      "version": "0.30.23.60470",
+      "templateHash": "7902576739801527066"
     },
     "name": "Azure NetApp Files",
     "description": "This module deploys an Azure NetApp File.",
@@ -21,6 +21,7 @@
           "items": {
             "type": "string"
           },
+          "nullable": true,
           "metadata": {
             "description": "Optional. The resource ID(s) to assign to the resource."
           }
@@ -503,8 +504,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "5120059204101466005"
+              "version": "0.30.23.60470",
+              "templateHash": "1966206032457552782"
             },
             "name": "Azure NetApp Files Capacity Pools",
             "description": "This module deploys an Azure NetApp Files Capacity Pool.",
@@ -625,13 +626,6 @@
                 "description": "Optional. The pool service level."
               }
             },
-            "networkFeatures": {
-              "type": "string",
-              "defaultValue": "Standard",
-              "metadata": {
-                "description": "Required. Network features available to the volume, or current state of update (Basic/Standard)."
-              }
-            },
             "size": {
               "type": "int",
               "metadata": {
@@ -825,9 +819,6 @@
                   "replicationSchedule": {
                     "value": "[coalesce(tryGet(parameters('volumes')[copyIndex()], 'replicationSchedule'), '')]"
                   },
-                  "snapshotPolicyId": {
-                    "value": "[coalesce(tryGet(parameters('volumes')[copyIndex()], 'snapshotPolicyId'), '')]"
-                  },
                   "snapshotPolicyName": {
                     "value": "[coalesce(tryGet(parameters('volumes')[copyIndex()], 'snapshotPolicyName'), 'snapshotPolicy')]"
                   },
@@ -944,8 +935,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.3.12046",
-                      "templateHash": "3878108397799577614"
+                      "version": "0.30.23.60470",
+                      "templateHash": "7267638032222261061"
                     },
                     "name": "Azure NetApp Files Capacity Pool Volumes",
                     "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.",
@@ -1042,13 +1033,13 @@
                     "coolAccess": {
                       "type": "bool",
                       "metadata": {
-                        "description": "Optional. If enabled (true) the pool can contain cool Access enabled volumes."
+                        "description": "Required. If enabled (true) the pool can contain cool Access enabled volumes."
                       }
                     },
                     "coolnessPeriod": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Specifies the number of days after which data that is not accessed by clients will be tiered."
+                        "description": "Required. Specifies the number of days after which data that is not accessed by clients will be tiered."
                       }
                     },
                     "coolAccessRetrievalPolicy": {
@@ -1061,37 +1052,37 @@
                     "encryptionKeySource": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The source of the encryption key."
+                        "description": "Required. The source of the encryption key."
                       }
                     },
                     "keyVaultPrivateEndpointResourceId": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The resource ID of the key vault private endpoint."
+                        "description": "Required. The resource ID of the key vault private endpoint."
                       }
                     },
                     "endpointType": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. Indicates whether the local volume is the source or destination for the Volume Replication (src/dst)."
+                        "description": "Required. Indicates whether the local volume is the source or destination for the Volume Replication (src/dst)."
                       }
                     },
                     "remoteVolumeRegion": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The remote region for the other end of the Volume Replication."
+                        "description": "Required. The remote region for the other end of the Volume Replication."
                       }
                     },
                     "remoteVolumeResourceId": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The resource ID of the remote volume."
+                        "description": "Required. The resource ID of the remote volume."
                       }
                     },
                     "replicationSchedule": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The replication schedule for the volume."
+                        "description": "Required. The replication schedule for the volume."
                       }
                     },
                     "backupEnabled": {
@@ -1111,103 +1102,103 @@
                     "dailyHour": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The daily snapshot hour."
+                        "description": "Required. The daily snapshot hour."
                       }
                     },
                     "dailyMinute": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The daily snapshot minute."
+                        "description": "Required. The daily snapshot minute."
                       }
                     },
                     "dailySnapshotsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Daily snapshot count to keep."
+                        "description": "Required. Daily snapshot count to keep."
                       }
                     },
                     "dailyUsedBytes": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Daily snapshot used bytes."
+                        "description": "Required. Daily snapshot used bytes."
                       }
                     },
                     "hourlyMinute": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The hourly snapshot minute."
+                        "description": "Required. The hourly snapshot minute."
                       }
                     },
                     "hourlySnapshotsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Hourly snapshot count to keep."
+                        "description": "Required. Hourly snapshot count to keep."
                       }
                     },
                     "hourlyUsedBytes": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Hourly snapshot used bytes."
+                        "description": "Required. Hourly snapshot used bytes."
                       }
                     },
                     "daysOfMonth": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The monthly snapshot day."
+                        "description": "Required. The monthly snapshot day."
                       }
                     },
                     "monthlyHour": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The monthly snapshot hour."
+                        "description": "Required. The monthly snapshot hour."
                       }
                     },
                     "monthlyMinute": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The monthly snapshot minute."
+                        "description": "Required. The monthly snapshot minute."
                       }
                     },
                     "monthlySnapshotsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Monthly snapshot count to keep."
+                        "description": "Required. Monthly snapshot count to keep."
                       }
                     },
                     "monthlyUsedBytes": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Monthly snapshot used bytes."
+                        "description": "Required. Monthly snapshot used bytes."
                       }
                     },
                     "weeklyDay": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The weekly snapshot day."
+                        "description": "Required. The weekly snapshot day."
                       }
                     },
                     "weeklyHour": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The weekly snapshot hour."
+                        "description": "Required. The weekly snapshot hour."
                       }
                     },
                     "weeklyMinute": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The weekly snapshot minute."
+                        "description": "Required. The weekly snapshot minute."
                       }
                     },
                     "weeklySnapshotsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Weekly snapshot count to keep."
+                        "description": "Required. Weekly snapshot count to keep."
                       }
                     },
                     "weeklyUsedBytes": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. Weekly snapshot used bytes."
+                        "description": "Required. Weekly snapshot used bytes."
                       }
                     },
                     "snapEnabled": {
@@ -1220,25 +1211,25 @@
                     "snapshotPolicyName": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The name of the snapshot policy."
+                        "description": "Required. The name of the snapshot policy."
                       }
                     },
                     "dailyBackupsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The daily backups to keep."
+                        "description": "Required. The daily backups to keep."
                       }
                     },
                     "monthlyBackupsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The monthly backups to keep."
+                        "description": "Required. The monthly backups to keep."
                       }
                     },
                     "weeklyBackupsToKeep": {
                       "type": "int",
                       "metadata": {
-                        "description": "Optional. The weekly backups to keep."
+                        "description": "Required. The weekly backups to keep."
                       }
                     },
                     "backupVaultName": {
@@ -1258,43 +1249,37 @@
                     "backupName": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The name of the backup."
+                        "description": "Required. The name of the backup."
                       }
                     },
                     "backupLabel": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The label of the backup."
+                        "description": "Required. The label of the backup."
                       }
                     },
                     "useExistingSnapshot": {
                       "type": "bool",
                       "metadata": {
-                        "description": "Optional. Indicates whether to use an existing snapshot."
+                        "description": "Required. Indicates whether to use an existing snapshot."
                       }
                     },
                     "snapshotName": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The name of the snapshot."
-                      }
-                    },
-                    "snapshotPolicyId": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Optional. The snapshot Policy id."
+                        "description": "Required. The name of the snapshot."
                       }
                     },
                     "volumeResourceId": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The resource ID of the volume."
+                        "description": "Required. The resource ID of the volume."
                       }
                     },
                     "volumeType": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The type of the volume. DataProtection volumes are used for replication."
+                        "description": "Required. The type of the volume. DataProtection volumes are used for replication."
                       }
                     },
                     "name": {
@@ -1329,13 +1314,13 @@
                     "backupPolicyLocation": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The backup policy location."
+                        "description": "Required. The backup policy location."
                       }
                     },
                     "snapshotPolicyLocation": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The location of snashot policies."
+                        "description": "Required. The location of snashot policies."
                       }
                     },
                     "serviceLevel": {
@@ -1406,7 +1391,7 @@
                     "backupVaultId": {
                       "type": "string",
                       "metadata": {
-                        "description": "Optional. The Id of the Backup Vault."
+                        "description": "Required. The Id of the Backup Vault."
                       }
                     },
                     "replicationEnabled": {
@@ -1543,8 +1528,8 @@
                           "metadata": {
                             "_generator": {
                               "name": "bicep",
-                              "version": "0.30.3.12046",
-                              "templateHash": "16399924782439066553"
+                              "version": "0.30.23.60470",
+                              "templateHash": "13036318518380500677"
                             },
                             "name": "Azure NetApp Files Backup Policy",
                             "description": "This module deploys a Backup Policy for Azure NetApp File.",
@@ -1561,31 +1546,31 @@
                               "type": "string",
                               "defaultValue": "backupPolicy",
                               "metadata": {
-                                "description": "Required. The name of the backup policy."
+                                "description": "Optional. The name of the backup policy."
                               }
                             },
                             "backupPolicyLocation": {
                               "type": "string",
                               "metadata": {
-                                "description": "Optional. The location of the backup policy. Required if the template is used in a standalone deployment."
+                                "description": "Required. The location of the backup policy. Required if the template is used in a standalone deployment."
                               }
                             },
                             "dailyBackupsToKeep": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The daily backups to keep."
+                                "description": "Required. The daily backups to keep."
                               }
                             },
                             "monthlyBackupsToKeep": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The monthly backups to keep."
+                                "description": "Required. The monthly backups to keep."
                               }
                             },
                             "weeklyBackupsToKeep": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The weekly backups to keep."
+                                "description": "Required. The weekly backups to keep."
                               }
                             },
                             "backupEnabled": {
@@ -1714,8 +1699,8 @@
                           "metadata": {
                             "_generator": {
                               "name": "bicep",
-                              "version": "0.30.3.12046",
-                              "templateHash": "17076752505050697613"
+                              "version": "0.30.23.60470",
+                              "templateHash": "12832989826838310090"
                             },
                             "name": "Azure NetApp Files Snapshot Policy",
                             "description": "This module deploys a Snapshot Policy for an Azure NetApp File.",
@@ -1731,7 +1716,7 @@
                             "snapshotPolicyName": {
                               "type": "string",
                               "metadata": {
-                                "description": "Optional. The name of the snapshot policy."
+                                "description": "Required. The name of the snapshot policy."
                               }
                             },
                             "snapshotPolicyLocation": {
@@ -1744,103 +1729,103 @@
                             "dailyHour": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The daily snapshot hour."
+                                "description": "Required. The daily snapshot hour."
                               }
                             },
                             "dailyMinute": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The daily snapshot minute."
+                                "description": "Required. The daily snapshot minute."
                               }
                             },
                             "dailySnapshotsToKeep": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. Daily snapshot count to keep."
+                                "description": "Required. Daily snapshot count to keep."
                               }
                             },
                             "dailyUsedBytes": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. Daily snapshot used bytes."
+                                "description": "Required. Daily snapshot used bytes."
                               }
                             },
                             "hourlyMinute": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The hourly snapshot minute."
+                                "description": "Required. The hourly snapshot minute."
                               }
                             },
                             "hourlySnapshotsToKeep": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. Hourly snapshot count to keep."
+                                "description": "Required. Hourly snapshot count to keep."
                               }
                             },
                             "hourlyUsedBytes": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. Hourly snapshot used bytes."
+                                "description": "Required. Hourly snapshot used bytes."
                               }
                             },
                             "daysOfMonth": {
                               "type": "string",
                               "metadata": {
-                                "description": "Optional. The monthly snapshot day."
+                                "description": "Required. The monthly snapshot day."
                               }
                             },
                             "monthlyHour": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The monthly snapshot hour."
+                                "description": "Required. The monthly snapshot hour."
                               }
                             },
                             "monthlyMinute": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The monthly snapshot minute."
+                                "description": "Required. The monthly snapshot minute."
                               }
                             },
                             "monthlySnapshotsToKeep": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. Monthly snapshot count to keep."
+                                "description": "Required. Monthly snapshot count to keep."
                               }
                             },
                             "monthlyUsedBytes": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. Monthly snapshot used bytes."
+                                "description": "Required. Monthly snapshot used bytes."
                               }
                             },
                             "weeklyDay": {
                               "type": "string",
                               "metadata": {
-                                "description": "Optional. The weekly snapshot day."
+                                "description": "Required. The weekly snapshot day."
                               }
                             },
                             "weeklyHour": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The weekly snapshot hour."
+                                "description": "Required. The weekly snapshot hour."
                               }
                             },
                             "weeklyMinute": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. The weekly snapshot minute."
+                                "description": "Required. The weekly snapshot minute."
                               }
                             },
                             "weeklySnapshotsToKeep": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. Weekly snapshot count to keep."
+                                "description": "Required. Weekly snapshot count to keep."
                               }
                             },
                             "weeklyUsedBytes": {
                               "type": "int",
                               "metadata": {
-                                "description": "Optional. Weekly snapshot used bytes."
+                                "description": "Required. Weekly snapshot used bytes."
                               }
                             },
                             "snapEnabled": {
diff --git a/avm/res/net-app/net-app-account/snapshot-policies/README.md b/avm/res/net-app/net-app-account/snapshot-policies/README.md
index 3fc4b313e2..d059bf9769 100644
--- a/avm/res/net-app/net-app-account/snapshot-policies/README.md
+++ b/avm/res/net-app/net-app-account/snapshot-policies/README.md
@@ -16,13 +16,7 @@ This module deploys a Snapshot Policy for an Azure NetApp File.
 
 ## Parameters
 
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`netAppAccountName`](#parameter-netappaccountname) | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
+**Required parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
@@ -38,8 +32,6 @@ This module deploys a Snapshot Policy for an Azure NetApp File.
 | [`monthlyMinute`](#parameter-monthlyminute) | int | The monthly snapshot minute. |
 | [`monthlySnapshotsToKeep`](#parameter-monthlysnapshotstokeep) | int | Monthly snapshot count to keep. |
 | [`monthlyUsedBytes`](#parameter-monthlyusedbytes) | int | Monthly snapshot used bytes. |
-| [`snapEnabled`](#parameter-snapenabled) | bool | Indicates whether the snapshot policy is enabled. |
-| [`snapshotPolicyLocation`](#parameter-snapshotpolicylocation) | string | The location of the snapshot policy. |
 | [`snapshotPolicyName`](#parameter-snapshotpolicyname) | string | The name of the snapshot policy. |
 | [`weeklyDay`](#parameter-weeklyday) | string | The weekly snapshot day. |
 | [`weeklyHour`](#parameter-weeklyhour) | int | The weekly snapshot hour. |
@@ -47,12 +39,18 @@ This module deploys a Snapshot Policy for an Azure NetApp File.
 | [`weeklySnapshotsToKeep`](#parameter-weeklysnapshotstokeep) | int | Weekly snapshot count to keep. |
 | [`weeklyUsedBytes`](#parameter-weeklyusedbytes) | int | Weekly snapshot used bytes. |
 
-### Parameter: `netAppAccountName`
+**Conditional parameters**
 
-The name of the parent NetApp account. Required if the template is used in a standalone deployment.
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`netAppAccountName`](#parameter-netappaccountname) | string | The name of the parent NetApp account. Required if the template is used in a standalone deployment. |
 
-- Required: Yes
-- Type: string
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`snapEnabled`](#parameter-snapenabled) | bool | Indicates whether the snapshot policy is enabled. |
+| [`snapshotPolicyLocation`](#parameter-snapshotpolicylocation) | string | The location of the snapshot policy. |
 
 ### Parameter: `dailyHour`
 
@@ -138,22 +136,6 @@ Monthly snapshot used bytes.
 - Required: Yes
 - Type: int
 
-### Parameter: `snapEnabled`
-
-Indicates whether the snapshot policy is enabled.
-
-- Required: No
-- Type: bool
-- Default: `True`
-
-### Parameter: `snapshotPolicyLocation`
-
-The location of the snapshot policy.
-
-- Required: No
-- Type: string
-- Default: `[resourceGroup().location]`
-
 ### Parameter: `snapshotPolicyName`
 
 The name of the snapshot policy.
@@ -196,6 +178,29 @@ Weekly snapshot used bytes.
 - Required: Yes
 - Type: int
 
+### Parameter: `netAppAccountName`
+
+The name of the parent NetApp account. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `snapEnabled`
+
+Indicates whether the snapshot policy is enabled.
+
+- Required: No
+- Type: bool
+- Default: `True`
+
+### Parameter: `snapshotPolicyLocation`
+
+The location of the snapshot policy.
+
+- Required: No
+- Type: string
+- Default: `[resourceGroup().location]`
+
 ## Outputs
 
 | Output | Type | Description |
diff --git a/avm/res/net-app/net-app-account/snapshot-policies/main.bicep b/avm/res/net-app/net-app-account/snapshot-policies/main.bicep
index 66eaca3163..5fc4783aa9 100644
--- a/avm/res/net-app/net-app-account/snapshot-policies/main.bicep
+++ b/avm/res/net-app/net-app-account/snapshot-policies/main.bicep
@@ -5,61 +5,61 @@ metadata owner = 'Azure/module-maintainers'
 @description('Conditional. The name of the parent NetApp account. Required if the template is used in a standalone deployment.')
 param netAppAccountName string
 
-@description('Optional. The name of the snapshot policy.')
+@description('Required. The name of the snapshot policy.')
 param snapshotPolicyName string
 
 @description('Optional. The location of the snapshot policy.')
 param snapshotPolicyLocation string = resourceGroup().location
 
-@description('Optional. The daily snapshot hour.')
+@description('Required. The daily snapshot hour.')
 param dailyHour int
 
-@description('Optional. The daily snapshot minute.')
+@description('Required. The daily snapshot minute.')
 param dailyMinute int
 
-@description('Optional. Daily snapshot count to keep.')
+@description('Required. Daily snapshot count to keep.')
 param dailySnapshotsToKeep int
 
-@description('Optional. Daily snapshot used bytes.')
+@description('Required. Daily snapshot used bytes.')
 param dailyUsedBytes int
 
-@description('Optional. The hourly snapshot minute.')
+@description('Required. The hourly snapshot minute.')
 param hourlyMinute int
 
-@description('Optional. Hourly snapshot count to keep.')
+@description('Required. Hourly snapshot count to keep.')
 param hourlySnapshotsToKeep int
 
-@description('Optional. Hourly snapshot used bytes.')
+@description('Required. Hourly snapshot used bytes.')
 param hourlyUsedBytes int
 
-@description('Optional. The monthly snapshot day.')
+@description('Required. The monthly snapshot day.')
 param daysOfMonth string
 
-@description('Optional. The monthly snapshot hour.')
+@description('Required. The monthly snapshot hour.')
 param monthlyHour int
 
-@description('Optional. The monthly snapshot minute.')
+@description('Required. The monthly snapshot minute.')
 param monthlyMinute int
 
-@description('Optional. Monthly snapshot count to keep.')
+@description('Required. Monthly snapshot count to keep.')
 param monthlySnapshotsToKeep int
 
-@description('Optional. Monthly snapshot used bytes.')
+@description('Required. Monthly snapshot used bytes.')
 param monthlyUsedBytes int
 
-@description('Optional. The weekly snapshot day.')
+@description('Required. The weekly snapshot day.')
 param weeklyDay string
 
-@description('Optional. The weekly snapshot hour.')
+@description('Required. The weekly snapshot hour.')
 param weeklyHour int
 
-@description('Optional. The weekly snapshot minute.')
+@description('Required. The weekly snapshot minute.')
 param weeklyMinute int
 
-@description('Optional. Weekly snapshot count to keep.')
+@description('Required. Weekly snapshot count to keep.')
 param weeklySnapshotsToKeep int
 
-@description('Optional. Weekly snapshot used bytes.')
+@description('Required. Weekly snapshot used bytes.')
 param weeklyUsedBytes int
 
 @description('Optional. Indicates whether the snapshot policy is enabled.')
diff --git a/avm/res/net-app/net-app-account/snapshot-policies/main.json b/avm/res/net-app/net-app-account/snapshot-policies/main.json
index d92af406dd..b41e85b2cb 100644
--- a/avm/res/net-app/net-app-account/snapshot-policies/main.json
+++ b/avm/res/net-app/net-app-account/snapshot-policies/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "17076752505050697613"
+      "version": "0.30.23.60470",
+      "templateHash": "12832989826838310090"
     },
     "name": "Azure NetApp Files Snapshot Policy",
     "description": "This module deploys a Snapshot Policy for an Azure NetApp File.",
@@ -21,7 +21,7 @@
     "snapshotPolicyName": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The name of the snapshot policy."
+        "description": "Required. The name of the snapshot policy."
       }
     },
     "snapshotPolicyLocation": {
@@ -34,103 +34,103 @@
     "dailyHour": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The daily snapshot hour."
+        "description": "Required. The daily snapshot hour."
       }
     },
     "dailyMinute": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The daily snapshot minute."
+        "description": "Required. The daily snapshot minute."
       }
     },
     "dailySnapshotsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Daily snapshot count to keep."
+        "description": "Required. Daily snapshot count to keep."
       }
     },
     "dailyUsedBytes": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Daily snapshot used bytes."
+        "description": "Required. Daily snapshot used bytes."
       }
     },
     "hourlyMinute": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The hourly snapshot minute."
+        "description": "Required. The hourly snapshot minute."
       }
     },
     "hourlySnapshotsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Hourly snapshot count to keep."
+        "description": "Required. Hourly snapshot count to keep."
       }
     },
     "hourlyUsedBytes": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Hourly snapshot used bytes."
+        "description": "Required. Hourly snapshot used bytes."
       }
     },
     "daysOfMonth": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The monthly snapshot day."
+        "description": "Required. The monthly snapshot day."
       }
     },
     "monthlyHour": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The monthly snapshot hour."
+        "description": "Required. The monthly snapshot hour."
       }
     },
     "monthlyMinute": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The monthly snapshot minute."
+        "description": "Required. The monthly snapshot minute."
       }
     },
     "monthlySnapshotsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Monthly snapshot count to keep."
+        "description": "Required. Monthly snapshot count to keep."
       }
     },
     "monthlyUsedBytes": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Monthly snapshot used bytes."
+        "description": "Required. Monthly snapshot used bytes."
       }
     },
     "weeklyDay": {
       "type": "string",
       "metadata": {
-        "description": "Optional. The weekly snapshot day."
+        "description": "Required. The weekly snapshot day."
       }
     },
     "weeklyHour": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The weekly snapshot hour."
+        "description": "Required. The weekly snapshot hour."
       }
     },
     "weeklyMinute": {
       "type": "int",
       "metadata": {
-        "description": "Optional. The weekly snapshot minute."
+        "description": "Required. The weekly snapshot minute."
       }
     },
     "weeklySnapshotsToKeep": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Weekly snapshot count to keep."
+        "description": "Required. Weekly snapshot count to keep."
       }
     },
     "weeklyUsedBytes": {
       "type": "int",
       "metadata": {
-        "description": "Optional. Weekly snapshot used bytes."
+        "description": "Required. Weekly snapshot used bytes."
       }
     },
     "snapEnabled": {
diff --git a/avm/res/network/application-gateway/README.md b/avm/res/network/application-gateway/README.md
index fb363e99f3..89c85ce918 100644
--- a/avm/res/network/application-gateway/README.md
+++ b/avm/res/network/application-gateway/README.md
@@ -3502,7 +3502,7 @@ The managed identity definition for this resource.
 
 The resource ID(s) to assign to the resource.
 
-- Required: Yes
+- Required: No
 - Type: array
 
 ### Parameter: `privateEndpoints`
@@ -3571,15 +3571,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -3588,6 +3586,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/network/application-gateway/main.bicep b/avm/res/network/application-gateway/main.bicep
index ee99759960..ae1a98e018 100644
--- a/avm/res/network/application-gateway/main.bicep
+++ b/avm/res/network/application-gateway/main.bicep
@@ -483,7 +483,7 @@ output privateEndpoints array = [
 
 type managedIdentitiesType = {
   @description('Optional. The resource ID(s) to assign to the resource.')
-  userAssignedResourceIds: string[]
+  userAssignedResourceIds: string[]?
 }?
 
 type lockType = {
@@ -560,7 +560,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/network/application-gateway/main.json b/avm/res/network/application-gateway/main.json
index 9d6559c609..e6246e62f3 100644
--- a/avm/res/network/application-gateway/main.json
+++ b/avm/res/network/application-gateway/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "17187265964548508241"
+      "version": "0.30.23.60470",
+      "templateHash": "8237956651125434199"
     },
     "name": "Network Application Gateways",
     "description": "This module deploys a Network Application Gateway.",
@@ -21,6 +21,7 @@
           "items": {
             "type": "string"
           },
+          "nullable": true,
           "metadata": {
             "description": "Optional. The resource ID(s) to assign to the resource."
           }
@@ -228,7 +229,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/network/private-endpoint/README.md b/avm/res/network/private-endpoint/README.md
index 3db54f7e96..50bf332c43 100644
--- a/avm/res/network/private-endpoint/README.md
+++ b/avm/res/network/private-endpoint/README.md
@@ -830,15 +830,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-customdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-customdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: Yes
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-customdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `customDnsConfigs.ipAddresses`
 
@@ -847,6 +845,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
@@ -1022,7 +1027,7 @@ The resource id of private link service.
 
 A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars.
 
-- Required: Yes
+- Required: No
 - Type: string
 
 ### Parameter: `privateDnsZoneGroup`
diff --git a/avm/res/network/private-endpoint/main.bicep b/avm/res/network/private-endpoint/main.bicep
index 8cc557c687..b87d740733 100644
--- a/avm/res/network/private-endpoint/main.bicep
+++ b/avm/res/network/private-endpoint/main.bicep
@@ -268,7 +268,7 @@ type manualPrivateLinkServiceConnectionsType = {
     privateLinkServiceId: string
 
     @description('Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars.')
-    requestMessage: string
+    requestMessage: string?
   }
 }[]?
 
@@ -290,8 +290,8 @@ type privateLinkServiceConnectionsType = {
 }[]?
 
 type customDnsConfigType = {
-  @description('Required. Fqdn that resolves to private endpoint IP address.')
-  fqdn: string
+  @description('Optional. FQDN that resolves to private endpoint IP address.')
+  fqdn: string?
 
   @description('Required. A list of private IP addresses of the private endpoint.')
   ipAddresses: string[]
diff --git a/avm/res/network/private-endpoint/main.json b/avm/res/network/private-endpoint/main.json
index 3ccb1b2a1a..3eb5403130 100644
--- a/avm/res/network/private-endpoint/main.json
+++ b/avm/res/network/private-endpoint/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "2004143709646884954"
+      "version": "0.30.23.60470",
+      "templateHash": "9475287345712156585"
     },
     "name": "Private Endpoints",
     "description": "This module deploys a Private Endpoint.",
@@ -204,6 +204,7 @@
               },
               "requestMessage": {
                 "type": "string",
+                "nullable": true,
                 "metadata": {
                   "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars."
                 }
@@ -269,8 +270,9 @@
         "properties": {
           "fqdn": {
             "type": "string",
+            "nullable": true,
             "metadata": {
-              "description": "Required. Fqdn that resolves to private endpoint IP address."
+              "description": "Optional. FQDN that resolves to private endpoint IP address."
             }
           },
           "ipAddresses": {
@@ -534,8 +536,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "5805178546717255803"
+              "version": "0.30.23.60470",
+              "templateHash": "12329174801198479603"
             },
             "name": "Private Endpoint Private DNS Zone Groups",
             "description": "This module deploys a Private Endpoint Private DNS Zone Group.",
diff --git a/avm/res/operational-insights/workspace/data-export/main.json b/avm/res/operational-insights/workspace/data-export/main.json
index 93d4ebbfff..baaf6389a0 100644
--- a/avm/res/operational-insights/workspace/data-export/main.json
+++ b/avm/res/operational-insights/workspace/data-export/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "5765609820817623497"
+      "version": "0.30.23.60470",
+      "templateHash": "8816832199581598050"
     },
     "name": "Log Analytics Workspace Data Exports",
     "description": "This module deploys a Log Analytics Workspace Data Export.",
diff --git a/avm/res/operational-insights/workspace/data-source/README.md b/avm/res/operational-insights/workspace/data-source/README.md
index 9bd1009d80..cc2fa72ccb 100644
--- a/avm/res/operational-insights/workspace/data-source/README.md
+++ b/avm/res/operational-insights/workspace/data-source/README.md
@@ -20,7 +20,6 @@ This module deploys a Log Analytics Workspace Data Source.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`kind`](#parameter-kind) | string | The kind of the DataSource. |
 | [`name`](#parameter-name) | string | Name of the solution. |
 
 **Conditional parameters**
@@ -38,6 +37,7 @@ This module deploys a Log Analytics Workspace Data Source.
 | [`eventTypes`](#parameter-eventtypes) | array | Windows event types to configure when kind is WindowsEvent. |
 | [`instanceName`](#parameter-instancename) | string | Name of the instance to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. |
 | [`intervalSeconds`](#parameter-intervalseconds) | int | Interval in seconds to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. |
+| [`kind`](#parameter-kind) | string | The kind of the DataSource. |
 | [`linkedResourceId`](#parameter-linkedresourceid) | string | Resource ID of the resource to be linked. |
 | [`objectName`](#parameter-objectname) | string | Name of the object to configure when kind is WindowsPerformanceCounter or LinuxPerformanceObject. |
 | [`performanceCounters`](#parameter-performancecounters) | array | List of counters to configure when the kind is LinuxPerformanceObject. |
@@ -46,27 +46,6 @@ This module deploys a Log Analytics Workspace Data Source.
 | [`syslogSeverities`](#parameter-syslogseverities) | array | Severities to configure when kind is LinuxSyslog. |
 | [`tags`](#parameter-tags) | object | Tags to configure in the resource. |
 
-### Parameter: `kind`
-
-The kind of the DataSource.
-
-- Required: No
-- Type: string
-- Default: `'AzureActivityLog'`
-- Allowed:
-  ```Bicep
-  [
-    'AzureActivityLog'
-    'IISLogs'
-    'LinuxPerformanceCollection'
-    'LinuxPerformanceObject'
-    'LinuxSyslog'
-    'LinuxSyslogCollection'
-    'WindowsEvent'
-    'WindowsPerformanceCounter'
-  ]
-  ```
-
 ### Parameter: `name`
 
 Name of the solution.
@@ -121,6 +100,27 @@ Interval in seconds to configure when kind is WindowsPerformanceCounter or Linux
 - Type: int
 - Default: `60`
 
+### Parameter: `kind`
+
+The kind of the DataSource.
+
+- Required: No
+- Type: string
+- Default: `'AzureActivityLog'`
+- Allowed:
+  ```Bicep
+  [
+    'AzureActivityLog'
+    'IISLogs'
+    'LinuxPerformanceCollection'
+    'LinuxPerformanceObject'
+    'LinuxSyslog'
+    'LinuxSyslogCollection'
+    'WindowsEvent'
+    'WindowsPerformanceCounter'
+  ]
+  ```
+
 ### Parameter: `linkedResourceId`
 
 Resource ID of the resource to be linked.
diff --git a/avm/res/operational-insights/workspace/data-source/main.bicep b/avm/res/operational-insights/workspace/data-source/main.bicep
index 905ff55e0e..e0e468df37 100644
--- a/avm/res/operational-insights/workspace/data-source/main.bicep
+++ b/avm/res/operational-insights/workspace/data-source/main.bicep
@@ -8,7 +8,7 @@ param logAnalyticsWorkspaceName string
 @description('Required. Name of the solution.')
 param name string
 
-@description('Required. The kind of the DataSource.')
+@description('Optional. The kind of the DataSource.')
 @allowed([
   'AzureActivityLog'
   'WindowsEvent'
diff --git a/avm/res/operational-insights/workspace/data-source/main.json b/avm/res/operational-insights/workspace/data-source/main.json
index 947d1fb8c0..e559599820 100644
--- a/avm/res/operational-insights/workspace/data-source/main.json
+++ b/avm/res/operational-insights/workspace/data-source/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "13460038983765020046"
+      "version": "0.30.23.60470",
+      "templateHash": "10275938611959517944"
     },
     "name": "Log Analytics Workspace Datasources",
     "description": "This module deploys a Log Analytics Workspace Data Source.",
@@ -39,7 +39,7 @@
         "LinuxPerformanceCollection"
       ],
       "metadata": {
-        "description": "Required. The kind of the DataSource."
+        "description": "Optional. The kind of the DataSource."
       }
     },
     "tags": {
diff --git a/avm/res/operational-insights/workspace/linked-service/README.md b/avm/res/operational-insights/workspace/linked-service/README.md
index 4ee91e39ec..aa79236364 100644
--- a/avm/res/operational-insights/workspace/linked-service/README.md
+++ b/avm/res/operational-insights/workspace/linked-service/README.md
@@ -21,7 +21,6 @@ This module deploys a Log Analytics Workspace Linked Service.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`name`](#parameter-name) | string | Name of the link. |
-| [`resourceId`](#parameter-resourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. |
 
 **Conditional parameters**
 
@@ -33,6 +32,7 @@ This module deploys a Log Analytics Workspace Linked Service.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`resourceId`](#parameter-resourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access. |
 | [`tags`](#parameter-tags) | object | Tags to configure in the resource. |
 | [`writeAccessResourceId`](#parameter-writeaccessresourceid) | string | The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access. |
 
@@ -43,20 +43,20 @@ Name of the link.
 - Required: Yes
 - Type: string
 
-### Parameter: `resourceId`
+### Parameter: `logAnalyticsWorkspaceName`
 
-The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access.
+The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment.
 
-- Required: No
+- Required: Yes
 - Type: string
-- Default: `''`
 
-### Parameter: `logAnalyticsWorkspaceName`
+### Parameter: `resourceId`
 
-The name of the parent Log Analytics workspace. Required if the template is used in a standalone deployment.
+The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access.
 
-- Required: Yes
+- Required: No
 - Type: string
+- Default: `''`
 
 ### Parameter: `tags`
 
diff --git a/avm/res/operational-insights/workspace/linked-service/main.bicep b/avm/res/operational-insights/workspace/linked-service/main.bicep
index ffe1bc4c99..1278279992 100644
--- a/avm/res/operational-insights/workspace/linked-service/main.bicep
+++ b/avm/res/operational-insights/workspace/linked-service/main.bicep
@@ -8,7 +8,7 @@ param logAnalyticsWorkspaceName string
 @description('Required. Name of the link.')
 param name string
 
-@description('Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access.')
+@description('Optional. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access.')
 param resourceId string = ''
 
 @description('Optional. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access.')
diff --git a/avm/res/operational-insights/workspace/linked-service/main.json b/avm/res/operational-insights/workspace/linked-service/main.json
index 7235c7ef1b..6bf582c2f8 100644
--- a/avm/res/operational-insights/workspace/linked-service/main.json
+++ b/avm/res/operational-insights/workspace/linked-service/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "12032441371027552374"
+      "version": "0.30.23.60470",
+      "templateHash": "1524032160953098939"
     },
     "name": "Log Analytics Workspace Linked Services",
     "description": "This module deploys a Log Analytics Workspace Linked Service.",
@@ -29,7 +29,7 @@
       "type": "string",
       "defaultValue": "",
       "metadata": {
-        "description": "Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access."
+        "description": "Optional. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access."
       }
     },
     "writeAccessResourceId": {
diff --git a/avm/res/operational-insights/workspace/linked-storage-account/main.json b/avm/res/operational-insights/workspace/linked-storage-account/main.json
index 7c3b81ed2d..b3493c8095 100644
--- a/avm/res/operational-insights/workspace/linked-storage-account/main.json
+++ b/avm/res/operational-insights/workspace/linked-storage-account/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "12623216644328477682"
+      "version": "0.30.23.60470",
+      "templateHash": "16040380910189891293"
     },
     "name": "Log Analytics Workspace Linked Storage Accounts",
     "description": "This module deploys a Log Analytics Workspace Linked Storage Account.",
diff --git a/avm/res/operational-insights/workspace/main.json b/avm/res/operational-insights/workspace/main.json
index 61d489e40d..f9386570de 100644
--- a/avm/res/operational-insights/workspace/main.json
+++ b/avm/res/operational-insights/workspace/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "15059379956726052447"
+      "version": "0.30.23.60470",
+      "templateHash": "2112385645205183034"
     },
     "name": "Log Analytics Workspaces",
     "description": "This module deploys a Log Analytics Workspace.",
@@ -631,8 +631,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "1745671120474305926"
+              "version": "0.30.23.60470",
+              "templateHash": "8028201980853199520"
             },
             "name": "Log Analytics Workspace Storage Insight Configs",
             "description": "This module deploys a Log Analytics Workspace Storage Insight Config.",
@@ -775,8 +775,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "12032441371027552374"
+              "version": "0.30.23.60470",
+              "templateHash": "1524032160953098939"
             },
             "name": "Log Analytics Workspace Linked Services",
             "description": "This module deploys a Log Analytics Workspace Linked Service.",
@@ -799,7 +799,7 @@
               "type": "string",
               "defaultValue": "",
               "metadata": {
-                "description": "Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access."
+                "description": "Optional. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access."
               }
             },
             "writeAccessResourceId": {
@@ -897,8 +897,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "12623216644328477682"
+              "version": "0.30.23.60470",
+              "templateHash": "16040380910189891293"
             },
             "name": "Log Analytics Workspace Linked Storage Accounts",
             "description": "This module deploys a Log Analytics Workspace Linked Storage Account.",
@@ -1020,8 +1020,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "7683333179440464721"
+              "version": "0.30.23.60470",
+              "templateHash": "7572266675487147820"
             },
             "name": "Log Analytics Workspace Saved Searches",
             "description": "This module deploys a Log Analytics Workspace Saved Search.",
@@ -1186,8 +1186,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "5765609820817623497"
+              "version": "0.30.23.60470",
+              "templateHash": "8816832199581598050"
             },
             "name": "Log Analytics Workspace Data Exports",
             "description": "This module deploys a Log Analytics Workspace Data Export.",
@@ -1335,8 +1335,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "13460038983765020046"
+              "version": "0.30.23.60470",
+              "templateHash": "10275938611959517944"
             },
             "name": "Log Analytics Workspace Datasources",
             "description": "This module deploys a Log Analytics Workspace Data Source.",
@@ -1369,7 +1369,7 @@
                 "LinuxPerformanceCollection"
               ],
               "metadata": {
-                "description": "Required. The kind of the DataSource."
+                "description": "Optional. The kind of the DataSource."
               }
             },
             "tags": {
@@ -1566,8 +1566,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10380077652898392916"
+              "version": "0.30.23.60470",
+              "templateHash": "2417830359794202602"
             },
             "name": "Log Analytics Workspace Tables",
             "description": "This module deploys a Log Analytics Workspace Table.",
diff --git a/avm/res/operational-insights/workspace/saved-search/main.json b/avm/res/operational-insights/workspace/saved-search/main.json
index 88711e3f27..40406ef502 100644
--- a/avm/res/operational-insights/workspace/saved-search/main.json
+++ b/avm/res/operational-insights/workspace/saved-search/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "7683333179440464721"
+      "version": "0.30.23.60470",
+      "templateHash": "7572266675487147820"
     },
     "name": "Log Analytics Workspace Saved Searches",
     "description": "This module deploys a Log Analytics Workspace Saved Search.",
diff --git a/avm/res/operational-insights/workspace/storage-insight-config/main.json b/avm/res/operational-insights/workspace/storage-insight-config/main.json
index 2c3b360f01..39a0d3e3f5 100644
--- a/avm/res/operational-insights/workspace/storage-insight-config/main.json
+++ b/avm/res/operational-insights/workspace/storage-insight-config/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "1745671120474305926"
+      "version": "0.30.23.60470",
+      "templateHash": "8028201980853199520"
     },
     "name": "Log Analytics Workspace Storage Insight Configs",
     "description": "This module deploys a Log Analytics Workspace Storage Insight Config.",
diff --git a/avm/res/operational-insights/workspace/table/main.json b/avm/res/operational-insights/workspace/table/main.json
index 6a1e1e11a6..9c038008cd 100644
--- a/avm/res/operational-insights/workspace/table/main.json
+++ b/avm/res/operational-insights/workspace/table/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "10380077652898392916"
+      "version": "0.30.23.60470",
+      "templateHash": "2417830359794202602"
     },
     "name": "Log Analytics Workspace Tables",
     "description": "This module deploys a Log Analytics Workspace Table.",
diff --git a/avm/res/purview/account/README.md b/avm/res/purview/account/README.md
index 7585844571..cb24aad194 100644
--- a/avm/res/purview/account/README.md
+++ b/avm/res/purview/account/README.md
@@ -1078,15 +1078,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-accountprivateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-accountprivateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `accountPrivateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-accountprivateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `accountPrivateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1095,6 +1093,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `accountPrivateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `accountPrivateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
@@ -1309,6 +1314,17 @@ Array of role assignments to create.
 
 - Required: No
 - Type: array
+- Roles configurable by name:
+  - `'Contributor'`
+  - `'DNS Resolver Contributor'`
+  - `'DNS Zone Contributor'`
+  - `'Domain Services Contributor'`
+  - `'Domain Services Reader'`
+  - `'Network Contributor'`
+  - `'Owner'`
+  - `'Private DNS Zone Contributor'`
+  - `'Reader'`
+  - `'Role Based Access Control Administrator (Preview)'`
 
 **Required parameters**
 
@@ -1627,15 +1643,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-eventhubprivateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-eventhubprivateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `eventHubPrivateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-eventhubprivateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `eventHubPrivateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1644,6 +1658,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `eventHubPrivateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `eventHubPrivateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
@@ -1858,6 +1879,17 @@ Array of role assignments to create.
 
 - Required: No
 - Type: array
+- Roles configurable by name:
+  - `'Contributor'`
+  - `'DNS Resolver Contributor'`
+  - `'DNS Zone Contributor'`
+  - `'Domain Services Contributor'`
+  - `'Domain Services Reader'`
+  - `'Network Contributor'`
+  - `'Owner'`
+  - `'Private DNS Zone Contributor'`
+  - `'Reader'`
+  - `'Role Based Access Control Administrator (Preview)'`
 
 **Required parameters**
 
@@ -2018,13 +2050,13 @@ The managed identity definition for this resource.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |
 
 ### Parameter: `managedIdentities.userAssignedResourceIds`
 
-The resource ID(s) to assign to the resource.
+The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.
 
-- Required: Yes
+- Required: No
 - Type: array
 
 ### Parameter: `managedResourceGroupName`
@@ -2094,15 +2126,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-portalprivateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-portalprivateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `portalPrivateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-portalprivateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `portalPrivateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2111,6 +2141,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `portalPrivateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `portalPrivateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
@@ -2325,6 +2362,17 @@ Array of role assignments to create.
 
 - Required: No
 - Type: array
+- Roles configurable by name:
+  - `'Contributor'`
+  - `'DNS Resolver Contributor'`
+  - `'DNS Zone Contributor'`
+  - `'Domain Services Contributor'`
+  - `'Domain Services Reader'`
+  - `'Network Contributor'`
+  - `'Owner'`
+  - `'Private DNS Zone Contributor'`
+  - `'Reader'`
+  - `'Role Based Access Control Administrator (Preview)'`
 
 **Required parameters**
 
@@ -2608,15 +2656,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-storageblobprivateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-storageblobprivateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `storageBlobPrivateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-storageblobprivateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `storageBlobPrivateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2625,6 +2671,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `storageBlobPrivateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `storageBlobPrivateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
@@ -2841,10 +2894,15 @@ Array of role assignments to create.
 - Type: array
 - Roles configurable by name:
   - `'Contributor'`
+  - `'DNS Resolver Contributor'`
+  - `'DNS Zone Contributor'`
+  - `'Domain Services Contributor'`
+  - `'Domain Services Reader'`
+  - `'Network Contributor'`
   - `'Owner'`
+  - `'Private DNS Zone Contributor'`
   - `'Reader'`
-  - `'Role Based Access Control Administrator'`
-  - `'User Access Administrator'`
+  - `'Role Based Access Control Administrator (Preview)'`
 
 **Required parameters**
 
@@ -3009,15 +3067,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-storagequeueprivateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-storagequeueprivateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `storageQueuePrivateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-storagequeueprivateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `storageQueuePrivateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -3026,6 +3082,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `storageQueuePrivateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `storageQueuePrivateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
@@ -3242,10 +3305,15 @@ Array of role assignments to create.
 - Type: array
 - Roles configurable by name:
   - `'Contributor'`
+  - `'DNS Resolver Contributor'`
+  - `'DNS Zone Contributor'`
+  - `'Domain Services Contributor'`
+  - `'Domain Services Reader'`
+  - `'Network Contributor'`
   - `'Owner'`
+  - `'Private DNS Zone Contributor'`
   - `'Reader'`
-  - `'Role Based Access Control Administrator'`
-  - `'User Access Administrator'`
+  - `'Role Based Access Control Administrator (Preview)'`
 
 **Required parameters**
 
diff --git a/avm/res/purview/account/main.bicep b/avm/res/purview/account/main.bicep
index e0d408fdb1..025b0371b0 100644
--- a/avm/res/purview/account/main.bicep
+++ b/avm/res/purview/account/main.bicep
@@ -13,8 +13,9 @@ param location string = resourceGroup().location
 @description('Optional. Tags of the resource.')
 param tags object?
 
+import { managedIdentityOnlyUserAssignedType } from 'br/public:avm/utl/types/avm-common-types:0.1.0'
 @description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
+param managedIdentities managedIdentityOnlyUserAssignedType?
 
 @description('Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is \'managed-rg-<purview-account-name>\'.')
 param managedResourceGroupName string = 'managed-rg-${name}'
@@ -165,7 +166,7 @@ resource account_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-
   }
 ]
 
-module account_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
+module account_accountPrivateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
   for (privateEndpoint, index) in (accountPrivateEndpoints ?? []): {
     name: '${uniqueString(deployment().name, location)}-account-PrivateEndpoint-${index}'
     scope: resourceGroup(privateEndpoint.?resourceGroupName ?? '')
@@ -217,7 +218,7 @@ module account_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.
   }
 ]
 
-module portal_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
+module account_portalPrivateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
   for (privateEndpoint, index) in (portalPrivateEndpoints ?? []): {
     name: '${uniqueString(deployment().name, location)}-portal-PrivateEndpoint-${index}'
     scope: resourceGroup(privateEndpoint.?resourceGroupName ?? '')
@@ -269,7 +270,7 @@ module portal_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1
   }
 ]
 
-module blob_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
+module account_storageBlobPrivateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
   for (privateEndpoint, index) in (storageBlobPrivateEndpoints ?? []): {
     name: '${uniqueString(deployment().name, location)}-blob-PrivateEndpoint-${index}'
     scope: resourceGroup(privateEndpoint.?resourceGroupName ?? '')
@@ -321,7 +322,7 @@ module blob_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1'
   }
 ]
 
-module queue_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
+module account_storageQueuePrivateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
   for (privateEndpoint, index) in (storageQueuePrivateEndpoints ?? []): {
     name: '${uniqueString(deployment().name, location)}-queue-PrivateEndpoint-${index}'
     scope: resourceGroup(privateEndpoint.?resourceGroupName ?? '')
@@ -373,7 +374,7 @@ module queue_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1'
   }
 ]
 
-module eventHub_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
+module account_eventHubPrivateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
   for (privateEndpoint, index) in (eventHubPrivateEndpoints ?? []): {
     name: '${uniqueString(deployment().name, location)}-eventHub-PrivateEndpoint-${index}'
     scope: resourceGroup(privateEndpoint.?resourceGroupName ?? '')
@@ -471,55 +472,55 @@ output systemAssignedMIPrincipalId string = account.?identity.?principalId ?? ''
 @description('The private endpoints of the Purview Account.')
 output accountPrivateEndpoints array = [
   for (pe, i) in (!empty(accountPrivateEndpoints) ? array(accountPrivateEndpoints) : []): {
-    name: account_privateEndpoints[i].outputs.name
-    resourceId: account_privateEndpoints[i].outputs.resourceId
-    groupId: account_privateEndpoints[i].outputs.groupId
-    customDnsConfig: account_privateEndpoints[i].outputs.customDnsConfig
-    networkInterfaceIds: account_privateEndpoints[i].outputs.networkInterfaceIds
+    name: account_accountPrivateEndpoints[i].outputs.name
+    resourceId: account_accountPrivateEndpoints[i].outputs.resourceId
+    groupId: account_accountPrivateEndpoints[i].outputs.groupId
+    customDnsConfig: account_accountPrivateEndpoints[i].outputs.customDnsConfig
+    networkInterfaceIds: account_accountPrivateEndpoints[i].outputs.networkInterfaceIds
   }
 ]
 
 @description('The private endpoints of the Purview Account Portal.')
 output portalPrivateEndpoints array = [
   for (pe, i) in (!empty(portalPrivateEndpoints) ? array(portalPrivateEndpoints) : []): {
-    name: portal_privateEndpoints[i].outputs.name
-    resourceId: portal_privateEndpoints[i].outputs.resourceId
-    groupId: portal_privateEndpoints[i].outputs.groupId
-    customDnsConfig: portal_privateEndpoints[i].outputs.customDnsConfig
-    networkInterfaceIds: portal_privateEndpoints[i].outputs.networkInterfaceIds
+    name: account_portalPrivateEndpoints[i].outputs.name
+    resourceId: account_portalPrivateEndpoints[i].outputs.resourceId
+    groupId: account_portalPrivateEndpoints[i].outputs.groupId
+    customDnsConfig: account_portalPrivateEndpoints[i].outputs.customDnsConfig
+    networkInterfaceIds: account_portalPrivateEndpoints[i].outputs.networkInterfaceIds
   }
 ]
 
 @description('The private endpoints of the managed storage account blob service.')
 output storageBlobPrivateEndpoints array = [
   for (pe, i) in (!empty(storageBlobPrivateEndpoints) ? array(storageBlobPrivateEndpoints) : []): {
-    name: blob_privateEndpoints[i].outputs.name
-    resourceId: blob_privateEndpoints[i].outputs.resourceId
-    groupId: blob_privateEndpoints[i].outputs.groupId
-    customDnsConfig: blob_privateEndpoints[i].outputs.customDnsConfig
-    networkInterfaceIds: blob_privateEndpoints[i].outputs.networkInterfaceIds
+    name: account_storageBlobPrivateEndpoints[i].outputs.name
+    resourceId: account_storageBlobPrivateEndpoints[i].outputs.resourceId
+    groupId: account_storageBlobPrivateEndpoints[i].outputs.groupId
+    customDnsConfig: account_storageBlobPrivateEndpoints[i].outputs.customDnsConfig
+    networkInterfaceIds: account_storageBlobPrivateEndpoints[i].outputs.networkInterfaceIds
   }
 ]
 
 @description('The private endpoints of the managed storage account queue service.')
 output storageQueuePrivateEndpoints array = [
   for (pe, i) in (!empty(storageQueuePrivateEndpoints) ? array(storageQueuePrivateEndpoints) : []): {
-    name: queue_privateEndpoints[i].outputs.name
-    resourceId: queue_privateEndpoints[i].outputs.resourceId
-    groupId: queue_privateEndpoints[i].outputs.groupId
-    customDnsConfig: queue_privateEndpoints[i].outputs.customDnsConfig
-    networkInterfaceIds: queue_privateEndpoints[i].outputs.networkInterfaceIds
+    name: account_storageQueuePrivateEndpoints[i].outputs.name
+    resourceId: account_storageQueuePrivateEndpoints[i].outputs.resourceId
+    groupId: account_storageQueuePrivateEndpoints[i].outputs.groupId
+    customDnsConfig: account_storageQueuePrivateEndpoints[i].outputs.customDnsConfig
+    networkInterfaceIds: account_storageQueuePrivateEndpoints[i].outputs.networkInterfaceIds
   }
 ]
 
 @description('The private endpoints of the managed Event Hub Namespace.')
 output eventHubPrivateEndpoints array = [
   for (pe, i) in (!empty(eventHubPrivateEndpoints) ? array(eventHubPrivateEndpoints) : []): {
-    name: eventHub_privateEndpoints[i].outputs.name
-    resourceId: eventHub_privateEndpoints[i].outputs.resourceId
-    groupId: eventHub_privateEndpoints[i].outputs.groupId
-    customDnsConfig: eventHub_privateEndpoints[i].outputs.customDnsConfig
-    networkInterfaceIds: eventHub_privateEndpoints[i].outputs.networkInterfaceIds
+    name: account_eventHubPrivateEndpoints[i].outputs.name
+    resourceId: account_eventHubPrivateEndpoints[i].outputs.resourceId
+    groupId: account_eventHubPrivateEndpoints[i].outputs.groupId
+    customDnsConfig: account_eventHubPrivateEndpoints[i].outputs.customDnsConfig
+    networkInterfaceIds: account_eventHubPrivateEndpoints[i].outputs.networkInterfaceIds
   }
 ]
 
@@ -527,11 +528,6 @@ output eventHubPrivateEndpoints array = [
 //   Definitions   //
 // =============== //
 
-type managedIdentitiesType = {
-  @description('Optional. The resource ID(s) to assign to the resource.')
-  userAssignedResourceIds: string[]
-}?
-
 type lockType = {
   @description('Optional. Specify the name of lock.')
   name: string?
@@ -650,7 +646,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/purview/account/main.json b/avm/res/purview/account/main.json
index 34bd78df71..1b147c97ac 100644
--- a/avm/res/purview/account/main.json
+++ b/avm/res/purview/account/main.json
@@ -5,29 +5,14 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "14495497067965615328"
+      "version": "0.30.23.60470",
+      "templateHash": "3897776991818014507"
     },
     "name": "Purview Accounts",
     "description": "This module deploys a Purview Account.",
     "owner": "Azure/module-maintainers"
   },
   "definitions": {
-    "managedIdentitiesType": {
-      "type": "object",
-      "properties": {
-        "userAssignedResourceIds": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "metadata": {
-            "description": "Optional. The resource ID(s) to assign to the resource."
-          }
-        }
-      },
-      "nullable": true
-    },
     "lockType": {
       "type": "object",
       "properties": {
@@ -349,7 +334,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -465,6 +450,27 @@
         }
       },
       "nullable": true
+    },
+    "managedIdentityOnlyUserAssignedType": {
+      "type": "object",
+      "properties": {
+        "userAssignedResourceIds": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a managed identity configuration. To be used if only user-assigned identities are supported by the resource provider.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.1.0"
+        }
+      }
     }
   },
   "parameters": {
@@ -491,7 +497,8 @@
       }
     },
     "managedIdentities": {
-      "$ref": "#/definitions/managedIdentitiesType",
+      "$ref": "#/definitions/managedIdentityOnlyUserAssignedType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The managed identity definition for this resource."
       }
@@ -703,9 +710,9 @@
         "account"
       ]
     },
-    "account_privateEndpoints": {
+    "account_accountPrivateEndpoints": {
       "copy": {
-        "name": "account_privateEndpoints",
+        "name": "account_accountPrivateEndpoints",
         "count": "[length(coalesce(parameters('accountPrivateEndpoints'), createArray()))]"
       },
       "type": "Microsoft.Resources/deployments",
@@ -1469,9 +1476,9 @@
         "account"
       ]
     },
-    "portal_privateEndpoints": {
+    "account_portalPrivateEndpoints": {
       "copy": {
-        "name": "portal_privateEndpoints",
+        "name": "account_portalPrivateEndpoints",
         "count": "[length(coalesce(parameters('portalPrivateEndpoints'), createArray()))]"
       },
       "type": "Microsoft.Resources/deployments",
@@ -2235,9 +2242,9 @@
         "account"
       ]
     },
-    "blob_privateEndpoints": {
+    "account_storageBlobPrivateEndpoints": {
       "copy": {
-        "name": "blob_privateEndpoints",
+        "name": "account_storageBlobPrivateEndpoints",
         "count": "[length(coalesce(parameters('storageBlobPrivateEndpoints'), createArray()))]"
       },
       "type": "Microsoft.Resources/deployments",
@@ -3001,9 +3008,9 @@
         "account"
       ]
     },
-    "queue_privateEndpoints": {
+    "account_storageQueuePrivateEndpoints": {
       "copy": {
-        "name": "queue_privateEndpoints",
+        "name": "account_storageQueuePrivateEndpoints",
         "count": "[length(coalesce(parameters('storageQueuePrivateEndpoints'), createArray()))]"
       },
       "type": "Microsoft.Resources/deployments",
@@ -3767,9 +3774,9 @@
         "account"
       ]
     },
-    "eventHub_privateEndpoints": {
+    "account_eventHubPrivateEndpoints": {
       "copy": {
-        "name": "eventHub_privateEndpoints",
+        "name": "account_eventHubPrivateEndpoints",
         "count": "[length(coalesce(parameters('eventHubPrivateEndpoints'), createArray()))]"
       },
       "type": "Microsoft.Resources/deployments",
@@ -4606,11 +4613,11 @@
       "copy": {
         "count": "[length(if(not(empty(parameters('accountPrivateEndpoints'))), array(parameters('accountPrivateEndpoints')), createArray()))]",
         "input": {
-          "name": "[reference(format('account_privateEndpoints[{0}]', copyIndex())).outputs.name.value]",
-          "resourceId": "[reference(format('account_privateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
-          "groupId": "[reference(format('account_privateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
-          "customDnsConfig": "[reference(format('account_privateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
-          "networkInterfaceIds": "[reference(format('account_privateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
+          "name": "[reference(format('account_accountPrivateEndpoints[{0}]', copyIndex())).outputs.name.value]",
+          "resourceId": "[reference(format('account_accountPrivateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
+          "groupId": "[reference(format('account_accountPrivateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
+          "customDnsConfig": "[reference(format('account_accountPrivateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
+          "networkInterfaceIds": "[reference(format('account_accountPrivateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
         }
       }
     },
@@ -4622,11 +4629,11 @@
       "copy": {
         "count": "[length(if(not(empty(parameters('portalPrivateEndpoints'))), array(parameters('portalPrivateEndpoints')), createArray()))]",
         "input": {
-          "name": "[reference(format('portal_privateEndpoints[{0}]', copyIndex())).outputs.name.value]",
-          "resourceId": "[reference(format('portal_privateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
-          "groupId": "[reference(format('portal_privateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
-          "customDnsConfig": "[reference(format('portal_privateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
-          "networkInterfaceIds": "[reference(format('portal_privateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
+          "name": "[reference(format('account_portalPrivateEndpoints[{0}]', copyIndex())).outputs.name.value]",
+          "resourceId": "[reference(format('account_portalPrivateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
+          "groupId": "[reference(format('account_portalPrivateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
+          "customDnsConfig": "[reference(format('account_portalPrivateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
+          "networkInterfaceIds": "[reference(format('account_portalPrivateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
         }
       }
     },
@@ -4638,11 +4645,11 @@
       "copy": {
         "count": "[length(if(not(empty(parameters('storageBlobPrivateEndpoints'))), array(parameters('storageBlobPrivateEndpoints')), createArray()))]",
         "input": {
-          "name": "[reference(format('blob_privateEndpoints[{0}]', copyIndex())).outputs.name.value]",
-          "resourceId": "[reference(format('blob_privateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
-          "groupId": "[reference(format('blob_privateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
-          "customDnsConfig": "[reference(format('blob_privateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
-          "networkInterfaceIds": "[reference(format('blob_privateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
+          "name": "[reference(format('account_storageBlobPrivateEndpoints[{0}]', copyIndex())).outputs.name.value]",
+          "resourceId": "[reference(format('account_storageBlobPrivateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
+          "groupId": "[reference(format('account_storageBlobPrivateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
+          "customDnsConfig": "[reference(format('account_storageBlobPrivateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
+          "networkInterfaceIds": "[reference(format('account_storageBlobPrivateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
         }
       }
     },
@@ -4654,11 +4661,11 @@
       "copy": {
         "count": "[length(if(not(empty(parameters('storageQueuePrivateEndpoints'))), array(parameters('storageQueuePrivateEndpoints')), createArray()))]",
         "input": {
-          "name": "[reference(format('queue_privateEndpoints[{0}]', copyIndex())).outputs.name.value]",
-          "resourceId": "[reference(format('queue_privateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
-          "groupId": "[reference(format('queue_privateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
-          "customDnsConfig": "[reference(format('queue_privateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
-          "networkInterfaceIds": "[reference(format('queue_privateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
+          "name": "[reference(format('account_storageQueuePrivateEndpoints[{0}]', copyIndex())).outputs.name.value]",
+          "resourceId": "[reference(format('account_storageQueuePrivateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
+          "groupId": "[reference(format('account_storageQueuePrivateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
+          "customDnsConfig": "[reference(format('account_storageQueuePrivateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
+          "networkInterfaceIds": "[reference(format('account_storageQueuePrivateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
         }
       }
     },
@@ -4670,11 +4677,11 @@
       "copy": {
         "count": "[length(if(not(empty(parameters('eventHubPrivateEndpoints'))), array(parameters('eventHubPrivateEndpoints')), createArray()))]",
         "input": {
-          "name": "[reference(format('eventHub_privateEndpoints[{0}]', copyIndex())).outputs.name.value]",
-          "resourceId": "[reference(format('eventHub_privateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
-          "groupId": "[reference(format('eventHub_privateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
-          "customDnsConfig": "[reference(format('eventHub_privateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
-          "networkInterfaceIds": "[reference(format('eventHub_privateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
+          "name": "[reference(format('account_eventHubPrivateEndpoints[{0}]', copyIndex())).outputs.name.value]",
+          "resourceId": "[reference(format('account_eventHubPrivateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]",
+          "groupId": "[reference(format('account_eventHubPrivateEndpoints[{0}]', copyIndex())).outputs.groupId.value]",
+          "customDnsConfig": "[reference(format('account_eventHubPrivateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]",
+          "networkInterfaceIds": "[reference(format('account_eventHubPrivateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceIds.value]"
         }
       }
     }
diff --git a/avm/res/recovery-services/vault/README.md b/avm/res/recovery-services/vault/README.md
index 65477a4986..e9ade080e0 100644
--- a/avm/res/recovery-services/vault/README.md
+++ b/avm/res/recovery-services/vault/README.md
@@ -3061,15 +3061,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -3078,6 +3076,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/recovery-services/vault/backup-config/main.json b/avm/res/recovery-services/vault/backup-config/main.json
index acb2cb784e..cea379ce42 100644
--- a/avm/res/recovery-services/vault/backup-config/main.json
+++ b/avm/res/recovery-services/vault/backup-config/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "16706009499329717813"
+      "version": "0.30.23.60470",
+      "templateHash": "11104609825546301514"
     },
     "name": "Recovery Services Vault Backup Config",
     "description": "This module deploys a Recovery Services Vault Backup Config.",
diff --git a/avm/res/recovery-services/vault/backup-fabric/protection-container/main.json b/avm/res/recovery-services/vault/backup-fabric/protection-container/main.json
index b85b737445..10c19edb29 100644
--- a/avm/res/recovery-services/vault/backup-fabric/protection-container/main.json
+++ b/avm/res/recovery-services/vault/backup-fabric/protection-container/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "7107776981403889232"
+      "version": "0.30.23.60470",
+      "templateHash": "3738002202831366506"
     },
     "name": "Recovery Services Vault Protection Container",
     "description": "This module deploys a Recovery Services Vault Protection Container.",
@@ -144,8 +144,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "4676289166883418684"
+              "version": "0.30.23.60470",
+              "templateHash": "12193073774274736616"
             },
             "name": "Recovery Service Vaults Protection Container Protected Item",
             "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.",
diff --git a/avm/res/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json b/avm/res/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json
index f337cc9f66..9aa95b7b17 100644
--- a/avm/res/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json
+++ b/avm/res/recovery-services/vault/backup-fabric/protection-container/protected-item/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "4676289166883418684"
+      "version": "0.30.23.60470",
+      "templateHash": "12193073774274736616"
     },
     "name": "Recovery Service Vaults Protection Container Protected Item",
     "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.",
diff --git a/avm/res/recovery-services/vault/backup-policy/main.json b/avm/res/recovery-services/vault/backup-policy/main.json
index 64efc19007..44dc4765ba 100644
--- a/avm/res/recovery-services/vault/backup-policy/main.json
+++ b/avm/res/recovery-services/vault/backup-policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "3484552475575852642"
+      "version": "0.30.23.60470",
+      "templateHash": "2997233827023702889"
     },
     "name": "Recovery Services Vault Backup Policies",
     "description": "This module deploys a Recovery Services Vault Backup Policy.",
diff --git a/avm/res/recovery-services/vault/backup-storage-config/main.json b/avm/res/recovery-services/vault/backup-storage-config/main.json
index d4257df69b..2fad6d1a98 100644
--- a/avm/res/recovery-services/vault/backup-storage-config/main.json
+++ b/avm/res/recovery-services/vault/backup-storage-config/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "15771571961904697298"
+      "version": "0.30.23.60470",
+      "templateHash": "8831096651733297926"
     },
     "name": "Recovery Services Vault Backup Storage Config",
     "description": "This module deploys a Recovery Service Vault Backup Storage Configuration.",
diff --git a/avm/res/recovery-services/vault/main.bicep b/avm/res/recovery-services/vault/main.bicep
index 6f984370b8..49a85c68b8 100644
--- a/avm/res/recovery-services/vault/main.bicep
+++ b/avm/res/recovery-services/vault/main.bicep
@@ -493,7 +493,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/recovery-services/vault/main.json b/avm/res/recovery-services/vault/main.json
index f05335967c..edda40c893 100644
--- a/avm/res/recovery-services/vault/main.json
+++ b/avm/res/recovery-services/vault/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "11169688111946598929"
+      "version": "0.30.23.60470",
+      "templateHash": "1168094723641222476"
     },
     "name": "Recovery Services Vaults",
     "description": "This module deploys a Recovery Services Vault.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -776,8 +776,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "14351620305513283067"
+              "version": "0.30.23.60470",
+              "templateHash": "16298384162352496224"
             },
             "name": "Recovery Services Vault Replication Fabrics",
             "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\n\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.",
@@ -794,7 +794,7 @@
               "type": "string",
               "defaultValue": "[resourceGroup().location]",
               "metadata": {
-                "description": "Required. The recovery location the fabric represents."
+                "description": "Optional. The recovery location the fabric represents."
               }
             },
             "name": {
@@ -847,7 +847,9 @@
                   "replicationFabricName": {
                     "value": "[parameters('name')]"
                   },
-                  "replicationContainerMappings": "[if(contains(parameters('replicationContainers')[copyIndex()], 'replicationContainerMappings'), createObject('value', parameters('replicationContainers')[copyIndex()].replicationContainerMappings), createObject('value', createArray()))]"
+                  "replicationContainerMappings": {
+                    "value": "[tryGet(parameters('replicationContainers')[copyIndex()], 'replicationContainerMappings')]"
+                  }
                 },
                 "template": {
                   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -855,8 +857,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "10179392610574660553"
+                      "version": "0.30.23.60470",
+                      "templateHash": "17558710415740898922"
                     },
                     "name": "Recovery Services Vault Replication Fabric Replication Protection Containers",
                     "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
@@ -916,9 +918,15 @@
                         },
                         "mode": "Incremental",
                         "parameters": {
-                          "name": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'name'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].name), createObject('value', ''))]",
-                          "policyId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyId), createObject('value', ''))]",
-                          "policyName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyName), createObject('value', ''))]",
+                          "name": {
+                            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'name')]"
+                          },
+                          "policyId": {
+                            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'policyId')]"
+                          },
+                          "policyName": {
+                            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'policyName')]"
+                          },
                           "recoveryVaultName": {
                             "value": "[parameters('recoveryVaultName')]"
                           },
@@ -928,9 +936,15 @@
                           "sourceProtectionContainerName": {
                             "value": "[parameters('name')]"
                           },
-                          "targetProtectionContainerId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetProtectionContainerId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetProtectionContainerId), createObject('value', ''))]",
-                          "targetContainerFabricName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerFabricName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerFabricName), createObject('value', parameters('replicationFabricName')))]",
-                          "targetContainerName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerName), createObject('value', ''))]"
+                          "targetProtectionContainerId": {
+                            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'targetProtectionContainerId')]"
+                          },
+                          "targetContainerFabricName": {
+                            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerFabricName')]"
+                          },
+                          "targetContainerName": {
+                            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerName')]"
+                          }
                         },
                         "template": {
                           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -938,8 +952,8 @@
                           "metadata": {
                             "_generator": {
                               "name": "bicep",
-                              "version": "0.29.47.4906",
-                              "templateHash": "9091386051733041821"
+                              "version": "0.30.23.60470",
+                              "templateHash": "5738551771802324865"
                             },
                             "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings",
                             "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
@@ -1147,8 +1161,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "14083088922027127333"
+              "version": "0.30.23.60470",
+              "templateHash": "15732147582012031147"
             },
             "name": "Recovery Services Vault Replication Policies",
             "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
@@ -1272,8 +1286,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "15771571961904697298"
+              "version": "0.30.23.60470",
+              "templateHash": "8831096651733297926"
             },
             "name": "Recovery Services Vault Backup Storage Config",
             "description": "This module deploys a Recovery Service Vault Backup Storage Configuration.",
@@ -1398,8 +1412,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "7107776981403889232"
+              "version": "0.30.23.60470",
+              "templateHash": "3738002202831366506"
             },
             "name": "Recovery Services Vault Protection Container",
             "description": "This module deploys a Recovery Services Vault Protection Container.",
@@ -1537,8 +1551,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "4676289166883418684"
+                      "version": "0.30.23.60470",
+                      "templateHash": "12193073774274736616"
                     },
                     "name": "Recovery Service Vaults Protection Container Protected Item",
                     "description": "This module deploys a Recovery Services Vault Protection Container Protected Item.",
@@ -1703,8 +1717,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "3484552475575852642"
+              "version": "0.30.23.60470",
+              "templateHash": "2997233827023702889"
             },
             "name": "Recovery Services Vault Backup Policies",
             "description": "This module deploys a Recovery Services Vault Backup Policy.",
@@ -1796,8 +1810,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "16706009499329717813"
+              "version": "0.30.23.60470",
+              "templateHash": "11104609825546301514"
             },
             "name": "Recovery Services Vault Backup Config",
             "description": "This module deploys a Recovery Services Vault Backup Config.",
@@ -1963,8 +1977,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "14356935491527849801"
+              "version": "0.30.23.60470",
+              "templateHash": "7857651426193262933"
             },
             "name": "Recovery Services Vault Replication Alert Settings",
             "description": "This module deploys a Recovery Services Vault Replication Alert Settings.",
diff --git a/avm/res/recovery-services/vault/replication-alert-setting/main.json b/avm/res/recovery-services/vault/replication-alert-setting/main.json
index ef2755c71e..0ae5a022eb 100644
--- a/avm/res/recovery-services/vault/replication-alert-setting/main.json
+++ b/avm/res/recovery-services/vault/replication-alert-setting/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "14356935491527849801"
+      "version": "0.30.23.60470",
+      "templateHash": "7857651426193262933"
     },
     "name": "Recovery Services Vault Replication Alert Settings",
     "description": "This module deploys a Recovery Services Vault Replication Alert Settings.",
diff --git a/avm/res/recovery-services/vault/replication-fabric/README.md b/avm/res/recovery-services/vault/replication-fabric/README.md
index 26ebf9b2a1..c363361733 100644
--- a/avm/res/recovery-services/vault/replication-fabric/README.md
+++ b/avm/res/recovery-services/vault/replication-fabric/README.md
@@ -20,12 +20,6 @@ This module deploys a Replication Fabric for Azure to Azure disaster recovery sc
 
 ## Parameters
 
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`location`](#parameter-location) | string | The recovery location the fabric represents. |
-
 **Conditional parameters**
 
 | Parameter | Type | Description |
@@ -36,23 +30,24 @@ This module deploys a Replication Fabric for Azure to Azure disaster recovery sc
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`location`](#parameter-location) | string | The recovery location the fabric represents. |
 | [`name`](#parameter-name) | string | The name of the fabric. |
 | [`replicationContainers`](#parameter-replicationcontainers) | array | Replication containers to create. |
 
-### Parameter: `location`
+### Parameter: `recoveryVaultName`
 
-The recovery location the fabric represents.
+The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.
 
-- Required: No
+- Required: Yes
 - Type: string
-- Default: `[resourceGroup().location]`
 
-### Parameter: `recoveryVaultName`
+### Parameter: `location`
 
-The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.
+The recovery location the fabric represents.
 
-- Required: Yes
+- Required: No
 - Type: string
+- Default: `[resourceGroup().location]`
 
 ### Parameter: `name`
 
diff --git a/avm/res/recovery-services/vault/replication-fabric/main.bicep b/avm/res/recovery-services/vault/replication-fabric/main.bicep
index e7b7f91869..180d13b90b 100644
--- a/avm/res/recovery-services/vault/replication-fabric/main.bicep
+++ b/avm/res/recovery-services/vault/replication-fabric/main.bicep
@@ -7,7 +7,7 @@ metadata owner = 'Azure/module-maintainers'
 @description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
 param recoveryVaultName string
 
-@description('Required. The recovery location the fabric represents.')
+@description('Optional. The recovery location the fabric represents.')
 param location string = resourceGroup().location
 
 @description('Optional. The name of the fabric.')
@@ -33,9 +33,7 @@ module fabric_replicationContainers 'replication-protection-container/main.bicep
       name: container.name
       recoveryVaultName: recoveryVaultName
       replicationFabricName: name
-      replicationContainerMappings: contains(container, 'replicationContainerMappings')
-        ? container.replicationContainerMappings
-        : []
+      replicationContainerMappings: container.?replicationContainerMappings
     }
     dependsOn: [
       replicationFabric
diff --git a/avm/res/recovery-services/vault/replication-fabric/main.json b/avm/res/recovery-services/vault/replication-fabric/main.json
index 62b645b48d..d55ea53bcb 100644
--- a/avm/res/recovery-services/vault/replication-fabric/main.json
+++ b/avm/res/recovery-services/vault/replication-fabric/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "14351620305513283067"
+      "version": "0.30.23.60470",
+      "templateHash": "16298384162352496224"
     },
     "name": "Recovery Services Vault Replication Fabrics",
     "description": "This module deploys a Replication Fabric for Azure to Azure disaster recovery scenario of Azure Site Recovery.\n\n> Note: this module currently support only the `instanceType: 'Azure'` scenario.",
@@ -22,7 +22,7 @@
       "type": "string",
       "defaultValue": "[resourceGroup().location]",
       "metadata": {
-        "description": "Required. The recovery location the fabric represents."
+        "description": "Optional. The recovery location the fabric represents."
       }
     },
     "name": {
@@ -75,7 +75,9 @@
           "replicationFabricName": {
             "value": "[parameters('name')]"
           },
-          "replicationContainerMappings": "[if(contains(parameters('replicationContainers')[copyIndex()], 'replicationContainerMappings'), createObject('value', parameters('replicationContainers')[copyIndex()].replicationContainerMappings), createObject('value', createArray()))]"
+          "replicationContainerMappings": {
+            "value": "[tryGet(parameters('replicationContainers')[copyIndex()], 'replicationContainerMappings')]"
+          }
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -83,8 +85,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10179392610574660553"
+              "version": "0.30.23.60470",
+              "templateHash": "17558710415740898922"
             },
             "name": "Recovery Services Vault Replication Fabric Replication Protection Containers",
             "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
@@ -144,9 +146,15 @@
                 },
                 "mode": "Incremental",
                 "parameters": {
-                  "name": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'name'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].name), createObject('value', ''))]",
-                  "policyId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyId), createObject('value', ''))]",
-                  "policyName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyName), createObject('value', ''))]",
+                  "name": {
+                    "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'name')]"
+                  },
+                  "policyId": {
+                    "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'policyId')]"
+                  },
+                  "policyName": {
+                    "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'policyName')]"
+                  },
                   "recoveryVaultName": {
                     "value": "[parameters('recoveryVaultName')]"
                   },
@@ -156,9 +164,15 @@
                   "sourceProtectionContainerName": {
                     "value": "[parameters('name')]"
                   },
-                  "targetProtectionContainerId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetProtectionContainerId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetProtectionContainerId), createObject('value', ''))]",
-                  "targetContainerFabricName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerFabricName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerFabricName), createObject('value', parameters('replicationFabricName')))]",
-                  "targetContainerName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerName), createObject('value', ''))]"
+                  "targetProtectionContainerId": {
+                    "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'targetProtectionContainerId')]"
+                  },
+                  "targetContainerFabricName": {
+                    "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerFabricName')]"
+                  },
+                  "targetContainerName": {
+                    "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerName')]"
+                  }
                 },
                 "template": {
                   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -166,8 +180,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "9091386051733041821"
+                      "version": "0.30.23.60470",
+                      "templateHash": "5738551771802324865"
                     },
                     "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings",
                     "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
diff --git a/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/main.bicep b/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/main.bicep
index 95114d9bcb..ca5b907491 100644
--- a/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/main.bicep
+++ b/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/main.bicep
@@ -31,19 +31,15 @@ module fabric_container_containerMappings 'replication-protection-container-mapp
   for (mapping, index) in replicationContainerMappings: {
     name: '${deployment().name}-Map-${index}'
     params: {
-      name: contains(mapping, 'name') ? mapping.name : ''
-      policyId: contains(mapping, 'policyId') ? mapping.policyId : ''
-      policyName: contains(mapping, 'policyName') ? mapping.policyName : ''
+      name: mapping.?name
+      policyId: mapping.?policyId
+      policyName: mapping.?policyName
       recoveryVaultName: recoveryVaultName
       replicationFabricName: replicationFabricName
       sourceProtectionContainerName: name
-      targetProtectionContainerId: contains(mapping, 'targetProtectionContainerId')
-        ? mapping.targetProtectionContainerId
-        : ''
-      targetContainerFabricName: contains(mapping, 'targetContainerFabricName')
-        ? mapping.targetContainerFabricName
-        : replicationFabricName
-      targetContainerName: contains(mapping, 'targetContainerName') ? mapping.targetContainerName : ''
+      targetProtectionContainerId: mapping.?targetProtectionContainerId
+      targetContainerFabricName: mapping.?targetContainerFabricName
+      targetContainerName: mapping.?targetContainerName
     }
     dependsOn: [
       replicationContainer
diff --git a/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/main.json b/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/main.json
index 691ec1374c..f6ce642852 100644
--- a/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/main.json
+++ b/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "10179392610574660553"
+      "version": "0.30.23.60470",
+      "templateHash": "17558710415740898922"
     },
     "name": "Recovery Services Vault Replication Fabric Replication Protection Containers",
     "description": "This module deploys a Recovery Services Vault Replication Protection Container.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
@@ -65,9 +65,15 @@
         },
         "mode": "Incremental",
         "parameters": {
-          "name": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'name'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].name), createObject('value', ''))]",
-          "policyId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyId), createObject('value', ''))]",
-          "policyName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'policyName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].policyName), createObject('value', ''))]",
+          "name": {
+            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'name')]"
+          },
+          "policyId": {
+            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'policyId')]"
+          },
+          "policyName": {
+            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'policyName')]"
+          },
           "recoveryVaultName": {
             "value": "[parameters('recoveryVaultName')]"
           },
@@ -77,9 +83,15 @@
           "sourceProtectionContainerName": {
             "value": "[parameters('name')]"
           },
-          "targetProtectionContainerId": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetProtectionContainerId'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetProtectionContainerId), createObject('value', ''))]",
-          "targetContainerFabricName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerFabricName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerFabricName), createObject('value', parameters('replicationFabricName')))]",
-          "targetContainerName": "[if(contains(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerName'), createObject('value', parameters('replicationContainerMappings')[copyIndex()].targetContainerName), createObject('value', ''))]"
+          "targetProtectionContainerId": {
+            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'targetProtectionContainerId')]"
+          },
+          "targetContainerFabricName": {
+            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerFabricName')]"
+          },
+          "targetContainerName": {
+            "value": "[tryGet(parameters('replicationContainerMappings')[copyIndex()], 'targetContainerName')]"
+          }
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -87,8 +99,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "9091386051733041821"
+              "version": "0.30.23.60470",
+              "templateHash": "5738551771802324865"
             },
             "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings",
             "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
diff --git a/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json b/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json
index 211070c849..a3439ebaac 100644
--- a/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json
+++ b/avm/res/recovery-services/vault/replication-fabric/replication-protection-container/replication-protection-container-mapping/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "9091386051733041821"
+      "version": "0.30.23.60470",
+      "templateHash": "5738551771802324865"
     },
     "name": "Recovery Services Vault Replication Fabric Replication Protection Container Replication Protection Container Mappings",
     "description": "This module deploys a Recovery Services Vault (RSV) Replication Protection Container Mapping.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
diff --git a/avm/res/recovery-services/vault/replication-policy/main.json b/avm/res/recovery-services/vault/replication-policy/main.json
index 5e8f6eda48..a2aadac452 100644
--- a/avm/res/recovery-services/vault/replication-policy/main.json
+++ b/avm/res/recovery-services/vault/replication-policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "14083088922027127333"
+      "version": "0.30.23.60470",
+      "templateHash": "15732147582012031147"
     },
     "name": "Recovery Services Vault Replication Policies",
     "description": "This module deploys a Recovery Services Vault Replication Policy for Disaster Recovery scenario.\n\n> **Note**: this version of the module only supports the `instanceType: 'A2A'` scenario.",
diff --git a/avm/res/relay/namespace/README.md b/avm/res/relay/namespace/README.md
index 4059dd7c06..026971ecfd 100644
--- a/avm/res/relay/namespace/README.md
+++ b/avm/res/relay/namespace/README.md
@@ -1250,15 +1250,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1267,6 +1265,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/relay/namespace/main.bicep b/avm/res/relay/namespace/main.bicep
index 9758646370..c3afc10479 100644
--- a/avm/res/relay/namespace/main.bicep
+++ b/avm/res/relay/namespace/main.bicep
@@ -433,7 +433,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/relay/namespace/main.json b/avm/res/relay/namespace/main.json
index dab21e582d..8c8228f6fc 100644
--- a/avm/res/relay/namespace/main.json
+++ b/avm/res/relay/namespace/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "10748276001217770184"
+      "version": "0.30.23.60470",
+      "templateHash": "7064419851782803288"
     },
     "name": "Relay Namespaces",
     "description": "This module deploys a Relay Namespace",
@@ -214,7 +214,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -710,8 +710,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "13234316448276715063"
+              "version": "0.30.23.60470",
+              "templateHash": "9137586793857005081"
             },
             "name": "Relay Namespace Authorization Rules",
             "description": "This module deploys a Relay Namespace Authorization Rule.",
@@ -809,8 +809,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "13158990350519912635"
+              "version": "0.30.23.60470",
+              "templateHash": "9578854855013298380"
             },
             "name": "Relay Namespace Network Rules Sets",
             "description": "This module deploys a Relay Namespace Network Rule Set.",
@@ -938,8 +938,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "3066452421480890151"
+              "version": "0.30.23.60470",
+              "templateHash": "16821503954722419440"
             },
             "name": "Relay Namespace Hybrid Connections",
             "description": "This module deploys a Relay Namespace Hybrid Connection.",
@@ -1223,8 +1223,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "11780139902470137859"
+                      "version": "0.30.23.60470",
+                      "templateHash": "4431168643851665214"
                     },
                     "name": "Hybrid Connection Authorization Rules",
                     "description": "This module deploys a Hybrid Connection Authorization Rule.",
@@ -1366,8 +1366,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "25032660008872161"
+              "version": "0.30.23.60470",
+              "templateHash": "10679723922873486376"
             },
             "name": "Relay Namespace WCF Relays",
             "description": "This module deploys a Relay Namespace WCF Relay.",
@@ -1671,8 +1671,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "9846145731132177305"
+                      "version": "0.30.23.60470",
+                      "templateHash": "15492272456787428584"
                     },
                     "name": "WCF Relay Authorization Rules",
                     "description": "This module deploys a WCF Relay Authorization Rule.",
diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index 056c76fef4..6de0311d62 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -1340,15 +1340,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1357,6 +1355,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/search/search-service/main.bicep b/avm/res/search/search-service/main.bicep
index df608c8af6..4adadf8896 100644
--- a/avm/res/search/search-service/main.bicep
+++ b/avm/res/search/search-service/main.bicep
@@ -467,7 +467,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/search/search-service/main.json b/avm/res/search/search-service/main.json
index 24719a5ca7..7166a21a5d 100644
--- a/avm/res/search/search-service/main.json
+++ b/avm/res/search/search-service/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "13527260085574333800"
+      "templateHash": "2146382794975309304"
     },
     "name": "Search Services",
     "description": "This module deploys a Search Service.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/service-bus/namespace/README.md b/avm/res/service-bus/namespace/README.md
index bce7d6853c..69961eb91e 100644
--- a/avm/res/service-bus/namespace/README.md
+++ b/avm/res/service-bus/namespace/README.md
@@ -1527,7 +1527,6 @@ param topics = [
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`name`](#parameter-name) | string | Name of the Service Bus Namespace. |
-| [`skuObject`](#parameter-skuobject) | object | The SKU of the Service Bus Namespace. Defaulted to Premium for ZoneRedundant configurations by default. |
 
 **Optional parameters**
 
@@ -1552,6 +1551,7 @@ param topics = [
 | [`queues`](#parameter-queues) | array | The queues to create in the service bus namespace. |
 | [`requireInfrastructureEncryption`](#parameter-requireinfrastructureencryption) | bool | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
+| [`skuObject`](#parameter-skuobject) | object | The SKU of the Service Bus Namespace. Defaulted to Premium for ZoneRedundant configurations by default. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`topics`](#parameter-topics) | array | The topics to create in the service bus namespace. |
 | [`zoneRedundant`](#parameter-zoneredundant) | bool | Enabled by default in order to align with resiliency best practices, thus requires Premium SKU. |
@@ -1563,54 +1563,6 @@ Name of the Service Bus Namespace.
 - Required: Yes
 - Type: string
 
-### Parameter: `skuObject`
-
-The SKU of the Service Bus Namespace. Defaulted to Premium for ZoneRedundant configurations by default.
-
-- Required: No
-- Type: object
-- Default:
-  ```Bicep
-  {
-      capacity: 2
-      name: 'Premium'
-  }
-  ```
-
-**Required parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`name`](#parameter-skuobjectname) | string | Name of this SKU. - Basic, Standard, Premium. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`capacity`](#parameter-skuobjectcapacity) | int | The specified messaging units for the tier. Only used for Premium Sku tier. |
-
-### Parameter: `skuObject.name`
-
-Name of this SKU. - Basic, Standard, Premium.
-
-- Required: Yes
-- Type: string
-- Allowed:
-  ```Bicep
-  [
-    'Basic'
-    'Premium'
-    'Standard'
-  ]
-  ```
-
-### Parameter: `skuObject.capacity`
-
-The specified messaging units for the tier. Only used for Premium Sku tier.
-
-- Required: No
-- Type: int
-
 ### Parameter: `alternateName`
 
 Alternate name for namespace.
@@ -2217,15 +2169,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2234,6 +2184,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
@@ -3048,6 +3005,54 @@ The principal type of the assigned principal ID.
   ]
   ```
 
+### Parameter: `skuObject`
+
+The SKU of the Service Bus Namespace. Defaulted to Premium for ZoneRedundant configurations by default.
+
+- Required: No
+- Type: object
+- Default:
+  ```Bicep
+  {
+      capacity: 2
+      name: 'Premium'
+  }
+  ```
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-skuobjectname) | string | Name of this SKU. - Basic, Standard, Premium. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`capacity`](#parameter-skuobjectcapacity) | int | The specified messaging units for the tier. Only used for Premium Sku tier. |
+
+### Parameter: `skuObject.name`
+
+Name of this SKU. - Basic, Standard, Premium.
+
+- Required: Yes
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Basic'
+    'Premium'
+    'Standard'
+  ]
+  ```
+
+### Parameter: `skuObject.capacity`
+
+The specified messaging units for the tier. Only used for Premium Sku tier.
+
+- Required: No
+- Type: int
+
 ### Parameter: `tags`
 
 Tags of the resource.
diff --git a/avm/res/service-bus/namespace/main.bicep b/avm/res/service-bus/namespace/main.bicep
index 7b00c06d4c..4fc4c8953c 100644
--- a/avm/res/service-bus/namespace/main.bicep
+++ b/avm/res/service-bus/namespace/main.bicep
@@ -9,7 +9,7 @@ param name string
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
 
-@description('Required. The SKU of the Service Bus Namespace. Defaulted to Premium for ZoneRedundant configurations by default.')
+@description('Optional. The SKU of the Service Bus Namespace. Defaulted to Premium for ZoneRedundant configurations by default.')
 param skuObject skuType = {
   name: 'Premium'
   capacity: 2
@@ -552,7 +552,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/service-bus/namespace/main.json b/avm/res/service-bus/namespace/main.json
index 8b30c416be..0739b0a333 100644
--- a/avm/res/service-bus/namespace/main.json
+++ b/avm/res/service-bus/namespace/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "6397771352503979306"
+      "version": "0.30.23.60470",
+      "templateHash": "11203076592722611139"
     },
     "name": "Service Bus Namespaces",
     "description": "This module deploys a Service Bus Namespace.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -1142,7 +1142,7 @@
         "capacity": 2
       },
       "metadata": {
-        "description": "Required. The SKU of the Service Bus Namespace. Defaulted to Premium for ZoneRedundant configurations by default."
+        "description": "Optional. The SKU of the Service Bus Namespace. Defaulted to Premium for ZoneRedundant configurations by default."
       }
     },
     "zoneRedundant": {
@@ -1509,8 +1509,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "16659347344675880024"
+              "version": "0.30.23.60470",
+              "templateHash": "4728331591356881277"
             },
             "name": "Service Bus Namespace Authorization Rules",
             "description": "This module deploys a Service Bus Namespace Authorization Rule.",
@@ -1613,8 +1613,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "2437567647402328568"
+              "version": "0.30.23.60470",
+              "templateHash": "1218226237647695558"
             },
             "name": "Service Bus Namespace Disaster Recovery Configs",
             "description": "This module deploys a Service Bus Namespace Disaster Recovery Config",
@@ -1718,8 +1718,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "5021121087195745079"
+              "version": "0.30.23.60470",
+              "templateHash": "16589713685358551002"
             },
             "name": "Service Bus Namespace Migration Configuration",
             "description": "This module deploys a Service Bus Namespace Migration Configuration.",
@@ -1823,8 +1823,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "18220065019802173538"
+              "version": "0.30.23.60470",
+              "templateHash": "10055705590102866988"
             },
             "name": "Service Bus Namespace Network Rule Sets",
             "description": "This module deploys a ServiceBus Namespace Network Rule Set.",
@@ -2023,8 +2023,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "12442268068778335924"
+              "version": "0.30.23.60470",
+              "templateHash": "13425705366730697938"
             },
             "name": "Service Bus Namespace Queue",
             "description": "This module deploys a Service Bus Namespace Queue.",
@@ -2411,8 +2411,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "13378473188831787359"
+                      "version": "0.30.23.60470",
+                      "templateHash": "13793175890494658919"
                     },
                     "name": "Service Bus Namespace Queue Authorization Rules",
                     "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.",
@@ -2592,8 +2592,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "782028791267114581"
+              "version": "0.30.23.60470",
+              "templateHash": "16840842185273289430"
             },
             "name": "Service Bus Namespace Topic",
             "description": "This module deploys a Service Bus Namespace Topic.",
@@ -3089,8 +3089,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "6843568331497160185"
+                      "version": "0.30.23.60470",
+                      "templateHash": "1348283370469099109"
                     },
                     "name": "Service Bus Namespace Topic Authorization Rules",
                     "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.",
@@ -3239,8 +3239,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "13559505347925945415"
+                      "version": "0.30.23.60470",
+                      "templateHash": "2560238010859719670"
                     },
                     "name": "Service Bus Namespace Topic Subscription",
                     "description": "This module deploys a Service Bus Namespace Topic Subscription.",
diff --git a/avm/res/signal-r-service/signal-r/README.md b/avm/res/signal-r-service/signal-r/README.md
index 3612033f31..211ba9d260 100644
--- a/avm/res/signal-r-service/signal-r/README.md
+++ b/avm/res/signal-r-service/signal-r/README.md
@@ -935,15 +935,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -952,6 +950,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/signal-r-service/signal-r/main.bicep b/avm/res/signal-r-service/signal-r/main.bicep
index ece400d2ed..b4803a82a9 100644
--- a/avm/res/signal-r-service/signal-r/main.bicep
+++ b/avm/res/signal-r-service/signal-r/main.bicep
@@ -420,7 +420,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/signal-r-service/signal-r/main.json b/avm/res/signal-r-service/signal-r/main.json
index b6f8656b92..822b12da50 100644
--- a/avm/res/signal-r-service/signal-r/main.json
+++ b/avm/res/signal-r-service/signal-r/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "16576967735793916107"
+      "version": "0.30.23.60470",
+      "templateHash": "18392200258467570081"
     },
     "name": "SignalR Service SignalR",
     "description": "This module deploys a SignalR Service SignalR.",
@@ -214,7 +214,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/signal-r-service/web-pub-sub/README.md b/avm/res/signal-r-service/web-pub-sub/README.md
index c060863897..b2d0df64ec 100644
--- a/avm/res/signal-r-service/web-pub-sub/README.md
+++ b/avm/res/signal-r-service/web-pub-sub/README.md
@@ -910,15 +910,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -927,6 +925,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/signal-r-service/web-pub-sub/main.bicep b/avm/res/signal-r-service/web-pub-sub/main.bicep
index 760511f84b..5961f398e0 100644
--- a/avm/res/signal-r-service/web-pub-sub/main.bicep
+++ b/avm/res/signal-r-service/web-pub-sub/main.bicep
@@ -392,7 +392,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/signal-r-service/web-pub-sub/main.json b/avm/res/signal-r-service/web-pub-sub/main.json
index 51dcc979c6..5eba55a55e 100644
--- a/avm/res/signal-r-service/web-pub-sub/main.json
+++ b/avm/res/signal-r-service/web-pub-sub/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "17348552013839664242"
+      "version": "0.30.23.60470",
+      "templateHash": "7385525531059358555"
     },
     "name": "SignalR Web PubSub Services",
     "description": "This module deploys a SignalR Web PubSub Service.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/sql/server/README.md b/avm/res/sql/server/README.md
index 1869610a60..74874cacc4 100644
--- a/avm/res/sql/server/README.md
+++ b/avm/res/sql/server/README.md
@@ -2047,15 +2047,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2064,6 +2062,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/sql/server/main.bicep b/avm/res/sql/server/main.bicep
index 3919e4655a..6b5adb95f1 100644
--- a/avm/res/sql/server/main.bicep
+++ b/avm/res/sql/server/main.bicep
@@ -612,7 +612,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/sql/server/main.json b/avm/res/sql/server/main.json
index 66bd386f4d..4af86582a2 100644
--- a/avm/res/sql/server/main.json
+++ b/avm/res/sql/server/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "12721468399061919493"
+      "version": "0.30.23.60470",
+      "templateHash": "8810892363183845130"
     },
     "name": "Azure SQL Servers",
     "description": "This module deploys an Azure SQL Server.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -907,8 +907,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "18021918128213514276"
+              "version": "0.30.23.60470",
+              "templateHash": "6415977783551326128"
             },
             "name": "SQL Server Database",
             "description": "This module deploys an Azure SQL Server Database.",
@@ -1389,8 +1389,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "8635162595153731245"
+                      "version": "0.30.23.60470",
+                      "templateHash": "10836519140305169908"
                     },
                     "name": "Azure SQL Server Database Short Term Backup Retention Policies",
                     "description": "This module deploys an Azure SQL Server Database Short-Term Backup Retention Policy.",
@@ -1499,8 +1499,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "2778016138108001251"
+                      "version": "0.30.23.60470",
+                      "templateHash": "10064519186693398262"
                     },
                     "name": "SQL Server Database Long Term Backup Retention Policies",
                     "description": "This module deploys an Azure SQL Server Database Long-Term Backup Retention Policy.",
@@ -1695,8 +1695,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "17774091526328280898"
+              "version": "0.30.23.60470",
+              "templateHash": "15389069656635651285"
             },
             "name": "SQL Server Elastic Pool",
             "description": "This module deploys an Azure SQL Server Elastic Pool.",
@@ -2681,8 +2681,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "7779473510493338097"
+              "version": "0.30.23.60470",
+              "templateHash": "6449556555046717103"
             },
             "name": "Azure SQL Server Firewall Rule",
             "description": "This module deploys an Azure SQL Server Firewall Rule.",
@@ -2789,8 +2789,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "7859066741604114060"
+              "version": "0.30.23.60470",
+              "templateHash": "4969955763304077350"
             },
             "name": "Azure SQL Server Virtual Network Rules",
             "description": "This module deploys an Azure SQL Server Virtual Network Rule.",
@@ -2911,8 +2911,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "6025191760768766090"
+              "version": "0.30.23.60470",
+              "templateHash": "15406914222375641032"
             },
             "name": "Azure SQL Server Security Alert Policies",
             "description": "This module deploys an Azure SQL Server Security Alert Policy.",
@@ -3072,8 +3072,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "5682596516926040129"
+              "version": "0.30.23.60470",
+              "templateHash": "11004049200994426011"
             },
             "name": "Azure SQL Server Vulnerability Assessments",
             "description": "This module deploys an Azure SQL Server Vulnerability Assessment.",
@@ -3175,8 +3175,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "17251889896692066430"
+                      "version": "0.30.23.60470",
+                      "templateHash": "13956215614091387428"
                     }
                   },
                   "parameters": {
@@ -3268,8 +3268,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "5863771213375512760"
+              "version": "0.30.23.60470",
+              "templateHash": "17839617504395216689"
             },
             "name": "Azure SQL Server Keys",
             "description": "This module deploys an Azure SQL Server Key.",
@@ -3391,8 +3391,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "6914924378490463775"
+              "version": "0.30.23.60470",
+              "templateHash": "11473914706327458055"
             },
             "name": "Azure SQL Server Encryption Protector",
             "description": "This module deploys an Azure SQL Server Encryption Protector.",
@@ -3524,8 +3524,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "4165841300638093382"
+              "version": "0.30.23.60470",
+              "templateHash": "2456263707393734456"
             },
             "name": "Azure SQL Server Audit Settings",
             "description": "This module deploys an Azure SQL Server Audit Settings.",
@@ -3663,8 +3663,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.29.47.4906",
-                      "templateHash": "17251889896692066430"
+                      "version": "0.30.23.60470",
+                      "templateHash": "13956215614091387428"
                     }
                   },
                   "parameters": {
@@ -3751,8 +3751,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "594547303316002116"
+              "version": "0.30.23.60470",
+              "templateHash": "16142913599202614386"
             }
           },
           "definitions": {
diff --git a/avm/res/storage/storage-account/README.md b/avm/res/storage/storage-account/README.md
index b5105ee977..2b3bd61fc5 100644
--- a/avm/res/storage/storage-account/README.md
+++ b/avm/res/storage/storage-account/README.md
@@ -3830,15 +3830,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint ip address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private ip addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint ip address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -3847,6 +3845,13 @@ A list of private ip addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/storage/storage-account/main.bicep b/avm/res/storage/storage-account/main.bicep
index 8e491ac177..f570fafc74 100644
--- a/avm/res/storage/storage-account/main.bicep
+++ b/avm/res/storage/storage-account/main.bicep
@@ -831,7 +831,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint ip address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private ip addresses of the private endpoint.')
diff --git a/avm/res/storage/storage-account/main.json b/avm/res/storage/storage-account/main.json
index b6d1cc5d74..f2b6a4603d 100644
--- a/avm/res/storage/storage-account/main.json
+++ b/avm/res/storage/storage-account/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "7109049210516898074"
+      "templateHash": "14816410578282611145"
     },
     "name": "Storage Accounts",
     "description": "This module deploys a Storage Account.",
@@ -307,7 +307,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint ip address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -3900,7 +3900,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "6947504466788447852"
+              "templateHash": "7439864435097753769"
             },
             "name": "Storage Account Queue Services",
             "description": "This module deploys a Storage Account Queue Service.",
@@ -4145,7 +4145,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.30.23.60470",
-                      "templateHash": "6090221832347220924"
+                      "templateHash": "13351606092620772899"
                     },
                     "name": "Storage Account Queues",
                     "description": "This module deploys a Storage Account Queue.",
@@ -4244,7 +4244,7 @@
                       "type": "object",
                       "defaultValue": {},
                       "metadata": {
-                        "description": "Required. A name-value pair that represents queue metadata."
+                        "description": "Optional. A name-value pair that represents queue metadata."
                       }
                     },
                     "roleAssignments": {
@@ -5097,4 +5097,4 @@
       "value": "[if(not(equals(parameters('secretsExportConfiguration'), null())), toObject(reference('secretsExport').outputs.secretsSet.value, lambda('secret', last(split(lambdaVariables('secret').secretResourceId, '/'))), lambda('secret', lambdaVariables('secret'))), createObject())]"
     }
   }
-}
+}
\ No newline at end of file
diff --git a/avm/res/storage/storage-account/queue-service/main.json b/avm/res/storage/storage-account/queue-service/main.json
index 6fc76d0b47..0db1650a88 100644
--- a/avm/res/storage/storage-account/queue-service/main.json
+++ b/avm/res/storage/storage-account/queue-service/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "6947504466788447852"
+      "templateHash": "7439864435097753769"
     },
     "name": "Storage Account Queue Services",
     "description": "This module deploys a Storage Account Queue Service.",
@@ -251,7 +251,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "6090221832347220924"
+              "templateHash": "13351606092620772899"
             },
             "name": "Storage Account Queues",
             "description": "This module deploys a Storage Account Queue.",
@@ -350,7 +350,7 @@
               "type": "object",
               "defaultValue": {},
               "metadata": {
-                "description": "Required. A name-value pair that represents queue metadata."
+                "description": "Optional. A name-value pair that represents queue metadata."
               }
             },
             "roleAssignments": {
diff --git a/avm/res/storage/storage-account/queue-service/queue/README.md b/avm/res/storage/storage-account/queue-service/queue/README.md
index 140ca97388..901bd14104 100644
--- a/avm/res/storage/storage-account/queue-service/queue/README.md
+++ b/avm/res/storage/storage-account/queue-service/queue/README.md
@@ -21,7 +21,6 @@ This module deploys a Storage Account Queue.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`metadata`](#parameter-metadata) | object | A name-value pair that represents queue metadata. |
 | [`name`](#parameter-name) | string | The name of the storage queue to deploy. |
 
 **Conditional parameters**
@@ -34,16 +33,9 @@ This module deploys a Storage Account Queue.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`metadata`](#parameter-metadata) | object | A name-value pair that represents queue metadata. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 
-### Parameter: `metadata`
-
-A name-value pair that represents queue metadata.
-
-- Required: No
-- Type: object
-- Default: `{}`
-
 ### Parameter: `name`
 
 The name of the storage queue to deploy.
@@ -58,6 +50,14 @@ The name of the parent Storage Account. Required if the template is used in a st
 - Required: Yes
 - Type: string
 
+### Parameter: `metadata`
+
+A name-value pair that represents queue metadata.
+
+- Required: No
+- Type: object
+- Default: `{}`
+
 ### Parameter: `roleAssignments`
 
 Array of role assignments to create.
diff --git a/avm/res/storage/storage-account/queue-service/queue/main.bicep b/avm/res/storage/storage-account/queue-service/queue/main.bicep
index 4b0f656ef0..bc8bcac2c6 100644
--- a/avm/res/storage/storage-account/queue-service/queue/main.bicep
+++ b/avm/res/storage/storage-account/queue-service/queue/main.bicep
@@ -9,7 +9,7 @@ param storageAccountName string
 @description('Required. The name of the storage queue to deploy.')
 param name string
 
-@description('Required. A name-value pair that represents queue metadata.')
+@description('Optional. A name-value pair that represents queue metadata.')
 param metadata object = {}
 
 @description('Optional. Array of role assignments to create.')
diff --git a/avm/res/storage/storage-account/queue-service/queue/main.json b/avm/res/storage/storage-account/queue-service/queue/main.json
index 2aad9fefb2..a83d2a6292 100644
--- a/avm/res/storage/storage-account/queue-service/queue/main.json
+++ b/avm/res/storage/storage-account/queue-service/queue/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "6090221832347220924"
+      "templateHash": "13351606092620772899"
     },
     "name": "Storage Account Queues",
     "description": "This module deploys a Storage Account Queue.",
@@ -105,7 +105,7 @@
       "type": "object",
       "defaultValue": {},
       "metadata": {
-        "description": "Required. A name-value pair that represents queue metadata."
+        "description": "Optional. A name-value pair that represents queue metadata."
       }
     },
     "roleAssignments": {
diff --git a/avm/res/synapse/private-link-hub/README.md b/avm/res/synapse/private-link-hub/README.md
index d0dba94113..db18dfbadc 100644
--- a/avm/res/synapse/private-link-hub/README.md
+++ b/avm/res/synapse/private-link-hub/README.md
@@ -598,15 +598,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -615,6 +613,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/synapse/private-link-hub/main.bicep b/avm/res/synapse/private-link-hub/main.bicep
index 60406e8ea0..b0669167de 100644
--- a/avm/res/synapse/private-link-hub/main.bicep
+++ b/avm/res/synapse/private-link-hub/main.bicep
@@ -256,7 +256,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/synapse/private-link-hub/main.json b/avm/res/synapse/private-link-hub/main.json
index bdf5c2772a..0f6e41099b 100644
--- a/avm/res/synapse/private-link-hub/main.json
+++ b/avm/res/synapse/private-link-hub/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "6865603283108816559"
+      "version": "0.30.23.60470",
+      "templateHash": "11580034515425711922"
     },
     "name": "Azure Synapse Analytics",
     "description": "This module deploys an Azure Synapse Analytics (Private Link Hub).",
@@ -214,7 +214,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
diff --git a/avm/res/synapse/workspace/README.md b/avm/res/synapse/workspace/README.md
index 5e52048a3a..b3c6f94efb 100644
--- a/avm/res/synapse/workspace/README.md
+++ b/avm/res/synapse/workspace/README.md
@@ -1649,7 +1649,7 @@ The managed identity definition for this resource.
 
 The resource ID(s) to assign to the resource.
 
-- Required: Yes
+- Required: No
 - Type: array
 
 ### Parameter: `managedResourceGroupName`
@@ -1742,15 +1742,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -1759,6 +1757,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/synapse/workspace/main.bicep b/avm/res/synapse/workspace/main.bicep
index e67c879082..36f43b2715 100644
--- a/avm/res/synapse/workspace/main.bicep
+++ b/avm/res/synapse/workspace/main.bicep
@@ -455,7 +455,7 @@ output privateEndpoints array = [
 
 type managedIdentitiesType = {
   @description('Optional. The resource ID(s) to assign to the resource.')
-  userAssignedResourceIds: string[]
+  userAssignedResourceIds: string[]?
 }?
 
 type lockType = {
@@ -532,7 +532,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/synapse/workspace/main.json b/avm/res/synapse/workspace/main.json
index a423ffb5a8..fe2f7f7090 100644
--- a/avm/res/synapse/workspace/main.json
+++ b/avm/res/synapse/workspace/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "3075067451671021037"
+      "version": "0.30.23.60470",
+      "templateHash": "13977544414417545286"
     },
     "name": "Synapse Workspaces",
     "description": "This module deploys a Synapse Workspace.",
@@ -21,6 +21,7 @@
           "items": {
             "type": "string"
           },
+          "nullable": true,
           "metadata": {
             "description": "Optional. The resource ID(s) to assign to the resource."
           }
@@ -228,7 +229,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -925,8 +926,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "4134219125418987684"
+              "version": "0.30.23.60470",
+              "templateHash": "2875700223215345190"
             },
             "name": "Synapse Workspace Integration Runtimes",
             "description": "This module deploys a Synapse Workspace Integration Runtime.",
@@ -1023,8 +1024,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "4045748488403006026"
+              "version": "0.30.23.60470",
+              "templateHash": "6457069339265019781"
             }
           },
           "parameters": {
@@ -1111,8 +1112,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "6170014210030770909"
+              "version": "0.30.23.60470",
+              "templateHash": "15229329511207297146"
             },
             "name": "Synapse Workspaces Keys",
             "description": "This module deploys a Synapse Workspaces Key.",
@@ -1219,8 +1220,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "15890618337043813918"
+              "version": "0.30.23.60470",
+              "templateHash": "11234358964964275645"
             },
             "name": "Synapse Workspaces Administrators",
             "description": "This module deploys Synapse Workspaces Administrators.",
@@ -1334,8 +1335,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "6729418057172891787"
+              "version": "0.30.23.60470",
+              "templateHash": "1410907925603155251"
             },
             "name": "Synapse Workspaces Firewall Rules",
             "description": "This module deploys Synapse Workspaces Firewall Rules.",
diff --git a/avm/res/web/site/README.md b/avm/res/web/site/README.md
index 3707f7303e..333e5cfddf 100644
--- a/avm/res/web/site/README.md
+++ b/avm/res/web/site/README.md
@@ -3563,15 +3563,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -3580,6 +3578,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/web/site/basic-publishing-credentials-policy/main.json b/avm/res/web/site/basic-publishing-credentials-policy/main.json
index 8da044cc21..2d779d2d14 100644
--- a/avm/res/web/site/basic-publishing-credentials-policy/main.json
+++ b/avm/res/web/site/basic-publishing-credentials-policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "17116264484298889418"
+      "version": "0.30.23.60470",
+      "templateHash": "15847824660831257384"
     },
     "name": "Web Site Basic Publishing Credentials Policies",
     "description": "This module deploys a Web Site Basic Publishing Credentials Policy.",
diff --git a/avm/res/web/site/config--appsettings/main.json b/avm/res/web/site/config--appsettings/main.json
index c26bb7c405..0a244e922c 100644
--- a/avm/res/web/site/config--appsettings/main.json
+++ b/avm/res/web/site/config--appsettings/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "13784573514230124302"
+      "version": "0.30.23.60470",
+      "templateHash": "10845600494881775271"
     },
     "name": "Site App Settings",
     "description": "This module deploys a Site App Setting.",
diff --git a/avm/res/web/site/config--authsettingsv2/main.json b/avm/res/web/site/config--authsettingsv2/main.json
index 60f657ccb7..34f9f10696 100644
--- a/avm/res/web/site/config--authsettingsv2/main.json
+++ b/avm/res/web/site/config--authsettingsv2/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "5141699950067054376"
+      "version": "0.30.23.60470",
+      "templateHash": "7782125422759995841"
     },
     "name": "Site Auth Settings V2 Config",
     "description": "This module deploys a Site Auth Settings V2 Configuration.",
diff --git a/avm/res/web/site/config--logs/README.md b/avm/res/web/site/config--logs/README.md
index a40f16313f..12ed9ed5ab 100644
--- a/avm/res/web/site/config--logs/README.md
+++ b/avm/res/web/site/config--logs/README.md
@@ -21,6 +21,11 @@ This module deploys a Site logs Configuration.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`appName`](#parameter-appname) | string | The name of the parent site resource. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
 | [`logsConfiguration`](#parameter-logsconfiguration) | object | The logs settings configuration. |
 
 ### Parameter: `appName`
diff --git a/avm/res/web/site/config--logs/main.bicep b/avm/res/web/site/config--logs/main.bicep
index 121c774ba3..7b8da4ca0f 100644
--- a/avm/res/web/site/config--logs/main.bicep
+++ b/avm/res/web/site/config--logs/main.bicep
@@ -5,7 +5,7 @@ metadata owner = 'Azure/module-maintainers'
 @description('Required. The name of the parent site resource.')
 param appName string
 
-@description('Required. The logs settings configuration.')
+@description('Optional. The logs settings configuration.')
 param logsConfiguration object?
 
 resource app 'Microsoft.Web/sites@2023-12-01' existing = {
diff --git a/avm/res/web/site/config--logs/main.json b/avm/res/web/site/config--logs/main.json
index ef01ed7c59..b22108e5fe 100644
--- a/avm/res/web/site/config--logs/main.json
+++ b/avm/res/web/site/config--logs/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "15476128515731477399"
+      "version": "0.30.23.60470",
+      "templateHash": "2527104715221107836"
     },
     "name": "Site logs Config",
     "description": "This module deploys a Site logs Configuration.",
@@ -23,7 +23,7 @@
       "type": "object",
       "nullable": true,
       "metadata": {
-        "description": "Required. The logs settings configuration."
+        "description": "Optional. The logs settings configuration."
       }
     }
   },
diff --git a/avm/res/web/site/config--web/README.md b/avm/res/web/site/config--web/README.md
index 2b2aa8f695..11557f6693 100644
--- a/avm/res/web/site/config--web/README.md
+++ b/avm/res/web/site/config--web/README.md
@@ -20,15 +20,13 @@ This module deploys a Site Api Management Configuration.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`apiManagementConfiguration`](#parameter-apimanagementconfiguration) | object | The web settings api management configuration. |
 | [`appName`](#parameter-appname) | string | The name of the parent site resource. |
 
-### Parameter: `apiManagementConfiguration`
-
-The web settings api management configuration.
+**Optional parameters**
 
-- Required: No
-- Type: object
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`apiManagementConfiguration`](#parameter-apimanagementconfiguration) | object | The web settings api management configuration. |
 
 ### Parameter: `appName`
 
@@ -37,6 +35,13 @@ The name of the parent site resource.
 - Required: Yes
 - Type: string
 
+### Parameter: `apiManagementConfiguration`
+
+The web settings api management configuration.
+
+- Required: No
+- Type: object
+
 ## Outputs
 
 | Output | Type | Description |
diff --git a/avm/res/web/site/config--web/main.bicep b/avm/res/web/site/config--web/main.bicep
index cf98084065..6380556789 100644
--- a/avm/res/web/site/config--web/main.bicep
+++ b/avm/res/web/site/config--web/main.bicep
@@ -5,7 +5,7 @@ metadata owner = 'Azure/module-maintainers'
 @description('Required. The name of the parent site resource.')
 param appName string
 
-@description('Required. The web settings api management configuration.')
+@description('Optional. The web settings api management configuration.')
 param apiManagementConfiguration object?
 
 resource app 'Microsoft.Web/sites@2023-12-01' existing = {
diff --git a/avm/res/web/site/config--web/main.json b/avm/res/web/site/config--web/main.json
index b70a359ef2..75a81a9720 100644
--- a/avm/res/web/site/config--web/main.json
+++ b/avm/res/web/site/config--web/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "7638371671246573627"
+      "version": "0.30.23.60470",
+      "templateHash": "18186736059685095806"
     },
     "name": "Site Api Management Config",
     "description": "This module deploys a Site Api Management Configuration.",
@@ -23,7 +23,7 @@
       "type": "object",
       "nullable": true,
       "metadata": {
-        "description": "Required. The web settings api management configuration."
+        "description": "Optional. The web settings api management configuration."
       }
     }
   },
diff --git a/avm/res/web/site/extensions--msdeploy/README.md b/avm/res/web/site/extensions--msdeploy/README.md
index 0def3b7ba3..5e606af88c 100644
--- a/avm/res/web/site/extensions--msdeploy/README.md
+++ b/avm/res/web/site/extensions--msdeploy/README.md
@@ -21,6 +21,11 @@ This module deploys a Site extension for MSDeploy.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`appName`](#parameter-appname) | string | The name of the parent site resource. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
 | [`msDeployConfiguration`](#parameter-msdeployconfiguration) | object | Sets the MSDeployment Properties. |
 
 ### Parameter: `appName`
diff --git a/avm/res/web/site/extensions--msdeploy/main.bicep b/avm/res/web/site/extensions--msdeploy/main.bicep
index 3e0e6401e0..bf4220cf51 100644
--- a/avm/res/web/site/extensions--msdeploy/main.bicep
+++ b/avm/res/web/site/extensions--msdeploy/main.bicep
@@ -5,7 +5,7 @@ metadata owner = 'Azure/module-maintainers'
 @description('Required. The name of the parent site resource.')
 param appName string
 
-@description('Required. Sets the MSDeployment Properties.')
+@description('Optional. Sets the MSDeployment Properties.')
 param msDeployConfiguration object?
 
 resource app 'Microsoft.Web/sites@2023-12-01' existing = {
diff --git a/avm/res/web/site/extensions--msdeploy/main.json b/avm/res/web/site/extensions--msdeploy/main.json
index 67eee5dffa..069239c100 100644
--- a/avm/res/web/site/extensions--msdeploy/main.json
+++ b/avm/res/web/site/extensions--msdeploy/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "6041792177778980481"
+      "version": "0.30.23.60470",
+      "templateHash": "10249716032875912201"
     },
     "name": "Site Deployment Extension ",
     "description": "This module deploys a Site extension for MSDeploy.",
@@ -23,7 +23,7 @@
       "type": "object",
       "nullable": true,
       "metadata": {
-        "description": "Required. Sets the MSDeployment Properties."
+        "description": "Optional. Sets the MSDeployment Properties."
       }
     }
   },
diff --git a/avm/res/web/site/hybrid-connection-namespace/relay/main.json b/avm/res/web/site/hybrid-connection-namespace/relay/main.json
index 0ec1bcc173..bac0f9d832 100644
--- a/avm/res/web/site/hybrid-connection-namespace/relay/main.json
+++ b/avm/res/web/site/hybrid-connection-namespace/relay/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "9740773215195883934"
+      "version": "0.30.23.60470",
+      "templateHash": "9545759447796150909"
     },
     "name": "Web/Function Apps Hybrid Connection Relay",
     "description": "This module deploys a Site Hybrid Connection Namespace Relay.",
diff --git a/avm/res/web/site/main.bicep b/avm/res/web/site/main.bicep
index 6543521431..01a9f7a228 100644
--- a/avm/res/web/site/main.bicep
+++ b/avm/res/web/site/main.bicep
@@ -657,7 +657,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/web/site/main.json b/avm/res/web/site/main.json
index aee82a8585..3df6f5d784 100644
--- a/avm/res/web/site/main.json
+++ b/avm/res/web/site/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "6864173112039216012"
+      "version": "0.30.23.60470",
+      "templateHash": "15895523310817597793"
     },
     "name": "Web/Function Apps",
     "description": "This module deploys a Web or Function App.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -1018,8 +1018,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "13784573514230124302"
+              "version": "0.30.23.60470",
+              "templateHash": "10845600494881775271"
             },
             "name": "Site App Settings",
             "description": "This module deploys a Site App Setting.",
@@ -1182,8 +1182,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "5141699950067054376"
+              "version": "0.30.23.60470",
+              "templateHash": "7782125422759995841"
             },
             "name": "Site Auth Settings V2 Config",
             "description": "This module deploys a Site Auth Settings V2 Configuration.",
@@ -1286,8 +1286,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "15476128515731477399"
+              "version": "0.30.23.60470",
+              "templateHash": "2527104715221107836"
             },
             "name": "Site logs Config",
             "description": "This module deploys a Site logs Configuration.",
@@ -1304,7 +1304,7 @@
               "type": "object",
               "nullable": true,
               "metadata": {
-                "description": "Required. The logs settings configuration."
+                "description": "Optional. The logs settings configuration."
               }
             }
           },
@@ -1381,8 +1381,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "7638371671246573627"
+              "version": "0.30.23.60470",
+              "templateHash": "18186736059685095806"
             },
             "name": "Site Api Management Config",
             "description": "This module deploys a Site Api Management Configuration.",
@@ -1399,7 +1399,7 @@
               "type": "object",
               "nullable": true,
               "metadata": {
-                "description": "Required. The web settings api management configuration."
+                "description": "Optional. The web settings api management configuration."
               }
             }
           },
@@ -1475,8 +1475,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "6041792177778980481"
+              "version": "0.30.23.60470",
+              "templateHash": "10249716032875912201"
             },
             "name": "Site Deployment Extension ",
             "description": "This module deploys a Site extension for MSDeploy.",
@@ -1493,7 +1493,7 @@
               "type": "object",
               "nullable": true,
               "metadata": {
-                "description": "Required. Sets the MSDeployment Properties."
+                "description": "Optional. Sets the MSDeployment Properties."
               }
             }
           },
@@ -1697,8 +1697,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "12989347170911346864"
+              "version": "0.30.23.60470",
+              "templateHash": "2418467213841620758"
             },
             "name": "Web/Function App Deployment Slots",
             "description": "This module deploys a Web or Function App Deployment Slot.",
@@ -1929,7 +1929,7 @@
                           "type": "string",
                           "nullable": true,
                           "metadata": {
-                            "description": "Required. Fqdn that resolves to private endpoint IP address."
+                            "description": "Optional. FQDN that resolves to private endpoint IP address."
                           }
                         },
                         "ipAddresses": {
@@ -2678,8 +2678,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.3.12046",
-                      "templateHash": "831233374953684624"
+                      "version": "0.30.23.60470",
+                      "templateHash": "3011151783207983935"
                     },
                     "name": "Site Slot App Settings",
                     "description": "This module deploys a Site Slot App Setting.",
@@ -2861,8 +2861,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.3.12046",
-                      "templateHash": "1793943127677832192"
+                      "version": "0.30.23.60470",
+                      "templateHash": "7842363652527859767"
                     },
                     "name": "Site Slot Auth Settings V2 Config",
                     "description": "This module deploys a Site Auth Settings V2 Configuration.",
@@ -2983,8 +2983,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.3.12046",
-                      "templateHash": "3658885600663423622"
+                      "version": "0.30.23.60470",
+                      "templateHash": "1564349757337430633"
                     },
                     "name": "Web Site Slot Basic Publishing Credentials Policies",
                     "description": "This module deploys a Web Site Slot Basic Publishing Credentials Policy.",
@@ -3109,8 +3109,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.3.12046",
-                      "templateHash": "15904319483580637456"
+                      "version": "0.30.23.60470",
+                      "templateHash": "12569198723769767672"
                     },
                     "name": "Web/Function Apps Slot Hybrid Connection Relay",
                     "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.",
@@ -3215,8 +3215,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.3.12046",
-                      "templateHash": "6041792177778980481"
+                      "version": "0.30.23.60470",
+                      "templateHash": "10249716032875912201"
                     },
                     "name": "Site Deployment Extension ",
                     "description": "This module deploys a Site extension for MSDeploy.",
@@ -3233,7 +3233,7 @@
                       "type": "object",
                       "nullable": true,
                       "metadata": {
-                        "description": "Required. Sets the MSDeployment Properties."
+                        "description": "Optional. Sets the MSDeployment Properties."
                       }
                     }
                   },
@@ -4144,8 +4144,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "17116264484298889418"
+              "version": "0.30.23.60470",
+              "templateHash": "15847824660831257384"
             },
             "name": "Web Site Basic Publishing Credentials Policies",
             "description": "This module deploys a Web Site Basic Publishing Credentials Policy.",
@@ -4260,8 +4260,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "9740773215195883934"
+              "version": "0.30.23.60470",
+              "templateHash": "9545759447796150909"
             },
             "name": "Web/Function Apps Hybrid Connection Relay",
             "description": "This module deploys a Site Hybrid Connection Namespace Relay.",
diff --git a/avm/res/web/site/slot/README.md b/avm/res/web/site/slot/README.md
index c175c19291..99b234b7e0 100644
--- a/avm/res/web/site/slot/README.md
+++ b/avm/res/web/site/slot/README.md
@@ -571,15 +571,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -588,6 +586,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/web/site/slot/basic-publishing-credentials-policy/main.json b/avm/res/web/site/slot/basic-publishing-credentials-policy/main.json
index 12497b8b75..d18f65520b 100644
--- a/avm/res/web/site/slot/basic-publishing-credentials-policy/main.json
+++ b/avm/res/web/site/slot/basic-publishing-credentials-policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "3658885600663423622"
+      "version": "0.30.23.60470",
+      "templateHash": "1564349757337430633"
     },
     "name": "Web Site Slot Basic Publishing Credentials Policies",
     "description": "This module deploys a Web Site Slot Basic Publishing Credentials Policy.",
diff --git a/avm/res/web/site/slot/config--appsettings/main.json b/avm/res/web/site/slot/config--appsettings/main.json
index 91794cde8f..e3b453acd4 100644
--- a/avm/res/web/site/slot/config--appsettings/main.json
+++ b/avm/res/web/site/slot/config--appsettings/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "831233374953684624"
+      "version": "0.30.23.60470",
+      "templateHash": "3011151783207983935"
     },
     "name": "Site Slot App Settings",
     "description": "This module deploys a Site Slot App Setting.",
diff --git a/avm/res/web/site/slot/config--authsettingsv2/main.json b/avm/res/web/site/slot/config--authsettingsv2/main.json
index 4689c49c5d..c68af5ca88 100644
--- a/avm/res/web/site/slot/config--authsettingsv2/main.json
+++ b/avm/res/web/site/slot/config--authsettingsv2/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "1793943127677832192"
+      "version": "0.30.23.60470",
+      "templateHash": "7842363652527859767"
     },
     "name": "Site Slot Auth Settings V2 Config",
     "description": "This module deploys a Site Auth Settings V2 Configuration.",
diff --git a/avm/res/web/site/slot/extensions--msdeploy/README.md b/avm/res/web/site/slot/extensions--msdeploy/README.md
index cc50e99fbb..f52c7e19c3 100644
--- a/avm/res/web/site/slot/extensions--msdeploy/README.md
+++ b/avm/res/web/site/slot/extensions--msdeploy/README.md
@@ -21,6 +21,11 @@ This module deploys a Site extension for MSDeploy.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`appName`](#parameter-appname) | string | The name of the parent site resource. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
 | [`msDeployConfiguration`](#parameter-msdeployconfiguration) | object | Sets the MSDeployment Properties. |
 
 ### Parameter: `appName`
diff --git a/avm/res/web/site/slot/extensions--msdeploy/main.bicep b/avm/res/web/site/slot/extensions--msdeploy/main.bicep
index 3e0e6401e0..bf4220cf51 100644
--- a/avm/res/web/site/slot/extensions--msdeploy/main.bicep
+++ b/avm/res/web/site/slot/extensions--msdeploy/main.bicep
@@ -5,7 +5,7 @@ metadata owner = 'Azure/module-maintainers'
 @description('Required. The name of the parent site resource.')
 param appName string
 
-@description('Required. Sets the MSDeployment Properties.')
+@description('Optional. Sets the MSDeployment Properties.')
 param msDeployConfiguration object?
 
 resource app 'Microsoft.Web/sites@2023-12-01' existing = {
diff --git a/avm/res/web/site/slot/extensions--msdeploy/main.json b/avm/res/web/site/slot/extensions--msdeploy/main.json
index 67eee5dffa..069239c100 100644
--- a/avm/res/web/site/slot/extensions--msdeploy/main.json
+++ b/avm/res/web/site/slot/extensions--msdeploy/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "6041792177778980481"
+      "version": "0.30.23.60470",
+      "templateHash": "10249716032875912201"
     },
     "name": "Site Deployment Extension ",
     "description": "This module deploys a Site extension for MSDeploy.",
@@ -23,7 +23,7 @@
       "type": "object",
       "nullable": true,
       "metadata": {
-        "description": "Required. Sets the MSDeployment Properties."
+        "description": "Optional. Sets the MSDeployment Properties."
       }
     }
   },
diff --git a/avm/res/web/site/slot/hybrid-connection-namespace/relay/main.json b/avm/res/web/site/slot/hybrid-connection-namespace/relay/main.json
index b72c79cc1e..accf1b996d 100644
--- a/avm/res/web/site/slot/hybrid-connection-namespace/relay/main.json
+++ b/avm/res/web/site/slot/hybrid-connection-namespace/relay/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "15904319483580637456"
+      "version": "0.30.23.60470",
+      "templateHash": "12569198723769767672"
     },
     "name": "Web/Function Apps Slot Hybrid Connection Relay",
     "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.",
diff --git a/avm/res/web/site/slot/main.bicep b/avm/res/web/site/slot/main.bicep
index a6f583ab44..2b560f783c 100644
--- a/avm/res/web/site/slot/main.bicep
+++ b/avm/res/web/site/slot/main.bicep
@@ -534,7 +534,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/web/site/slot/main.json b/avm/res/web/site/slot/main.json
index abe3b4ac41..2607658182 100644
--- a/avm/res/web/site/slot/main.json
+++ b/avm/res/web/site/slot/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "12989347170911346864"
+      "version": "0.30.23.60470",
+      "templateHash": "2418467213841620758"
     },
     "name": "Web/Function App Deployment Slots",
     "description": "This module deploys a Web or Function App Deployment Slot.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -986,8 +986,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "831233374953684624"
+              "version": "0.30.23.60470",
+              "templateHash": "3011151783207983935"
             },
             "name": "Site Slot App Settings",
             "description": "This module deploys a Site Slot App Setting.",
@@ -1169,8 +1169,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "1793943127677832192"
+              "version": "0.30.23.60470",
+              "templateHash": "7842363652527859767"
             },
             "name": "Site Slot Auth Settings V2 Config",
             "description": "This module deploys a Site Auth Settings V2 Configuration.",
@@ -1291,8 +1291,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "3658885600663423622"
+              "version": "0.30.23.60470",
+              "templateHash": "1564349757337430633"
             },
             "name": "Web Site Slot Basic Publishing Credentials Policies",
             "description": "This module deploys a Web Site Slot Basic Publishing Credentials Policy.",
@@ -1417,8 +1417,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "15904319483580637456"
+              "version": "0.30.23.60470",
+              "templateHash": "12569198723769767672"
             },
             "name": "Web/Function Apps Slot Hybrid Connection Relay",
             "description": "This module deploys a Site Slot Hybrid Connection Namespace Relay.",
@@ -1523,8 +1523,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "6041792177778980481"
+              "version": "0.30.23.60470",
+              "templateHash": "10249716032875912201"
             },
             "name": "Site Deployment Extension ",
             "description": "This module deploys a Site extension for MSDeploy.",
@@ -1541,7 +1541,7 @@
               "type": "object",
               "nullable": true,
               "metadata": {
-                "description": "Required. Sets the MSDeployment Properties."
+                "description": "Optional. Sets the MSDeployment Properties."
               }
             }
           },
diff --git a/avm/res/web/static-site/README.md b/avm/res/web/static-site/README.md
index fda575fffb..0fc8ad5a31 100644
--- a/avm/res/web/static-site/README.md
+++ b/avm/res/web/static-site/README.md
@@ -874,15 +874,13 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-Fqdn that resolves to private endpoint IP address.
+**Optional parameters**
 
-- Required: No
-- Type: string
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -891,6 +889,13 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
+
+FQDN that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
 The custom name of the network interface attached to the private endpoint.
diff --git a/avm/res/web/static-site/main.bicep b/avm/res/web/static-site/main.bicep
index c4c51912de..d481b9055e 100644
--- a/avm/res/web/static-site/main.bicep
+++ b/avm/res/web/static-site/main.bicep
@@ -408,7 +408,7 @@ type privateEndpointType = {
 
   @description('Optional. Custom DNS configurations.')
   customDnsConfigs: {
-    @description('Required. Fqdn that resolves to private endpoint IP address.')
+    @description('Optional. FQDN that resolves to private endpoint IP address.')
     fqdn: string?
 
     @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/res/web/static-site/main.json b/avm/res/web/static-site/main.json
index 490b5bd6df..8ca2581063 100644
--- a/avm/res/web/static-site/main.json
+++ b/avm/res/web/static-site/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "9780314991768462863"
+      "version": "0.30.23.60470",
+      "templateHash": "6778188667859767695"
     },
     "name": "Static Web Apps",
     "description": "This module deploys a Static Web App.",
@@ -237,7 +237,7 @@
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Required. Fqdn that resolves to private endpoint IP address."
+                    "description": "Optional. FQDN that resolves to private endpoint IP address."
                   }
                 },
                 "ipAddresses": {
@@ -647,8 +647,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "12808204824131403769"
+              "version": "0.30.23.60470",
+              "templateHash": "850520350862215676"
             },
             "name": "Static Web App Site Linked Backends",
             "description": "This module deploys a Custom Function App into a Static Web App Site using the Linked Backends property.",
@@ -749,8 +749,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "6259766574135261184"
+              "version": "0.30.23.60470",
+              "templateHash": "1193937759400806376"
             },
             "name": "Static Web App Site Config",
             "description": "This module deploys a Static Web App Site Config.",
@@ -844,8 +844,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "6259766574135261184"
+              "version": "0.30.23.60470",
+              "templateHash": "1193937759400806376"
             },
             "name": "Static Web App Site Config",
             "description": "This module deploys a Static Web App Site Config.",
@@ -940,8 +940,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "4543869723891386084"
+              "version": "0.30.23.60470",
+              "templateHash": "777053581790816891"
             },
             "name": "Static Web App Site Custom Domains",
             "description": "This module deploys a Static Web App Site Custom Domain.",
diff --git a/avm/utl/types/avm-common-types/main.bicep b/avm/utl/types/avm-common-types/main.bicep
index 01f8e79c97..ea0706103f 100644
--- a/avm/utl/types/avm-common-types/main.bicep
+++ b/avm/utl/types/avm-common-types/main.bicep
@@ -221,7 +221,7 @@ type privateEndpointPrivateDnsZoneGroupType = {
 }
 
 type privateEndpointCustomDnsConfigType = {
-  @description('Required. Fqdn that resolves to private endpoint IP address.')
+  @description('Optional. FQDN that resolves to private endpoint IP address.')
   fqdn: string?
 
   @description('Required. A list of private IP addresses of the private endpoint.')
diff --git a/avm/utl/types/avm-common-types/main.json b/avm/utl/types/avm-common-types/main.json
index 34218bb4a6..85969026ff 100644
--- a/avm/utl/types/avm-common-types/main.json
+++ b/avm/utl/types/avm-common-types/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "16862752319174543465"
+      "templateHash": "10247512052602214331"
     },
     "name": "Default interface types for AVM modules",
     "description": "This module provides you with all common variants for AVM interfaces to be used in AVM modules.\n\nDetails for how to implement these interfaces can be found in the AVM documentation [here](https://azure.github.io/Azure-Verified-Modules/specs/shared/interfaces).\n",
@@ -520,7 +520,7 @@
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Required. Fqdn that resolves to private endpoint IP address."
+            "description": "Optional. FQDN that resolves to private endpoint IP address."
           }
         },
         "ipAddresses": {

From 71226ac3344ed357b1e7caa9840cf8fd96254e1f Mon Sep 17 00:00:00 2001
From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com>
Date: Fri, 25 Oct 2024 10:54:05 +0100
Subject: [PATCH 09/13] fix: Service Bus Auth Rules for Topics (#3505)

## Description

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes #123
Fixes #456
Closes #123
Closes #456


-->

Closes #2908

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.service-bus.namespace](https://github.com/ChrisSidebotham/bicep-registry-modules/actions/workflows/avm.res.service-bus.namespace.yml/badge.svg?branch=sbus-auth-rules-topics&event=workflow_dispatch)](https://github.com/ChrisSidebotham/bicep-registry-modules/actions/workflows/avm.res.service-bus.namespace.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [x] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
---
 avm/res/service-bus/namespace/README.md       |  6 ++--
 .../namespace/authorization-rule/main.json    |  4 +--
 .../disaster-recovery-config/main.json        |  4 +--
 avm/res/service-bus/namespace/main.bicep      | 10 +++---
 avm/res/service-bus/namespace/main.json       | 33 +++++++------------
 .../migration-configuration/main.json         |  4 +--
 .../namespace/network-rule-set/main.bicep     |  4 +--
 .../namespace/network-rule-set/main.json      |  6 ++--
 .../queue/authorization-rule/main.json        |  4 +--
 avm/res/service-bus/namespace/queue/main.json |  8 ++---
 avm/res/service-bus/namespace/topic/README.md | 16 +--------
 .../topic/authorization-rule/main.json        |  4 +--
 .../service-bus/namespace/topic/main.bicep    | 15 ++-------
 avm/res/service-bus/namespace/topic/main.json | 29 ++++++----------
 .../namespace/topic/subscription/main.json    |  4 +--
 avm/res/service-bus/namespace/version.json    |  2 +-
 16 files changed, 54 insertions(+), 99 deletions(-)

diff --git a/avm/res/service-bus/namespace/README.md b/avm/res/service-bus/namespace/README.md
index 69961eb91e..1df8014370 100644
--- a/avm/res/service-bus/namespace/README.md
+++ b/avm/res/service-bus/namespace/README.md
@@ -1927,7 +1927,7 @@ The managed identity definition for this resource.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | array | The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |
 
 ### Parameter: `managedIdentities.systemAssigned`
 
@@ -1936,9 +1936,9 @@ Enables system assigned managed identity on the resource.
 - Required: No
 - Type: bool
 
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 
-The resource ID(s) to assign to the resource.
+The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.
 
 - Required: No
 - Type: array
diff --git a/avm/res/service-bus/namespace/authorization-rule/main.json b/avm/res/service-bus/namespace/authorization-rule/main.json
index e78d5a84b0..69891f3a56 100644
--- a/avm/res/service-bus/namespace/authorization-rule/main.json
+++ b/avm/res/service-bus/namespace/authorization-rule/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "16659347344675880024"
+      "version": "0.30.23.60470",
+      "templateHash": "4728331591356881277"
     },
     "name": "Service Bus Namespace Authorization Rules",
     "description": "This module deploys a Service Bus Namespace Authorization Rule.",
diff --git a/avm/res/service-bus/namespace/disaster-recovery-config/main.json b/avm/res/service-bus/namespace/disaster-recovery-config/main.json
index 93ecd9ffa9..f1d4df322e 100644
--- a/avm/res/service-bus/namespace/disaster-recovery-config/main.json
+++ b/avm/res/service-bus/namespace/disaster-recovery-config/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "2437567647402328568"
+      "version": "0.30.23.60470",
+      "templateHash": "1218226237647695558"
     },
     "name": "Service Bus Namespace Disaster Recovery Configs",
     "description": "This module deploys a Service Bus Namespace Disaster Recovery Config",
diff --git a/avm/res/service-bus/namespace/main.bicep b/avm/res/service-bus/namespace/main.bicep
index 4fc4c8953c..4678c1107a 100644
--- a/avm/res/service-bus/namespace/main.bicep
+++ b/avm/res/service-bus/namespace/main.bicep
@@ -99,7 +99,7 @@ param customerManagedKey customerManagedKeyType
 param requireInfrastructureEncryption bool = true
 
 var formattedUserAssignedIdentities = reduce(
-  map((managedIdentities.?userAssignedResourcesIds ?? []), (id) => { '${id}': {} }),
+  map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
   {},
   (cur, next) => union(cur, next)
 ) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
@@ -107,8 +107,8 @@ var formattedUserAssignedIdentities = reduce(
 var identity = !empty(managedIdentities)
   ? {
       type: (managedIdentities.?systemAssigned ?? false)
-        ? (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned')
-        : (!empty(managedIdentities.?userAssignedResourcesIds ?? {}) ? 'UserAssigned' : null)
+        ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned')
+        : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
       userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
     }
   : null
@@ -474,8 +474,8 @@ type managedIdentitiesType = {
   @description('Optional. Enables system assigned managed identity on the resource.')
   systemAssigned: bool?
 
-  @description('Optional. The resource ID(s) to assign to the resource.')
-  userAssignedResourcesIds: string[]?
+  @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
+  userAssignedResourceIds: string[]?
 }?
 
 type lockType = {
diff --git a/avm/res/service-bus/namespace/main.json b/avm/res/service-bus/namespace/main.json
index 0739b0a333..476988e30c 100644
--- a/avm/res/service-bus/namespace/main.json
+++ b/avm/res/service-bus/namespace/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "11203076592722611139"
+      "templateHash": "6478518651645675066"
     },
     "name": "Service Bus Namespaces",
     "description": "This module deploys a Service Bus Namespace.",
@@ -23,14 +23,14 @@
             "description": "Optional. Enables system assigned managed identity on the resource."
           }
         },
-        "userAssignedResourcesIds": {
+        "userAssignedResourceIds": {
           "type": "array",
           "items": {
             "type": "string"
           },
           "nullable": true,
           "metadata": {
-            "description": "Optional. The resource ID(s) to assign to the resource."
+            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
           }
         }
       },
@@ -1313,8 +1313,8 @@
         "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]"
       }
     ],
-    "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
-    "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
+    "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
+    "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
     "builtInRoleNames": {
       "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
       "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
@@ -1824,7 +1824,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "10055705590102866988"
+              "templateHash": "10915287587573662426"
             },
             "name": "Service Bus Namespace Network Rule Sets",
             "description": "This module deploys a ServiceBus Namespace Network Rule Set.",
@@ -1889,7 +1889,7 @@
                 "name": "networkRules",
                 "count": "[length(parameters('virtualNetworkRules'))]",
                 "input": {
-                  "ignoreMissingVnetServiceEndpoint": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'ignoreMissingVnetServiceEndpoint'), parameters('virtualNetworkRules')[copyIndex('networkRules')].ignoreMissingVnetServiceEndpoint, null())]",
+                  "ignoreMissingVnetServiceEndpoint": "[tryGet(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'ignoreMissingVnetServiceEndpoint')]",
                   "subnet": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'subnetResourceId'), createObject('id', parameters('virtualNetworkRules')[copyIndex('networkRules')].subnetResourceId), null())]"
                 }
               }
@@ -2593,7 +2593,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "16840842185273289430"
+              "templateHash": "8911539763995397815"
             },
             "name": "Service Bus Namespace Topic",
             "description": "This module deploys a Service Bus Namespace Topic.",
@@ -2951,18 +2951,7 @@
             },
             "authorizationRules": {
               "type": "array",
-              "defaultValue": [
-                {
-                  "name": "RootManageSharedAccessKey",
-                  "properties": {
-                    "rights": [
-                      "Listen",
-                      "Manage",
-                      "Send"
-                    ]
-                  }
-                }
-              ],
+              "defaultValue": [],
               "metadata": {
                 "description": "Optional. Authorization Rules for the Service Bus Topic."
               }
@@ -3081,7 +3070,9 @@
                   "name": {
                     "value": "[parameters('authorizationRules')[copyIndex()].name]"
                   },
-                  "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]"
+                  "rights": {
+                    "value": "[coalesce(tryGet(parameters('authorizationRules')[copyIndex()], 'rights'), createArray())]"
+                  }
                 },
                 "template": {
                   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
diff --git a/avm/res/service-bus/namespace/migration-configuration/main.json b/avm/res/service-bus/namespace/migration-configuration/main.json
index 47cb3b3ead..58dfcc663d 100644
--- a/avm/res/service-bus/namespace/migration-configuration/main.json
+++ b/avm/res/service-bus/namespace/migration-configuration/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "5021121087195745079"
+      "version": "0.30.23.60470",
+      "templateHash": "16589713685358551002"
     },
     "name": "Service Bus Namespace Migration Configuration",
     "description": "This module deploys a Service Bus Namespace Migration Configuration.",
diff --git a/avm/res/service-bus/namespace/network-rule-set/main.bicep b/avm/res/service-bus/namespace/network-rule-set/main.bicep
index b2fa51cb5e..4930565240 100644
--- a/avm/res/service-bus/namespace/network-rule-set/main.bicep
+++ b/avm/res/service-bus/namespace/network-rule-set/main.bicep
@@ -32,9 +32,7 @@ param ipRules array = []
 
 var networkRules = [
   for (virtualNetworkRule, index) in virtualNetworkRules: {
-    ignoreMissingVnetServiceEndpoint: contains(virtualNetworkRule, 'ignoreMissingVnetServiceEndpoint')
-      ? virtualNetworkRule.ignoreMissingVnetServiceEndpoint
-      : null
+    ignoreMissingVnetServiceEndpoint: virtualNetworkRule.?ignoreMissingVnetServiceEndpoint
     subnet: contains(virtualNetworkRule, 'subnetResourceId')
       ? {
           id: virtualNetworkRule.subnetResourceId
diff --git a/avm/res/service-bus/namespace/network-rule-set/main.json b/avm/res/service-bus/namespace/network-rule-set/main.json
index 5f9ac47d13..2bfebce5e6 100644
--- a/avm/res/service-bus/namespace/network-rule-set/main.json
+++ b/avm/res/service-bus/namespace/network-rule-set/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "18220065019802173538"
+      "version": "0.30.23.60470",
+      "templateHash": "10915287587573662426"
     },
     "name": "Service Bus Namespace Network Rule Sets",
     "description": "This module deploys a ServiceBus Namespace Network Rule Set.",
@@ -70,7 +70,7 @@
         "name": "networkRules",
         "count": "[length(parameters('virtualNetworkRules'))]",
         "input": {
-          "ignoreMissingVnetServiceEndpoint": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'ignoreMissingVnetServiceEndpoint'), parameters('virtualNetworkRules')[copyIndex('networkRules')].ignoreMissingVnetServiceEndpoint, null())]",
+          "ignoreMissingVnetServiceEndpoint": "[tryGet(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'ignoreMissingVnetServiceEndpoint')]",
           "subnet": "[if(contains(parameters('virtualNetworkRules')[copyIndex('networkRules')], 'subnetResourceId'), createObject('id', parameters('virtualNetworkRules')[copyIndex('networkRules')].subnetResourceId), null())]"
         }
       }
diff --git a/avm/res/service-bus/namespace/queue/authorization-rule/main.json b/avm/res/service-bus/namespace/queue/authorization-rule/main.json
index 2ac613b3a0..7f4595b2c4 100644
--- a/avm/res/service-bus/namespace/queue/authorization-rule/main.json
+++ b/avm/res/service-bus/namespace/queue/authorization-rule/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "13378473188831787359"
+      "version": "0.30.23.60470",
+      "templateHash": "13793175890494658919"
     },
     "name": "Service Bus Namespace Queue Authorization Rules",
     "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.",
diff --git a/avm/res/service-bus/namespace/queue/main.json b/avm/res/service-bus/namespace/queue/main.json
index 49ba95b068..7018e54ac3 100644
--- a/avm/res/service-bus/namespace/queue/main.json
+++ b/avm/res/service-bus/namespace/queue/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "12442268068778335924"
+      "version": "0.30.23.60470",
+      "templateHash": "13425705366730697938"
     },
     "name": "Service Bus Namespace Queue",
     "description": "This module deploys a Service Bus Namespace Queue.",
@@ -393,8 +393,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "13378473188831787359"
+              "version": "0.30.23.60470",
+              "templateHash": "13793175890494658919"
             },
             "name": "Service Bus Namespace Queue Authorization Rules",
             "description": "This module deploys a Service Bus Namespace Queue Authorization Rule.",
diff --git a/avm/res/service-bus/namespace/topic/README.md b/avm/res/service-bus/namespace/topic/README.md
index 7362055d9e..a5b94085ed 100644
--- a/avm/res/service-bus/namespace/topic/README.md
+++ b/avm/res/service-bus/namespace/topic/README.md
@@ -72,21 +72,7 @@ Authorization Rules for the Service Bus Topic.
 
 - Required: No
 - Type: array
-- Default:
-  ```Bicep
-  [
-    {
-      name: 'RootManageSharedAccessKey'
-      properties: {
-        rights: [
-          'Listen'
-          'Manage'
-          'Send'
-        ]
-      }
-    }
-  ]
-  ```
+- Default: `[]`
 
 ### Parameter: `autoDeleteOnIdle`
 
diff --git a/avm/res/service-bus/namespace/topic/authorization-rule/main.json b/avm/res/service-bus/namespace/topic/authorization-rule/main.json
index 60d8ebef9f..f3ac22d34d 100644
--- a/avm/res/service-bus/namespace/topic/authorization-rule/main.json
+++ b/avm/res/service-bus/namespace/topic/authorization-rule/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "6843568331497160185"
+      "version": "0.30.23.60470",
+      "templateHash": "1348283370469099109"
     },
     "name": "Service Bus Namespace Topic Authorization Rules",
     "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.",
diff --git a/avm/res/service-bus/namespace/topic/main.bicep b/avm/res/service-bus/namespace/topic/main.bicep
index 2009633393..4fc34b3be5 100644
--- a/avm/res/service-bus/namespace/topic/main.bicep
+++ b/avm/res/service-bus/namespace/topic/main.bicep
@@ -57,18 +57,7 @@ param enablePartitioning bool = false
 param enableExpress bool = false
 
 @description('Optional. Authorization Rules for the Service Bus Topic.')
-param authorizationRules array = [
-  {
-    name: 'RootManageSharedAccessKey'
-    properties: {
-      rights: [
-        'Listen'
-        'Manage'
-        'Send'
-      ]
-    }
-  }
-]
+param authorizationRules array = []
 
 @description('Optional. The lock settings of the service.')
 param lock lockType
@@ -151,7 +140,7 @@ module topic_authorizationRules 'authorization-rule/main.bicep' = [
       namespaceName: namespaceName
       topicName: topic.name
       name: authorizationRule.name
-      rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : []
+      rights: authorizationRule.?rights ?? []
     }
   }
 ]
diff --git a/avm/res/service-bus/namespace/topic/main.json b/avm/res/service-bus/namespace/topic/main.json
index f037f5762d..5a34b438f3 100644
--- a/avm/res/service-bus/namespace/topic/main.json
+++ b/avm/res/service-bus/namespace/topic/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "782028791267114581"
+      "version": "0.30.23.60470",
+      "templateHash": "8911539763995397815"
     },
     "name": "Service Bus Namespace Topic",
     "description": "This module deploys a Service Bus Namespace Topic.",
@@ -364,18 +364,7 @@
     },
     "authorizationRules": {
       "type": "array",
-      "defaultValue": [
-        {
-          "name": "RootManageSharedAccessKey",
-          "properties": {
-            "rights": [
-              "Listen",
-              "Manage",
-              "Send"
-            ]
-          }
-        }
-      ],
+      "defaultValue": [],
       "metadata": {
         "description": "Optional. Authorization Rules for the Service Bus Topic."
       }
@@ -494,7 +483,9 @@
           "name": {
             "value": "[parameters('authorizationRules')[copyIndex()].name]"
           },
-          "rights": "[if(contains(parameters('authorizationRules')[copyIndex()], 'rights'), createObject('value', parameters('authorizationRules')[copyIndex()].rights), createObject('value', createArray()))]"
+          "rights": {
+            "value": "[coalesce(tryGet(parameters('authorizationRules')[copyIndex()], 'rights'), createArray())]"
+          }
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -502,8 +493,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "6843568331497160185"
+              "version": "0.30.23.60470",
+              "templateHash": "1348283370469099109"
             },
             "name": "Service Bus Namespace Topic Authorization Rules",
             "description": "This module deploys a Service Bus Namespace Topic Authorization Rule.",
@@ -652,8 +643,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "13559505347925945415"
+              "version": "0.30.23.60470",
+              "templateHash": "2560238010859719670"
             },
             "name": "Service Bus Namespace Topic Subscription",
             "description": "This module deploys a Service Bus Namespace Topic Subscription.",
diff --git a/avm/res/service-bus/namespace/topic/subscription/main.json b/avm/res/service-bus/namespace/topic/subscription/main.json
index 251f6038f1..60ad0f4b59 100644
--- a/avm/res/service-bus/namespace/topic/subscription/main.json
+++ b/avm/res/service-bus/namespace/topic/subscription/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "13559505347925945415"
+      "version": "0.30.23.60470",
+      "templateHash": "2560238010859719670"
     },
     "name": "Service Bus Namespace Topic Subscription",
     "description": "This module deploys a Service Bus Namespace Topic Subscription.",
diff --git a/avm/res/service-bus/namespace/version.json b/avm/res/service-bus/namespace/version.json
index 6b6be93891..a830c3d961 100644
--- a/avm/res/service-bus/namespace/version.json
+++ b/avm/res/service-bus/namespace/version.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "0.9",
+  "version": "0.10",
   "pathFilters": [
     "./main.json"
   ]

From a14318a3665526656d0f8352fd76bd986db32be8 Mon Sep 17 00:00:00 2001
From: Kris Baranek <20225789+krbar@users.noreply.github.com>
Date: Fri, 25 Oct 2024 11:55:26 +0200
Subject: [PATCH 10/13] feat: Improvements of the
 `avm/res/network/bastion-host` module (#3611)

## Description

Several improvements of the Azure Bastion module:
- Updated the API version of `Microsoft.Network/bastionHosts` to
`2024-01-01` [(F2a8b179L18R18)](https://github.com
- Added support for the `Premium` SKU and its features:
  - private only Bastion (incl. a dedicated test case)
  - session recording
- Added support for availability zones

Resolves #3308

> Note: due to resource provider errors, the support for the `Developer`
SKU is not included in this update

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.network.bastion-host](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.bastion-host.yml/badge.svg?branch=users%2Fkrbar%2FbastionUpdate)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.bastion-host.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [x] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [x] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

---------

Co-authored-by: Alexander Sehr <ASehr@hotmail.de>
---
 avm/res/network/bastion-host/README.md        | 174 ++++++++++++++++--
 avm/res/network/bastion-host/main.bicep       |  70 ++++---
 avm/res/network/bastion-host/main.json        |  65 +++++--
 .../tests/e2e/custompip/dependencies.bicep    |   2 +-
 .../tests/e2e/custompip/main.test.bicep       |   2 +-
 .../tests/e2e/defaults/dependencies.bicep     |   2 +-
 .../tests/e2e/defaults/main.test.bicep        |   2 +-
 .../tests/e2e/max/dependencies.bicep          |   9 +-
 .../tests/e2e/max/main.test.bicep             |  28 +--
 .../tests/e2e/private/dependencies.bicep      |  30 +++
 .../tests/e2e/private/main.test.bicep         |  61 ++++++
 .../tests/e2e/waf-aligned/dependencies.bicep  |   7 +-
 .../tests/e2e/waf-aligned/main.test.bicep     |   2 +-
 avm/res/network/bastion-host/version.json     |  10 +-
 14 files changed, 384 insertions(+), 80 deletions(-)
 create mode 100644 avm/res/network/bastion-host/tests/e2e/private/dependencies.bicep
 create mode 100644 avm/res/network/bastion-host/tests/e2e/private/main.test.bicep

diff --git a/avm/res/network/bastion-host/README.md b/avm/res/network/bastion-host/README.md
index 8c95b14dac..d0358319a5 100644
--- a/avm/res/network/bastion-host/README.md
+++ b/avm/res/network/bastion-host/README.md
@@ -18,7 +18,7 @@ This module deploys a Bastion Host.
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
-| `Microsoft.Network/bastionHosts` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/bastionHosts) |
+| `Microsoft.Network/bastionHosts` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-01-01/bastionHosts) |
 | `Microsoft.Network/publicIPAddresses` | [2023-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-09-01/publicIPAddresses) |
 
 ## Usage examples
@@ -32,7 +32,8 @@ The following section provides usage examples for the module, which were used to
 - [With a custom public IP address deployed by the module](#example-1-with-a-custom-public-ip-address-deployed-by-the-module)
 - [Using only defaults](#example-2-using-only-defaults)
 - [Using large parameter set](#example-3-using-large-parameter-set)
-- [WAF-aligned](#example-4-waf-aligned)
+- [Private-only deployment](#example-4-private-only-deployment)
+- [WAF-aligned](#example-5-waf-aligned)
 
 ### Example 1: _With a custom public IP address deployed by the module_
 
@@ -350,6 +351,11 @@ module bastionHost 'br/public:avm/res/network/bastion-host:<version>' = {
       'hidden-title': 'This is visible in the resource name'
       Role: 'DeploymentValidation'
     }
+    zones: [
+      1
+      2
+      3
+    ]
   }
 }
 ```
@@ -442,6 +448,13 @@ module bastionHost 'br/public:avm/res/network/bastion-host:<version>' = {
         "hidden-title": "This is visible in the resource name",
         "Role": "DeploymentValidation"
       }
+    },
+    "zones": {
+      "value": [
+        1,
+        2,
+        3
+      ]
     }
   }
 }
@@ -506,12 +519,101 @@ param tags = {
   'hidden-title': 'This is visible in the resource name'
   Role: 'DeploymentValidation'
 }
+param zones = [
+  1
+  2
+  3
+]
 ```
 
 </details>
 <p>
 
-### Example 4: _WAF-aligned_
+### Example 4: _Private-only deployment_
+
+This instance deploys the module as private-only Bastion deployment.
+
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module bastionHost 'br/public:avm/res/network/bastion-host:<version>' = {
+  name: 'bastionHostDeployment'
+  params: {
+    // Required parameters
+    name: 'nbhprv001'
+    virtualNetworkResourceId: '<virtualNetworkResourceId>'
+    // Non-required parameters
+    enablePrivateOnlyBastion: true
+    enableSessionRecording: true
+    location: '<location>'
+    skuName: 'Premium'
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON parameters file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    // Required parameters
+    "name": {
+      "value": "nbhprv001"
+    },
+    "virtualNetworkResourceId": {
+      "value": "<virtualNetworkResourceId>"
+    },
+    // Non-required parameters
+    "enablePrivateOnlyBastion": {
+      "value": true
+    },
+    "enableSessionRecording": {
+      "value": true
+    },
+    "location": {
+      "value": "<location>"
+    },
+    "skuName": {
+      "value": "Premium"
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via Bicep parameters file</summary>
+
+```bicep-params
+using 'br/public:avm/res/network/bastion-host:<version>'
+
+// Required parameters
+param name = 'nbhprv001'
+param virtualNetworkResourceId = '<virtualNetworkResourceId>'
+// Non-required parameters
+param enablePrivateOnlyBastion = true
+param enableSessionRecording = true
+param location = '<location>'
+param skuName = 'Premium'
+```
+
+</details>
+<p>
+
+### Example 5: _WAF-aligned_
 
 This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
 
@@ -674,21 +776,24 @@ param tags = {
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`bastionSubnetPublicIpResourceId`](#parameter-bastionsubnetpublicipresourceid) | string | The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. |
+| [`bastionSubnetPublicIpResourceId`](#parameter-bastionsubnetpublicipresourceid) | string | The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. This parameter is ignored when enablePrivateOnlyBastion is true. |
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
-| [`disableCopyPaste`](#parameter-disablecopypaste) | bool | Choose to disable or enable Copy Paste. |
-| [`enableFileCopy`](#parameter-enablefilecopy) | bool | Choose to disable or enable File Copy. |
-| [`enableIpConnect`](#parameter-enableipconnect) | bool | Choose to disable or enable IP Connect. |
+| [`disableCopyPaste`](#parameter-disablecopypaste) | bool | Choose to disable or enable Copy Paste. For Basic SKU Copy/Paste is always enabled. |
+| [`enableFileCopy`](#parameter-enablefilecopy) | bool | Choose to disable or enable File Copy. Not supported for Basic SKU. |
+| [`enableIpConnect`](#parameter-enableipconnect) | bool | Choose to disable or enable IP Connect. Not supported for Basic SKU. |
 | [`enableKerberos`](#parameter-enablekerberos) | bool | Choose to disable or enable Kerberos authentication. |
-| [`enableShareableLink`](#parameter-enableshareablelink) | bool | Choose to disable or enable Shareable Link. |
+| [`enablePrivateOnlyBastion`](#parameter-enableprivateonlybastion) | bool | Choose to disable or enable Private-only Bastion deployment. The Premium SKU is required for this feature. |
+| [`enableSessionRecording`](#parameter-enablesessionrecording) | bool | Choose to disable or enable Session Recording feature. The Premium SKU is required for this feature. If Session Recording is enabled, the Native client support will be disabled. |
+| [`enableShareableLink`](#parameter-enableshareablelink) | bool | Choose to disable or enable Shareable Link. Not supported for Basic SKU. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
-| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. |
+| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. This parameter is ignored when enablePrivateOnlyBastion is true. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. |
+| [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. The Basic SKU only supports 2 scale units. |
 | [`skuName`](#parameter-skuname) | string | The SKU of this Bastion Host. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`zones`](#parameter-zones) | array | A list of availability zones denoting where the Bastion Host resource needs to come from. |
 
 ### Parameter: `name`
 
@@ -706,7 +811,7 @@ Shared services Virtual Network resource Id.
 
 ### Parameter: `bastionSubnetPublicIpResourceId`
 
-The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet.
+The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. This parameter is ignored when enablePrivateOnlyBastion is true.
 
 - Required: No
 - Type: string
@@ -826,7 +931,7 @@ Resource ID of the diagnostic log analytics workspace. For security reasons, it
 
 ### Parameter: `disableCopyPaste`
 
-Choose to disable or enable Copy Paste.
+Choose to disable or enable Copy Paste. For Basic SKU Copy/Paste is always enabled.
 
 - Required: No
 - Type: bool
@@ -834,7 +939,7 @@ Choose to disable or enable Copy Paste.
 
 ### Parameter: `enableFileCopy`
 
-Choose to disable or enable File Copy.
+Choose to disable or enable File Copy. Not supported for Basic SKU.
 
 - Required: No
 - Type: bool
@@ -842,7 +947,7 @@ Choose to disable or enable File Copy.
 
 ### Parameter: `enableIpConnect`
 
-Choose to disable or enable IP Connect.
+Choose to disable or enable IP Connect. Not supported for Basic SKU.
 
 - Required: No
 - Type: bool
@@ -856,9 +961,25 @@ Choose to disable or enable Kerberos authentication.
 - Type: bool
 - Default: `False`
 
+### Parameter: `enablePrivateOnlyBastion`
+
+Choose to disable or enable Private-only Bastion deployment. The Premium SKU is required for this feature.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableSessionRecording`
+
+Choose to disable or enable Session Recording feature. The Premium SKU is required for this feature. If Session Recording is enabled, the Native client support will be disabled.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
 ### Parameter: `enableShareableLink`
 
-Choose to disable or enable Shareable Link.
+Choose to disable or enable Shareable Link. Not supported for Basic SKU.
 
 - Required: No
 - Type: bool
@@ -918,7 +1039,7 @@ Specify the name of lock.
 
 ### Parameter: `publicIPAddressObject`
 
-Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided.
+Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. This parameter is ignored when enablePrivateOnlyBastion is true.
 
 - Required: No
 - Type: object
@@ -1034,7 +1155,7 @@ The principal type of the assigned principal ID.
 
 ### Parameter: `scaleUnits`
 
-The scale units for the Bastion Host resource.
+The scale units for the Bastion Host resource. The Basic SKU only supports 2 scale units.
 
 - Required: No
 - Type: int
@@ -1051,6 +1172,7 @@ The SKU of this Bastion Host.
   ```Bicep
   [
     'Basic'
+    'Premium'
     'Standard'
   ]
   ```
@@ -1062,6 +1184,22 @@ Tags of the resource.
 - Required: No
 - Type: object
 
+### Parameter: `zones`
+
+A list of availability zones denoting where the Bastion Host resource needs to come from.
+
+- Required: No
+- Type: array
+- Default: `[]`
+- Allowed:
+  ```Bicep
+  [
+    1
+    2
+    3
+  ]
+  ```
+
 ## Outputs
 
 | Output | Type | Description |
@@ -1078,7 +1216,7 @@ This section gives you an overview of all local-referenced module files (i.e., o
 
 | Reference | Type |
 | :-- | :-- |
-| `br/public:avm/res/network/public-ip-address:0.5.1` | Remote reference |
+| `br/public:avm/res/network/public-ip-address:0.6.0` | Remote reference |
 
 ## Data Collection
 
diff --git a/avm/res/network/bastion-host/main.bicep b/avm/res/network/bastion-host/main.bicep
index 3acc37b8df..2e1dd254a3 100644
--- a/avm/res/network/bastion-host/main.bicep
+++ b/avm/res/network/bastion-host/main.bicep
@@ -11,10 +11,10 @@ param location string = resourceGroup().location
 @description('Required. Shared services Virtual Network resource Id.')
 param virtualNetworkResourceId string
 
-@description('Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet.')
+@description('Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. This parameter is ignored when enablePrivateOnlyBastion is true.')
 param bastionSubnetPublicIpResourceId string = ''
 
-@description('Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided.')
+@description('Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. This parameter is ignored when enablePrivateOnlyBastion is true.')
 param publicIPAddressObject object = {
   name: '${name}-pip'
 }
@@ -27,27 +27,34 @@ param lock lockType
 
 @allowed([
   'Basic'
+  'Premium'
   'Standard'
 ])
 @description('Optional. The SKU of this Bastion Host.')
 param skuName string = 'Basic'
 
-@description('Optional. Choose to disable or enable Copy Paste.')
+@description('Optional. Choose to disable or enable Copy Paste. For Basic SKU Copy/Paste is always enabled.')
 param disableCopyPaste bool = false
 
-@description('Optional. Choose to disable or enable File Copy.')
+@description('Optional. Choose to disable or enable File Copy. Not supported for Basic SKU.')
 param enableFileCopy bool = true
 
-@description('Optional. Choose to disable or enable IP Connect.')
+@description('Optional. Choose to disable or enable IP Connect. Not supported for Basic SKU.')
 param enableIpConnect bool = false
 
 @description('Optional. Choose to disable or enable Kerberos authentication.')
 param enableKerberos bool = false
 
-@description('Optional. Choose to disable or enable Shareable Link.')
+@description('Optional. Choose to disable or enable Shareable Link. Not supported for Basic SKU.')
 param enableShareableLink bool = false
 
-@description('Optional. The scale units for the Bastion Host resource.')
+@description('Optional. Choose to disable or enable Session Recording feature. The Premium SKU is required for this feature. If Session Recording is enabled, the Native client support will be disabled.')
+param enableSessionRecording bool = false
+
+@description('Optional. Choose to disable or enable Private-only Bastion deployment. The Premium SKU is required for this feature.')
+param enablePrivateOnlyBastion bool = false
+
+@description('Optional. The scale units for the Bastion Host resource. The Basic SKU only supports 2 scale units.')
 param scaleUnits int = 2
 
 @description('Optional. Array of role assignments to create.')
@@ -59,6 +66,14 @@ param tags object?
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
+@description('Optional. A list of availability zones denoting where the Bastion Host resource needs to come from.')
+@allowed([
+  1
+  2
+  3
+])
+param zones int[] = [] // Availability Zones are currently in preview and only available in certain regions, therefore the default is an empty array.
+
 // ----------------------------------------------------------------------------
 // Prep ipConfigurations object AzureBastionSubnet for different uses cases:
 // 1. Use existing Public IP
@@ -72,14 +87,16 @@ var ipConfigurations = [
           id: '${virtualNetworkResourceId}/subnets/AzureBastionSubnet' // The subnet name must be AzureBastionSubnet
         }
       },
-      {
-        //Use existing Public IP, new Public IP created in this module
-        publicIPAddress: {
-          id: !empty(bastionSubnetPublicIpResourceId)
-            ? bastionSubnetPublicIpResourceId
-            : publicIPAddress.outputs.resourceId
-        }
-      }
+      (!enablePrivateOnlyBastion
+        ? {
+            //Use existing Public IP, new Public IP created in this module
+            publicIPAddress: {
+              id: !empty(bastionSubnetPublicIpResourceId)
+                ? bastionSubnetPublicIpResourceId
+                : publicIPAddress.outputs.resourceId
+            }
+          }
+        : {})
     )
   }
 ]
@@ -130,7 +147,7 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT
   }
 }
 
-module publicIPAddress 'br/public:avm/res/network/public-ip-address:0.5.1' = if (empty(bastionSubnetPublicIpResourceId)) {
+module publicIPAddress 'br/public:avm/res/network/public-ip-address:0.6.0' = if (empty(bastionSubnetPublicIpResourceId) && (!enablePrivateOnlyBastion)) {
   name: '${uniqueString(deployment().name, location)}-Bastion-PIP'
   params: {
     name: publicIPAddressObject.name
@@ -145,7 +162,7 @@ module publicIPAddress 'br/public:avm/res/network/public-ip-address:0.5.1' = if
     skuName: publicIPAddressObject.?skuName
     skuTier: publicIPAddressObject.?skuTier
     tags: publicIPAddressObject.?tags ?? tags
-    zones: publicIPAddressObject.?zones
+    zones: publicIPAddressObject.?zones ?? (length(zones) > 0 ? zones : null) // if zones of the Public IP is empty, use the zones from the bastion host only if not empty (if empty, the default of the public IP will be used)
   }
 }
 
@@ -153,26 +170,37 @@ var bastionpropertiesVar = union(
   {
     scaleUnits: skuName == 'Basic' ? 2 : scaleUnits
     ipConfigurations: ipConfigurations
-    enableKerberos: enableKerberos
   },
-  (skuName == 'Standard'
+  ((skuName == 'Basic' || skuName == 'Standard' || skuName == 'Premium')
+    ? {
+        enableKerberos: enableKerberos
+      }
+    : {}),
+  ((skuName == 'Standard' || skuName == 'Premium')
     ? {
-        enableTunneling: skuName == 'Standard'
+        enableTunneling: skuName == 'Standard' ? true : (enableSessionRecording ? false : true) // Tunneling is enabled by default for Standard SKU. For Premium SKU it is disabled by default if Session Recording is enabled.
         disableCopyPaste: disableCopyPaste
         enableFileCopy: enableFileCopy
         enableIpConnect: enableIpConnect
         enableShareableLink: enableShareableLink
       }
+    : {}),
+  (skuName == 'Premium'
+    ? {
+        enableSessionRecording: enableSessionRecording
+        enablePrivateOnlyBastion: enablePrivateOnlyBastion
+      }
     : {})
 )
 
-resource azureBastion 'Microsoft.Network/bastionHosts@2022-11-01' = {
+resource azureBastion 'Microsoft.Network/bastionHosts@2024-01-01' = {
   name: name
   location: location
   tags: tags
   sku: {
     name: skuName
   }
+  zones: map(zones, zone => string(zone))
   properties: bastionpropertiesVar
 }
 
diff --git a/avm/res/network/bastion-host/main.json b/avm/res/network/bastion-host/main.json
index 2634dae54b..a66baf992b 100644
--- a/avm/res/network/bastion-host/main.json
+++ b/avm/res/network/bastion-host/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "17557675644366875046"
+      "version": "0.30.23.60470",
+      "templateHash": "1273376840607599272"
     },
     "name": "Bastion Hosts",
     "description": "This module deploys a Bastion Host.",
@@ -231,7 +231,7 @@
       "type": "string",
       "defaultValue": "",
       "metadata": {
-        "description": "Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet."
+        "description": "Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. This parameter is ignored when enablePrivateOnlyBastion is true."
       }
     },
     "publicIPAddressObject": {
@@ -240,7 +240,7 @@
         "name": "[format('{0}-pip', parameters('name'))]"
       },
       "metadata": {
-        "description": "Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided."
+        "description": "Optional. Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. This parameter is ignored when enablePrivateOnlyBastion is true."
       }
     },
     "diagnosticSettings": {
@@ -260,6 +260,7 @@
       "defaultValue": "Basic",
       "allowedValues": [
         "Basic",
+        "Premium",
         "Standard"
       ],
       "metadata": {
@@ -270,21 +271,21 @@
       "type": "bool",
       "defaultValue": false,
       "metadata": {
-        "description": "Optional. Choose to disable or enable Copy Paste."
+        "description": "Optional. Choose to disable or enable Copy Paste. For Basic SKU Copy/Paste is always enabled."
       }
     },
     "enableFileCopy": {
       "type": "bool",
       "defaultValue": true,
       "metadata": {
-        "description": "Optional. Choose to disable or enable File Copy."
+        "description": "Optional. Choose to disable or enable File Copy. Not supported for Basic SKU."
       }
     },
     "enableIpConnect": {
       "type": "bool",
       "defaultValue": false,
       "metadata": {
-        "description": "Optional. Choose to disable or enable IP Connect."
+        "description": "Optional. Choose to disable or enable IP Connect. Not supported for Basic SKU."
       }
     },
     "enableKerberos": {
@@ -298,14 +299,28 @@
       "type": "bool",
       "defaultValue": false,
       "metadata": {
-        "description": "Optional. Choose to disable or enable Shareable Link."
+        "description": "Optional. Choose to disable or enable Shareable Link. Not supported for Basic SKU."
+      }
+    },
+    "enableSessionRecording": {
+      "type": "bool",
+      "defaultValue": false,
+      "metadata": {
+        "description": "Optional. Choose to disable or enable Session Recording feature. The Premium SKU is required for this feature. If Session Recording is enabled, the Native client support will be disabled."
+      }
+    },
+    "enablePrivateOnlyBastion": {
+      "type": "bool",
+      "defaultValue": false,
+      "metadata": {
+        "description": "Optional. Choose to disable or enable Private-only Bastion deployment. The Premium SKU is required for this feature."
       }
     },
     "scaleUnits": {
       "type": "int",
       "defaultValue": 2,
       "metadata": {
-        "description": "Optional. The scale units for the Bastion Host resource."
+        "description": "Optional. The scale units for the Bastion Host resource. The Basic SKU only supports 2 scale units."
       }
     },
     "roleAssignments": {
@@ -327,6 +342,21 @@
       "metadata": {
         "description": "Optional. Enable/Disable usage telemetry for module."
       }
+    },
+    "zones": {
+      "type": "array",
+      "items": {
+        "type": "int"
+      },
+      "defaultValue": [],
+      "allowedValues": [
+        1,
+        2,
+        3
+      ],
+      "metadata": {
+        "description": "Optional. A list of availability zones denoting where the Bastion Host resource needs to come from."
+      }
     }
   },
   "variables": {
@@ -368,14 +398,15 @@
     },
     "azureBastion": {
       "type": "Microsoft.Network/bastionHosts",
-      "apiVersion": "2022-11-01",
+      "apiVersion": "2024-01-01",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "tags": "[parameters('tags')]",
       "sku": {
         "name": "[parameters('skuName')]"
       },
-      "properties": "[union(createObject('scaleUnits', if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits')), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureBastionSubnet', parameters('virtualNetworkResourceId')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), parameters('bastionSubnetPublicIpResourceId'), reference('publicIPAddress').outputs.resourceId.value)))))), 'enableKerberos', parameters('enableKerberos')), if(equals(parameters('skuName'), 'Standard'), createObject('enableTunneling', equals(parameters('skuName'), 'Standard'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableShareableLink', parameters('enableShareableLink')), createObject()))]",
+      "zones": "[map(parameters('zones'), lambda('zone', string(lambdaVariables('zone'))))]",
+      "properties": "[union(createObject('scaleUnits', if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits')), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureBastionSubnet', parameters('virtualNetworkResourceId')))), if(not(parameters('enablePrivateOnlyBastion')), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), parameters('bastionSubnetPublicIpResourceId'), reference('publicIPAddress').outputs.resourceId.value))), createObject()))))), if(or(or(equals(parameters('skuName'), 'Basic'), equals(parameters('skuName'), 'Standard')), equals(parameters('skuName'), 'Premium')), createObject('enableKerberos', parameters('enableKerberos')), createObject()), if(or(equals(parameters('skuName'), 'Standard'), equals(parameters('skuName'), 'Premium')), createObject('enableTunneling', if(equals(parameters('skuName'), 'Standard'), true(), if(parameters('enableSessionRecording'), false(), true())), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableShareableLink', parameters('enableShareableLink')), createObject()), if(equals(parameters('skuName'), 'Premium'), createObject('enableSessionRecording', parameters('enableSessionRecording'), 'enablePrivateOnlyBastion', parameters('enablePrivateOnlyBastion')), createObject()))]",
       "dependsOn": [
         "publicIPAddress"
       ]
@@ -449,7 +480,7 @@
       ]
     },
     "publicIPAddress": {
-      "condition": "[empty(parameters('bastionSubnetPublicIpResourceId'))]",
+      "condition": "[and(empty(parameters('bastionSubnetPublicIpResourceId')), not(parameters('enablePrivateOnlyBastion')))]",
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2022-09-01",
       "name": "[format('{0}-Bastion-PIP', uniqueString(deployment().name, parameters('location')))]",
@@ -496,7 +527,7 @@
             "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'tags'), parameters('tags'))]"
           },
           "zones": {
-            "value": "[tryGet(parameters('publicIPAddressObject'), 'zones')]"
+            "value": "[coalesce(tryGet(parameters('publicIPAddressObject'), 'zones'), if(greater(length(parameters('zones')), 0), parameters('zones'), null()))]"
           }
         },
         "template": {
@@ -507,7 +538,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.29.47.4906",
-              "templateHash": "14450344965065009842"
+              "templateHash": "16693645977675862540"
             },
             "name": "Public IP Addresses",
             "description": "This module deploys a Public IP Address.",
@@ -956,7 +987,7 @@
               "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
               "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
               "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
-              "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]"
+              "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]"
             }
           },
           "resources": {
@@ -964,7 +995,7 @@
               "condition": "[parameters('enableTelemetry')]",
               "type": "Microsoft.Resources/deployments",
               "apiVersion": "2024-03-01",
-              "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.5.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]",
+              "name": "[format('46d3xbcp.res.network-publicipaddress.{0}.{1}', replace('0.6.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]",
               "properties": {
                 "mode": "Incremental",
                 "template": {
@@ -1147,7 +1178,7 @@
       "metadata": {
         "description": "The location the resource was deployed into."
       },
-      "value": "[reference('azureBastion', '2022-11-01', 'full').location]"
+      "value": "[reference('azureBastion', '2024-01-01', 'full').location]"
     },
     "ipConfAzureBastionSubnet": {
       "type": "object",
diff --git a/avm/res/network/bastion-host/tests/e2e/custompip/dependencies.bicep b/avm/res/network/bastion-host/tests/e2e/custompip/dependencies.bicep
index efadbb5134..4166c9be72 100644
--- a/avm/res/network/bastion-host/tests/e2e/custompip/dependencies.bicep
+++ b/avm/res/network/bastion-host/tests/e2e/custompip/dependencies.bicep
@@ -9,7 +9,7 @@ param managedIdentityName string
 
 var addressPrefix = '10.0.0.0/16'
 
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-01-01' = {
   name: virtualNetworkName
   location: location
   properties: {
diff --git a/avm/res/network/bastion-host/tests/e2e/custompip/main.test.bicep b/avm/res/network/bastion-host/tests/e2e/custompip/main.test.bicep
index a72e08b814..c2cc1046b8 100644
--- a/avm/res/network/bastion-host/tests/e2e/custompip/main.test.bicep
+++ b/avm/res/network/bastion-host/tests/e2e/custompip/main.test.bicep
@@ -26,7 +26,7 @@ param namePrefix string = '#_namePrefix_#'
 
 // General resources
 // =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
   name: resourceGroupName
   location: resourceLocation
 }
diff --git a/avm/res/network/bastion-host/tests/e2e/defaults/dependencies.bicep b/avm/res/network/bastion-host/tests/e2e/defaults/dependencies.bicep
index 40255471c0..7aada15d55 100644
--- a/avm/res/network/bastion-host/tests/e2e/defaults/dependencies.bicep
+++ b/avm/res/network/bastion-host/tests/e2e/defaults/dependencies.bicep
@@ -6,7 +6,7 @@ param virtualNetworkName string
 
 var addressPrefix = '10.0.0.0/16'
 
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-01-01' = {
   name: virtualNetworkName
   location: location
   properties: {
diff --git a/avm/res/network/bastion-host/tests/e2e/defaults/main.test.bicep b/avm/res/network/bastion-host/tests/e2e/defaults/main.test.bicep
index f103fca5f0..19706f01fd 100644
--- a/avm/res/network/bastion-host/tests/e2e/defaults/main.test.bicep
+++ b/avm/res/network/bastion-host/tests/e2e/defaults/main.test.bicep
@@ -26,7 +26,7 @@ param namePrefix string = '#_namePrefix_#'
 
 // General resources
 // =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
   name: resourceGroupName
   location: resourceLocation
 }
diff --git a/avm/res/network/bastion-host/tests/e2e/max/dependencies.bicep b/avm/res/network/bastion-host/tests/e2e/max/dependencies.bicep
index c25af5e3e7..1ff59b7834 100644
--- a/avm/res/network/bastion-host/tests/e2e/max/dependencies.bicep
+++ b/avm/res/network/bastion-host/tests/e2e/max/dependencies.bicep
@@ -12,7 +12,7 @@ param managedIdentityName string
 
 var addressPrefix = '10.0.0.0/16'
 
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-01-01' = {
   name: virtualNetworkName
   location: location
   properties: {
@@ -32,13 +32,18 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
   }
 }
 
-resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
+resource publicIP 'Microsoft.Network/publicIPAddresses@2024-01-01' = {
   name: publicIPName
   location: location
   sku: {
     name: 'Standard'
     tier: 'Regional'
   }
+  zones: [
+    '1'
+    '2'
+    '3'
+  ]
   properties: {
     publicIPAllocationMethod: 'Static'
   }
diff --git a/avm/res/network/bastion-host/tests/e2e/max/main.test.bicep b/avm/res/network/bastion-host/tests/e2e/max/main.test.bicep
index 9fe5b24a03..2c3bca2a20 100644
--- a/avm/res/network/bastion-host/tests/e2e/max/main.test.bicep
+++ b/avm/res/network/bastion-host/tests/e2e/max/main.test.bicep
@@ -11,34 +11,35 @@ metadata description = 'This instance deploys the module with most of its featur
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
-
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'nbhmax'
 
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
+// Availability zones are currently in preview and not available in all regions. This region must be used in the AVM testing subscription
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
+
 // ============ //
 // Dependencies //
 // ============ //
 
 // General resources
 // =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 module nestedDependencies 'dependencies.bicep' = {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  name: '${uniqueString(deployment().name, enforcedLocation)}-nestedDependencies'
   params: {
     virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
     publicIPName: 'dep-${namePrefix}-pip-${serviceShort}'
     managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
-    location: resourceLocation
+    location: enforcedLocation
   }
 }
 
@@ -46,13 +47,13 @@ module nestedDependencies 'dependencies.bicep' = {
 // ===========
 module diagnosticDependencies '../../../../../../utilities/e2e-template-assets/templates/diagnostic.dependencies.bicep' = {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, resourceLocation)}-diagnosticDependencies'
+  name: '${uniqueString(deployment().name, enforcedLocation)}-diagnosticDependencies'
   params: {
     storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
     logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
     eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
     eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
-    location: resourceLocation
+    location: enforcedLocation
   }
 }
 
@@ -64,10 +65,10 @@ module diagnosticDependencies '../../../../../../utilities/e2e-template-assets/t
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
-      location: resourceLocation
+      location: enforcedLocation
       virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
       bastionSubnetPublicIpResourceId: nestedDependencies.outputs.publicIPResourceId
       diagnosticSettings: [
@@ -116,6 +117,11 @@ module testDeployment '../../../main.bicep' = [
         Environment: 'Non-Prod'
         Role: 'DeploymentValidation'
       }
+      zones: [
+        1
+        2
+        3
+      ]
     }
     dependsOn: [
       nestedDependencies
diff --git a/avm/res/network/bastion-host/tests/e2e/private/dependencies.bicep b/avm/res/network/bastion-host/tests/e2e/private/dependencies.bicep
new file mode 100644
index 0000000000..7aada15d55
--- /dev/null
+++ b/avm/res/network/bastion-host/tests/e2e/private/dependencies.bicep
@@ -0,0 +1,30 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-01-01' = {
+  name: virtualNetworkName
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        addressPrefix
+      ]
+    }
+    subnets: [
+      {
+        name: 'AzureBastionSubnet'
+        properties: {
+          addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+        }
+      }
+    ]
+  }
+}
+
+@description('The resource ID of the created Virtual Network.')
+output virtualNetworkResourceId string = virtualNetwork.id
diff --git a/avm/res/network/bastion-host/tests/e2e/private/main.test.bicep b/avm/res/network/bastion-host/tests/e2e/private/main.test.bicep
new file mode 100644
index 0000000000..b35c9f07a9
--- /dev/null
+++ b/avm/res/network/bastion-host/tests/e2e/private/main.test.bicep
@@ -0,0 +1,61 @@
+targetScope = 'subscription'
+
+metadata name = 'Private-only deployment'
+metadata description = 'This instance deploys the module as private-only Bastion deployment.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nbhprv'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
+  name: resourceGroupName
+  location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  params: {
+    virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+    location: resourceLocation
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+  for iteration in ['init', 'idem']: {
+    scope: resourceGroup
+    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    params: {
+      name: '${namePrefix}${serviceShort}001'
+      location: resourceLocation
+      virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
+      skuName: 'Premium'
+      enableSessionRecording: true
+      enablePrivateOnlyBastion: true
+    }
+  }
+]
diff --git a/avm/res/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep b/avm/res/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep
index 32fbd648ed..8027783d25 100644
--- a/avm/res/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep
+++ b/avm/res/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep
@@ -9,7 +9,7 @@ param publicIPName string
 
 var addressPrefix = '10.0.0.0/16'
 
-resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-01-01' = {
   name: virtualNetworkName
   location: location
   properties: {
@@ -39,6 +39,11 @@ resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
   properties: {
     publicIPAllocationMethod: 'Static'
   }
+  zones: [
+    '1'
+    '2'
+    '3'
+  ]
 }
 
 @description('The resource ID of the created Virtual Network.')
diff --git a/avm/res/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/avm/res/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
index 6fb0ed60a0..08ee448bf7 100644
--- a/avm/res/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/res/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep
@@ -26,7 +26,7 @@ param namePrefix string = '#_namePrefix_#'
 
 // General resources
 // =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
   name: resourceGroupName
   location: resourceLocation
 }
diff --git a/avm/res/network/bastion-host/version.json b/avm/res/network/bastion-host/version.json
index 3f863a2bec..ea4f3b6e67 100644
--- a/avm/res/network/bastion-host/version.json
+++ b/avm/res/network/bastion-host/version.json
@@ -1,7 +1,7 @@
 {
-    "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-    "version": "0.4",
-    "pathFilters": [
-        "./main.json"
-    ]
+  "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+  "version": "0.5",
+  "pathFilters": [
+    "./main.json"
+  ]
 }
\ No newline at end of file

From 1ffb70c3aace4c32736ddabfbad208bf7e0bfa71 Mon Sep 17 00:00:00 2001
From: Alexander Sehr <ASehr@hotmail.de>
Date: Fri, 25 Oct 2024 17:46:36 +0200
Subject: [PATCH 11/13] fix: Regenerated diverse module files and implemented
 small changes to trigger publishing (#3633)

## Description

- Regenerated diverse module files and implemented small changes to
trigger publishing
- Is based on metadata-fix PR workflow results. Presumably due to merge
issues, the final generated files for the 3 modules did not aligned with
the latest, expected version

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |

[![avm.ptn.ai-platform.baseline](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.ai-platform.baseline.yml/badge.svg?branch=users%2Falsehr%2F20241025_staticFixes&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.ai-platform.baseline.yml)

[![avm.ptn.lz.sub-vending](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml/badge.svg?branch=users%2Falsehr%2F20241025_staticFixes&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml)

[![avm.res.virtual-machine-images.image-template](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.virtual-machine-images.image-template.yml/badge.svg?branch=users%2Falsehr%2F20241025_staticFixes&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.virtual-machine-images.image-template.yml)

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation
---
 avm/ptn/ai-platform/baseline/README.md        | 311 +++++++++++++++++-
 avm/ptn/ai-platform/baseline/main.bicep       |  65 ++--
 avm/ptn/ai-platform/baseline/main.json        |  67 ++--
 avm/ptn/lz/sub-vending/README.md              |   7 +-
 avm/ptn/lz/sub-vending/main.bicep             |   3 +-
 avm/ptn/lz/sub-vending/main.json              |   5 +-
 .../image-template/README.md                  | 102 +++---
 .../image-template/main.bicep                 |  60 +---
 .../image-template/main.json                  | 271 ++++++++-------
 9 files changed, 615 insertions(+), 276 deletions(-)

diff --git a/avm/ptn/ai-platform/baseline/README.md b/avm/ptn/ai-platform/baseline/README.md
index 7676df01c3..7456f6c787 100644
--- a/avm/ptn/ai-platform/baseline/README.md
+++ b/avm/ptn/ai-platform/baseline/README.md
@@ -56,9 +56,9 @@ By integrating with Microsoft Entra ID for secure identity management and utiliz
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints/privateDnsZoneGroups) |
 | `Microsoft.Network/publicIPAddresses` | [2023-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-09-01/publicIPAddresses) |
-| `Microsoft.Network/virtualNetworks` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/virtualNetworks) |
-| `Microsoft.Network/virtualNetworks/subnets` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/virtualNetworks/subnets) |
-| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/virtualNetworks/virtualNetworkPeerings) |
+| `Microsoft.Network/virtualNetworks` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-01-01/virtualNetworks) |
+| `Microsoft.Network/virtualNetworks/subnets` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-01-01/virtualNetworks/subnets) |
+| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-01-01/virtualNetworks/virtualNetworkPeerings) |
 | `Microsoft.OperationalInsights/workspaces` | [2023-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2023-09-01/workspaces) |
 | `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2023-01-01/vaults/backupFabrics/protectionContainers/protectedItems) |
 | `Microsoft.Storage/storageAccounts` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2022-09-01/storageAccounts) |
@@ -864,10 +864,10 @@ param workspaceConfiguration = {
 | [`keyVaultConfiguration`](#parameter-keyvaultconfiguration) | object | Configuration for the key vault. |
 | [`location`](#parameter-location) | string | Location for all Resources. |
 | [`logAnalyticsConfiguration`](#parameter-loganalyticsconfiguration) | object | Configuration for the Log Analytics workspace. |
-| [`managedIdentityName`](#parameter-managedidentityname) | string | The name of the user assigned identity for the AI Studio hub. If not provided, the hub will use a system assigned identity. |
+| [`managedIdentityName`](#parameter-managedidentityname) | string | The name of the user-assigned identity for the AI Studio hub. If not provided, the hub will use a system-assigned identity. |
 | [`storageAccountConfiguration`](#parameter-storageaccountconfiguration) | object | Configuration for the storage account. |
 | [`tags`](#parameter-tags) | object | Resource tags. |
-| [`virtualMachineConfiguration`](#parameter-virtualmachineconfiguration) | secureObject | Configuration for the virtual machine. |
+| [`virtualMachineConfiguration`](#parameter-virtualmachineconfiguration) | object | Configuration for the virtual machine. |
 | [`virtualNetworkConfiguration`](#parameter-virtualnetworkconfiguration) | object | Configuration for the virtual network. |
 | [`workspaceConfiguration`](#parameter-workspaceconfiguration) | object | Configuration for the AI Studio workspace. |
 
@@ -1106,7 +1106,7 @@ The name of the Log Analytics workspace.
 
 ### Parameter: `managedIdentityName`
 
-The name of the user assigned identity for the AI Studio hub. If not provided, the hub will use a system assigned identity.
+The name of the user-assigned identity for the AI Studio hub. If not provided, the hub will use a system-assigned identity.
 
 - Required: No
 - Type: string
@@ -1172,7 +1172,304 @@ Resource tags.
 Configuration for the virtual machine.
 
 - Required: No
-- Type: secureObject
+- Type: object
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`adminPassword`](#parameter-virtualmachineconfigurationadminpassword) | securestring | The password for the administrator account on the virtual machine. Required if a virtual machine is created as part of the module. |
+| [`adminUsername`](#parameter-virtualmachineconfigurationadminusername) | string | The username for the administrator account on the virtual machine. Required if a virtual machine is created as part of the module. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enableAadLoginExtension`](#parameter-virtualmachineconfigurationenableaadloginextension) | bool | Whether to enable the Microsoft.Azure.ActiveDirectory AADLoginForWindows extension, allowing users to log in to the virtual machine using Microsoft Entra. Defaults to 'false'. |
+| [`enableAzureMonitorAgent`](#parameter-virtualmachineconfigurationenableazuremonitoragent) | bool | Whether to enable the Microsoft.Azure.Monitor AzureMonitorWindowsAgent extension. Defaults to 'false'. |
+| [`enabled`](#parameter-virtualmachineconfigurationenabled) | bool | Whether to create a virtual machine in the associated virtual network. Defaults to 'true'. |
+| [`encryptionAtHost`](#parameter-virtualmachineconfigurationencryptionathost) | bool | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to 'true'. |
+| [`imageReference`](#parameter-virtualmachineconfigurationimagereference) | object | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. |
+| [`maintenanceConfigurationResourceId`](#parameter-virtualmachineconfigurationmaintenanceconfigurationresourceid) | string | The resource Id of a maintenance configuration for the virtual machine. |
+| [`name`](#parameter-virtualmachineconfigurationname) | string | The name of the virtual machine. |
+| [`nicConfigurationConfiguration`](#parameter-virtualmachineconfigurationnicconfigurationconfiguration) | object | Configuration for the virtual machine network interface. |
+| [`osDisk`](#parameter-virtualmachineconfigurationosdisk) | object | Specifies the OS disk. |
+| [`patchMode`](#parameter-virtualmachineconfigurationpatchmode) | string | VM guest patching orchestration mode. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'. |
+| [`size`](#parameter-virtualmachineconfigurationsize) | string | The virtual machine size. Defaults to 'Standard_D2s_v3'. |
+| [`zone`](#parameter-virtualmachineconfigurationzone) | int | The availability zone of the virtual machine. If set to 0, no availability zone is used (default). |
+
+### Parameter: `virtualMachineConfiguration.adminPassword`
+
+The password for the administrator account on the virtual machine. Required if a virtual machine is created as part of the module.
+
+- Required: No
+- Type: securestring
+
+### Parameter: `virtualMachineConfiguration.adminUsername`
+
+The username for the administrator account on the virtual machine. Required if a virtual machine is created as part of the module.
+
+- Required: No
+- Type: string
+
+### Parameter: `virtualMachineConfiguration.enableAadLoginExtension`
+
+Whether to enable the Microsoft.Azure.ActiveDirectory AADLoginForWindows extension, allowing users to log in to the virtual machine using Microsoft Entra. Defaults to 'false'.
+
+- Required: No
+- Type: bool
+
+### Parameter: `virtualMachineConfiguration.enableAzureMonitorAgent`
+
+Whether to enable the Microsoft.Azure.Monitor AzureMonitorWindowsAgent extension. Defaults to 'false'.
+
+- Required: No
+- Type: bool
+
+### Parameter: `virtualMachineConfiguration.enabled`
+
+Whether to create a virtual machine in the associated virtual network. Defaults to 'true'.
+
+- Required: No
+- Type: bool
+
+### Parameter: `virtualMachineConfiguration.encryptionAtHost`
+
+This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to 'true'.
+
+- Required: No
+- Type: bool
+
+### Parameter: `virtualMachineConfiguration.imageReference`
+
+OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image.
+
+- Required: No
+- Type: object
+
+### Parameter: `virtualMachineConfiguration.maintenanceConfigurationResourceId`
+
+The resource Id of a maintenance configuration for the virtual machine.
+
+- Required: No
+- Type: string
+
+### Parameter: `virtualMachineConfiguration.name`
+
+The name of the virtual machine.
+
+- Required: No
+- Type: string
+
+### Parameter: `virtualMachineConfiguration.nicConfigurationConfiguration`
+
+Configuration for the virtual machine network interface.
+
+- Required: No
+- Type: object
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`ipConfigName`](#parameter-virtualmachineconfigurationnicconfigurationconfigurationipconfigname) | string | The name of the IP configuration. |
+| [`name`](#parameter-virtualmachineconfigurationnicconfigurationconfigurationname) | string | The name of the network interface. |
+| [`networkSecurityGroupResourceId`](#parameter-virtualmachineconfigurationnicconfigurationconfigurationnetworksecuritygroupresourceid) | string | The resource ID of an existing network security group to associate with the network interface. |
+| [`privateIPAllocationMethod`](#parameter-virtualmachineconfigurationnicconfigurationconfigurationprivateipallocationmethod) | string | The private IP address allocation method. |
+
+### Parameter: `virtualMachineConfiguration.nicConfigurationConfiguration.ipConfigName`
+
+The name of the IP configuration.
+
+- Required: No
+- Type: string
+
+### Parameter: `virtualMachineConfiguration.nicConfigurationConfiguration.name`
+
+The name of the network interface.
+
+- Required: No
+- Type: string
+
+### Parameter: `virtualMachineConfiguration.nicConfigurationConfiguration.networkSecurityGroupResourceId`
+
+The resource ID of an existing network security group to associate with the network interface.
+
+- Required: No
+- Type: string
+
+### Parameter: `virtualMachineConfiguration.nicConfigurationConfiguration.privateIPAllocationMethod`
+
+The private IP address allocation method.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Dynamic'
+    'Static'
+  ]
+  ```
+
+### Parameter: `virtualMachineConfiguration.osDisk`
+
+Specifies the OS disk.
+
+- Required: No
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`managedDisk`](#parameter-virtualmachineconfigurationosdiskmanageddisk) | object | The managed disk parameters. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`caching`](#parameter-virtualmachineconfigurationosdiskcaching) | string | Specifies the caching requirements. |
+| [`createOption`](#parameter-virtualmachineconfigurationosdiskcreateoption) | string | Specifies how the virtual machine should be created. |
+| [`deleteOption`](#parameter-virtualmachineconfigurationosdiskdeleteoption) | string | Specifies whether data disk should be deleted or detached upon VM deletion. |
+| [`diskSizeGB`](#parameter-virtualmachineconfigurationosdiskdisksizegb) | int | Specifies the size of an empty data disk in gigabytes. |
+| [`name`](#parameter-virtualmachineconfigurationosdiskname) | string | The disk name. |
+
+### Parameter: `virtualMachineConfiguration.osDisk.managedDisk`
+
+The managed disk parameters.
+
+- Required: Yes
+- Type: object
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`diskEncryptionSetResourceId`](#parameter-virtualmachineconfigurationosdiskmanageddiskdiskencryptionsetresourceid) | string | Specifies the customer managed disk encryption set resource id for the managed disk. |
+| [`storageAccountType`](#parameter-virtualmachineconfigurationosdiskmanageddiskstorageaccounttype) | string | Specifies the storage account type for the managed disk. |
+
+### Parameter: `virtualMachineConfiguration.osDisk.managedDisk.diskEncryptionSetResourceId`
+
+Specifies the customer managed disk encryption set resource id for the managed disk.
+
+- Required: No
+- Type: string
+
+### Parameter: `virtualMachineConfiguration.osDisk.managedDisk.storageAccountType`
+
+Specifies the storage account type for the managed disk.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Premium_LRS'
+    'Premium_ZRS'
+    'PremiumV2_LRS'
+    'Standard_LRS'
+    'StandardSSD_LRS'
+    'StandardSSD_ZRS'
+    'UltraSSD_LRS'
+  ]
+  ```
+
+### Parameter: `virtualMachineConfiguration.osDisk.caching`
+
+Specifies the caching requirements.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'None'
+    'ReadOnly'
+    'ReadWrite'
+  ]
+  ```
+
+### Parameter: `virtualMachineConfiguration.osDisk.createOption`
+
+Specifies how the virtual machine should be created.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Attach'
+    'Empty'
+    'FromImage'
+  ]
+  ```
+
+### Parameter: `virtualMachineConfiguration.osDisk.deleteOption`
+
+Specifies whether data disk should be deleted or detached upon VM deletion.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Delete'
+    'Detach'
+  ]
+  ```
+
+### Parameter: `virtualMachineConfiguration.osDisk.diskSizeGB`
+
+Specifies the size of an empty data disk in gigabytes.
+
+- Required: No
+- Type: int
+
+### Parameter: `virtualMachineConfiguration.osDisk.name`
+
+The disk name.
+
+- Required: No
+- Type: string
+
+### Parameter: `virtualMachineConfiguration.patchMode`
+
+VM guest patching orchestration mode. Refer to 'https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching'.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'AutomaticByOS'
+    'AutomaticByPlatform'
+    'Manual'
+  ]
+  ```
+
+### Parameter: `virtualMachineConfiguration.size`
+
+The virtual machine size. Defaults to 'Standard_D2s_v3'.
+
+- Required: No
+- Type: string
+
+### Parameter: `virtualMachineConfiguration.zone`
+
+The availability zone of the virtual machine. If set to 0, no availability zone is used (default).
+
+- Required: No
+- Type: int
+- Allowed:
+  ```Bicep
+  [
+    0
+    1
+    2
+    3
+  ]
+  ```
 
 ### Parameter: `virtualNetworkConfiguration`
 
diff --git a/avm/ptn/ai-platform/baseline/main.bicep b/avm/ptn/ai-platform/baseline/main.bicep
index 7ba33c5974..5a111268da 100644
--- a/avm/ptn/ai-platform/baseline/main.bicep
+++ b/avm/ptn/ai-platform/baseline/main.bicep
@@ -17,35 +17,35 @@ param tags object?
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
-@description('Optional. The name of the user assigned identity for the AI Studio hub. If not provided, the hub will use a system assigned identity.')
+@description('Optional. The name of the user-assigned identity for the AI Studio hub. If not provided, the hub will use a system-assigned identity.')
 param managedIdentityName string?
 
 @description('Optional. Configuration for the Log Analytics workspace.')
-param logAnalyticsConfiguration logAnalyticsConfigurationType
+param logAnalyticsConfiguration logAnalyticsConfigurationType?
 
 @description('Optional. Configuration for the key vault.')
-param keyVaultConfiguration keyVaultConfigurationType
+param keyVaultConfiguration keyVaultConfigurationType?
 
 @description('Optional. Configuration for the storage account.')
-param storageAccountConfiguration storageAccountConfigurationType
+param storageAccountConfiguration storageAccountConfigurationType?
 
 @description('Optional. Configuration for the container registry.')
-param containerRegistryConfiguration containerRegistryConfigurationType
+param containerRegistryConfiguration containerRegistryConfigurationType?
 
 @description('Optional. Configuration for Application Insights.')
-param applicationInsightsConfiguration applicationInsightsConfigurationType
+param applicationInsightsConfiguration applicationInsightsConfigurationType?
 
 @description('Optional. Configuration for the AI Studio workspace.')
-param workspaceConfiguration workspaceConfigurationType
+param workspaceConfiguration workspaceConfigurationType?
 
 @description('Optional. Configuration for the virtual network.')
-param virtualNetworkConfiguration virtualNetworkConfigurationType
+param virtualNetworkConfiguration virtualNetworkConfigurationType?
 
 @description('Optional. Configuration for the Azure Bastion host.')
-param bastionConfiguration bastionConfigurationType
+param bastionConfiguration bastionConfigurationType?
 
 @description('Optional. Configuration for the virtual machine.')
-param virtualMachineConfiguration virtualMachineConfigurationType
+param virtualMachineConfiguration virtualMachineConfigurationType?
 
 // ============== //
 // Variables      //
@@ -617,19 +617,22 @@ output virtualMachineName string = createVirtualMachine ? virtualMachine.outputs
 // Definitions      //
 // ================ //
 
+@export()
 type logAnalyticsConfigurationType = {
   @description('Optional. The name of the Log Analytics workspace.')
   name: string?
-}?
+}
 
+@export()
 type keyVaultConfigurationType = {
   @description('Optional. The name of the key vault.')
   name: string?
 
   @description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature. Defaults to \'true\'.')
   enablePurgeProtection: bool?
-}?
+}
 
+@export()
 type storageAccountConfigurationType = {
   @description('Optional. The name of the storage account.')
   name: string?
@@ -647,21 +650,24 @@ type storageAccountConfigurationType = {
 
   @description('Optional. Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Microsoft Entra ID. Defaults to \'false\'.')
   allowSharedKeyAccess: bool?
-}?
+}
 
+@export()
 type containerRegistryConfigurationType = {
   @description('Optional. The name of the container registry.')
   name: string?
 
   @description('Optional. Whether the trust policy is enabled for the container registry. Defaults to \'enabled\'.')
   trustPolicyStatus: 'enabled' | 'disabled'?
-}?
+}
 
+@export()
 type applicationInsightsConfigurationType = {
   @description('Optional. The name of the Application Insights resource.')
   name: string?
-}?
+}
 
+@export()
 type workspaceConfigurationType = {
   @description('Optional. The name of the AI Studio workspace hub.')
   name: string?
@@ -676,8 +682,8 @@ type workspaceConfigurationType = {
   networkIsolationMode: 'AllowInternetOutbound' | 'AllowOnlyApprovedOutbound'?
 
   @description('Optional. The outbound rules for the managed network of the workspace hub.')
-  networkOutboundRules: networkOutboundRuleType
-}?
+  networkOutboundRules: networkOutboundRuleType?
+}
 
 type virtualNetworkSubnetConfigurationType = {
   @description('Optional. The name of the subnet to create.')
@@ -688,8 +694,9 @@ type virtualNetworkSubnetConfigurationType = {
 
   @description('Optional. The resource ID of an existing network security group to associate with the subnet.')
   networkSecurityGroupResourceId: string?
-}?
+}
 
+@export()
 type virtualNetworkConfigurationType = {
   @description('Optional. Whether to create an associated virtual network. Defaults to \'true\'.')
   enabled: bool?
@@ -701,9 +708,10 @@ type virtualNetworkConfigurationType = {
   addressPrefix: string?
 
   @description('Optional. Configuration for the virual network subnet.')
-  subnet: virtualNetworkSubnetConfigurationType
-}?
+  subnet: virtualNetworkSubnetConfigurationType?
+}
 
+@export()
 type bastionConfigurationType = {
   @description('Optional. Whether to create a Bastion host in the virtual network. Defaults to \'true\'.')
   enabled: bool?
@@ -737,7 +745,7 @@ type bastionConfigurationType = {
 
   @description('Optional. The scale units for the Bastion Host resource.')
   scaleUnits: int?
-}?
+}
 
 type nicConfigurationConfigurationType = {
   @description('Optional. The name of the network interface.')
@@ -751,7 +759,7 @@ type nicConfigurationConfigurationType = {
 
   @description('Optional. The resource ID of an existing network security group to associate with the network interface.')
   networkSecurityGroupResourceId: string?
-}?
+}
 
 type osDiskType = {
   @description('Optional. The disk name.')
@@ -784,9 +792,9 @@ type osDiskType = {
     @description('Optional. Specifies the customer managed disk encryption set resource id for the managed disk.')
     diskEncryptionSetResourceId: string?
   }
-}?
+}
 
-@secure()
+@export()
 type virtualMachineConfigurationType = {
   @description('Optional. Whether to create a virtual machine in the associated virtual network. Defaults to \'true\'.')
   enabled: bool?
@@ -805,16 +813,17 @@ type virtualMachineConfigurationType = {
   adminUsername: string?
 
   @description('Conditional. The password for the administrator account on the virtual machine. Required if a virtual machine is created as part of the module.')
+  @secure()
   adminPassword: string?
 
   @description('Optional. Configuration for the virtual machine network interface.')
-  nicConfigurationConfiguration: nicConfigurationConfigurationType
+  nicConfigurationConfiguration: nicConfigurationConfigurationType?
 
   @description('Optional. OS image reference. In case of marketplace images, it\'s the combination of the publisher, offer, sku, version attributes. In case of custom images it\'s the resource ID of the custom image.')
   imageReference: object?
 
   @description('Optional. Specifies the OS disk.')
-  osDisk: osDiskType
+  osDisk: osDiskType?
 
   @description('Optional. This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to \'true\'.')
   encryptionAtHost: bool?
@@ -830,7 +839,7 @@ type virtualMachineConfigurationType = {
 
   @description('Optional. The resource Id of a maintenance configuration for the virtual machine.')
   maintenanceConfigurationResourceId: string?
-}?
+}
 
 @discriminator('type')
 type OutboundRuleType = FqdnOutboundRuleType | PrivateEndpointOutboundRule | ServiceTagOutboundRule
@@ -890,4 +899,4 @@ type ServiceTagOutboundRule = {
 type networkOutboundRuleType = {
   @sys.description('Required. The outbound rule. The name of the rule is the object key.')
   *: OutboundRuleType
-}?
+}
diff --git a/avm/ptn/ai-platform/baseline/main.json b/avm/ptn/ai-platform/baseline/main.json
index 0729d56e61..c12d3ffe40 100644
--- a/avm/ptn/ai-platform/baseline/main.json
+++ b/avm/ptn/ai-platform/baseline/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "8118431971207259255"
+      "templateHash": "2870627868590310174"
     },
     "name": "AI Platform Baseline",
     "description": "This module provides a secure and scalable environment for deploying AI applications on Azure.\nThe module encompasses all essential components required for building, managing, and observing AI solutions, including a machine learning workspace, observability tools, and necessary data management services.\nBy integrating with Microsoft Entra ID for secure identity management and utilizing private endpoints for services like Key Vault and Blob Storage, the module ensures secure communication and data access.",
@@ -24,7 +24,9 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
     "keyVaultConfigurationType": {
       "type": "object",
@@ -44,7 +46,9 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
     "storageAccountConfigurationType": {
       "type": "object",
@@ -81,7 +85,9 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
     "containerRegistryConfigurationType": {
       "type": "object",
@@ -105,7 +111,9 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
     "applicationInsightsConfigurationType": {
       "type": "object",
@@ -118,7 +126,9 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
     "workspaceConfigurationType": {
       "type": "object",
@@ -157,12 +167,15 @@
         },
         "networkOutboundRules": {
           "$ref": "#/definitions/networkOutboundRuleType",
+          "nullable": true,
           "metadata": {
             "description": "Optional. The outbound rules for the managed network of the workspace hub."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
     "virtualNetworkSubnetConfigurationType": {
       "type": "object",
@@ -188,8 +201,7 @@
             "description": "Optional. The resource ID of an existing network security group to associate with the subnet."
           }
         }
-      },
-      "nullable": true
+      }
     },
     "virtualNetworkConfigurationType": {
       "type": "object",
@@ -217,12 +229,15 @@
         },
         "subnet": {
           "$ref": "#/definitions/virtualNetworkSubnetConfigurationType",
+          "nullable": true,
           "metadata": {
             "description": "Optional. Configuration for the virual network subnet."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
     "bastionConfigurationType": {
       "type": "object",
@@ -309,7 +324,9 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
     "nicConfigurationConfigurationType": {
       "type": "object",
@@ -346,8 +363,7 @@
             "description": "Optional. The resource ID of an existing network security group to associate with the network interface."
           }
         }
-      },
-      "nullable": true
+      }
     },
     "osDiskType": {
       "type": "object",
@@ -432,11 +448,10 @@
             "description": "Required. The managed disk parameters."
           }
         }
-      },
-      "nullable": true
+      }
     },
     "virtualMachineConfigurationType": {
-      "type": "secureObject",
+      "type": "object",
       "properties": {
         "enabled": {
           "type": "bool",
@@ -481,7 +496,7 @@
           }
         },
         "adminPassword": {
-          "type": "string",
+          "type": "securestring",
           "nullable": true,
           "metadata": {
             "description": "Conditional. The password for the administrator account on the virtual machine. Required if a virtual machine is created as part of the module."
@@ -489,6 +504,7 @@
         },
         "nicConfigurationConfiguration": {
           "$ref": "#/definitions/nicConfigurationConfigurationType",
+          "nullable": true,
           "metadata": {
             "description": "Optional. Configuration for the virtual machine network interface."
           }
@@ -502,6 +518,7 @@
         },
         "osDisk": {
           "$ref": "#/definitions/osDiskType",
+          "nullable": true,
           "metadata": {
             "description": "Optional. Specifies the OS disk."
           }
@@ -547,7 +564,9 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
     "OutboundRuleType": {
       "type": "object",
@@ -721,7 +740,6 @@
           "description": "Required. The outbound rule. The name of the rule is the object key."
         }
       },
-      "nullable": true,
       "metadata": {
         "description": "Optional. Outbound rules for the managed network of the workspace hub."
       }
@@ -760,59 +778,68 @@
       "type": "string",
       "nullable": true,
       "metadata": {
-        "description": "Optional. The name of the user assigned identity for the AI Studio hub. If not provided, the hub will use a system assigned identity."
+        "description": "Optional. The name of the user-assigned identity for the AI Studio hub. If not provided, the hub will use a system-assigned identity."
       }
     },
     "logAnalyticsConfiguration": {
       "$ref": "#/definitions/logAnalyticsConfigurationType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration for the Log Analytics workspace."
       }
     },
     "keyVaultConfiguration": {
       "$ref": "#/definitions/keyVaultConfigurationType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration for the key vault."
       }
     },
     "storageAccountConfiguration": {
       "$ref": "#/definitions/storageAccountConfigurationType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration for the storage account."
       }
     },
     "containerRegistryConfiguration": {
       "$ref": "#/definitions/containerRegistryConfigurationType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration for the container registry."
       }
     },
     "applicationInsightsConfiguration": {
       "$ref": "#/definitions/applicationInsightsConfigurationType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration for Application Insights."
       }
     },
     "workspaceConfiguration": {
       "$ref": "#/definitions/workspaceConfigurationType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration for the AI Studio workspace."
       }
     },
     "virtualNetworkConfiguration": {
       "$ref": "#/definitions/virtualNetworkConfigurationType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration for the virtual network."
       }
     },
     "bastionConfiguration": {
       "$ref": "#/definitions/bastionConfigurationType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration for the Azure Bastion host."
       }
     },
     "virtualMachineConfiguration": {
       "$ref": "#/definitions/virtualMachineConfigurationType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration for the virtual machine."
       }
diff --git a/avm/ptn/lz/sub-vending/README.md b/avm/ptn/lz/sub-vending/README.md
index 471c80289f..76930aff30 100644
--- a/avm/ptn/lz/sub-vending/README.md
+++ b/avm/ptn/lz/sub-vending/README.md
@@ -25,9 +25,9 @@ This module deploys a subscription to accelerate deployment of landing zones. Fo
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
 | `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/virtualHubs/hubVirtualNetworkConnections) |
-| `Microsoft.Network/virtualNetworks` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/virtualNetworks) |
-| `Microsoft.Network/virtualNetworks/subnets` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/virtualNetworks/subnets) |
-| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/virtualNetworks/virtualNetworkPeerings) |
+| `Microsoft.Network/virtualNetworks` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-01-01/virtualNetworks) |
+| `Microsoft.Network/virtualNetworks/subnets` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-01-01/virtualNetworks/subnets) |
+| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-01-01/virtualNetworks/virtualNetworkPeerings) |
 | `Microsoft.Resources/deploymentScripts` | [2023-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2023-08-01/deploymentScripts) |
 | `Microsoft.Resources/resourceGroups` | [2021-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/2021-04-01/resourceGroups) |
 | `Microsoft.Resources/tags` | [2019-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Resources/tags) |
@@ -1230,7 +1230,6 @@ The name of the virtual network. The string must consist of a-z, A-Z, 0-9, -, _,
 
 - Required: No
 - Type: string
-- Default: `''`
 
 ### Parameter: `virtualNetworkPeeringEnabled`
 
diff --git a/avm/ptn/lz/sub-vending/main.bicep b/avm/ptn/lz/sub-vending/main.bicep
index a21681711f..832fabd70e 100644
--- a/avm/ptn/lz/sub-vending/main.bicep
+++ b/avm/ptn/lz/sub-vending/main.bicep
@@ -122,10 +122,11 @@ param virtualNetworkResourceGroupLockEnabled bool = true
 ''')
 param virtualNetworkLocation string = deployment().location
 
+@minLength(2)
 @maxLength(64)
 @description('''Optional. The name of the virtual network. The string must consist of a-z, A-Z, 0-9, -, _, and . (period) and be between 2 and 64 characters in length.
 ''')
-param virtualNetworkName string = ''
+param virtualNetworkName string?
 
 @description('''Optional. An object of tag key/value pairs to be set on the Virtual Network that is created.
 
diff --git a/avm/ptn/lz/sub-vending/main.json b/avm/ptn/lz/sub-vending/main.json
index 752668dbf3..730e310ed9 100644
--- a/avm/ptn/lz/sub-vending/main.json
+++ b/avm/ptn/lz/sub-vending/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "15801074137418249415"
+      "templateHash": "15876773286910776098"
     },
     "name": "Sub-vending",
     "description": "This module deploys a subscription to accelerate deployment of landing zones. For more information on how to use it, please visit this [Wiki](https://github.com/Azure/bicep-lz-vending/wiki).",
@@ -354,7 +354,8 @@
     },
     "virtualNetworkName": {
       "type": "string",
-      "defaultValue": "",
+      "nullable": true,
+      "minLength": 2,
       "maxLength": 64,
       "metadata": {
         "description": "Optional. The name of the virtual network. The string must consist of a-z, A-Z, 0-9, -, _, and . (period) and be between 2 and 64 characters in length.\n"
diff --git a/avm/res/virtual-machine-images/image-template/README.md b/avm/res/virtual-machine-images/image-template/README.md
index 22bfaaa10a..35506743de 100644
--- a/avm/res/virtual-machine-images/image-template/README.md
+++ b/avm/res/virtual-machine-images/image-template/README.md
@@ -58,14 +58,14 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
       type: 'PlatformImage'
       version: 'latest'
     }
+    name: 'vmiitmin001'
+    // Non-required parameters
+    location: '<location>'
     managedIdentities: {
       userAssignedResourceIds: [
         '<managedIdentityResourceId>'
       ]
     }
-    name: 'vmiitmin001'
-    // Non-required parameters
-    location: '<location>'
   }
 }
 ```
@@ -100,19 +100,19 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
         "version": "latest"
       }
     },
-    "managedIdentities": {
-      "value": {
-        "userAssignedResourceIds": [
-          "<managedIdentityResourceId>"
-        ]
-      }
-    },
     "name": {
       "value": "vmiitmin001"
     },
     // Non-required parameters
     "location": {
       "value": "<location>"
+    },
+    "managedIdentities": {
+      "value": {
+        "userAssignedResourceIds": [
+          "<managedIdentityResourceId>"
+        ]
+      }
     }
   }
 }
@@ -142,14 +142,14 @@ param imageSource = {
   type: 'PlatformImage'
   version: 'latest'
 }
+param name = 'vmiitmin001'
+// Non-required parameters
+param location = '<location>'
 param managedIdentities = {
   userAssignedResourceIds: [
     '<managedIdentityResourceId>'
   ]
 }
-param name = 'vmiitmin001'
-// Non-required parameters
-param location = '<location>'
 ```
 
 </details>
@@ -194,11 +194,6 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
       type: 'PlatformImage'
       version: 'latest'
     }
-    managedIdentities: {
-      userAssignedResourceIds: [
-        '<managedIdentityResourceId>'
-      ]
-    }
     name: 'vmiitmax001'
     // Non-required parameters
     buildTimeoutInMinutes: 60
@@ -227,6 +222,11 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
       kind: 'CanNotDelete'
       name: 'myCustomLockName'
     }
+    managedIdentities: {
+      userAssignedResourceIds: [
+        '<managedIdentityResourceId>'
+      ]
+    }
     optimizeVmBoot: 'Enabled'
     osDiskSizeGB: 127
     roleAssignments: [
@@ -318,13 +318,6 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
         "version": "latest"
       }
     },
-    "managedIdentities": {
-      "value": {
-        "userAssignedResourceIds": [
-          "<managedIdentityResourceId>"
-        ]
-      }
-    },
     "name": {
       "value": "vmiitmax001"
     },
@@ -363,6 +356,13 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
         "name": "myCustomLockName"
       }
     },
+    "managedIdentities": {
+      "value": {
+        "userAssignedResourceIds": [
+          "<managedIdentityResourceId>"
+        ]
+      }
+    },
     "optimizeVmBoot": {
       "value": "Enabled"
     },
@@ -466,11 +466,6 @@ param imageSource = {
   type: 'PlatformImage'
   version: 'latest'
 }
-param managedIdentities = {
-  userAssignedResourceIds: [
-    '<managedIdentityResourceId>'
-  ]
-}
 param name = 'vmiitmax001'
 // Non-required parameters
 param buildTimeoutInMinutes = 60
@@ -499,6 +494,11 @@ param lock = {
   kind: 'CanNotDelete'
   name: 'myCustomLockName'
 }
+param managedIdentities = {
+  userAssignedResourceIds: [
+    '<managedIdentityResourceId>'
+  ]
+}
 param optimizeVmBoot = 'Enabled'
 param osDiskSizeGB = 127
 param roleAssignments = [
@@ -576,11 +576,6 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
       type: 'PlatformImage'
       version: 'latest'
     }
-    managedIdentities: {
-      userAssignedResourceIds: [
-        '<managedIdentityResourceId>'
-      ]
-    }
     name: 'vmiitwaf001'
     // Non-required parameters
     customizationSteps: [
@@ -590,6 +585,11 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
       }
     ]
     location: '<location>'
+    managedIdentities: {
+      userAssignedResourceIds: [
+        '<managedIdentityResourceId>'
+      ]
+    }
     subnetResourceId: '<subnetResourceId>'
     tags: {
       Environment: 'Non-Prod'
@@ -630,13 +630,6 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
         "version": "latest"
       }
     },
-    "managedIdentities": {
-      "value": {
-        "userAssignedResourceIds": [
-          "<managedIdentityResourceId>"
-        ]
-      }
-    },
     "name": {
       "value": "vmiitwaf001"
     },
@@ -652,6 +645,13 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
     "location": {
       "value": "<location>"
     },
+    "managedIdentities": {
+      "value": {
+        "userAssignedResourceIds": [
+          "<managedIdentityResourceId>"
+        ]
+      }
+    },
     "subnetResourceId": {
       "value": "<subnetResourceId>"
     },
@@ -690,11 +690,6 @@ param imageSource = {
   type: 'PlatformImage'
   version: 'latest'
 }
-param managedIdentities = {
-  userAssignedResourceIds: [
-    '<managedIdentityResourceId>'
-  ]
-}
 param name = 'vmiitwaf001'
 // Non-required parameters
 param customizationSteps = [
@@ -704,6 +699,11 @@ param customizationSteps = [
   }
 ]
 param location = '<location>'
+param managedIdentities = {
+  userAssignedResourceIds: [
+    '<managedIdentityResourceId>'
+  ]
+}
 param subnetResourceId = '<subnetResourceId>'
 param tags = {
   Environment: 'Non-Prod'
@@ -749,7 +749,7 @@ param tags = {
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a unique image template name. |
+| [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date is used to generate a unique image template name. |
 
 ### Parameter: `distributions`
 
@@ -769,7 +769,7 @@ Image source definition in object format.
 
 The managed identity definition for this resource.
 
-- Required: Yes
+- Required: No
 - Type: object
 
 **Optional parameters**
@@ -782,7 +782,7 @@ The managed identity definition for this resource.
 
 The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.
 
-- Required: Yes
+- Required: No
 - Type: array
 
 ### Parameter: `name`
@@ -1157,7 +1157,7 @@ List of User-Assigned Identities associated to the Build VM for accessing Azure
 
 ### Parameter: `baseTime`
 
-Do not provide a value! This date value is used to generate a unique image template name.
+Do not provide a value! This date is used to generate a unique image template name.
 
 - Required: No
 - Type: string
diff --git a/avm/res/virtual-machine-images/image-template/main.bicep b/avm/res/virtual-machine-images/image-template/main.bicep
index 6d68abacc9..e578df5309 100644
--- a/avm/res/virtual-machine-images/image-template/main.bicep
+++ b/avm/res/virtual-machine-images/image-template/main.bicep
@@ -31,20 +31,22 @@ param customizationSteps array?
 @description('Optional. Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.</p>If this field is empty, a resource group with a random name will be created.</p>If the resource group specified in this field doesn\'t exist, it will be created with the same name.</p>If the resource group specified exists, it must be empty and in the same region as the image template.</p>The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn\'t exist,</p>but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain.')
 param stagingResourceGroupResourceId string?
 
+import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. The lock settings of the service.')
-param lock lockType
+param lock lockType?
 
 @description('Optional. Tags of the resource.')
 param tags object?
 
-@description('Generated. Do not provide a value! This date value is used to generate a unique image template name.')
+@description('Generated. Do not provide a value! This date is used to generate a unique image template name.')
 param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss')
 
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
+param roleAssignments roleAssignmentType[]?
 
 @description('Required. The distribution targets where the image output needs to go to.')
 param distributions distributionType[]
@@ -52,11 +54,12 @@ param distributions distributionType[]
 @description('Optional. List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts. Be aware, the user assigned identities specified in the \'managedIdentities\' parameter must have the \'Managed Identity Operator\' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM.')
 param vmUserAssignedIdentities array = []
 
+import { managedIdentityOnlyUserAssignedType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Required. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
+param managedIdentities managedIdentityOnlyUserAssignedType?
 
 @description('Optional. Configuration options and list of validations to be performed on the resulting image.')
-param validationProcess validationProcessType
+param validationProcess validationProcessType?
 
 @allowed([
   'Enabled'
@@ -182,6 +185,7 @@ resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2023-07-01
           : {})
       )
     ]
+    #disable-next-line BCP225 //  The discriminator property "type" value cannot be determined at compilation time. - which is fine
     validate: validationProcess
     optimize: optimizeVmBoot != null
       ? {
@@ -242,48 +246,11 @@ output location string = imageTemplate.location
 //   Definitions   //
 // =============== //
 
-type lockType = {
-  @description('Optional. Specify the name of lock.')
-  name: string?
-
-  @description('Optional. Specify the type of lock.')
-  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
-  @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
-  name: string?
-
-  @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-  roleDefinitionIdOrName: string
-
-  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
-  principalId: string
-
-  @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
-  @description('Optional. The description of the role assignment.')
-  description: string?
-
-  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-  condition: string?
-
-  @description('Optional. Version of the condition.')
-  conditionVersion: '2.0'?
-
-  @description('Optional. The Resource Id of the delegated managed identity resource.')
-  delegatedManagedIdentityResourceId: string?
-}[]?
-
-type managedIdentitiesType = {
-  @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
-  userAssignedResourceIds: string[]
-}
-
+@export()
 @discriminator('type')
 type distributionType = sharedImageDistributionType | managedImageDistributionType | unManagedDistributionType
 
+@export()
 type sharedImageDistributionType = {
   @description('Optional. The name to be used for the associated RunOutput. If not provided, a name will be calculated.')
   runOutputName: string?
@@ -310,6 +277,7 @@ type sharedImageDistributionType = {
   storageAccountType: ('Standard_LRS' | 'Standard_ZRS')?
 }
 
+@export()
 type unManagedDistributionType = {
   @description('Required. The type of distribution.')
   type: 'VHD'
@@ -324,6 +292,7 @@ type unManagedDistributionType = {
   imageName: string
 }
 
+@export()
 type managedImageDistributionType = {
   @description('Required. The type of distribution.')
   type: 'ManagedImage'
@@ -344,6 +313,7 @@ type managedImageDistributionType = {
   imageName: string
 }
 
+@export()
 type validationProcessType = {
   @description('Optional. If validation fails and this field is set to false, output image(s) will not be distributed. This is the default behavior. If validation fails and this field is set to true, output image(s) will still be distributed. Please use this option with caution as it may result in bad images being distributed for use. In either case (true or false), the end to end image run will be reported as having failed in case of a validation failure. [Note: This field has no effect if validation succeeds.].')
   continueDistributeOnFailure: bool?
@@ -383,4 +353,4 @@ type validationProcessType = {
 
   @description('Optional. If this field is set to true, the image specified in the \'source\' section will directly be validated. No separate build will be run to generate and then validate a customized image. Not supported when performing customizations, validations or distributions on the image.')
   sourceValidationOnly: bool?
-}?
+}
diff --git a/avm/res/virtual-machine-images/image-template/main.json b/avm/res/virtual-machine-images/image-template/main.json
index 8a2d773d7c..b1470f143e 100644
--- a/avm/res/virtual-machine-images/image-template/main.json
+++ b/avm/res/virtual-machine-images/image-template/main.json
@@ -5,126 +5,14 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "7173338220381253397"
+      "version": "0.30.23.60470",
+      "templateHash": "11745682874369411361"
     },
     "name": "Virtual Machine Image Templates",
     "description": "This module deploys a Virtual Machine Image Template that can be consumed by Azure Image Builder (AIB).",
     "owner": "Azure/module-maintainers"
   },
   "definitions": {
-    "lockType": {
-      "type": "object",
-      "properties": {
-        "name": {
-          "type": "string",
-          "nullable": true,
-          "metadata": {
-            "description": "Optional. Specify the name of lock."
-          }
-        },
-        "kind": {
-          "type": "string",
-          "allowedValues": [
-            "CanNotDelete",
-            "None",
-            "ReadOnly"
-          ],
-          "nullable": true,
-          "metadata": {
-            "description": "Optional. Specify the type of lock."
-          }
-        }
-      },
-      "nullable": true
-    },
-    "roleAssignmentType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
-            }
-          },
-          "roleDefinitionIdOrName": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
-            }
-          },
-          "principalId": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
-            }
-          },
-          "principalType": {
-            "type": "string",
-            "allowedValues": [
-              "Device",
-              "ForeignGroup",
-              "Group",
-              "ServicePrincipal",
-              "User"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The principal type of the assigned principal ID."
-            }
-          },
-          "description": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The description of the role assignment."
-            }
-          },
-          "condition": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
-            }
-          },
-          "conditionVersion": {
-            "type": "string",
-            "allowedValues": [
-              "2.0"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Version of the condition."
-            }
-          },
-          "delegatedManagedIdentityResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The Resource Id of the delegated managed identity resource."
-            }
-          }
-        }
-      },
-      "nullable": true
-    },
-    "managedIdentitiesType": {
-      "type": "object",
-      "properties": {
-        "userAssignedResourceIds": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "metadata": {
-            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
-          }
-        }
-      }
-    },
     "distributionType": {
       "type": "object",
       "discriminator": {
@@ -140,6 +28,9 @@
             "$ref": "#/definitions/unManagedDistributionType"
           }
         }
+      },
+      "metadata": {
+        "__bicep_export!": true
       }
     },
     "sharedImageDistributionType": {
@@ -209,6 +100,9 @@
             "description": "Optional. The storage account type of the image. Defaults to [Standard_LRS]."
           }
         }
+      },
+      "metadata": {
+        "__bicep_export!": true
       }
     },
     "unManagedDistributionType": {
@@ -243,6 +137,9 @@
             "description": "Conditional. Name of the managed or unmanaged image that will be created."
           }
         }
+      },
+      "metadata": {
+        "__bicep_export!": true
       }
     },
     "managedImageDistributionType": {
@@ -291,6 +188,9 @@
             "description": "Conditional. Name of the managed or unmanaged image that will be created."
           }
         }
+      },
+      "metadata": {
+        "__bicep_export!": true
       }
     },
     "validationProcessType": {
@@ -403,7 +303,135 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "lockType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the name of lock."
+          }
+        },
+        "kind": {
+          "type": "string",
+          "allowedValues": [
+            "CanNotDelete",
+            "None",
+            "ReadOnly"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the type of lock."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a lock.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "managedIdentityOnlyUserAssignedType": {
+      "type": "object",
+      "properties": {
+        "userAssignedResourceIds": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a managed identity configuration. To be used if only user-assigned identities are supported by the resource provider.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "roleAssignmentType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+          }
+        },
+        "roleDefinitionIdOrName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+          }
+        },
+        "principalId": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+          }
+        },
+        "principalType": {
+          "type": "string",
+          "allowedValues": [
+            "Device",
+            "ForeignGroup",
+            "Group",
+            "ServicePrincipal",
+            "User"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The principal type of the assigned principal ID."
+          }
+        },
+        "description": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The description of the role assignment."
+          }
+        },
+        "condition": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+          }
+        },
+        "conditionVersion": {
+          "type": "string",
+          "allowedValues": [
+            "2.0"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Version of the condition."
+          }
+        },
+        "delegatedManagedIdentityResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The Resource Id of the delegated managed identity resource."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a role assignment.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
     }
   },
   "parameters": {
@@ -472,6 +500,7 @@
     },
     "lock": {
       "$ref": "#/definitions/lockType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The lock settings of the service."
       }
@@ -487,7 +516,7 @@
       "type": "string",
       "defaultValue": "[utcNow('yyyy-MM-dd-HH-mm-ss')]",
       "metadata": {
-        "description": "Generated. Do not provide a value! This date value is used to generate a unique image template name."
+        "description": "Generated. Do not provide a value! This date is used to generate a unique image template name."
       }
     },
     "enableTelemetry": {
@@ -498,7 +527,11 @@
       }
     },
     "roleAssignments": {
-      "$ref": "#/definitions/roleAssignmentType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/roleAssignmentType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. Array of role assignments to create."
       }
@@ -520,13 +553,15 @@
       }
     },
     "managedIdentities": {
-      "$ref": "#/definitions/managedIdentitiesType",
+      "$ref": "#/definitions/managedIdentityOnlyUserAssignedType",
+      "nullable": true,
       "metadata": {
         "description": "Required. The managed identity definition for this resource."
       }
     },
     "validationProcess": {
       "$ref": "#/definitions/validationProcessType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration options and list of validations to be performed on the resulting image."
       }

From 34bc34c65d8adbfce33d6d01231c6be9ab88d8b5 Mon Sep 17 00:00:00 2001
From: jbinko <jbinko+github@gmail.com>
Date: Fri, 25 Oct 2024 17:49:36 +0200
Subject: [PATCH 12/13] fix: avm/ptn/data/private-analytical-workspace -
 failing tests with random locations (#3626)

## Description

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes #3307
-->

Fixes #3307

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |

[![avm.ptn.data.private-analytical-workspace](https://github.com/jbinko/bicep-registry-modules/actions/workflows/avm.ptn.data.private-analytical-workspace.yml/badge.svg?branch=private-analytical-workspace-tests-neu&event=workflow_dispatch)](https://github.com/jbinko/bicep-registry-modules/actions/workflows/avm.ptn.data.private-analytical-workspace.yml)

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
---
 avm/ptn/data/private-analytical-workspace/README.md |  4 ++--
 .../data/private-analytical-workspace/main.bicep    |  2 +-
 avm/ptn/data/private-analytical-workspace/main.json |  4 ++--
 .../tests/e2e/defaults/main.test.bicep              |  9 +++++----
 .../tests/e2e/max/custom.tests.ps1                  |  4 ++--
 .../tests/e2e/max/main.test.bicep                   | 11 ++++++-----
 .../tests/e2e/min-priv/main.test.bicep              |  9 +++++----
 .../tests/e2e/min-pub/main.test.bicep               |  9 +++++----
 .../tests/e2e/uc01-priv/custom.tests.ps1            |  4 ++--
 .../tests/e2e/uc01-priv/main.test.bicep             |  9 +++++----
 .../tests/e2e/uc01-pub/custom.tests.ps1             |  4 ++--
 .../tests/e2e/uc01-pub/main.test.bicep              |  9 +++++----
 .../tests/e2e/uc02-priv/main.test.bicep             | 13 +++++++------
 .../tests/e2e/uc02-pub/main.test.bicep              | 13 +++++++------
 .../tests/e2e/uc03-priv/main.test.bicep             | 13 +++++++------
 .../tests/e2e/uc03-pub/main.test.bicep              | 13 +++++++------
 .../tests/e2e/waf-aligned/custom.tests.ps1          |  4 ++--
 .../tests/e2e/waf-aligned/main.test.bicep           | 11 ++++++-----
 18 files changed, 78 insertions(+), 67 deletions(-)

diff --git a/avm/ptn/data/private-analytical-workspace/README.md b/avm/ptn/data/private-analytical-workspace/README.md
index 151666140c..5f0106847f 100644
--- a/avm/ptn/data/private-analytical-workspace/README.md
+++ b/avm/ptn/data/private-analytical-workspace/README.md
@@ -1266,7 +1266,7 @@ param tags = {
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`advancedOptions`](#parameter-advancedoptions) | object | Additional options that can affect some components of the solution and how they are configured. |
-| [`enableDatabricks`](#parameter-enabledatabricks) | bool | Enable/Disable Azure Databricks service in the solution. |
+| [`enableDatabricks`](#parameter-enabledatabricks) | bool | Enable/Disable Azure Databricks service within the solution. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
 | [`keyVaultResourceId`](#parameter-keyvaultresourceid) | string | If you already have a Key Vault that you want to use with the solution, you can specify it here. Otherwise, this module will create a new Key Vault for you. |
 | [`location`](#parameter-location) | string | Location for all Resources in the solution. |
@@ -1450,7 +1450,7 @@ The name of the existing Private Link Subnet within the Virtual Network in the p
 
 ### Parameter: `enableDatabricks`
 
-Enable/Disable Azure Databricks service in the solution.
+Enable/Disable Azure Databricks service within the solution.
 
 - Required: No
 - Type: bool
diff --git a/avm/ptn/data/private-analytical-workspace/main.bicep b/avm/ptn/data/private-analytical-workspace/main.bicep
index 4d05804216..aa3d8d5f05 100644
--- a/avm/ptn/data/private-analytical-workspace/main.bicep
+++ b/avm/ptn/data/private-analytical-workspace/main.bicep
@@ -17,7 +17,7 @@ param tags object?
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
-@description('Optional. Enable/Disable Azure Databricks service in the solution.')
+@description('Optional. Enable/Disable Azure Databricks service within the solution.')
 param enableDatabricks bool = false
 
 @description('Optional. This option allows the solution to be connected to a VNET that the customer provides. If you have an existing VNET that was made for this solution, you can specify it here. If you do not use this option, this module will make a new VNET for you.')
diff --git a/avm/ptn/data/private-analytical-workspace/main.json b/avm/ptn/data/private-analytical-workspace/main.json
index 34410c46df..ae4fe32df4 100644
--- a/avm/ptn/data/private-analytical-workspace/main.json
+++ b/avm/ptn/data/private-analytical-workspace/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.29.47.4906",
-      "templateHash": "2111096587136126273"
+      "templateHash": "17435710338744006218"
     },
     "name": "private-analytical-workspace",
     "description": "This pattern module enables you to use Azure services that are typical for data analytics solutions. The goal is to help data scientists establish an environment for data analysis simply. It is secure by default for enterprise use. Data scientists should not spend much time on how to build infrastructure solution. They should mainly concentrate on the data analytics components they require for the solution.",
@@ -273,7 +273,7 @@
       "type": "bool",
       "defaultValue": false,
       "metadata": {
-        "description": "Optional. Enable/Disable Azure Databricks service in the solution."
+        "description": "Optional. Enable/Disable Azure Databricks service within the solution."
       }
     },
     "virtualNetworkResourceId": {
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/defaults/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/defaults/main.test.bicep
index 6dba35f966..7294cf0921 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/defaults/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/defaults/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'This instance deploys the module with the minimum set of
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawmin'
@@ -28,7 +29,7 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 // ============== //
@@ -39,7 +40,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
     }
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/max/custom.tests.ps1 b/avm/ptn/data/private-analytical-workspace/tests/e2e/max/custom.tests.ps1
index 3122893b83..79d304745d 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/max/custom.tests.ps1
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/max/custom.tests.ps1
@@ -61,7 +61,7 @@ Describe 'Validate Pattern deployment' {
                     -Tags $expectedTags -LogAnalyticsWorkspaceResourceId $logAnalyticsWorkspaceResourceId -AddressPrefix '192.168.224.0/19' -NumberOfSubnets 3
 
                 Test-VerifySubnet -Subnet $vnet.Subnets[0] -SubnetName 'private-link-subnet' -SubnetAddressPrefix '192.168.224.0/24' `
-                    -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints 4 -NumberOfIpConfigurations 6 -DelegationServiceName $null
+                    -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints 4 -NumberOfIpConfigurations 5 -DelegationServiceName $null
 
                 Test-VerifySubnet -Subnet $vnet.Subnets[1] -SubnetName 'dbw-frontend-subnet' -SubnetAddressPrefix '192.168.228.0/23' `
                     -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints $null -NumberOfIpConfigurations $null -DelegationServiceName 'Microsoft.Databricks/workspaces'
@@ -119,7 +119,7 @@ Describe 'Validate Pattern deployment' {
                 Test-VerifyDatabricks -DatabricksResourceGroupName $databricksResourceGroupName -DatabricksName $databricksName -Tags $expectedTags `
                     -LogAnalyticsWorkspaceResourceId $logAnalyticsWorkspaceResourceId -Sku 'premium' -VirtualNetworkResourceId $virtualNetworkResourceId `
                     -PrivateSubnetName 'dbw-backend-subnet' -PublicSubnetName 'dbw-frontend-subnet' -PEPName0 '-sa-blob-PEP' -PEPName1 '-dbw-auth-PEP' -PEPName2 '-dbw-ui-PEP' `
-                    -BlobNumberOfRecordSets 2 -DatabricksNumberOfRecordSets 5 -PLSubnetName 'private-link-subnet' -PublicNetworkAccess 'Enabled' -RequiredNsgRule 'AllRules'
+                    -BlobNumberOfRecordSets 2 -DatabricksNumberOfRecordSets 4 -PLSubnetName 'private-link-subnet' -PublicNetworkAccess 'Enabled' -RequiredNsgRule 'AllRules'
             }
         }
     }
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/max/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/max/main.test.bicep
index 78427a48ed..2ed8f5a925 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/max/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/max/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'This instance deploys the module with most of its featur
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawmax'
@@ -28,7 +29,7 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 // ============== //
@@ -39,10 +40,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
-      location: resourceLocation
+      location: enforcedLocation
       tags: {
         Owner: 'Contoso MAX Team'
         CostCenter: '123459876'
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/min-priv/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/min-priv/main.test.bicep
index dc1dbbeb45..6fa222de9e 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/min-priv/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/min-priv/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'Isolated network deployment (Minimalistic) - fully priva
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawminpriv'
@@ -28,7 +29,7 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 // ============== //
@@ -39,7 +40,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
       tags: {
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/min-pub/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/min-pub/main.test.bicep
index 133a514ca5..f39b800312 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/min-pub/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/min-pub/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'Isolated network deployment (Minimalistic) - allowed IP
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawminpub'
@@ -28,7 +29,7 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 // ============== //
@@ -39,7 +40,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
       tags: {
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-priv/custom.tests.ps1 b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-priv/custom.tests.ps1
index e42327401d..87735bb251 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-priv/custom.tests.ps1
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-priv/custom.tests.ps1
@@ -61,7 +61,7 @@ Describe 'Validate Pattern deployment' {
                     -Tags $expectedTags -LogAnalyticsWorkspaceResourceId $logAnalyticsWorkspaceResourceId -AddressPrefix '192.168.224.0/19' -NumberOfSubnets 3
 
                 Test-VerifySubnet -Subnet $vnet.Subnets[0] -SubnetName 'private-link-subnet' -SubnetAddressPrefix '192.168.224.0/24' `
-                    -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints 4 -NumberOfIpConfigurations 6 -DelegationServiceName $null
+                    -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints 4 -NumberOfIpConfigurations 5 -DelegationServiceName $null
 
                 Test-VerifySubnet -Subnet $vnet.Subnets[1] -SubnetName 'dbw-frontend-subnet' -SubnetAddressPrefix '192.168.228.0/23' `
                     -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints $null -NumberOfIpConfigurations $null -DelegationServiceName 'Microsoft.Databricks/workspaces'
@@ -119,7 +119,7 @@ Describe 'Validate Pattern deployment' {
                 Test-VerifyDatabricks -DatabricksResourceGroupName $databricksResourceGroupName -DatabricksName $databricksName -Tags $expectedTags `
                     -LogAnalyticsWorkspaceResourceId $logAnalyticsWorkspaceResourceId -Sku 'premium' -VirtualNetworkResourceId $virtualNetworkResourceId `
                     -PrivateSubnetName 'dbw-backend-subnet' -PublicSubnetName 'dbw-frontend-subnet' -PEPName0 '-sa-blob-PEP' -PEPName1 '-dbw-auth-PEP' -PEPName2 '-dbw-ui-PEP' `
-                    -BlobNumberOfRecordSets 2 -DatabricksNumberOfRecordSets 5 -PLSubnetName 'private-link-subnet' -PublicNetworkAccess 'Disabled' -RequiredNsgRule 'NoAzureDatabricksRules'
+                    -BlobNumberOfRecordSets 2 -DatabricksNumberOfRecordSets 4 -PLSubnetName 'private-link-subnet' -PublicNetworkAccess 'Disabled' -RequiredNsgRule 'NoAzureDatabricksRules'
             }
         }
     }
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-priv/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-priv/main.test.bicep
index 69e53118ba..b4bcb77b27 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-priv/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-priv/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'Isolated network deployment - fully private.'
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawuc01priv'
@@ -28,7 +29,7 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 // ============== //
@@ -39,7 +40,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
       tags: {
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-pub/custom.tests.ps1 b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-pub/custom.tests.ps1
index 54c837a355..3f81afeb31 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-pub/custom.tests.ps1
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-pub/custom.tests.ps1
@@ -61,7 +61,7 @@ Describe 'Validate Pattern deployment' {
                     -Tags $expectedTags -LogAnalyticsWorkspaceResourceId $logAnalyticsWorkspaceResourceId -AddressPrefix '192.168.224.0/19' -NumberOfSubnets 3
 
                 Test-VerifySubnet -Subnet $vnet.Subnets[0] -SubnetName 'private-link-subnet' -SubnetAddressPrefix '192.168.224.0/24' `
-                    -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints 4 -NumberOfIpConfigurations 6 -DelegationServiceName $null
+                    -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints 4 -NumberOfIpConfigurations 5 -DelegationServiceName $null
 
                 Test-VerifySubnet -Subnet $vnet.Subnets[1] -SubnetName 'dbw-frontend-subnet' -SubnetAddressPrefix '192.168.228.0/23' `
                     -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints $null -NumberOfIpConfigurations $null -DelegationServiceName 'Microsoft.Databricks/workspaces'
@@ -119,7 +119,7 @@ Describe 'Validate Pattern deployment' {
                 Test-VerifyDatabricks -DatabricksResourceGroupName $databricksResourceGroupName -DatabricksName $databricksName -Tags $expectedTags `
                     -LogAnalyticsWorkspaceResourceId $logAnalyticsWorkspaceResourceId -Sku 'premium' -VirtualNetworkResourceId $virtualNetworkResourceId `
                     -PrivateSubnetName 'dbw-backend-subnet' -PublicSubnetName 'dbw-frontend-subnet' -PEPName0 '-sa-blob-PEP' -PEPName1 '-dbw-auth-PEP' -PEPName2 '-dbw-ui-PEP' `
-                    -BlobNumberOfRecordSets 2 -DatabricksNumberOfRecordSets 5 -PLSubnetName 'private-link-subnet' -PublicNetworkAccess 'Enabled' -RequiredNsgRule 'AllRules'
+                    -BlobNumberOfRecordSets 2 -DatabricksNumberOfRecordSets 4 -PLSubnetName 'private-link-subnet' -PublicNetworkAccess 'Enabled' -RequiredNsgRule 'AllRules'
             }
         }
     }
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-pub/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-pub/main.test.bicep
index 1842a1412c..ec65507b8a 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-pub/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc01-pub/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'Isolated network deployment - allowed IP address.'
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawuc01pub'
@@ -28,7 +29,7 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 // ============== //
@@ -39,7 +40,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
       tags: {
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc02-priv/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc02-priv/main.test.bicep
index 0dd828cb67..3e0b702e8f 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc02-priv/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc02-priv/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'Deployment in an Existing, Enterprise-Specific Virtual N
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawuc02priv'
@@ -28,15 +29,15 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 module nestedDependencies 'dependencies.bicep' = {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  name: '${uniqueString(deployment().name, enforcedLocation)}-nestedDependencies'
   params: {
     virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
-    location: resourceLocation
+    location: enforcedLocation
   }
 }
 
@@ -48,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
       tags: {
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc02-pub/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc02-pub/main.test.bicep
index 8434453c77..14d147df4d 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc02-pub/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc02-pub/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'Deployment in an Existing, Enterprise-Specific Virtual N
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawuc02pub'
@@ -28,14 +29,14 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 module nestedDependencies 'dependencies.bicep' = {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  name: '${uniqueString(deployment().name, enforcedLocation)}-nestedDependencies'
   params: {
-    location: resourceLocation
+    location: enforcedLocation
     virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
   }
 }
@@ -48,7 +49,7 @@ module nestedDependencies 'dependencies.bicep' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
       tags: {
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc03-priv/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc03-priv/main.test.bicep
index 5cdb9ab715..6a2dae197b 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc03-priv/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc03-priv/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'Integration with existing core Infrastructure - fully pr
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawuc03priv'
@@ -28,14 +29,14 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 module nestedDependencies 'dependencies.bicep' = {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  name: '${uniqueString(deployment().name, enforcedLocation)}-nestedDependencies'
   params: {
-    location: resourceLocation
+    location: enforcedLocation
     virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
     logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
     keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
@@ -50,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
       tags: {
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc03-pub/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc03-pub/main.test.bicep
index 71518b8ac4..2c154ddca6 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/uc03-pub/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/uc03-pub/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'Integration with existing core Infrastructure - allowed
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawuc03pub'
@@ -28,14 +29,14 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 module nestedDependencies 'dependencies.bicep' = {
   scope: resourceGroup
-  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  name: '${uniqueString(deployment().name, enforcedLocation)}-nestedDependencies'
   params: {
-    location: resourceLocation
+    location: enforcedLocation
     virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
     logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
     keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}'
@@ -50,7 +51,7 @@ module nestedDependencies 'dependencies.bicep' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
       tags: {
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/waf-aligned/custom.tests.ps1 b/avm/ptn/data/private-analytical-workspace/tests/e2e/waf-aligned/custom.tests.ps1
index b83b0e6465..5b595270d7 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/waf-aligned/custom.tests.ps1
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/waf-aligned/custom.tests.ps1
@@ -61,7 +61,7 @@ Describe 'Validate Pattern deployment' {
                     -Tags $expectedTags -LogAnalyticsWorkspaceResourceId $logAnalyticsWorkspaceResourceId -AddressPrefix '192.168.224.0/19' -NumberOfSubnets 3
 
                 Test-VerifySubnet -Subnet $vnet.Subnets[0] -SubnetName 'private-link-subnet' -SubnetAddressPrefix '192.168.224.0/24' `
-                    -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints 4 -NumberOfIpConfigurations 6 -DelegationServiceName $null
+                    -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints 4 -NumberOfIpConfigurations 5 -DelegationServiceName $null
 
                 Test-VerifySubnet -Subnet $vnet.Subnets[1] -SubnetName 'dbw-frontend-subnet' -SubnetAddressPrefix '192.168.228.0/23' `
                     -NumberOfSecurityGroups 1 -NumberOfPrivateEndpoints $null -NumberOfIpConfigurations $null -DelegationServiceName 'Microsoft.Databricks/workspaces'
@@ -119,7 +119,7 @@ Describe 'Validate Pattern deployment' {
                 Test-VerifyDatabricks -DatabricksResourceGroupName $databricksResourceGroupName -DatabricksName $databricksName -Tags $expectedTags `
                     -LogAnalyticsWorkspaceResourceId $logAnalyticsWorkspaceResourceId -Sku 'premium' -VirtualNetworkResourceId $virtualNetworkResourceId `
                     -PrivateSubnetName 'dbw-backend-subnet' -PublicSubnetName 'dbw-frontend-subnet' -PEPName0 '-sa-blob-PEP' -PEPName1 '-dbw-auth-PEP' -PEPName2 '-dbw-ui-PEP' `
-                    -BlobNumberOfRecordSets 2 -DatabricksNumberOfRecordSets 5 -PLSubnetName 'private-link-subnet' -PublicNetworkAccess 'Disabled' -RequiredNsgRule 'NoAzureDatabricksRules'
+                    -BlobNumberOfRecordSets 2 -DatabricksNumberOfRecordSets 4 -PLSubnetName 'private-link-subnet' -PublicNetworkAccess 'Disabled' -RequiredNsgRule 'NoAzureDatabricksRules'
             }
         }
     }
diff --git a/avm/ptn/data/private-analytical-workspace/tests/e2e/waf-aligned/main.test.bicep b/avm/ptn/data/private-analytical-workspace/tests/e2e/waf-aligned/main.test.bicep
index f013c19214..a2d221f635 100644
--- a/avm/ptn/data/private-analytical-workspace/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/ptn/data/private-analytical-workspace/tests/e2e/waf-aligned/main.test.bicep
@@ -11,8 +11,9 @@ metadata description = 'This instance deploys the module in alignment with the b
 @maxLength(90)
 param resourceGroupName string = 'dep-${namePrefix}-data-privateanalyticalworkspace-${serviceShort}-rg'
 
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
+// enforcing location due to ADB private link behavior
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'northeurope'
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'dpawwaf'
@@ -28,7 +29,7 @@ param namePrefix string = '#_namePrefix_#'
 // =================
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   name: resourceGroupName
-  location: resourceLocation
+  location: enforcedLocation
 }
 
 // ============== //
@@ -39,10 +40,10 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 module testDeployment '../../../main.bicep' = [
   for iteration in ['init', 'idem']: {
     scope: resourceGroup
-    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
-      location: resourceLocation
+      location: enforcedLocation
       tags: {
         'hidden-title': 'This is visible in the resource name'
         Owner: 'Contoso'

From a6fe0c72ccdeac2a059e3516f061ec12cb09ab61 Mon Sep 17 00:00:00 2001
From: Alexander Sehr <ASehr@hotmail.de>
Date: Fri, 25 Oct 2024 17:50:14 +0200
Subject: [PATCH 13/13] fix: Service-Bus - Fixed identity implementation &
 updated UDTs (#3637)

## Description

- Fixed issue with 'Identity' object (`null` is not accepted, changed to
'None')
- Introduced common-types
- Added type exports

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.service-bus.namespace](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.service-bus.namespace.yml/badge.svg?branch=users%2Falsehr%2FserviceBusFix&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.service-bus.namespace.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation
---
 avm/res/service-bus/namespace/README.md       |  145 +-
 avm/res/service-bus/namespace/main.bicep      |  310 +-
 avm/res/service-bus/namespace/main.json       | 2688 +++++++++--------
 .../service-bus/namespace/queue/main.bicep    |   44 +-
 avm/res/service-bus/namespace/queue/main.json |  154 +-
 .../namespace/tests/e2e/encr/main.test.bicep  |    2 +-
 .../namespace/tests/e2e/max/main.test.bicep   |    6 +-
 .../tests/e2e/waf-aligned/main.test.bicep     |   22 -
 avm/res/service-bus/namespace/topic/README.md |  179 +-
 .../service-bus/namespace/topic/main.bicep    |   49 +-
 avm/res/service-bus/namespace/topic/main.json |  447 +--
 11 files changed, 1989 insertions(+), 2057 deletions(-)

diff --git a/avm/res/service-bus/namespace/README.md b/avm/res/service-bus/namespace/README.md
index 1df8014370..2a747277f2 100644
--- a/avm/res/service-bus/namespace/README.md
+++ b/avm/res/service-bus/namespace/README.md
@@ -146,7 +146,7 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
     location: '<location>'
     managedIdentities: {
       systemAssigned: false
-      userAssignedResourcesIds: [
+      userAssignedResourceIds: [
         '<managedIdentityResourceId>'
       ]
     }
@@ -188,7 +188,7 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
     "managedIdentities": {
       "value": {
         "systemAssigned": false,
-        "userAssignedResourcesIds": [
+        "userAssignedResourceIds": [
           "<managedIdentityResourceId>"
         ]
       }
@@ -224,7 +224,7 @@ param customerManagedKey = {
 param location = '<location>'
 param managedIdentities = {
   systemAssigned: false
-  userAssignedResourcesIds: [
+  userAssignedResourceIds: [
     '<managedIdentityResourceId>'
   ]
 }
@@ -297,7 +297,7 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
     }
     managedIdentities: {
       systemAssigned: true
-      userAssignedResourcesIds: [
+      userAssignedResourceIds: [
         '<managedIdentityResourceId>'
       ]
     }
@@ -560,7 +560,7 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
     "managedIdentities": {
       "value": {
         "systemAssigned": true,
-        "userAssignedResourcesIds": [
+        "userAssignedResourceIds": [
           "<managedIdentityResourceId>"
         ]
       }
@@ -829,7 +829,7 @@ param lock = {
 }
 param managedIdentities = {
   systemAssigned: true
-  userAssignedResourcesIds: [
+  userAssignedResourceIds: [
     '<managedIdentityResourceId>'
   ]
 }
@@ -1062,19 +1062,7 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
         workspaceResourceId: '<workspaceResourceId>'
       }
     ]
-    disableLocalAuth: true
     location: '<location>'
-    lock: {
-      kind: 'CanNotDelete'
-      name: 'myCustomLockName'
-    }
-    managedIdentities: {
-      systemAssigned: true
-      userAssignedResourcesIds: [
-        '<managedIdentityResourceId>'
-      ]
-    }
-    minimumTlsVersion: '1.2'
     networkRuleSets: {
       defaultAction: 'Deny'
       ipRules: [
@@ -1095,7 +1083,6 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
         }
       ]
     }
-    premiumMessagingPartitions: 1
     privateEndpoints: [
       {
         privateDnsZoneGroup: {
@@ -1140,11 +1127,6 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
         roleAssignments: []
       }
     ]
-    roleAssignments: []
-    skuObject: {
-      capacity: 2
-      name: 'Premium'
-    }
     tags: {
       Environment: 'Non-Prod'
       'hidden-title': 'This is visible in the resource name'
@@ -1223,29 +1205,9 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
         }
       ]
     },
-    "disableLocalAuth": {
-      "value": true
-    },
     "location": {
       "value": "<location>"
     },
-    "lock": {
-      "value": {
-        "kind": "CanNotDelete",
-        "name": "myCustomLockName"
-      }
-    },
-    "managedIdentities": {
-      "value": {
-        "systemAssigned": true,
-        "userAssignedResourcesIds": [
-          "<managedIdentityResourceId>"
-        ]
-      }
-    },
-    "minimumTlsVersion": {
-      "value": "1.2"
-    },
     "networkRuleSets": {
       "value": {
         "defaultAction": "Deny",
@@ -1268,9 +1230,6 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
         ]
       }
     },
-    "premiumMessagingPartitions": {
-      "value": 1
-    },
     "privateEndpoints": {
       "value": [
         {
@@ -1321,15 +1280,6 @@ module namespace 'br/public:avm/res/service-bus/namespace:<version>' = {
         }
       ]
     },
-    "roleAssignments": {
-      "value": []
-    },
-    "skuObject": {
-      "value": {
-        "capacity": 2,
-        "name": "Premium"
-      }
-    },
     "tags": {
       "value": {
         "Environment": "Non-Prod",
@@ -1404,19 +1354,7 @@ param diagnosticSettings = [
     workspaceResourceId: '<workspaceResourceId>'
   }
 ]
-param disableLocalAuth = true
 param location = '<location>'
-param lock = {
-  kind: 'CanNotDelete'
-  name: 'myCustomLockName'
-}
-param managedIdentities = {
-  systemAssigned: true
-  userAssignedResourcesIds: [
-    '<managedIdentityResourceId>'
-  ]
-}
-param minimumTlsVersion = '1.2'
 param networkRuleSets = {
   defaultAction: 'Deny'
   ipRules: [
@@ -1437,7 +1375,6 @@ param networkRuleSets = {
     }
   ]
 }
-param premiumMessagingPartitions = 1
 param privateEndpoints = [
   {
     privateDnsZoneGroup: {
@@ -1482,11 +1419,6 @@ param queues = [
     roleAssignments: []
   }
 ]
-param roleAssignments = []
-param skuObject = {
-  capacity: 2
-  name: 'Premium'
-}
 param tags = {
   Environment: 'Non-Prod'
   'hidden-title': 'This is visible in the resource name'
@@ -1690,7 +1622,7 @@ The diagnostic settings of the service.
 | [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection. |
 | [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
 | [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to `[]` to disable metric collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
+| [`name`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting. |
 | [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 | [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 
@@ -1800,7 +1732,7 @@ Enable or disable the category explicitly. Default is `true`.
 
 ### Parameter: `diagnosticSettings.name`
 
-The name of diagnostic setting.
+The name of the diagnostic setting.
 
 - Required: No
 - Type: string
@@ -2127,22 +2059,22 @@ Configuration details for private endpoints. For security reasons, it is recomme
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. |
+| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the Private Endpoint IP configuration is included. |
 | [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. |
-| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. |
+| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the Private Endpoint. |
 | [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. |
-| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. |
+| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints. |
 | [`isManualConnection`](#parameter-privateendpointsismanualconnection) | bool | If Manual Private Link Connection is required. |
-| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. |
+| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the Private Endpoint to. |
 | [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. |
 | [`manualConnectionRequestMessage`](#parameter-privateendpointsmanualconnectionrequestmessage) | string | A message passed to the owner of the remote resource with the manual connection request. |
-| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. |
-| [`privateDnsZoneGroup`](#parameter-privateendpointsprivatednszonegroup) | object | The private DNS zone group to configure for the private endpoint. |
+| [`name`](#parameter-privateendpointsname) | string | The name of the Private Endpoint. |
+| [`privateDnsZoneGroup`](#parameter-privateendpointsprivatednszonegroup) | object | The private DNS Zone Group to configure for the Private Endpoint. |
 | [`privateLinkServiceConnectionName`](#parameter-privateendpointsprivatelinkserviceconnectionname) | string | The name of the private link connection to create. |
-| [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different resource group than the main resource. |
+| [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource. |
 | [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. |
-| [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory". |
-| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. |
+| [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the Private Endpoint for. For example "vault" for a Key Vault Private Endpoint. |
+| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/Resource Groups in this deployment. |
 
 ### Parameter: `privateEndpoints.subnetResourceId`
 
@@ -2153,7 +2085,7 @@ Resource ID of the subnet where the endpoint needs to be created.
 
 ### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds`
 
-Application security groups in which the private endpoint IP configuration is included.
+Application security groups in which the Private Endpoint IP configuration is included.
 
 - Required: No
 - Type: array
@@ -2169,13 +2101,15 @@ Custom DNS configurations.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | Fqdn that resolves to private endpoint IP address. |
 | [`ipAddresses`](#parameter-privateendpointscustomdnsconfigsipaddresses) | array | A list of private IP addresses of the private endpoint. |
 
-**Optional parameters**
+### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
 
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`fqdn`](#parameter-privateendpointscustomdnsconfigsfqdn) | string | FQDN that resolves to private endpoint IP address. |
+Fqdn that resolves to private endpoint IP address.
+
+- Required: No
+- Type: string
 
 ### Parameter: `privateEndpoints.customDnsConfigs.ipAddresses`
 
@@ -2184,16 +2118,9 @@ A list of private IP addresses of the private endpoint.
 - Required: Yes
 - Type: array
 
-### Parameter: `privateEndpoints.customDnsConfigs.fqdn`
-
-FQDN that resolves to private endpoint IP address.
-
-- Required: No
-- Type: string
-
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
-The custom name of the network interface attached to the private endpoint.
+The custom name of the network interface attached to the Private Endpoint.
 
 - Required: No
 - Type: string
@@ -2207,7 +2134,7 @@ Enable/Disable usage telemetry for module.
 
 ### Parameter: `privateEndpoints.ipConfigurations`
 
-A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.
+A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints.
 
 - Required: No
 - Type: array
@@ -2271,7 +2198,7 @@ If Manual Private Link Connection is required.
 
 ### Parameter: `privateEndpoints.location`
 
-The location to deploy the private endpoint to.
+The location to deploy the Private Endpoint to.
 
 - Required: No
 - Type: string
@@ -2321,14 +2248,14 @@ A message passed to the owner of the remote resource with the manual connection
 
 ### Parameter: `privateEndpoints.name`
 
-The name of the private endpoint.
+The name of the Private Endpoint.
 
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.privateDnsZoneGroup`
 
-The private DNS zone group to configure for the private endpoint.
+The private DNS Zone Group to configure for the Private Endpoint.
 
 - Required: No
 - Type: object
@@ -2337,7 +2264,7 @@ The private DNS zone group to configure for the private endpoint.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`privateDnsZoneGroupConfigs`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigs) | array | The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones. |
+| [`privateDnsZoneGroupConfigs`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigs) | array | The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones. |
 
 **Optional parameters**
 
@@ -2347,7 +2274,7 @@ The private DNS zone group to configure for the private endpoint.
 
 ### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs`
 
-The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones.
+The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones.
 
 - Required: Yes
 - Type: array
@@ -2362,7 +2289,7 @@ The private DNS zone groups to associate the private endpoint. A DNS zone group
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`name`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigsname) | string | The name of the private DNS zone group config. |
+| [`name`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigsname) | string | The name of the private DNS Zone Group config. |
 
 ### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs.privateDnsZoneResourceId`
 
@@ -2373,7 +2300,7 @@ The resource id of the private DNS zone.
 
 ### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs.name`
 
-The name of the private DNS zone group config.
+The name of the private DNS Zone Group config.
 
 - Required: No
 - Type: string
@@ -2394,7 +2321,7 @@ The name of the private link connection to create.
 
 ### Parameter: `privateEndpoints.resourceGroupName`
 
-Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.
+Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource.
 
 - Required: No
 - Type: string
@@ -2509,14 +2436,14 @@ The principal type of the assigned principal ID.
 
 ### Parameter: `privateEndpoints.service`
 
-The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory".
+The subresource to deploy the Private Endpoint for. For example "vault" for a Key Vault Private Endpoint.
 
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.tags`
 
-Tags to be applied on all resources/resource groups in this deployment.
+Tags to be applied on all resources/Resource Groups in this deployment.
 
 - Required: No
 - Type: object
diff --git a/avm/res/service-bus/namespace/main.bicep b/avm/res/service-bus/namespace/main.bicep
index 4678c1107a..349cbb4a83 100644
--- a/avm/res/service-bus/namespace/main.bicep
+++ b/avm/res/service-bus/namespace/main.bicep
@@ -33,7 +33,7 @@ param alternateName string?
 param premiumMessagingPartitions int = 1
 
 @description('Optional. Authorization Rules for the Service Bus namespace.')
-param authorizationRules authorizationRuleType = [
+param authorizationRules authorizationRuleType[] = [
   {
     name: 'RootManageSharedAccessKey'
     rights: [
@@ -45,22 +45,26 @@ param authorizationRules authorizationRuleType = [
 ]
 
 @description('Optional. The migration configuration.')
-param migrationConfiguration migrationConfigurationsType
+param migrationConfiguration migrationConfigurationsType?
 
 @description('Optional. The disaster recovery configuration.')
-param disasterRecoveryConfig disasterRecoveryConfigType
+param disasterRecoveryConfig disasterRecoveryConfigType?
 
+import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
+param diagnosticSettings diagnosticSettingFullType[]?
 
+import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. The lock settings of the service.')
-param lock lockType
+param lock lockType?
 
+import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
+param managedIdentities managedIdentityAllType?
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
+param roleAssignments roleAssignmentType[]?
 
 @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
@@ -71,8 +75,9 @@ param roleAssignments roleAssignmentType
 ])
 param publicNetworkAccess string = ''
 
+import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
+param privateEndpoints privateEndpointSingleServiceType[]?
 
 @description('Optional. Configure networking options for Premium SKU Service Bus. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
 param networkRuleSets networkRuleSetType?
@@ -87,13 +92,14 @@ param tags object?
 param enableTelemetry bool = true
 
 @description('Optional. The queues to create in the service bus namespace.')
-param queues queueType?
+param queues queueType[]?
 
 @description('Optional. The topics to create in the service bus namespace.')
-param topics topicType?
+param topics topicType[]?
 
+import { customerManagedKeyType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. The customer managed key definition.')
-param customerManagedKey customerManagedKeyType
+param customerManagedKey customerManagedKeyType?
 
 @description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.')
 param requireInfrastructureEncryption bool = true
@@ -108,7 +114,7 @@ var identity = !empty(managedIdentities)
   ? {
       type: (managedIdentities.?systemAssigned ?? false)
         ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned')
-        : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
+        : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : 'None')
       userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
     }
   : null
@@ -470,193 +476,7 @@ output privateEndpoints array = [
 //   Definitions   //
 // =============== //
 
-type managedIdentitiesType = {
-  @description('Optional. Enables system assigned managed identity on the resource.')
-  systemAssigned: bool?
-
-  @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
-  userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
-  @description('Optional. Specify the name of lock.')
-  name: string?
-
-  @description('Optional. Specify the type of lock.')
-  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
-  @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
-  name: string?
-
-  @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-  roleDefinitionIdOrName: string
-
-  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
-  principalId: string
-
-  @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
-  @description('Optional. The description of the role assignment.')
-  description: string?
-
-  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-  condition: string?
-
-  @description('Optional. Version of the condition.')
-  conditionVersion: '2.0'?
-
-  @description('Optional. The Resource Id of the delegated managed identity resource.')
-  delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
-  @description('Optional. The name of the private endpoint.')
-  name: string?
-
-  @description('Optional. The location to deploy the private endpoint to.')
-  location: string?
-
-  @description('Optional. The name of the private link connection to create.')
-  privateLinkServiceConnectionName: string?
-
-  @description('Optional. The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory".')
-  service: string?
-
-  @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
-  subnetResourceId: string
-
-  @description('Optional. The private DNS zone group to configure for the private endpoint.')
-  privateDnsZoneGroup: {
-    @description('Optional. The name of the Private DNS Zone Group.')
-    name: string?
-
-    @description('Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones.')
-    privateDnsZoneGroupConfigs: {
-      @description('Optional. The name of the private DNS zone group config.')
-      name: string?
-
-      @description('Required. The resource id of the private DNS zone.')
-      privateDnsZoneResourceId: string
-    }[]
-  }?
-
-  @description('Optional. If Manual Private Link Connection is required.')
-  isManualConnection: bool?
-
-  @description('Optional. A message passed to the owner of the remote resource with the manual connection request.')
-  @maxLength(140)
-  manualConnectionRequestMessage: string?
-
-  @description('Optional. Custom DNS configurations.')
-  customDnsConfigs: {
-    @description('Optional. FQDN that resolves to private endpoint IP address.')
-    fqdn: string?
-
-    @description('Required. A list of private IP addresses of the private endpoint.')
-    ipAddresses: string[]
-  }[]?
-
-  @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
-  ipConfigurations: {
-    @description('Required. The name of the resource that is unique within a resource group.')
-    name: string
-
-    @description('Required. Properties of private endpoint IP configurations.')
-    properties: {
-      @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
-      groupId: string
-
-      @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
-      memberName: string
-
-      @description('Required. A private IP address obtained from the private endpoint\'s subnet.')
-      privateIPAddress: string
-    }
-  }[]?
-
-  @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
-  applicationSecurityGroupResourceIds: string[]?
-
-  @description('Optional. The custom name of the network interface attached to the private endpoint.')
-  customNetworkInterfaceName: string?
-
-  @description('Optional. Specify the type of lock.')
-  lock: lockType
-
-  @description('Optional. Array of role assignments to create.')
-  roleAssignments: roleAssignmentType
-
-  @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
-  tags: object?
-
-  @description('Optional. Enable/Disable usage telemetry for module.')
-  enableTelemetry: bool?
-
-  @description('Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.')
-  resourceGroupName: string?
-}[]?
-
-type diagnosticSettingType = {
-  @description('Optional. The name of diagnostic setting.')
-  name: string?
-
-  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection.')
-  logCategoriesAndGroups: {
-    @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
-    category: string?
-
-    @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs.')
-    categoryGroup: string?
-
-    @description('Optional. Enable or disable the category explicitly. Default is `true`.')
-    enabled: bool?
-  }[]?
-
-  @description('Optional. The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to `[]` to disable metric collection.')
-  metricCategories: {
-    @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics.')
-    category: string
-
-    @description('Optional. Enable or disable the category explicitly. Default is `true`.')
-    enabled: bool?
-  }[]?
-
-  @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
-  @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-  workspaceResourceId: string?
-
-  @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-  storageAccountResourceId: string?
-
-  @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-  eventHubAuthorizationRuleResourceId: string?
-
-  @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-  eventHubName: string?
-
-  @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
-  marketplacePartnerResourceId: string?
-}[]?
-
-type customerManagedKeyType = {
-  @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
-  keyVaultResourceId: string
-
-  @description('Required. The name of the customer managed key to use for encryption.')
-  keyName: string
-
-  @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
-  keyVersion: string?
-
-  @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.')
-  userAssignedIdentityResourceId: string?
-}?
-
+@export()
 type skuType = {
   @description('Required. Name of this SKU. - Basic, Standard, Premium.')
   name: ('Basic' | 'Standard' | 'Premium')
@@ -665,14 +485,16 @@ type skuType = {
   capacity: int?
 }
 
+@export()
 type authorizationRuleType = {
   @description('Required. The name of the authorization rule.')
   name: string
 
   @description('Optional. The rights associated with the rule.')
   rights: ('Listen' | 'Manage' | 'Send')[]?
-}[]
+}
 
+@export()
 type disasterRecoveryConfigType = {
   @description('Optional. The name of the disaster recovery config.')
   name: string?
@@ -682,16 +504,18 @@ type disasterRecoveryConfigType = {
 
   @description('Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing.')
   partnerNamespace: string?
-}?
+}
 
+@export()
 type migrationConfigurationsType = {
   @description('Required. Name to access Standard Namespace after migration.')
   postMigrationName: string
 
   @description('Required. Existing premium Namespace resource ID which has no entities, will be used for migration.')
   targetNamespace: string
-}?
+}
 
+@export()
 type networkRuleSetType = {
   @description('Optional. This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.')
   publicNetworkAccess: ('Disabled' | 'Enabled')?
@@ -719,8 +543,9 @@ type networkRuleSetType = {
     @description('Required. The ID of the subnet.')
     subnetResourceId: string
   }[]?
-}?
+}
 
+@export()
 type queueType = {
   @description('Required. The name of the queue.')
   name: string
@@ -738,7 +563,7 @@ type queueType = {
   maxMessageSizeInKilobytes: int?
 
   @description('Optional. Authorization Rules for the Service Bus Queue.')
-  authorizationRules: authorizationRuleType?
+  authorizationRules: authorizationRuleType[]?
 
   @description('Optional. A value that indicates whether this queue has dead letter support when a message expires.')
   deadLetteringOnMessageExpiration: bool?
@@ -777,7 +602,7 @@ type queueType = {
   requiresSession: bool?
 
   @description('Optional. Array of role assignments to create.')
-  roleAssignments: roleAssignmentType?
+  roleAssignments: roleAssignmentType[]?
 
   @description('Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown.')
   status: (
@@ -790,14 +615,16 @@ type queueType = {
     | 'Deleting'
     | 'Renaming'
     | 'Unknown')?
-}[]?
+}
 
+import { subscriptionType } from 'topic/main.bicep'
+@export()
 type topicType = {
   @description('Required. The name of the topic.')
   name: string
 
   @description('Optional. Authorization Rules for the Service Bus Topic.')
-  authorizationRules: authorizationRuleType?
+  authorizationRules: authorizationRuleType[]?
 
   @description('Optional. ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes.')
   autoDeleteOnIdle: string?
@@ -830,7 +657,7 @@ type topicType = {
   requiresDuplicateDetection: bool?
 
   @description('Optional. Array of role assignments to create.')
-  roleAssignments: roleAssignmentType?
+  roleAssignments: roleAssignmentType[]?
 
   @description('Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown.')
   status: (
@@ -848,68 +675,5 @@ type topicType = {
   supportOrdering: bool?
 
   @description('Optional. The subscriptions of the topic.')
-  subscriptions: {
-    @description('Required. The name of the service bus namespace topic subscription.')
-    name: string
-
-    @description('Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes.')
-    autoDeleteOnIdle: string?
-
-    @description('Optional. The properties that are associated with a subscription that is client-affine.')
-    clientAffineProperties: {
-      @description('Required. Indicates the Client ID of the application that created the client-affine subscription.')
-      clientId: string
-
-      @description('Optional. For client-affine subscriptions, this value indicates whether the subscription is durable or not.')
-      isDurable: bool?
-
-      @description('Optional. For client-affine subscriptions, this value indicates whether the subscription is shared or not.')
-      isShared: bool?
-    }?
-
-    @description('Optional. A value that indicates whether a subscription has dead letter support when a message expires.')
-    deadLetteringOnMessageExpiration: bool?
-
-    @description('Optional. A value that indicates whether a subscription has dead letter support when a message expires.')
-    deadLetteringOnFilterEvaluationExceptions: bool?
-
-    @description('Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes.')
-    defaultMessageTimeToLive: string?
-
-    @description('Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes.')
-    duplicateDetectionHistoryTimeWindow: string?
-
-    @description('Optional. A value that indicates whether server-side batched operations are enabled.')
-    enableBatchedOperations: bool?
-
-    @description('Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to.')
-    forwardDeadLetteredMessagesTo: string?
-
-    @description('Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to.')
-    forwardTo: string?
-
-    @description('Optional. A value that indicates whether the subscription supports the concept of session.')
-    isClientAffine: bool?
-
-    @description('Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute.')
-    lockDuration: string?
-
-    @description('Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10.')
-    maxDeliveryCount: int?
-
-    @description('Optional. A value that indicates whether the subscription supports the concept of session.')
-    requiresSession: bool?
-
-    @description('Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown.')
-    status: (
-      | 'Active'
-      | 'Disabled'
-      | 'Restoring'
-      | 'SendDisabled'
-      | 'ReceiveDisabled'
-      | 'Creating'
-      | 'Deleting'
-      | 'Renaming'
-      | 'Unknown')?
-  }[]?
-}[]?
+  subscriptions: subscriptionType[]?
+}
diff --git a/avm/res/service-bus/namespace/main.json b/avm/res/service-bus/namespace/main.json
index 476988e30c..8c5967f54c 100644
--- a/avm/res/service-bus/namespace/main.json
+++ b/avm/res/service-bus/namespace/main.json
@@ -6,1118 +6,1195 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "6478518651645675066"
+      "templateHash": "9114786529076553925"
     },
     "name": "Service Bus Namespaces",
     "description": "This module deploys a Service Bus Namespace.",
     "owner": "Azure/module-maintainers"
   },
   "definitions": {
-    "managedIdentitiesType": {
+    "skuType": {
       "type": "object",
       "properties": {
-        "systemAssigned": {
-          "type": "bool",
+        "name": {
+          "type": "string",
+          "allowedValues": [
+            "Basic",
+            "Premium",
+            "Standard"
+          ],
+          "metadata": {
+            "description": "Required. Name of this SKU. - Basic, Standard, Premium."
+          }
+        },
+        "capacity": {
+          "type": "int",
           "nullable": true,
           "metadata": {
-            "description": "Optional. Enables system assigned managed identity on the resource."
+            "description": "Optional. The specified messaging units for the tier. Only used for Premium Sku tier."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "authorizationRuleType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the authorization rule."
           }
         },
-        "userAssignedResourceIds": {
+        "rights": {
           "type": "array",
-          "items": {
-            "type": "string"
-          },
+          "allowedValues": [
+            "Listen",
+            "Manage",
+            "Send"
+          ],
           "nullable": true,
           "metadata": {
-            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
+            "description": "Optional. The rights associated with the rule."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
-    "lockType": {
+    "disasterRecoveryConfigType": {
       "type": "object",
       "properties": {
         "name": {
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. Specify the name of lock."
+            "description": "Optional. The name of the disaster recovery config."
           }
         },
-        "kind": {
+        "alternateName": {
           "type": "string",
-          "allowedValues": [
-            "CanNotDelete",
-            "None",
-            "ReadOnly"
-          ],
           "nullable": true,
           "metadata": {
-            "description": "Optional. Specify the type of lock."
+            "description": "Optional. Primary/Secondary eventhub namespace name, which is part of GEO DR pairing."
+          }
+        },
+        "partnerNamespace": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
-    "roleAssignmentType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
-            }
-          },
-          "roleDefinitionIdOrName": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
-            }
-          },
-          "principalId": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
-            }
-          },
-          "principalType": {
-            "type": "string",
-            "allowedValues": [
-              "Device",
-              "ForeignGroup",
-              "Group",
-              "ServicePrincipal",
-              "User"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The principal type of the assigned principal ID."
-            }
-          },
-          "description": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The description of the role assignment."
-            }
-          },
-          "condition": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
-            }
-          },
-          "conditionVersion": {
-            "type": "string",
-            "allowedValues": [
-              "2.0"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Version of the condition."
-            }
-          },
-          "delegatedManagedIdentityResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The Resource Id of the delegated managed identity resource."
-            }
+    "migrationConfigurationsType": {
+      "type": "object",
+      "properties": {
+        "postMigrationName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Name to access Standard Namespace after migration."
+          }
+        },
+        "targetNamespace": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Existing premium Namespace resource ID which has no entities, will be used for migration."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
-    "privateEndpointType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of the private endpoint."
-            }
-          },
-          "location": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The location to deploy the private endpoint to."
-            }
-          },
-          "privateLinkServiceConnectionName": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of the private link connection to create."
-            }
-          },
-          "service": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The subresource to deploy the private endpoint for. For example \"vault\", \"mysqlServer\" or \"dataFactory\"."
-            }
-          },
-          "subnetResourceId": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. Resource ID of the subnet where the endpoint needs to be created."
-            }
-          },
-          "privateDnsZoneGroup": {
+    "networkRuleSetType": {
+      "type": "object",
+      "properties": {
+        "publicNetworkAccess": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied."
+          }
+        },
+        "defaultAction": {
+          "type": "string",
+          "allowedValues": [
+            "Allow",
+            "Deny"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used."
+          }
+        },
+        "trustedServiceAccessEnabled": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is \"true\". It will not be set if publicNetworkAccess is \"Disabled\"."
+          }
+        },
+        "ipRules": {
+          "type": "array",
+          "items": {
             "type": "object",
             "properties": {
-              "name": {
+              "action": {
                 "type": "string",
-                "nullable": true,
+                "allowedValues": [
+                  "Allow",
+                  "Deny"
+                ],
                 "metadata": {
-                  "description": "Optional. The name of the Private DNS Zone Group."
+                  "description": "Required. The IP filter action."
                 }
               },
-              "privateDnsZoneGroupConfigs": {
-                "type": "array",
-                "items": {
-                  "type": "object",
-                  "properties": {
-                    "name": {
-                      "type": "string",
-                      "nullable": true,
-                      "metadata": {
-                        "description": "Optional. The name of the private DNS zone group config."
-                      }
-                    },
-                    "privateDnsZoneResourceId": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Required. The resource id of the private DNS zone."
-                      }
-                    }
-                  }
-                },
+              "ipMask": {
+                "type": "string",
                 "metadata": {
-                  "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones."
+                  "description": "Required. The IP mask."
                 }
               }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The private DNS zone group to configure for the private endpoint."
-            }
-          },
-          "isManualConnection": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. If Manual Private Link Connection is required."
-            }
-          },
-          "manualConnectionRequestMessage": {
-            "type": "string",
-            "nullable": true,
-            "maxLength": 140,
-            "metadata": {
-              "description": "Optional. A message passed to the owner of the remote resource with the manual connection request."
             }
           },
-          "customDnsConfigs": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "fqdn": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. FQDN that resolves to private endpoint IP address."
-                  }
-                },
-                "ipAddresses": {
-                  "type": "array",
-                  "items": {
-                    "type": "string"
-                  },
-                  "metadata": {
-                    "description": "Required. A list of private IP addresses of the private endpoint."
-                  }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"."
+          }
+        },
+        "virtualNetworkRules": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "ignoreMissingVnetServiceEndpoint": {
+                "type": "bool",
+                "metadata": {
+                  "description": "Required. The virtual network rule name."
                 }
-              }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Custom DNS configurations."
-            }
-          },
-          "ipConfigurations": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "name": {
-                  "type": "string",
-                  "metadata": {
-                    "description": "Required. The name of the resource that is unique within a resource group."
-                  }
-                },
-                "properties": {
-                  "type": "object",
-                  "properties": {
-                    "groupId": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
-                      }
-                    },
-                    "memberName": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
-                      }
-                    },
-                    "privateIPAddress": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Required. A private IP address obtained from the private endpoint's subnet."
-                      }
-                    }
-                  },
-                  "metadata": {
-                    "description": "Required. Properties of private endpoint IP configurations."
-                  }
+              },
+              "subnetResourceId": {
+                "type": "string",
+                "metadata": {
+                  "description": "Required. The ID of the subnet."
                 }
               }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints."
-            }
-          },
-          "applicationSecurityGroupResourceIds": {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Application security groups in which the private endpoint IP configuration is included."
-            }
-          },
-          "customNetworkInterfaceName": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The custom name of the network interface attached to the private endpoint."
-            }
-          },
-          "lock": {
-            "$ref": "#/definitions/lockType",
-            "metadata": {
-              "description": "Optional. Specify the type of lock."
             }
           },
-          "roleAssignments": {
-            "$ref": "#/definitions/roleAssignmentType",
-            "metadata": {
-              "description": "Optional. Array of role assignments to create."
-            }
-          },
-          "tags": {
-            "type": "object",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Tags to be applied on all resources/resource groups in this deployment."
-            }
-          },
-          "enableTelemetry": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Enable/Disable usage telemetry for module."
-            }
-          },
-          "resourceGroupName": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource."
-            }
-          }
-        }
-      },
-      "nullable": true
-    },
-    "diagnosticSettingType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of diagnostic setting."
-            }
-          },
-          "logCategoriesAndGroups": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "category": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
-                  }
-                },
-                "categoryGroup": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
-                  }
-                },
-                "enabled": {
-                  "type": "bool",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Enable or disable the category explicitly. Default is `true`."
-                  }
-                }
-              }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
-            }
-          },
-          "metricCategories": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "category": {
-                  "type": "string",
-                  "metadata": {
-                    "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
-                  }
-                },
-                "enabled": {
-                  "type": "bool",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Enable or disable the category explicitly. Default is `true`."
-                  }
-                }
-              }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
-            }
-          },
-          "logAnalyticsDestinationType": {
-            "type": "string",
-            "allowedValues": [
-              "AzureDiagnostics",
-              "Dedicated"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
-            }
-          },
-          "workspaceResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
-            }
-          },
-          "storageAccountResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
-            }
-          },
-          "eventHubAuthorizationRuleResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
-            }
-          },
-          "eventHubName": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
-            }
-          },
-          "marketplacePartnerResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. List virtual network rules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
-    "customerManagedKeyType": {
+    "queueType": {
       "type": "object",
       "properties": {
-        "keyVaultResourceId": {
+        "name": {
           "type": "string",
           "metadata": {
-            "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from."
+            "description": "Required. The name of the queue."
           }
         },
-        "keyName": {
+        "autoDeleteOnIdle": {
           "type": "string",
+          "nullable": true,
           "metadata": {
-            "description": "Required. The name of the customer managed key to use for encryption."
+            "description": "Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M)."
           }
         },
-        "keyVersion": {
+        "forwardDeadLetteredMessagesTo": {
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'."
+            "description": "Optional. Queue/Topic name to forward the Dead Letter message."
           }
         },
-        "userAssignedIdentityResourceId": {
+        "forwardTo": {
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use."
-          }
-        }
-      },
-      "nullable": true
-    },
-    "skuType": {
-      "type": "object",
-      "properties": {
-        "name": {
-          "type": "string",
-          "allowedValues": [
-            "Basic",
-            "Premium",
-            "Standard"
-          ],
-          "metadata": {
-            "description": "Required. Name of this SKU. - Basic, Standard, Premium."
+            "description": "Optional. Queue/Topic name to forward the messages."
           }
         },
-        "capacity": {
+        "maxMessageSizeInKilobytes": {
           "type": "int",
           "nullable": true,
           "metadata": {
-            "description": "Optional. The specified messaging units for the tier. Only used for Premium Sku tier."
+            "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024."
           }
-        }
-      }
-    },
-    "authorizationRuleType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The name of the authorization rule."
-            }
+        },
+        "authorizationRules": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/authorizationRuleType"
           },
-          "rights": {
-            "type": "array",
-            "allowedValues": [
-              "Listen",
-              "Manage",
-              "Send"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The rights associated with the rule."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Authorization Rules for the Service Bus Queue."
           }
-        }
-      }
-    },
-    "disasterRecoveryConfigType": {
-      "type": "object",
-      "properties": {
-        "name": {
-          "type": "string",
+        },
+        "deadLetteringOnMessageExpiration": {
+          "type": "bool",
           "nullable": true,
           "metadata": {
-            "description": "Optional. The name of the disaster recovery config."
+            "description": "Optional. A value that indicates whether this queue has dead letter support when a message expires."
           }
         },
-        "alternateName": {
+        "defaultMessageTimeToLive": {
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. Primary/Secondary eventhub namespace name, which is part of GEO DR pairing."
+            "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself."
           }
         },
-        "partnerNamespace": {
+        "duplicateDetectionHistoryTimeWindow": {
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. Resource ID of the Primary/Secondary event hub namespace name, which is part of GEO DR pairing."
+            "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes."
           }
-        }
-      },
-      "nullable": true
-    },
-    "migrationConfigurationsType": {
-      "type": "object",
-      "properties": {
-        "postMigrationName": {
-          "type": "string",
+        },
+        "enableBatchedOperations": {
+          "type": "bool",
+          "nullable": true,
           "metadata": {
-            "description": "Required. Name to access Standard Namespace after migration."
+            "description": "Optional. Value that indicates whether server-side batched operations are enabled."
           }
         },
-        "targetNamespace": {
-          "type": "string",
+        "enableExpress": {
+          "type": "bool",
+          "nullable": true,
           "metadata": {
-            "description": "Required. Existing premium Namespace resource ID which has no entities, will be used for migration."
+            "description": "Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. This property is only used if the `service-bus/namespace` sku is Premium."
           }
-        }
-      },
-      "nullable": true
-    },
-    "networkRuleSetType": {
-      "type": "object",
-      "properties": {
-        "publicNetworkAccess": {
-          "type": "string",
-          "allowedValues": [
-            "Disabled",
-            "Enabled"
-          ],
+        },
+        "enablePartitioning": {
+          "type": "bool",
           "nullable": true,
           "metadata": {
-            "description": "Optional. This determines if traffic is allowed over public network. Default is \"Enabled\". If set to \"Disabled\", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied."
+            "description": "Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers."
           }
         },
-        "defaultAction": {
+        "lock": {
+          "$ref": "#/definitions/lockType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The lock settings of the service."
+          }
+        },
+        "lockDuration": {
           "type": "string",
-          "allowedValues": [
-            "Allow",
-            "Deny"
-          ],
           "nullable": true,
           "metadata": {
-            "description": "Optional. Default Action for Network Rule Set. Default is \"Allow\". It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, it will be set to \"Deny\" if ipRules or virtualNetworkRules are being used."
+            "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute."
           }
         },
-        "trustedServiceAccessEnabled": {
+        "maxDeliveryCount": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10."
+          }
+        },
+        "maxSizeInMegabytes": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024."
+          }
+        },
+        "requiresDuplicateDetection": {
           "type": "bool",
           "nullable": true,
           "metadata": {
-            "description": "Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is \"true\". It will not be set if publicNetworkAccess is \"Disabled\"."
+            "description": "Optional. A value indicating if this queue requires duplicate detection."
           }
         },
-        "ipRules": {
-          "type": "array",
-          "items": {
-            "type": "object",
-            "properties": {
-              "action": {
-                "type": "string",
-                "allowedValues": [
-                  "Allow",
-                  "Deny"
-                ],
-                "metadata": {
-                  "description": "Required. The IP filter action."
-                }
-              },
-              "ipMask": {
-                "type": "string",
-                "metadata": {
-                  "description": "Required. The IP mask."
-                }
-              }
-            }
-          },
+        "requiresSession": {
+          "type": "bool",
           "nullable": true,
           "metadata": {
-            "description": "Optional. List of IpRules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"."
+            "description": "Optional. A value that indicates whether the queue supports the concept of sessions."
           }
         },
-        "virtualNetworkRules": {
+        "roleAssignments": {
           "type": "array",
           "items": {
-            "type": "object",
-            "properties": {
-              "ignoreMissingVnetServiceEndpoint": {
-                "type": "bool",
-                "metadata": {
-                  "description": "Required. The virtual network rule name."
-                }
-              },
-              "subnetResourceId": {
-                "type": "string",
-                "metadata": {
-                  "description": "Required. The ID of the subnet."
-                }
-              }
-            }
+            "$ref": "#/definitions/roleAssignmentType"
           },
           "nullable": true,
           "metadata": {
-            "description": "Optional. List virtual network rules. It will not be set if publicNetworkAccess is \"Disabled\". Otherwise, when used, defaultAction will be set to \"Deny\"."
+            "description": "Optional. Array of role assignments to create."
+          }
+        },
+        "status": {
+          "type": "string",
+          "allowedValues": [
+            "Active",
+            "Creating",
+            "Deleting",
+            "Disabled",
+            "ReceiveDisabled",
+            "Renaming",
+            "Restoring",
+            "SendDisabled",
+            "Unknown"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
-    "queueType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The name of the queue."
-            }
-          },
-          "autoDeleteOnIdle": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8061 timeSpan idle interval after which the queue is automatically deleted. The minimum duration is 5 minutes (PT5M)."
-            }
-          },
-          "forwardDeadLetteredMessagesTo": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Queue/Topic name to forward the Dead Letter message."
-            }
-          },
-          "forwardTo": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Queue/Topic name to forward the messages."
-            }
-          },
-          "maxMessageSizeInKilobytes": {
-            "type": "int",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the queue. This property is only used in Premium today and default is 1024."
-            }
-          },
-          "authorizationRules": {
-            "$ref": "#/definitions/authorizationRuleType",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Authorization Rules for the Service Bus Queue."
-            }
-          },
-          "deadLetteringOnMessageExpiration": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether this queue has dead letter support when a message expires."
-            }
-          },
-          "defaultMessageTimeToLive": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself."
-            }
-          },
-          "duplicateDetectionHistoryTimeWindow": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes."
-            }
-          },
-          "enableBatchedOperations": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Value that indicates whether server-side batched operations are enabled."
-            }
-          },
-          "enableExpress": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. This property is only used if the `service-bus/namespace` sku is Premium."
-            }
-          },
-          "enablePartitioning": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether the queue is to be partitioned across multiple message brokers."
-            }
-          },
-          "lock": {
-            "$ref": "#/definitions/lockType",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The lock settings of the service."
-            }
-          },
-          "lockDuration": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute."
-            }
-          },
-          "maxDeliveryCount": {
-            "type": "int",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10."
-            }
-          },
-          "maxSizeInMegabytes": {
-            "type": "int",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024."
-            }
+    "topicType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the topic."
+          }
+        },
+        "authorizationRules": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/authorizationRuleType"
           },
-          "requiresDuplicateDetection": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value indicating if this queue requires duplicate detection."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Authorization Rules for the Service Bus Topic."
+          }
+        },
+        "autoDeleteOnIdle": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes."
+          }
+        },
+        "defaultMessageTimeToLive": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself."
+          }
+        },
+        "duplicateDetectionHistoryTimeWindow": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes."
+          }
+        },
+        "enableBatchedOperations": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Value that indicates whether server-side batched operations are enabled."
+          }
+        },
+        "enableExpress": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. This property is only used if the `service-bus/namespace` sku is Premium."
+          }
+        },
+        "enablePartitioning": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether the topic is to be partitioned across multiple message brokers."
+          }
+        },
+        "lock": {
+          "$ref": "#/definitions/lockType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The lock settings of the service."
+          }
+        },
+        "maxMessageSizeInKilobytes": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024."
+          }
+        },
+        "maxSizeInMegabytes": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024."
+          }
+        },
+        "requiresDuplicateDetection": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value indicating if this topic requires duplicate detection."
+          }
+        },
+        "roleAssignments": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/roleAssignmentType"
           },
-          "requiresSession": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether the queue supports the concept of sessions."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Array of role assignments to create."
+          }
+        },
+        "status": {
+          "type": "string",
+          "allowedValues": [
+            "Active",
+            "Creating",
+            "Deleting",
+            "Disabled",
+            "ReceiveDisabled",
+            "Renaming",
+            "Restoring",
+            "SendDisabled",
+            "Unknown"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
+          }
+        },
+        "supportOrdering": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Value that indicates whether the topic supports ordering."
+          }
+        },
+        "subscriptions": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/subscriptionType"
           },
-          "roleAssignments": {
-            "$ref": "#/definitions/roleAssignmentType",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Array of role assignments to create."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The subscriptions of the topic."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "_1.privateEndpointCustomDnsConfigType": {
+      "type": "object",
+      "properties": {
+        "fqdn": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Required. Fqdn that resolves to private endpoint IP address."
+          }
+        },
+        "ipAddresses": {
+          "type": "array",
+          "items": {
+            "type": "string"
           },
-          "status": {
-            "type": "string",
-            "allowedValues": [
-              "Active",
-              "Creating",
-              "Deleting",
-              "Disabled",
-              "ReceiveDisabled",
-              "Renaming",
-              "Restoring",
-              "SendDisabled",
-              "Unknown"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
-            }
+          "metadata": {
+            "description": "Required. A list of private IP addresses of the private endpoint."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
     },
-    "topicType": {
-      "type": "array",
-      "items": {
-        "type": "object",
+    "_1.privateEndpointIpConfigurationType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the resource that is unique within a resource group."
+          }
+        },
         "properties": {
-          "name": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The name of the topic."
-            }
-          },
-          "authorizationRules": {
-            "$ref": "#/definitions/authorizationRuleType",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Authorization Rules for the Service Bus Topic."
-            }
-          },
-          "autoDeleteOnIdle": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8601 timespan idle interval after which the topic is automatically deleted. The minimum duration is 5 minutes."
-            }
-          },
-          "defaultMessageTimeToLive": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8601 default message timespan to live value. This is the duration after which the message expires, starting from when the message is sent to Service Bus. This is the default value used when TimeToLive is not set on a message itself."
-            }
-          },
-          "duplicateDetectionHistoryTimeWindow": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8601 timeSpan structure that defines the duration of the duplicate detection history. The default value is 10 minutes."
-            }
-          },
-          "enableBatchedOperations": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Value that indicates whether server-side batched operations are enabled."
-            }
-          },
-          "enableExpress": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. This property is only used if the `service-bus/namespace` sku is Premium."
-            }
-          },
-          "enablePartitioning": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether the topic is to be partitioned across multiple message brokers."
-            }
-          },
-          "lock": {
-            "$ref": "#/definitions/lockType",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The lock settings of the service."
-            }
-          },
-          "maxMessageSizeInKilobytes": {
-            "type": "int",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024."
-            }
-          },
-          "maxSizeInMegabytes": {
-            "type": "int",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024."
-            }
-          },
-          "requiresDuplicateDetection": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value indicating if this topic requires duplicate detection."
-            }
-          },
-          "roleAssignments": {
-            "$ref": "#/definitions/roleAssignmentType",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Array of role assignments to create."
-            }
-          },
-          "status": {
-            "type": "string",
-            "allowedValues": [
-              "Active",
-              "Creating",
-              "Deleting",
-              "Disabled",
-              "ReceiveDisabled",
-              "Renaming",
-              "Restoring",
-              "SendDisabled",
-              "Unknown"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
+          "type": "object",
+          "properties": {
+            "groupId": {
+              "type": "string",
+              "metadata": {
+                "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
+              }
+            },
+            "memberName": {
+              "type": "string",
+              "metadata": {
+                "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
+              }
+            },
+            "privateIPAddress": {
+              "type": "string",
+              "metadata": {
+                "description": "Required. A private IP address obtained from the private endpoint's subnet."
+              }
             }
           },
-          "supportOrdering": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Value that indicates whether the topic supports ordering."
+          "metadata": {
+            "description": "Required. Properties of private endpoint IP configurations."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "_1.privateEndpointPrivateDnsZoneGroupType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the Private DNS Zone Group."
+          }
+        },
+        "privateDnsZoneGroupConfigs": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. The name of the private DNS Zone Group config."
+                }
+              },
+              "privateDnsZoneResourceId": {
+                "type": "string",
+                "metadata": {
+                  "description": "Required. The resource id of the private DNS zone."
+                }
+              }
             }
           },
-          "subscriptions": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "name": {
-                  "type": "string",
-                  "metadata": {
-                    "description": "Required. The name of the service bus namespace topic subscription."
-                  }
-                },
-                "autoDeleteOnIdle": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes."
-                  }
-                },
-                "clientAffineProperties": {
-                  "type": "object",
-                  "properties": {
-                    "clientId": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Required. Indicates the Client ID of the application that created the client-affine subscription."
-                      }
-                    },
-                    "isDurable": {
-                      "type": "bool",
-                      "nullable": true,
-                      "metadata": {
-                        "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is durable or not."
-                      }
-                    },
-                    "isShared": {
-                      "type": "bool",
-                      "nullable": true,
-                      "metadata": {
-                        "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is shared or not."
-                      }
-                    }
-                  },
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. The properties that are associated with a subscription that is client-affine."
-                  }
-                },
-                "deadLetteringOnMessageExpiration": {
-                  "type": "bool",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
-                  }
-                },
-                "deadLetteringOnFilterEvaluationExceptions": {
-                  "type": "bool",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
-                  }
-                },
-                "defaultMessageTimeToLive": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes."
-                  }
-                },
-                "duplicateDetectionHistoryTimeWindow": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes."
-                  }
-                },
-                "enableBatchedOperations": {
-                  "type": "bool",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. A value that indicates whether server-side batched operations are enabled."
-                  }
-                },
-                "forwardDeadLetteredMessagesTo": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
-                  }
-                },
-                "forwardTo": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
-                  }
-                },
-                "isClientAffine": {
-                  "type": "bool",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. A value that indicates whether the subscription supports the concept of session."
-                  }
-                },
-                "lockDuration": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute."
-                  }
-                },
-                "maxDeliveryCount": {
-                  "type": "int",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10."
-                  }
-                },
-                "requiresSession": {
-                  "type": "bool",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. A value that indicates whether the subscription supports the concept of session."
-                  }
-                },
-                "status": {
-                  "type": "string",
-                  "allowedValues": [
-                    "Active",
-                    "Creating",
-                    "Deleting",
-                    "Disabled",
-                    "ReceiveDisabled",
-                    "Renaming",
-                    "Restoring",
-                    "SendDisabled",
-                    "Unknown"
-                  ],
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
-                  }
+          "metadata": {
+            "description": "Required. The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "customerManagedKeyType": {
+      "type": "object",
+      "properties": {
+        "keyVaultResourceId": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from."
+          }
+        },
+        "keyName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the customer managed key to use for encryption."
+          }
+        },
+        "keyVersion": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'."
+          }
+        },
+        "userAssignedIdentityResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a customer-managed key.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "diagnosticSettingFullType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the diagnostic setting."
+          }
+        },
+        "logCategoriesAndGroups": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "category": {
+                "type": "string",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
                 }
+              },
+              "categoryGroup": {
+                "type": "string",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+                }
+              },
+              "enabled": {
+                "type": "bool",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+                }
+              }
+            }
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
+          }
+        },
+        "metricCategories": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "category": {
+                "type": "string",
+                "metadata": {
+                  "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
+                }
+              },
+              "enabled": {
+                "type": "bool",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+                }
+              }
+            }
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
+          }
+        },
+        "logAnalyticsDestinationType": {
+          "type": "string",
+          "allowedValues": [
+            "AzureDiagnostics",
+            "Dedicated"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+          }
+        },
+        "workspaceResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+          }
+        },
+        "storageAccountResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+          }
+        },
+        "eventHubAuthorizationRuleResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+          }
+        },
+        "eventHubName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+          }
+        },
+        "marketplacePartnerResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "lockType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the name of lock."
+          }
+        },
+        "kind": {
+          "type": "string",
+          "allowedValues": [
+            "CanNotDelete",
+            "None",
+            "ReadOnly"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the type of lock."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a lock.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "managedIdentityAllType": {
+      "type": "object",
+      "properties": {
+        "systemAssigned": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Enables system assigned managed identity on the resource."
+          }
+        },
+        "userAssignedResourceIds": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "privateEndpointSingleServiceType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the Private Endpoint."
+          }
+        },
+        "location": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The location to deploy the Private Endpoint to."
+          }
+        },
+        "privateLinkServiceConnectionName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the private link connection to create."
+          }
+        },
+        "service": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The subresource to deploy the Private Endpoint for. For example \"vault\" for a Key Vault Private Endpoint."
+          }
+        },
+        "subnetResourceId": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Resource ID of the subnet where the endpoint needs to be created."
+          }
+        },
+        "privateDnsZoneGroup": {
+          "$ref": "#/definitions/_1.privateEndpointPrivateDnsZoneGroupType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The private DNS Zone Group to configure for the Private Endpoint."
+          }
+        },
+        "isManualConnection": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. If Manual Private Link Connection is required."
+          }
+        },
+        "manualConnectionRequestMessage": {
+          "type": "string",
+          "nullable": true,
+          "maxLength": 140,
+          "metadata": {
+            "description": "Optional. A message passed to the owner of the remote resource with the manual connection request."
+          }
+        },
+        "customDnsConfigs": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/_1.privateEndpointCustomDnsConfigType"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Custom DNS configurations."
+          }
+        },
+        "ipConfigurations": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/_1.privateEndpointIpConfigurationType"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints."
+          }
+        },
+        "applicationSecurityGroupResourceIds": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Application security groups in which the Private Endpoint IP configuration is included."
+          }
+        },
+        "customNetworkInterfaceName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The custom name of the network interface attached to the Private Endpoint."
+          }
+        },
+        "lock": {
+          "$ref": "#/definitions/lockType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the type of lock."
+          }
+        },
+        "roleAssignments": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/roleAssignmentType"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Array of role assignments to create."
+          }
+        },
+        "tags": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Tags to be applied on all resources/Resource Groups in this deployment."
+          }
+        },
+        "enableTelemetry": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Enable/Disable usage telemetry for module."
+          }
+        },
+        "resourceGroupName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can be assumed (i.e., for services that only have one Private Endpoint type like 'vault' for key vault).",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "roleAssignmentType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+          }
+        },
+        "roleDefinitionIdOrName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+          }
+        },
+        "principalId": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+          }
+        },
+        "principalType": {
+          "type": "string",
+          "allowedValues": [
+            "Device",
+            "ForeignGroup",
+            "Group",
+            "ServicePrincipal",
+            "User"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The principal type of the assigned principal ID."
+          }
+        },
+        "description": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The description of the role assignment."
+          }
+        },
+        "condition": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+          }
+        },
+        "conditionVersion": {
+          "type": "string",
+          "allowedValues": [
+            "2.0"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Version of the condition."
+          }
+        },
+        "delegatedManagedIdentityResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The Resource Id of the delegated managed identity resource."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a role assignment.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
+    },
+    "subscriptionType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the service bus namespace topic subscription."
+          }
+        },
+        "autoDeleteOnIdle": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes."
+          }
+        },
+        "clientAffineProperties": {
+          "type": "object",
+          "properties": {
+            "clientId": {
+              "type": "string",
+              "metadata": {
+                "description": "Required. Indicates the Client ID of the application that created the client-affine subscription."
+              }
+            },
+            "isDurable": {
+              "type": "bool",
+              "nullable": true,
+              "metadata": {
+                "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is durable or not."
               }
             },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The subscriptions of the topic."
+            "isShared": {
+              "type": "bool",
+              "nullable": true,
+              "metadata": {
+                "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is shared or not."
+              }
             }
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The properties that are associated with a subscription that is client-affine."
+          }
+        },
+        "deadLetteringOnMessageExpiration": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
+          }
+        },
+        "deadLetteringOnFilterEvaluationExceptions": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
+          }
+        },
+        "defaultMessageTimeToLive": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes."
+          }
+        },
+        "duplicateDetectionHistoryTimeWindow": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes."
+          }
+        },
+        "enableBatchedOperations": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether server-side batched operations are enabled."
+          }
+        },
+        "forwardDeadLetteredMessagesTo": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
+          }
+        },
+        "forwardTo": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
+          }
+        },
+        "isClientAffine": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether the subscription supports the concept of session."
+          }
+        },
+        "lockDuration": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute."
+          }
+        },
+        "maxDeliveryCount": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10."
+          }
+        },
+        "requiresSession": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether the subscription supports the concept of session."
+          }
+        },
+        "status": {
+          "type": "string",
+          "allowedValues": [
+            "Active",
+            "Creating",
+            "Deleting",
+            "Disabled",
+            "ReceiveDisabled",
+            "Renaming",
+            "Restoring",
+            "SendDisabled",
+            "Unknown"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "topic/main.bicep"
+        }
+      }
     }
   },
   "parameters": {
@@ -1179,7 +1256,10 @@
       }
     },
     "authorizationRules": {
-      "$ref": "#/definitions/authorizationRuleType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/authorizationRuleType"
+      },
       "defaultValue": [
         {
           "name": "RootManageSharedAccessKey",
@@ -1196,36 +1276,48 @@
     },
     "migrationConfiguration": {
       "$ref": "#/definitions/migrationConfigurationsType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The migration configuration."
       }
     },
     "disasterRecoveryConfig": {
       "$ref": "#/definitions/disasterRecoveryConfigType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The disaster recovery configuration."
       }
     },
     "diagnosticSettings": {
-      "$ref": "#/definitions/diagnosticSettingType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/diagnosticSettingFullType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. The diagnostic settings of the service."
       }
     },
     "lock": {
       "$ref": "#/definitions/lockType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The lock settings of the service."
       }
     },
     "managedIdentities": {
-      "$ref": "#/definitions/managedIdentitiesType",
+      "$ref": "#/definitions/managedIdentityAllType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The managed identity definition for this resource."
       }
     },
     "roleAssignments": {
-      "$ref": "#/definitions/roleAssignmentType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/roleAssignmentType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. Array of role assignments to create."
       }
@@ -1244,7 +1336,11 @@
       }
     },
     "privateEndpoints": {
-      "$ref": "#/definitions/privateEndpointType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/privateEndpointSingleServiceType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible."
       }
@@ -1278,14 +1374,20 @@
       }
     },
     "queues": {
-      "$ref": "#/definitions/queueType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/queueType"
+      },
       "nullable": true,
       "metadata": {
         "description": "Optional. The queues to create in the service bus namespace."
       }
     },
     "topics": {
-      "$ref": "#/definitions/topicType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/topicType"
+      },
       "nullable": true,
       "metadata": {
         "description": "Optional. The topics to create in the service bus namespace."
@@ -1293,6 +1395,7 @@
     },
     "customerManagedKey": {
       "$ref": "#/definitions/customerManagedKeyType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The customer managed key definition."
       }
@@ -1314,7 +1417,7 @@
       }
     ],
     "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",
-    "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', null())), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
+    "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned, UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]",
     "builtInRoleNames": {
       "Azure Service Bus Data Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
       "Azure Service Bus Data Receiver": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
@@ -2024,110 +2127,117 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "13425705366730697938"
+              "templateHash": "1473006512521228493"
+            },
+            "name": "Service Bus Namespace Queue",
+            "description": "This module deploys a Service Bus Namespace Queue.",
+            "owner": "Azure/module-maintainers"
+          },
+          "definitions": {
+            "lockType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Specify the name of lock."
+                  }
+                },
+                "kind": {
+                  "type": "string",
+                  "allowedValues": [
+                    "CanNotDelete",
+                    "None",
+                    "ReadOnly"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Specify the type of lock."
+                  }
+                }
+              },
+              "metadata": {
+                "description": "An AVM-aligned type for a lock.",
+                "__bicep_imported_from!": {
+                  "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+                }
+              }
             },
-            "name": "Service Bus Namespace Queue",
-            "description": "This module deploys a Service Bus Namespace Queue.",
-            "owner": "Azure/module-maintainers"
-          },
-          "definitions": {
-            "lockType": {
+            "roleAssignmentType": {
               "type": "object",
               "properties": {
                 "name": {
                   "type": "string",
                   "nullable": true,
                   "metadata": {
-                    "description": "Optional. Specify the name of lock."
+                    "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
                   }
                 },
-                "kind": {
+                "roleDefinitionIdOrName": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+                  }
+                },
+                "principalId": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+                  }
+                },
+                "principalType": {
                   "type": "string",
                   "allowedValues": [
-                    "CanNotDelete",
-                    "None",
-                    "ReadOnly"
+                    "Device",
+                    "ForeignGroup",
+                    "Group",
+                    "ServicePrincipal",
+                    "User"
                   ],
                   "nullable": true,
                   "metadata": {
-                    "description": "Optional. Specify the type of lock."
+                    "description": "Optional. The principal type of the assigned principal ID."
                   }
-                }
-              },
-              "nullable": true
-            },
-            "roleAssignmentType": {
-              "type": "array",
-              "items": {
-                "type": "object",
-                "properties": {
-                  "name": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
-                    }
-                  },
-                  "roleDefinitionIdOrName": {
-                    "type": "string",
-                    "metadata": {
-                      "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
-                    }
-                  },
-                  "principalId": {
-                    "type": "string",
-                    "metadata": {
-                      "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
-                    }
-                  },
-                  "principalType": {
-                    "type": "string",
-                    "allowedValues": [
-                      "Device",
-                      "ForeignGroup",
-                      "Group",
-                      "ServicePrincipal",
-                      "User"
-                    ],
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The principal type of the assigned principal ID."
-                    }
-                  },
-                  "description": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The description of the role assignment."
-                    }
-                  },
-                  "condition": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
-                    }
-                  },
-                  "conditionVersion": {
-                    "type": "string",
-                    "allowedValues": [
-                      "2.0"
-                    ],
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. Version of the condition."
-                    }
-                  },
-                  "delegatedManagedIdentityResourceId": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The Resource Id of the delegated managed identity resource."
-                    }
+                },
+                "description": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The description of the role assignment."
+                  }
+                },
+                "condition": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+                  }
+                },
+                "conditionVersion": {
+                  "type": "string",
+                  "allowedValues": [
+                    "2.0"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Version of the condition."
+                  }
+                },
+                "delegatedManagedIdentityResourceId": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The Resource Id of the delegated managed identity resource."
                   }
                 }
               },
-              "nullable": true
+              "metadata": {
+                "description": "An AVM-aligned type for a role assignment.",
+                "__bicep_imported_from!": {
+                  "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+                }
+              }
             }
           },
           "parameters": {
@@ -2279,12 +2389,17 @@
             },
             "lock": {
               "$ref": "#/definitions/lockType",
+              "nullable": true,
               "metadata": {
                 "description": "Optional. The lock settings of the service."
               }
             },
             "roleAssignments": {
-              "$ref": "#/definitions/roleAssignmentType",
+              "type": "array",
+              "items": {
+                "$ref": "#/definitions/roleAssignmentType"
+              },
+              "nullable": true,
               "metadata": {
                 "description": "Optional. Array of role assignments to create."
               }
@@ -2593,13 +2708,158 @@
             "_generator": {
               "name": "bicep",
               "version": "0.30.23.60470",
-              "templateHash": "8911539763995397815"
+              "templateHash": "718453666158486848"
+            },
+            "name": "Service Bus Namespace Topic",
+            "description": "This module deploys a Service Bus Namespace Topic.",
+            "owner": "Azure/module-maintainers"
+          },
+          "definitions": {
+            "subscriptionType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the service bus namespace topic subscription."
+                  }
+                },
+                "autoDeleteOnIdle": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes."
+                  }
+                },
+                "clientAffineProperties": {
+                  "type": "object",
+                  "properties": {
+                    "clientId": {
+                      "type": "string",
+                      "metadata": {
+                        "description": "Required. Indicates the Client ID of the application that created the client-affine subscription."
+                      }
+                    },
+                    "isDurable": {
+                      "type": "bool",
+                      "nullable": true,
+                      "metadata": {
+                        "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is durable or not."
+                      }
+                    },
+                    "isShared": {
+                      "type": "bool",
+                      "nullable": true,
+                      "metadata": {
+                        "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is shared or not."
+                      }
+                    }
+                  },
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The properties that are associated with a subscription that is client-affine."
+                  }
+                },
+                "deadLetteringOnMessageExpiration": {
+                  "type": "bool",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
+                  }
+                },
+                "deadLetteringOnFilterEvaluationExceptions": {
+                  "type": "bool",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
+                  }
+                },
+                "defaultMessageTimeToLive": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes."
+                  }
+                },
+                "duplicateDetectionHistoryTimeWindow": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes."
+                  }
+                },
+                "enableBatchedOperations": {
+                  "type": "bool",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A value that indicates whether server-side batched operations are enabled."
+                  }
+                },
+                "forwardDeadLetteredMessagesTo": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
+                  }
+                },
+                "forwardTo": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
+                  }
+                },
+                "isClientAffine": {
+                  "type": "bool",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A value that indicates whether the subscription supports the concept of session."
+                  }
+                },
+                "lockDuration": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute."
+                  }
+                },
+                "maxDeliveryCount": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10."
+                  }
+                },
+                "requiresSession": {
+                  "type": "bool",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A value that indicates whether the subscription supports the concept of session."
+                  }
+                },
+                "status": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Active",
+                    "Creating",
+                    "Deleting",
+                    "Disabled",
+                    "ReceiveDisabled",
+                    "Renaming",
+                    "Restoring",
+                    "SendDisabled",
+                    "Unknown"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
             },
-            "name": "Service Bus Namespace Topic",
-            "description": "This module deploys a Service Bus Namespace Topic.",
-            "owner": "Azure/module-maintainers"
-          },
-          "definitions": {
             "lockType": {
               "type": "object",
               "properties": {
@@ -2623,225 +2883,87 @@
                   }
                 }
               },
-              "nullable": true
+              "metadata": {
+                "description": "An AVM-aligned type for a lock.",
+                "__bicep_imported_from!": {
+                  "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+                }
+              }
             },
             "roleAssignmentType": {
-              "type": "array",
-              "items": {
-                "type": "object",
-                "properties": {
-                  "name": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
-                    }
-                  },
-                  "roleDefinitionIdOrName": {
-                    "type": "string",
-                    "metadata": {
-                      "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
-                    }
-                  },
-                  "principalId": {
-                    "type": "string",
-                    "metadata": {
-                      "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
-                    }
-                  },
-                  "principalType": {
-                    "type": "string",
-                    "allowedValues": [
-                      "Device",
-                      "ForeignGroup",
-                      "Group",
-                      "ServicePrincipal",
-                      "User"
-                    ],
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The principal type of the assigned principal ID."
-                    }
-                  },
-                  "description": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The description of the role assignment."
-                    }
-                  },
-                  "condition": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
-                    }
-                  },
-                  "conditionVersion": {
-                    "type": "string",
-                    "allowedValues": [
-                      "2.0"
-                    ],
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. Version of the condition."
-                    }
-                  },
-                  "delegatedManagedIdentityResourceId": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The Resource Id of the delegated managed identity resource."
-                    }
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
                   }
-                }
-              },
-              "nullable": true
-            },
-            "subscriptionsType": {
-              "type": "array",
-              "items": {
-                "type": "object",
-                "properties": {
-                  "name": {
-                    "type": "string",
-                    "metadata": {
-                      "description": "Required. The name of the service bus namespace topic subscription."
-                    }
-                  },
-                  "autoDeleteOnIdle": {
-                    "type": "string",
-                    "metadata": {
-                      "description": "Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes."
-                    }
-                  },
-                  "clientAffineProperties": {
-                    "type": "object",
-                    "properties": {
-                      "clientId": {
-                        "type": "string",
-                        "metadata": {
-                          "description": "Required. Indicates the Client ID of the application that created the client-affine subscription."
-                        }
-                      },
-                      "isDurable": {
-                        "type": "bool",
-                        "nullable": true,
-                        "metadata": {
-                          "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is durable or not."
-                        }
-                      },
-                      "isShared": {
-                        "type": "bool",
-                        "nullable": true,
-                        "metadata": {
-                          "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is shared or not."
-                        }
-                      }
-                    },
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The properties that are associated with a subscription that is client-affine."
-                    }
-                  },
-                  "deadLetteringOnMessageExpiration": {
-                    "type": "bool",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
-                    }
-                  },
-                  "deadLetteringOnFilterEvaluationExceptions": {
-                    "type": "bool",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
-                    }
-                  },
-                  "defaultMessageTimeToLive": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes."
-                    }
-                  },
-                  "duplicateDetectionHistoryTimeWindow": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes."
-                    }
-                  },
-                  "enableBatchedOperations": {
-                    "type": "bool",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. A value that indicates whether server-side batched operations are enabled."
-                    }
-                  },
-                  "forwardDeadLetteredMessagesTo": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
-                    }
-                  },
-                  "forwardTo": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
-                    }
-                  },
-                  "isClientAffine": {
-                    "type": "bool",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. A value that indicates whether the subscription supports the concept of session."
-                    }
-                  },
-                  "lockDuration": {
-                    "type": "string",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute."
-                    }
-                  },
-                  "maxDeliveryCount": {
-                    "type": "int",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10."
-                    }
-                  },
-                  "requiresSession": {
-                    "type": "bool",
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. A value that indicates whether the subscription supports the concept of session."
-                    }
-                  },
-                  "status": {
-                    "type": "string",
-                    "allowedValues": [
-                      "Active",
-                      "Creating",
-                      "Deleting",
-                      "Disabled",
-                      "ReceiveDisabled",
-                      "Renaming",
-                      "Restoring",
-                      "SendDisabled",
-                      "Unknown"
-                    ],
-                    "nullable": true,
-                    "metadata": {
-                      "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
-                    }
+                },
+                "roleDefinitionIdOrName": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+                  }
+                },
+                "principalId": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+                  }
+                },
+                "principalType": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Device",
+                    "ForeignGroup",
+                    "Group",
+                    "ServicePrincipal",
+                    "User"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The principal type of the assigned principal ID."
+                  }
+                },
+                "description": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The description of the role assignment."
+                  }
+                },
+                "condition": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+                  }
+                },
+                "conditionVersion": {
+                  "type": "string",
+                  "allowedValues": [
+                    "2.0"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Version of the condition."
+                  }
+                },
+                "delegatedManagedIdentityResourceId": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The Resource Id of the delegated managed identity resource."
                   }
                 }
               },
-              "nullable": true
+              "metadata": {
+                "description": "An AVM-aligned type for a role assignment.",
+                "__bicep_imported_from!": {
+                  "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+                }
+              }
             }
           },
           "parameters": {
@@ -2958,19 +3080,27 @@
             },
             "lock": {
               "$ref": "#/definitions/lockType",
+              "nullable": true,
               "metadata": {
                 "description": "Optional. The lock settings of the service."
               }
             },
             "roleAssignments": {
-              "$ref": "#/definitions/roleAssignmentType",
+              "type": "array",
+              "items": {
+                "$ref": "#/definitions/roleAssignmentType"
+              },
+              "nullable": true,
               "metadata": {
                 "description": "Optional. Array of role assignments to create."
               }
             },
             "subscriptions": {
               "type": "array",
-              "defaultValue": [],
+              "items": {
+                "$ref": "#/definitions/subscriptionType"
+              },
+              "nullable": true,
               "metadata": {
                 "description": "Optional. The subscriptions of the topic."
               }
diff --git a/avm/res/service-bus/namespace/queue/main.bicep b/avm/res/service-bus/namespace/queue/main.bicep
index b6e1097705..33aad9ee4c 100644
--- a/avm/res/service-bus/namespace/queue/main.bicep
+++ b/avm/res/service-bus/namespace/queue/main.bicep
@@ -74,11 +74,13 @@ param enableExpress bool = false
 @description('Optional. Authorization Rules for the Service Bus Queue.')
 param authorizationRules array = []
 
+import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. The lock settings of the service.')
-param lock lockType
+param lock lockType?
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
+param roleAssignments roleAssignmentType[]?
 
 var builtInRoleNames = {
   'Azure Service Bus Data Owner': subscriptionResourceId(
@@ -191,41 +193,3 @@ output resourceId string = queue.id
 
 @description('The resource group of the deployed queue.')
 output resourceGroupName string = resourceGroup().name
-
-// =============== //
-//   Definitions   //
-// =============== //
-
-type lockType = {
-  @description('Optional. Specify the name of lock.')
-  name: string?
-
-  @description('Optional. Specify the type of lock.')
-  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
-  @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
-  name: string?
-
-  @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-  roleDefinitionIdOrName: string
-
-  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
-  principalId: string
-
-  @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
-  @description('Optional. The description of the role assignment.')
-  description: string?
-
-  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-  condition: string?
-
-  @description('Optional. Version of the condition.')
-  conditionVersion: '2.0'?
-
-  @description('Optional. The Resource Id of the delegated managed identity resource.')
-  delegatedManagedIdentityResourceId: string?
-}[]?
diff --git a/avm/res/service-bus/namespace/queue/main.json b/avm/res/service-bus/namespace/queue/main.json
index 7018e54ac3..d18e95f321 100644
--- a/avm/res/service-bus/namespace/queue/main.json
+++ b/avm/res/service-bus/namespace/queue/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "13425705366730697938"
+      "templateHash": "1473006512521228493"
     },
     "name": "Service Bus Namespace Queue",
     "description": "This module deploys a Service Bus Namespace Queue.",
@@ -36,80 +36,87 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "description": "An AVM-aligned type for a lock.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
     },
     "roleAssignmentType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
-            }
-          },
-          "roleDefinitionIdOrName": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
-            }
-          },
-          "principalId": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
-            }
-          },
-          "principalType": {
-            "type": "string",
-            "allowedValues": [
-              "Device",
-              "ForeignGroup",
-              "Group",
-              "ServicePrincipal",
-              "User"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The principal type of the assigned principal ID."
-            }
-          },
-          "description": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The description of the role assignment."
-            }
-          },
-          "condition": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
-            }
-          },
-          "conditionVersion": {
-            "type": "string",
-            "allowedValues": [
-              "2.0"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Version of the condition."
-            }
-          },
-          "delegatedManagedIdentityResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The Resource Id of the delegated managed identity resource."
-            }
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
+          }
+        },
+        "roleDefinitionIdOrName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+          }
+        },
+        "principalId": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+          }
+        },
+        "principalType": {
+          "type": "string",
+          "allowedValues": [
+            "Device",
+            "ForeignGroup",
+            "Group",
+            "ServicePrincipal",
+            "User"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The principal type of the assigned principal ID."
+          }
+        },
+        "description": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The description of the role assignment."
+          }
+        },
+        "condition": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+          }
+        },
+        "conditionVersion": {
+          "type": "string",
+          "allowedValues": [
+            "2.0"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Version of the condition."
+          }
+        },
+        "delegatedManagedIdentityResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The Resource Id of the delegated managed identity resource."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "description": "An AVM-aligned type for a role assignment.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
     }
   },
   "parameters": {
@@ -261,12 +268,17 @@
     },
     "lock": {
       "$ref": "#/definitions/lockType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The lock settings of the service."
       }
     },
     "roleAssignments": {
-      "$ref": "#/definitions/roleAssignmentType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/roleAssignmentType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. Array of role assignments to create."
       }
diff --git a/avm/res/service-bus/namespace/tests/e2e/encr/main.test.bicep b/avm/res/service-bus/namespace/tests/e2e/encr/main.test.bicep
index 9a02d24b0c..7f28c08ba6 100644
--- a/avm/res/service-bus/namespace/tests/e2e/encr/main.test.bicep
+++ b/avm/res/service-bus/namespace/tests/e2e/encr/main.test.bicep
@@ -64,7 +64,7 @@ module testDeployment '../../../main.bicep' = [
       location: resourceLocation
       managedIdentities: {
         systemAssigned: false
-        userAssignedResourcesIds: [
+        userAssignedResourceIds: [
           nestedDependencies.outputs.managedIdentityResourceId
         ]
       }
diff --git a/avm/res/service-bus/namespace/tests/e2e/max/main.test.bicep b/avm/res/service-bus/namespace/tests/e2e/max/main.test.bicep
index fcf8d82aee..49c8e10bae 100644
--- a/avm/res/service-bus/namespace/tests/e2e/max/main.test.bicep
+++ b/avm/res/service-bus/namespace/tests/e2e/max/main.test.bicep
@@ -299,7 +299,7 @@ module testDeployment '../../../main.bicep' = [
       ]
       managedIdentities: {
         systemAssigned: true
-        userAssignedResourcesIds: [
+        userAssignedResourceIds: [
           nestedDependencies.outputs.managedIdentityResourceId
         ]
       }
@@ -307,9 +307,5 @@ module testDeployment '../../../main.bicep' = [
       publicNetworkAccess: 'Enabled'
       minimumTlsVersion: '1.2'
     }
-    dependsOn: [
-      nestedDependencies
-      diagnosticDependencies
-    ]
   }
 ]
diff --git a/avm/res/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep b/avm/res/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
index 2160534080..3eb6f9aff1 100644
--- a/avm/res/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/res/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep
@@ -66,22 +66,12 @@ module testDeployment '../../../main.bicep' = [
     name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
     params: {
       name: '${namePrefix}${serviceShort}001'
-      lock: {
-        kind: 'CanNotDelete'
-        name: 'myCustomLockName'
-      }
       location: resourceLocation
-      skuObject: {
-        name: 'Premium'
-        capacity: 2
-      }
-      premiumMessagingPartitions: 1
       tags: {
         'hidden-title': 'This is visible in the resource name'
         Environment: 'Non-Prod'
         Role: 'DeploymentValidation'
       }
-      roleAssignments: []
       networkRuleSets: {
         defaultAction: 'Deny'
         trustedServiceAccessEnabled: true
@@ -193,19 +183,7 @@ module testDeployment '../../../main.bicep' = [
           }
         }
       ]
-      managedIdentities: {
-        systemAssigned: true
-        userAssignedResourcesIds: [
-          nestedDependencies.outputs.managedIdentityResourceId
-        ]
-      }
-      disableLocalAuth: true
       publicNetworkAccess: 'Enabled'
-      minimumTlsVersion: '1.2'
     }
-    dependsOn: [
-      nestedDependencies
-      diagnosticDependencies
-    ]
   }
 ]
diff --git a/avm/res/service-bus/namespace/topic/README.md b/avm/res/service-bus/namespace/topic/README.md
index a5b94085ed..adea8eec40 100644
--- a/avm/res/service-bus/namespace/topic/README.md
+++ b/avm/res/service-bus/namespace/topic/README.md
@@ -315,7 +315,184 @@ The subscriptions of the topic.
 
 - Required: No
 - Type: array
-- Default: `[]`
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-subscriptionsname) | string | The name of the service bus namespace topic subscription. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`autoDeleteOnIdle`](#parameter-subscriptionsautodeleteonidle) | string | ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes. |
+| [`clientAffineProperties`](#parameter-subscriptionsclientaffineproperties) | object | The properties that are associated with a subscription that is client-affine. |
+| [`deadLetteringOnFilterEvaluationExceptions`](#parameter-subscriptionsdeadletteringonfilterevaluationexceptions) | bool | A value that indicates whether a subscription has dead letter support when a message expires. |
+| [`deadLetteringOnMessageExpiration`](#parameter-subscriptionsdeadletteringonmessageexpiration) | bool | A value that indicates whether a subscription has dead letter support when a message expires. |
+| [`defaultMessageTimeToLive`](#parameter-subscriptionsdefaultmessagetimetolive) | string | ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes. |
+| [`duplicateDetectionHistoryTimeWindow`](#parameter-subscriptionsduplicatedetectionhistorytimewindow) | string | ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes. |
+| [`enableBatchedOperations`](#parameter-subscriptionsenablebatchedoperations) | bool | A value that indicates whether server-side batched operations are enabled. |
+| [`forwardDeadLetteredMessagesTo`](#parameter-subscriptionsforwarddeadletteredmessagesto) | string | The name of the recipient entity to which all the messages sent to the subscription are forwarded to. |
+| [`forwardTo`](#parameter-subscriptionsforwardto) | string | The name of the recipient entity to which all the messages sent to the subscription are forwarded to. |
+| [`isClientAffine`](#parameter-subscriptionsisclientaffine) | bool | A value that indicates whether the subscription supports the concept of session. |
+| [`lockDuration`](#parameter-subscriptionslockduration) | string | ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. |
+| [`maxDeliveryCount`](#parameter-subscriptionsmaxdeliverycount) | int | Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10. |
+| [`requiresSession`](#parameter-subscriptionsrequiressession) | bool | A value that indicates whether the subscription supports the concept of session. |
+| [`status`](#parameter-subscriptionsstatus) | string | Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown. |
+
+### Parameter: `subscriptions.name`
+
+The name of the service bus namespace topic subscription.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `subscriptions.autoDeleteOnIdle`
+
+ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes.
+
+- Required: No
+- Type: string
+
+### Parameter: `subscriptions.clientAffineProperties`
+
+The properties that are associated with a subscription that is client-affine.
+
+- Required: No
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`clientId`](#parameter-subscriptionsclientaffinepropertiesclientid) | string | Indicates the Client ID of the application that created the client-affine subscription. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`isDurable`](#parameter-subscriptionsclientaffinepropertiesisdurable) | bool | For client-affine subscriptions, this value indicates whether the subscription is durable or not. |
+| [`isShared`](#parameter-subscriptionsclientaffinepropertiesisshared) | bool | For client-affine subscriptions, this value indicates whether the subscription is shared or not. |
+
+### Parameter: `subscriptions.clientAffineProperties.clientId`
+
+Indicates the Client ID of the application that created the client-affine subscription.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `subscriptions.clientAffineProperties.isDurable`
+
+For client-affine subscriptions, this value indicates whether the subscription is durable or not.
+
+- Required: No
+- Type: bool
+
+### Parameter: `subscriptions.clientAffineProperties.isShared`
+
+For client-affine subscriptions, this value indicates whether the subscription is shared or not.
+
+- Required: No
+- Type: bool
+
+### Parameter: `subscriptions.deadLetteringOnFilterEvaluationExceptions`
+
+A value that indicates whether a subscription has dead letter support when a message expires.
+
+- Required: No
+- Type: bool
+
+### Parameter: `subscriptions.deadLetteringOnMessageExpiration`
+
+A value that indicates whether a subscription has dead letter support when a message expires.
+
+- Required: No
+- Type: bool
+
+### Parameter: `subscriptions.defaultMessageTimeToLive`
+
+ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes.
+
+- Required: No
+- Type: string
+
+### Parameter: `subscriptions.duplicateDetectionHistoryTimeWindow`
+
+ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes.
+
+- Required: No
+- Type: string
+
+### Parameter: `subscriptions.enableBatchedOperations`
+
+A value that indicates whether server-side batched operations are enabled.
+
+- Required: No
+- Type: bool
+
+### Parameter: `subscriptions.forwardDeadLetteredMessagesTo`
+
+The name of the recipient entity to which all the messages sent to the subscription are forwarded to.
+
+- Required: No
+- Type: string
+
+### Parameter: `subscriptions.forwardTo`
+
+The name of the recipient entity to which all the messages sent to the subscription are forwarded to.
+
+- Required: No
+- Type: string
+
+### Parameter: `subscriptions.isClientAffine`
+
+A value that indicates whether the subscription supports the concept of session.
+
+- Required: No
+- Type: bool
+
+### Parameter: `subscriptions.lockDuration`
+
+ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute.
+
+- Required: No
+- Type: string
+
+### Parameter: `subscriptions.maxDeliveryCount`
+
+Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10.
+
+- Required: No
+- Type: int
+
+### Parameter: `subscriptions.requiresSession`
+
+A value that indicates whether the subscription supports the concept of session.
+
+- Required: No
+- Type: bool
+
+### Parameter: `subscriptions.status`
+
+Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Active'
+    'Creating'
+    'Deleting'
+    'Disabled'
+    'ReceiveDisabled'
+    'Renaming'
+    'Restoring'
+    'SendDisabled'
+    'Unknown'
+  ]
+  ```
 
 ### Parameter: `supportOrdering`
 
diff --git a/avm/res/service-bus/namespace/topic/main.bicep b/avm/res/service-bus/namespace/topic/main.bicep
index 4fc34b3be5..f41519ffc2 100644
--- a/avm/res/service-bus/namespace/topic/main.bicep
+++ b/avm/res/service-bus/namespace/topic/main.bicep
@@ -59,14 +59,16 @@ param enableExpress bool = false
 @description('Optional. Authorization Rules for the Service Bus Topic.')
 param authorizationRules array = []
 
+import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. The lock settings of the service.')
-param lock lockType
+param lock lockType?
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.0'
 @description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
+param roleAssignments roleAssignmentType[]?
 
 @description('Optional. The subscriptions of the topic.')
-param subscriptions array = []
+param subscriptions subscriptionType[]?
 
 var builtInRoleNames = {
   'Azure Service Bus Data Owner': subscriptionResourceId(
@@ -210,46 +212,13 @@ output resourceGroupName string = resourceGroup().name
 //   Definitions   //
 // =============== //
 
-type lockType = {
-  @description('Optional. Specify the name of lock.')
-  name: string?
-
-  @description('Optional. Specify the type of lock.')
-  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
-  @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
-  name: string?
-
-  @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-  roleDefinitionIdOrName: string
-
-  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
-  principalId: string
-
-  @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
-  @description('Optional. The description of the role assignment.')
-  description: string?
-
-  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-  condition: string?
-
-  @description('Optional. Version of the condition.')
-  conditionVersion: '2.0'?
-
-  @description('Optional. The Resource Id of the delegated managed identity resource.')
-  delegatedManagedIdentityResourceId: string?
-}[]?
-
-type subscriptionsType = {
+@export()
+type subscriptionType = {
   @description('Required. The name of the service bus namespace topic subscription.')
   name: string
 
   @description('Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes.')
-  autoDeleteOnIdle: string
+  autoDeleteOnIdle: string?
 
   @description('Optional. The properties that are associated with a subscription that is client-affine.')
   clientAffineProperties: {
@@ -307,4 +276,4 @@ type subscriptionsType = {
     | 'Deleting'
     | 'Renaming'
     | 'Unknown')?
-}[]?
+}
diff --git a/avm/res/service-bus/namespace/topic/main.json b/avm/res/service-bus/namespace/topic/main.json
index 5a34b438f3..c8c27aa210 100644
--- a/avm/res/service-bus/namespace/topic/main.json
+++ b/avm/res/service-bus/namespace/topic/main.json
@@ -6,13 +6,158 @@
     "_generator": {
       "name": "bicep",
       "version": "0.30.23.60470",
-      "templateHash": "8911539763995397815"
+      "templateHash": "718453666158486848"
     },
     "name": "Service Bus Namespace Topic",
     "description": "This module deploys a Service Bus Namespace Topic.",
     "owner": "Azure/module-maintainers"
   },
   "definitions": {
+    "subscriptionType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the service bus namespace topic subscription."
+          }
+        },
+        "autoDeleteOnIdle": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes."
+          }
+        },
+        "clientAffineProperties": {
+          "type": "object",
+          "properties": {
+            "clientId": {
+              "type": "string",
+              "metadata": {
+                "description": "Required. Indicates the Client ID of the application that created the client-affine subscription."
+              }
+            },
+            "isDurable": {
+              "type": "bool",
+              "nullable": true,
+              "metadata": {
+                "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is durable or not."
+              }
+            },
+            "isShared": {
+              "type": "bool",
+              "nullable": true,
+              "metadata": {
+                "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is shared or not."
+              }
+            }
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The properties that are associated with a subscription that is client-affine."
+          }
+        },
+        "deadLetteringOnMessageExpiration": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
+          }
+        },
+        "deadLetteringOnFilterEvaluationExceptions": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
+          }
+        },
+        "defaultMessageTimeToLive": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes."
+          }
+        },
+        "duplicateDetectionHistoryTimeWindow": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes."
+          }
+        },
+        "enableBatchedOperations": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether server-side batched operations are enabled."
+          }
+        },
+        "forwardDeadLetteredMessagesTo": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
+          }
+        },
+        "forwardTo": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
+          }
+        },
+        "isClientAffine": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether the subscription supports the concept of session."
+          }
+        },
+        "lockDuration": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute."
+          }
+        },
+        "maxDeliveryCount": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10."
+          }
+        },
+        "requiresSession": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A value that indicates whether the subscription supports the concept of session."
+          }
+        },
+        "status": {
+          "type": "string",
+          "allowedValues": [
+            "Active",
+            "Creating",
+            "Deleting",
+            "Disabled",
+            "ReceiveDisabled",
+            "Renaming",
+            "Restoring",
+            "SendDisabled",
+            "Unknown"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
     "lockType": {
       "type": "object",
       "properties": {
@@ -36,225 +181,87 @@
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "description": "An AVM-aligned type for a lock.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
     },
     "roleAssignmentType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
-            }
-          },
-          "roleDefinitionIdOrName": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
-            }
-          },
-          "principalId": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
-            }
-          },
-          "principalType": {
-            "type": "string",
-            "allowedValues": [
-              "Device",
-              "ForeignGroup",
-              "Group",
-              "ServicePrincipal",
-              "User"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The principal type of the assigned principal ID."
-            }
-          },
-          "description": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The description of the role assignment."
-            }
-          },
-          "condition": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
-            }
-          },
-          "conditionVersion": {
-            "type": "string",
-            "allowedValues": [
-              "2.0"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Version of the condition."
-            }
-          },
-          "delegatedManagedIdentityResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The Resource Id of the delegated managed identity resource."
-            }
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
           }
-        }
-      },
-      "nullable": true
-    },
-    "subscriptionsType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The name of the service bus namespace topic subscription."
-            }
-          },
-          "autoDeleteOnIdle": {
-            "type": "string",
-            "metadata": {
-              "description": "Optional. ISO 8601 timespan idle interval after which the syubscription is automatically deleted. The minimum duration is 5 minutes."
-            }
-          },
-          "clientAffineProperties": {
-            "type": "object",
-            "properties": {
-              "clientId": {
-                "type": "string",
-                "metadata": {
-                  "description": "Required. Indicates the Client ID of the application that created the client-affine subscription."
-                }
-              },
-              "isDurable": {
-                "type": "bool",
-                "nullable": true,
-                "metadata": {
-                  "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is durable or not."
-                }
-              },
-              "isShared": {
-                "type": "bool",
-                "nullable": true,
-                "metadata": {
-                  "description": "Optional. For client-affine subscriptions, this value indicates whether the subscription is shared or not."
-                }
-              }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The properties that are associated with a subscription that is client-affine."
-            }
-          },
-          "deadLetteringOnMessageExpiration": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
-            }
-          },
-          "deadLetteringOnFilterEvaluationExceptions": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether a subscription has dead letter support when a message expires."
-            }
-          },
-          "defaultMessageTimeToLive": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8601 timespan idle interval after which the message expires. The minimum duration is 5 minutes."
-            }
-          },
-          "duplicateDetectionHistoryTimeWindow": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8601 timespan that defines the duration of the duplicate detection history. The default value is 10 minutes."
-            }
-          },
-          "enableBatchedOperations": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether server-side batched operations are enabled."
-            }
-          },
-          "forwardDeadLetteredMessagesTo": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
-            }
-          },
-          "forwardTo": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of the recipient entity to which all the messages sent to the subscription are forwarded to."
-            }
-          },
-          "isClientAffine": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether the subscription supports the concept of session."
-            }
-          },
-          "lockDuration": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute."
-            }
-          },
-          "maxDeliveryCount": {
-            "type": "int",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Number of maximum deliveries. A message is automatically deadlettered after this number of deliveries. Default value is 10."
-            }
-          },
-          "requiresSession": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A value that indicates whether the subscription supports the concept of session."
-            }
-          },
-          "status": {
-            "type": "string",
-            "allowedValues": [
-              "Active",
-              "Creating",
-              "Deleting",
-              "Disabled",
-              "ReceiveDisabled",
-              "Renaming",
-              "Restoring",
-              "SendDisabled",
-              "Unknown"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Enumerates the possible values for the status of a messaging entity. - Active, Disabled, Restoring, SendDisabled, ReceiveDisabled, Creating, Deleting, Renaming, Unknown."
-            }
+        },
+        "roleDefinitionIdOrName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+          }
+        },
+        "principalId": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+          }
+        },
+        "principalType": {
+          "type": "string",
+          "allowedValues": [
+            "Device",
+            "ForeignGroup",
+            "Group",
+            "ServicePrincipal",
+            "User"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The principal type of the assigned principal ID."
+          }
+        },
+        "description": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The description of the role assignment."
+          }
+        },
+        "condition": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+          }
+        },
+        "conditionVersion": {
+          "type": "string",
+          "allowedValues": [
+            "2.0"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Version of the condition."
+          }
+        },
+        "delegatedManagedIdentityResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The Resource Id of the delegated managed identity resource."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "description": "An AVM-aligned type for a role assignment.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.0"
+        }
+      }
     }
   },
   "parameters": {
@@ -371,19 +378,27 @@
     },
     "lock": {
       "$ref": "#/definitions/lockType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The lock settings of the service."
       }
     },
     "roleAssignments": {
-      "$ref": "#/definitions/roleAssignmentType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/roleAssignmentType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. Array of role assignments to create."
       }
     },
     "subscriptions": {
       "type": "array",
-      "defaultValue": [],
+      "items": {
+        "$ref": "#/definitions/subscriptionType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. The subscriptions of the topic."
       }