From ddc5f5fb0293aa78b8b0a24644b5f99e8d1e6ce4 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Wed, 13 Mar 2024 14:58:01 -0400 Subject: [PATCH] Users/alsehr/token regex fix (#1276) ## Description Fixed fail-safe regex (added missing escapes). Until now, `--------` would cause an issue, even though we're only interested in `-..--..-`. Output for Azure-Firewall with default behavior: ![image](https://github.com/Azure/bicep-registry-modules/assets/5365358/37d63bb9-73c0-4809-bc73-497e402d3775) Output for Azure Firewall with disabled token replacement (to validate the fail-safe works): ![image](https://github.com/Azure/bicep-registry-modules/assets/5365358/291a842f-4689-4cc7-9520-746a60d43244) ## Pipeline Reference | Pipeline | | -------- | | | ## Type of Change - [x] Update to CI Environment or utlities (Non-module effecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. 
- [ ] Update to documentation --------- Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- avm/res/network/azure-firewall/README.md | 34 +++++++++---------- avm/res/network/azure-firewall/main.bicep | 8 ++--- avm/res/network/azure-firewall/main.json | 8 ++--- .../tests/e2e/addpip/main.test.bicep | 2 +- .../tests/e2e/custompip/main.test.bicep | 2 +- .../tests/e2e/defaults/main.test.bicep | 2 +- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- avm/res/network/bastion-host/README.md | 30 ++++++++-------- avm/res/network/bastion-host/main.bicep | 6 ++-- avm/res/network/bastion-host/main.json | 8 ++--- .../tests/e2e/custompip/main.test.bicep | 2 +- .../tests/e2e/defaults/main.test.bicep | 2 +- .../tests/e2e/max/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- avm/res/network/bastion-host/version.json | 2 +- avm/res/network/virtual-network/main.bicep | 16 ++++----- avm/res/network/virtual-network/main.json | 12 ++----- avm/res/network/virtual-network/version.json | 2 +- .../publish/Publish-ModuleFromPathToPBR.ps1 | 6 ++-- 20 files changed, 70 insertions(+), 80 deletions(-) diff --git a/avm/res/network/azure-firewall/README.md b/avm/res/network/azure-firewall/README.md index fbb0980ca3..1a450e250b 100644 --- a/avm/res/network/azure-firewall/README.md +++ b/avm/res/network/azure-firewall/README.md @@ -71,7 +71,7 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { } ] } - virtualNetworkId: '' + virtualNetworkResourceId: '' } } ``` @@ -119,8 +119,8 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { ] } }, - "virtualNetworkId": { - "value": "" + "virtualNetworkResourceId": { + "value": "" } } } @@ -174,7 +174,7 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { skuName: 'Standard' skuTier: 'Regional' } - virtualNetworkId: '' + virtualNetworkResourceId: '' } } ``` 
@@ -229,8 +229,8 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { "skuTier": "Regional" } }, - "virtualNetworkId": { - "value": "" + "virtualNetworkResourceId": { + "value": "" } } } @@ -256,7 +256,7 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { name: 'nafmin001' // Non-required parameters location: '' - virtualNetworkId: '' + virtualNetworkResourceId: '' } } ``` @@ -281,8 +281,8 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { "location": { "value": "" }, - "virtualNetworkId": { - "value": "" + "virtualNetworkResourceId": { + "value": "" } } } @@ -562,7 +562,7 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - virtualNetworkId: '' + virtualNetworkResourceId: '' zones: [ '1' '2' @@ -728,8 +728,8 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { "Role": "DeploymentValidation" } }, - "virtualNetworkId": { - "value": "" + "virtualNetworkResourceId": { + "value": "" }, "zones": { "value": [ @@ -863,7 +863,7 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { 'hidden-title': 'This is visible in the resource name' Role: 'DeploymentValidation' } - virtualNetworkId: '' + virtualNetworkResourceId: '' zones: [ '1' '2' @@ -1004,8 +1004,8 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { "Role": "DeploymentValidation" } }, - "virtualNetworkId": { - "value": "" + "virtualNetworkResourceId": { + "value": "" }, "zones": { "value": [ 
@@ -1036,7 +1036,7 @@ module azureFirewall 'br/public:avm/res/network/azure-firewall:' = { | :-- | :-- | :-- | | [`hubIPAddresses`](#parameter-hubipaddresses) | object | IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied. | | [`virtualHubId`](#parameter-virtualhubid) | string | The virtualHub resource ID to which the firewall belongs. Required if `virtualNetworkId` is empty. | -| [`virtualNetworkId`](#parameter-virtualnetworkid) | string | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. | +| [`virtualNetworkResourceId`](#parameter-virtualnetworkresourceid) | string | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. | **Optional parameters** @@ -1084,7 +1084,7 @@ The virtualHub resource ID to which the firewall belongs. Required if `virtualNe - Type: string - Default: `''` -### Parameter: `virtualNetworkId` +### Parameter: `virtualNetworkResourceId` Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty. diff --git a/avm/res/network/azure-firewall/main.bicep b/avm/res/network/azure-firewall/main.bicep index df64924d31..f0edf1142c 100644 --- a/avm/res/network/azure-firewall/main.bicep +++ b/avm/res/network/azure-firewall/main.bicep 
@@ -14,7 +14,7 @@ param name string param azureSkuTier string = 'Standard' @description('Conditional. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty.') -param virtualNetworkId string = '' +param virtualNetworkResourceId string = '' @description('Optional. The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet.') param publicIPResourceID string = '' @@ -84,7 +84,7 @@ param tags object? @description('Optional. Enable/Disable usage telemetry for module.') param enableTelemetry bool = true -var azureSkuName = empty(virtualNetworkId) ? 'AZFW_Hub' : 'AZFW_VNet' +var azureSkuName = empty(virtualNetworkResourceId) ? 'AZFW_Hub' : 'AZFW_VNet' var requiresManagementIp = azureSkuTier == 'Basic' ? true : false var isCreateDefaultManagementIP = empty(managementIPResourceID) && requiresManagementIp @@ -107,7 +107,7 @@ var ipConfigurations = concat([ name: !empty(publicIPResourceID) ? last(split(publicIPResourceID, '/')) : publicIPAddress.outputs.name properties: union({ subnet: { - id: '${virtualNetworkId}/subnets/AzureFirewallSubnet' // The subnet name must be AzureFirewallSubnet + id: '${virtualNetworkResourceId}/subnets/AzureFirewallSubnet' // The subnet name must be AzureFirewallSubnet } }, (!empty(publicIPResourceID) || !empty(publicIPAddressObject)) ? { //Use existing Public IP, new Public IP created in this module, or none if neither 
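Review bot: Renaming the public parameter `virtualNetworkId` to `virtualNetworkResourceId` in the first main.bicep hunk will break any caller that still passes the old name, yet the diffstat lists no change to `avm/res/network/azure-firewall/version.json`, whereas the equivalent rename in bastion-host comes with a bump from 0.1 to 0.2. If azure-firewall has already been published, it likely needs the same treatment. The README context lines for `virtualHubId` still read "Required if virtualNetworkId is empty", which suggests that parameter's `@description` in main.bicep (outside these hunks) still names the old parameter and should say `Required if virtualNetworkResourceId is empty.` instead. The other main.bicep hunks for this module only follow the rename.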
@@ -127,7 +127,7 @@ var managementIPConfiguration = { name: !empty(managementIPResourceID) ? last(split(managementIPResourceID, '/')) : managementIPAddress.outputs.name properties: union({ subnet: { - id: '${virtualNetworkId}/subnets/AzureFirewallManagementSubnet' // The subnet name must be AzureFirewallManagementSubnet for a 'Basic' SKU tier firewall + id: '${virtualNetworkResourceId}/subnets/AzureFirewallManagementSubnet' // The subnet name must be AzureFirewallManagementSubnet for a 'Basic' SKU tier firewall } }, (!empty(publicIPResourceID) || !empty(managementIPAddressObject)) ? { // Use existing Management Public IP, new Management Public IP created in this module, or none if neither diff --git a/avm/res/network/azure-firewall/main.json b/avm/res/network/azure-firewall/main.json index 0d3a43ef89..27aaafd57d 100644 --- a/avm/res/network/azure-firewall/main.json +++ b/avm/res/network/azure-firewall/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.25.53.49325", - "templateHash": "1020924055893877667" + "templateHash": "4205211650529288648" }, "name": "Azure Firewalls", "description": "This module deploys an Azure Firewall.", @@ -244,7 +244,7 @@ "description": "Optional. Tier of an Azure Firewall." } }, - "virtualNetworkId": { + "virtualNetworkResourceId": { "type": "string", "defaultValue": "", "metadata": { @@ -406,7 +406,7 @@ } } ], - "azureSkuName": "[if(empty(parameters('virtualNetworkId')), 'AZFW_Hub', 'AZFW_VNet')]", + "azureSkuName": "[if(empty(parameters('virtualNetworkResourceId')), 'AZFW_Hub', 'AZFW_VNet')]", "requiresManagementIp": "[if(equals(parameters('azureSkuTier'), 'Basic'), true(), false())]", "isCreateDefaultManagementIP": "[and(empty(parameters('managementIPResourceID')), variables('requiresManagementIp'))]", "builtInRoleNames": { 
@@ -445,7 +445,7 @@ "location": "[parameters('location')]", "zones": "[if(equals(length(parameters('zones')), 0), null(), parameters('zones'))]", "tags": "[parameters('tags')]", - "properties": "[if(equals(variables('azureSkuName'), 'AZFW_VNet'), createObject('threatIntelMode', parameters('threatIntelMode'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'ipConfigurations', concat(createArray(createObject('name', if(not(empty(parameters('publicIPResourceID'))), last(split(parameters('publicIPResourceID'), '/')), reference('publicIPAddress').outputs.name.value), 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureFirewallSubnet', parameters('virtualNetworkId')))), if(or(not(empty(parameters('publicIPResourceID'))), not(empty(parameters('publicIPAddressObject')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('publicIPResourceID'))), parameters('publicIPResourceID'), reference('publicIPAddress').outputs.resourceId.value))), createObject())))), variables('additionalPublicIpConfigurationsVar')), 'managementIpConfiguration', if(variables('requiresManagementIp'), createObject('name', if(not(empty(parameters('managementIPResourceID'))), last(split(parameters('managementIPResourceID'), '/')), reference('managementIPAddress').outputs.name.value), 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureFirewallManagementSubnet', parameters('virtualNetworkId')))), if(or(not(empty(parameters('publicIPResourceID'))), not(empty(parameters('managementIPAddressObject')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('managementIPResourceID'))), parameters('managementIPResourceID'), reference('managementIPAddress').outputs.resourceId.value))), createObject()))), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 
'applicationRuleCollections', parameters('applicationRuleCollections'), 'natRuleCollections', parameters('natRuleCollections'), 'networkRuleCollections', parameters('networkRuleCollections')), createObject('firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'hubIPAddresses', if(not(empty(parameters('hubIPAddresses'))), parameters('hubIPAddresses'), null()), 'virtualHub', if(not(empty(parameters('virtualHubId'))), createObject('id', parameters('virtualHubId')), null())))]", + "properties": "[if(equals(variables('azureSkuName'), 'AZFW_VNet'), createObject('threatIntelMode', parameters('threatIntelMode'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'ipConfigurations', concat(createArray(createObject('name', if(not(empty(parameters('publicIPResourceID'))), last(split(parameters('publicIPResourceID'), '/')), reference('publicIPAddress').outputs.name.value), 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureFirewallSubnet', parameters('virtualNetworkResourceId')))), if(or(not(empty(parameters('publicIPResourceID'))), not(empty(parameters('publicIPAddressObject')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('publicIPResourceID'))), parameters('publicIPResourceID'), reference('publicIPAddress').outputs.resourceId.value))), createObject())))), variables('additionalPublicIpConfigurationsVar')), 'managementIpConfiguration', if(variables('requiresManagementIp'), createObject('name', if(not(empty(parameters('managementIPResourceID'))), last(split(parameters('managementIPResourceID'), '/')), reference('managementIPAddress').outputs.name.value), 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureFirewallManagementSubnet', 
parameters('virtualNetworkResourceId')))), if(or(not(empty(parameters('publicIPResourceID'))), not(empty(parameters('managementIPAddressObject')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('managementIPResourceID'))), parameters('managementIPResourceID'), reference('managementIPAddress').outputs.resourceId.value))), createObject()))), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'applicationRuleCollections', parameters('applicationRuleCollections'), 'natRuleCollections', parameters('natRuleCollections'), 'networkRuleCollections', parameters('networkRuleCollections')), createObject('firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'hubIPAddresses', if(not(empty(parameters('hubIPAddresses'))), parameters('hubIPAddresses'), null()), 'virtualHub', if(not(empty(parameters('virtualHubId'))), createObject('id', parameters('virtualHubId')), null())))]", "dependsOn": [ "managementIPAddress", "publicIPAddress" diff --git a/avm/res/network/azure-firewall/tests/e2e/addpip/main.test.bicep b/avm/res/network/azure-firewall/tests/e2e/addpip/main.test.bicep index 4a27824896..28f977e678 100644 --- a/avm/res/network/azure-firewall/tests/e2e/addpip/main.test.bicep +++ b/avm/res/network/azure-firewall/tests/e2e/addpip/main.test.bicep @@ -53,7 +53,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { location: resourceLocation name: '${namePrefix}${serviceShort}001' - virtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId additionalPublicIpConfigurations: [ { name: 'ipConfig01' 
diff --git a/avm/res/network/azure-firewall/tests/e2e/custompip/main.test.bicep b/avm/res/network/azure-firewall/tests/e2e/custompip/main.test.bicep index e201b2d21f..2891ccb851 100644 --- a/avm/res/network/azure-firewall/tests/e2e/custompip/main.test.bicep +++ b/avm/res/network/azure-firewall/tests/e2e/custompip/main.test.bicep @@ -66,7 +66,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { location: resourceLocation name: '${namePrefix}${serviceShort}001' - virtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId publicIPAddressObject: { name: 'new-${namePrefix}-pip-${serviceShort}' publicIPAllocationMethod: 'Static' diff --git a/avm/res/network/azure-firewall/tests/e2e/defaults/main.test.bicep b/avm/res/network/azure-firewall/tests/e2e/defaults/main.test.bicep index 8ec00541a0..623ae364cb 100644 --- a/avm/res/network/azure-firewall/tests/e2e/defaults/main.test.bicep +++ b/avm/res/network/azure-firewall/tests/e2e/defaults/main.test.bicep @@ -50,7 +50,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' params: { name: '${namePrefix}${serviceShort}001' - virtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId location: resourceLocation } }] diff --git a/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep b/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep index 51b94e2234..c3c6ca138f 100644 --- a/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep +++ b/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep 
@@ -67,7 +67,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { location: resourceLocation name: '${namePrefix}${serviceShort}001' - virtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId applicationRuleCollections: [ { name: 'allow-app-rules' diff --git a/avm/res/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep b/avm/res/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep index 524ca25f25..61cca78551 100644 --- a/avm/res/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep +++ b/avm/res/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep @@ -67,7 +67,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { location: resourceLocation name: '${namePrefix}${serviceShort}001' - virtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId applicationRuleCollections: [ { name: 'allow-app-rules' diff --git a/avm/res/network/bastion-host/README.md b/avm/res/network/bastion-host/README.md index 70bf4d00ce..15f3229fbe 100644 --- a/avm/res/network/bastion-host/README.md +++ b/avm/res/network/bastion-host/README.md @@ -49,7 +49,7 @@ module bastionHost 'br/public:avm/res/network/bastion-host:' = { params: { // Required parameters name: 'nbhctmpip001' - vNetId: '' + virtualNetworkResourceId: '' // Non-required parameters location: '' publicIPAddressObject: { @@ -110,8 +110,8 @@ module bastionHost 'br/public:avm/res/network/bastion-host:' = { "name": { "value": "nbhctmpip001" }, - "vNetId": { - "value": "" + "virtualNetworkResourceId": { + "value": "" }, // Non-required parameters "location": { 
@@ -179,7 +179,7 @@ module bastionHost 'br/public:avm/res/network/bastion-host:' = { params: { // Required parameters name: 'nbhmin001' - vNetId: '' + virtualNetworkResourceId: '' // Non-required parameters location: '' } @@ -202,8 +202,8 @@ module bastionHost 'br/public:avm/res/network/bastion-host:' = { "name": { "value": "nbhmin001" }, - "vNetId": { - "value": "" + "virtualNetworkResourceId": { + "value": "" }, // Non-required parameters "location": { @@ -231,7 +231,7 @@ module bastionHost 'br/public:avm/res/network/bastion-host:' = { params: { // Required parameters name: 'nbhmax001' - vNetId: '' + virtualNetworkResourceId: '' // Non-required parameters bastionSubnetPublicIpResourceId: '' diagnosticSettings: [ @@ -296,8 +296,8 @@ module bastionHost 'br/public:avm/res/network/bastion-host:' = { "name": { "value": "nbhmax001" }, - "vNetId": { - "value": "" + "virtualNetworkResourceId": { + "value": "" }, // Non-required parameters "bastionSubnetPublicIpResourceId": { @@ -389,7 +389,7 @@ module bastionHost 'br/public:avm/res/network/bastion-host:' = { params: { // Required parameters name: 'nbhwaf001' - vNetId: '' + virtualNetworkResourceId: '' // Non-required parameters bastionSubnetPublicIpResourceId: '' diagnosticSettings: [ @@ -433,8 +433,8 @@ module bastionHost 'br/public:avm/res/network/bastion-host:' = { "name": { "value": "nbhwaf001" }, - "vNetId": { - "value": "" + "virtualNetworkResourceId": { + "value": "" }, // Non-required parameters "bastionSubnetPublicIpResourceId": { @@ -494,7 +494,7 @@ module bastionHost 'br/public:avm/res/network/bastion-host:' = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`name`](#parameter-name) | string | Name of the Azure Bastion resource. | -| [`vNetId`](#parameter-vnetid) | string | Shared services Virtual Network resource identifier. | +| [`virtualNetworkResourceId`](#parameter-virtualnetworkresourceid) | string | Shared services Virtual Network resource Id. | **Optional parameters** 
@@ -523,9 +523,9 @@ Name of the Azure Bastion resource. - Required: Yes - Type: string -### Parameter: `vNetId` +### Parameter: `virtualNetworkResourceId` -Shared services Virtual Network resource identifier. +Shared services Virtual Network resource Id. - Required: Yes - Type: string diff --git a/avm/res/network/bastion-host/main.bicep b/avm/res/network/bastion-host/main.bicep index 61acff82d1..c7e49dc622 100644 --- a/avm/res/network/bastion-host/main.bicep +++ b/avm/res/network/bastion-host/main.bicep @@ -8,8 +8,8 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Required. Shared services Virtual Network resource identifier.') -param vNetId string +@description('Required. Shared services Virtual Network resource Id.') +param virtualNetworkResourceId string @description('Optional. The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet.') param bastionSubnetPublicIpResourceId string = '' @@ -68,7 +68,7 @@ var ipConfigurations = [ name: 'IpConfAzureBastionSubnet' properties: union({ subnet: { - id: '${vNetId}/subnets/AzureBastionSubnet' // The subnet name must be AzureBastionSubnet + id: '${virtualNetworkResourceId}/subnets/AzureBastionSubnet' // The subnet name must be AzureBastionSubnet } }, { //Use existing Public IP, new Public IP created in this module diff --git a/avm/res/network/bastion-host/main.json b/avm/res/network/bastion-host/main.json index 3902a1b7fd..d16ef2479c 100644 --- a/avm/res/network/bastion-host/main.json +++ b/avm/res/network/bastion-host/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.25.53.49325", - "templateHash": "17052449880021967417" + "templateHash": "403145241490619459" }, "name": "Bastion Hosts", "description": "This module deploys a Bastion Host.", 
@@ -214,10 +214,10 @@ "description": "Optional. Location for all resources." } }, - "vNetId": { + "virtualNetworkResourceId": { "type": "string", "metadata": { - "description": "Required. Shared services Virtual Network resource identifier." + "description": "Required. Shared services Virtual Network resource Id." } }, "bastionSubnetPublicIpResourceId": { 
@@ -361,7 +361,7 @@ "sku": { "name": "[parameters('skuName')]" }, - "properties": "[union(createObject('scaleUnits', if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits')), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureBastionSubnet', parameters('vNetId')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), parameters('bastionSubnetPublicIpResourceId'), reference('publicIPAddress').outputs.resourceId.value)))))), 'enableKerberos', parameters('enableKerberos')), if(equals(parameters('skuName'), 'Standard'), createObject('enableTunneling', equals(parameters('skuName'), 'Standard'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableShareableLink', parameters('enableShareableLink')), createObject()))]", + "properties": "[union(createObject('scaleUnits', if(equals(parameters('skuName'), 'Basic'), 2, parameters('scaleUnits')), 'ipConfigurations', createArray(createObject('name', 'IpConfAzureBastionSubnet', 'properties', union(createObject('subnet', createObject('id', format('{0}/subnets/AzureBastionSubnet', parameters('virtualNetworkResourceId')))), createObject('publicIPAddress', createObject('id', if(not(empty(parameters('bastionSubnetPublicIpResourceId'))), parameters('bastionSubnetPublicIpResourceId'), reference('publicIPAddress').outputs.resourceId.value)))))), 'enableKerberos', parameters('enableKerberos')), if(equals(parameters('skuName'), 'Standard'), createObject('enableTunneling', equals(parameters('skuName'), 'Standard'), 'disableCopyPaste', parameters('disableCopyPaste'), 'enableFileCopy', parameters('enableFileCopy'), 'enableIpConnect', parameters('enableIpConnect'), 'enableShareableLink', parameters('enableShareableLink')), createObject()))]", 
"dependsOn": [ "publicIPAddress" ] diff --git a/avm/res/network/bastion-host/tests/e2e/custompip/main.test.bicep b/avm/res/network/bastion-host/tests/e2e/custompip/main.test.bicep index a3fd490ef2..7aaeca854b 100644 --- a/avm/res/network/bastion-host/tests/e2e/custompip/main.test.bicep +++ b/avm/res/network/bastion-host/tests/e2e/custompip/main.test.bicep @@ -66,7 +66,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { name: '${namePrefix}${serviceShort}001' location: resourceLocation - vNetId: nestedDependencies.outputs.virtualNetworkResourceId + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId publicIPAddressObject: { name: '${namePrefix}${serviceShort}001-pip' allocationMethod: 'Static' diff --git a/avm/res/network/bastion-host/tests/e2e/defaults/main.test.bicep b/avm/res/network/bastion-host/tests/e2e/defaults/main.test.bicep index 4cfee495f8..27e87ef3c2 100644 --- a/avm/res/network/bastion-host/tests/e2e/defaults/main.test.bicep +++ b/avm/res/network/bastion-host/tests/e2e/defaults/main.test.bicep @@ -51,7 +51,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { name: '${namePrefix}${serviceShort}001' location: resourceLocation - vNetId: nestedDependencies.outputs.virtualNetworkResourceId + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId } dependsOn: [ nestedDependencies diff --git a/avm/res/network/bastion-host/tests/e2e/max/main.test.bicep b/avm/res/network/bastion-host/tests/e2e/max/main.test.bicep index 3bca75080b..fb76689996 100644 --- a/avm/res/network/bastion-host/tests/e2e/max/main.test.bicep +++ b/avm/res/network/bastion-host/tests/e2e/max/main.test.bicep 
@@ -67,7 +67,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { name: '${namePrefix}${serviceShort}001' location: resourceLocation - vNetId: nestedDependencies.outputs.virtualNetworkResourceId + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId bastionSubnetPublicIpResourceId: nestedDependencies.outputs.publicIPResourceId diagnosticSettings: [ { diff --git a/avm/res/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/avm/res/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep index fa5beb4653..ac7d900ba9 100644 --- a/avm/res/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep +++ b/avm/res/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep @@ -66,7 +66,7 @@ module testDeployment '../../../main.bicep' = [for iteration in [ 'init', 'idem' params: { name: '${namePrefix}${serviceShort}001' location: resourceLocation - vNetId: nestedDependencies.outputs.virtualNetworkResourceId + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId bastionSubnetPublicIpResourceId: nestedDependencies.outputs.publicIPResourceId diagnosticSettings: [ { diff --git a/avm/res/network/bastion-host/version.json b/avm/res/network/bastion-host/version.json index 83083db694..1c035df49f 100644 --- a/avm/res/network/bastion-host/version.json +++ b/avm/res/network/bastion-host/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", + "version": "0.2", "pathFilters": [ "./main.json" ] diff --git a/avm/res/network/virtual-network/main.bicep b/avm/res/network/virtual-network/main.bicep index 99be2a2f8c..5a8eaf6be6 100644 --- a/avm/res/network/virtual-network/main.bicep +++ b/avm/res/network/virtual-network/main.bicep 
@@ -52,14 +52,6 @@ param tags object? @description('Optional. Enable/Disable usage telemetry for module.') param enableTelemetry bool = true -var dnsServersVar = { - dnsServers: array(dnsServers) -} - -var ddosProtectionPlan = { - id: ddosProtectionPlanResourceId -} - var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') @@ -99,8 +91,12 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { addressSpace: { addressPrefixes: addressPrefixes } - ddosProtectionPlan: !empty(ddosProtectionPlanResourceId) ? ddosProtectionPlan : null - dhcpOptions: !empty(dnsServers) ? dnsServersVar : null + ddosProtectionPlan: !empty(ddosProtectionPlanResourceId) ? { + id: ddosProtectionPlanResourceId + } : null + dhcpOptions: !empty(dnsServers) ? { + dnsServers: array(dnsServers) + } : null enableDdosProtection: !empty(ddosProtectionPlanResourceId) encryption: vnetEncryption == true ? { enabled: vnetEncryption diff --git a/avm/res/network/virtual-network/main.json b/avm/res/network/virtual-network/main.json index eec6da87bf..755e75f48d 100644 --- a/avm/res/network/virtual-network/main.json +++ b/avm/res/network/virtual-network/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.25.53.49325", - "templateHash": "17055439590426138357" + "templateHash": "10848130532872395336" }, "name": "Virtual Networks", "description": "This module deploys a Virtual Network (vNet).", 
@@ -333,12 +333,6 @@ } }, "variables": { - "dnsServersVar": { - "dnsServers": "[array(parameters('dnsServers'))]" - }, - "ddosProtectionPlan": { - "id": "[parameters('ddosProtectionPlanResourceId')]" - }, "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", @@ -402,8 +396,8 @@ "addressSpace": { "addressPrefixes": "[parameters('addressPrefixes')]" }, - "ddosProtectionPlan": "[if(not(empty(parameters('ddosProtectionPlanResourceId'))), variables('ddosProtectionPlan'), null())]", - "dhcpOptions": "[if(not(empty(parameters('dnsServers'))), variables('dnsServersVar'), null())]", + "ddosProtectionPlan": "[if(not(empty(parameters('ddosProtectionPlanResourceId'))), createObject('id', parameters('ddosProtectionPlanResourceId')), null())]", + "dhcpOptions": "[if(not(empty(parameters('dnsServers'))), createObject('dnsServers', array(parameters('dnsServers'))), null())]", "enableDdosProtection": "[not(empty(parameters('ddosProtectionPlanResourceId')))]", "encryption": "[if(equals(parameters('vnetEncryption'), true()), createObject('enabled', parameters('vnetEncryption'), 'enforcement', parameters('vnetEncryptionEnforcement')), null())]", "flowTimeoutInMinutes": "[if(not(equals(parameters('flowTimeoutInMinutes'), 0)), parameters('flowTimeoutInMinutes'), null())]" diff --git a/avm/res/network/virtual-network/version.json b/avm/res/network/virtual-network/version.json index 8def869ede..1c884ecaa9 100644 --- a/avm/res/network/virtual-network/version.json +++ b/avm/res/network/virtual-network/version.json @@ -4,4 +4,4 @@ "pathFilters": [ "./main.json" ] -} +} \ No newline at end of file 
diff --git a/avm/utilities/pipelines/publish/Publish-ModuleFromPathToPBR.ps1 b/avm/utilities/pipelines/publish/Publish-ModuleFromPathToPBR.ps1
index 953521d606..d66f55502f 100644
--- a/avm/utilities/pipelines/publish/Publish-ModuleFromPathToPBR.ps1
+++ b/avm/utilities/pipelines/publish/Publish-ModuleFromPathToPBR.ps1
@@ -77,11 +77,11 @@ function Publish-ModuleFromPathToPBR {
 $null = Convert-TokensInFileList @tokenConfiguration
 # Double-check that tokens are correctly replaced
- $templateContent = Get-Content -Path $moduleBicepFilePath
+ $templateContent = bicep build $moduleBicepFilePath --stdout
 $incorrectLines = @()
 for ($index = 0; $index -lt $templateContent.Count; $index++) {
- if ($templateContent[$index] -match '-..--..-') {
- $incorrectLines += ('You have the token [{0}] in line [{1}] of file [{2}]. Please seek advice from the AVM team.' -f $matches[0], ($index + 1), $moduleBicepFilePath)
+ if ($templateContent[$index] -match '\-\.\.-\-\.\.\-') {
+ $incorrectLines += ('You have the token [{0}] in line [{1}] of the compiled Bicep file [{2}]. Please seek advice from the AVM team.' -f $matches[0], ($index + 1), $moduleBicepFilePath)
 }
 }
 if ($incorrectLines) {
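Review bot: The fail-safe now scans the output of `bicep build $moduleBicepFilePath --stdout`, but nothing in the hunk checks that the build succeeded, so a failed or empty build leaves `$templateContent` empty, the loop runs zero times and the token check passes without inspecting anything. Because this check guards publishing, it should fail closed, e.g. `if ($LASTEXITCODE -ne 0 -or -not $templateContent) { throw "bicep build failed for [$moduleBicepFilePath]; cannot verify token replacement." }` directly after the build call. The hand-escaped pattern is correct but hard to audit; `-match [regex]::Escape('-..--..-')` states the literal intent. The reported line number now refers to the compiled JSON output, while the message still prints the .bicep path, which may mislead whoever follows it up. The function body starts and ends outside the hunk.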