Azure · ahmadabdalla · Oct 13, 2023 · Oct 12, 2023 · Oct 12, 2023 · Oct 12, 2023
@@ -553,10 +553,6 @@ module policyExemption './authorization/policy-exemption/main.bicep' = {
 
 ## Notes
 
-### Module Pre-requisites
-
-Policy Exemptions have a dependency on Policy Assignments being applied before creating an exemption.
-
 ### Module Usage Guidance
 
 In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.

@@ -10,7 +10,6 @@ This module deploys a Policy Set Definition (Initiative) at a Management Group o
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
 - [Notes](#Notes)
-- [Module Pre-requisites](#Module-Pre-requisites)
 
 ## Resource types
 
@@ -491,10 +490,6 @@ module policySetDefinition './authorization/policy-set-definition/main.bicep' =
 
 ## Notes
 
-## Module Pre-requisites
-
-- Policy Set Definitions (Initiatives) have a dependency on Policy Definitions being applied before creating an initiative.
-
 ### Module Usage Guidance
 
 In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `main.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](main.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/main.bicep'](./subscription/main.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.

@@ -9,7 +9,6 @@ This module deploys an Azure Automation Account.
 - [Outputs](#Outputs)
 - [Cross-referenced modules](#Cross-referenced-modules)
 - [Deployment examples](#Deployment-examples)
-- [Notes](#Notes)
 
 ## Resource Types
 
@@ -891,61 +890,3 @@ module automationAccount './automation/automation-account/main.bicep' = {
 
 </details>
 <p>
-
-
-## Notes
-
-### Parameter Usage: `encryption`
-
-Prerequisites:
-
-- User Assigned Identity for Encryption needs `Get`, `List`, `Wrap` and `Unwrap` permissions on the key.
-- User Assigned Identity have to be one of the defined identities in userAssignedIdentities parameter block.
-- To use Azure Automation with customer managed keys, both `Soft Delete` and `Do Not Purge` features must be turned on to allow for recovery of keys in case of accidental deletion.
-
-<details>
-
-<summary>Parameter JSON format</summary>
-
-```json
-"encryptionKeySource" : {
-    "value" : "Microsoft.KeyVault"
-},
-"encryptionUserAssignedIdentity": {
-    "value": "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001" // this identity needs to be one of the identities defined in userAssignedIdentities section
-},
-"keyName" : {
-        "value" : "keyEncryptionKey"
-},
-"keyvaultUri" : {
-            "value" : "https://[[keyValutName]].vault.azure.net/"
-},
-"keyVersion" : {
-            "value" : "aa11b22c1234567890c3608c657cd5a2"
-},
-"userAssignedIdentities": {
-    "value": {
-        "/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001": {}, // same value as 'encryptionUserAssignedIdentity' parameter
-    }
-}
-```
-
-</details>
-
-<details>
-
-<summary>Bicep format</summary>
-
-```bicep
-encryptionKeySource: 'Microsoft.KeyVault'
-encryptionUserAssignedIdentity: '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001' // this identity needs to be one of the identities defined in userAssignedIdentities section
-keyName : 'keyEncryptionKey'
-keyvaultUri: 'https://[[keyValutName]].vault.azure.net/'
-keyVersion: 'aa11b22c1234567890c3608c657cd5a2'
-userAssignedIdentities: {
-    '/subscriptions/[[subscriptionId]]/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-[[namePrefix]]-az-msi-x-001': {} // same value as 'encryptionUserAssignedIdentity' parameter
-}
-```
-
-</details>
-<p>
@@ -247,6 +247,65 @@ userAssignedIdentities: {
 </details>
 <p>
 
+### Parameter Usage: `roleAssignments`
+
+Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
+
+<details>
+
+<summary>Parameter JSON format</summary>
+
+```json
+"roleAssignments": {
+    "value": [
+        {
+            "roleDefinitionIdOrName": "Reader",
+            "description": "Reader Role Assignment",
+            "principalIds": [
+                "12345678-1234-1234-1234-123456789012", // object 1
+                "78945612-1234-1234-1234-123456789012" // object 2
+            ]
+        },
+        {
+            "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+            "principalIds": [
+                "12345678-1234-1234-1234-123456789012" // object 1
+            ],
+            "principalType": "ServicePrincipal"
+        }
+    ]
+}
+```
+
+</details>
+
+<details>
+
+<summary>Bicep format</summary>
+
+```bicep
+roleAssignments: [
+    {
+        roleDefinitionIdOrName: 'Reader'
+        description: 'Reader Role Assignment'
+        principalIds: [
+            '12345678-1234-1234-1234-123456789012' // object 1
+            '78945612-1234-1234-1234-123456789012' // object 2
+        ]
+    }
+    {
+        roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+        principalIds: [
+            '12345678-1234-1234-1234-123456789012' // object 1
+        ]
+        principalType: 'ServicePrincipal'
+    }
+]
+```
+
+</details>
+<p>
+
 ## Outputs
 
 | Output Name | Type | Description |
@@ -706,175 +765,6 @@ module account './cognitive-services/account/main.bicep' = {
 
 ## Notes
 
-### Considerations
+### Module Usage Guidance
 
 - Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell cmdlet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region.
-- Not all kinds of Cognitive Services support virtual networks. Please visit the link below to determine supported services.
-
-### Parameter Usage: `encryption`
-
-<details>
-
-<summary>Parameter JSON format</summary>
-
-```json
-// With customer-managed key
-"encryption": {
-    "value": {
-        "keySource": "Microsoft.KeyVault",
-        "keyVaultProperties": {
-            "identityClientId": "12345678-1234-1234-1234-123456789012", // ID must be updated for new identity
-            "keyVaultUri": "https://adp-[[namePrefix]]-az-kv-nopr-002.vault.azure.net/",
-            "keyName": "keyEncryptionKey",
-            "keyversion": "1111111111111111111111111111111" // Version must be updated for new keys
-        }
-    }
-}
-// With service-managed key
-"encryption": {
-    "value": {
-        "keySource": "Microsoft.CognitiveServices"
-    }
-}
-```
-
-</details>
-
-<details>
-
-<summary>Bicep format</summary>
-
-```bicep
-// With customer managed key
-encryption: {
-    keySource: 'Microsoft.KeyVault'
-    keyVaultProperties: {
-        identityClientId: '12345678-1234-1234-1234-123456789012' // ID must be updated for new identity
-        keyVaultUri: 'https://adp-[[namePrefix]]-az-kv-nopr-002.vault.azure.net/'
-        keyName: 'keyEncryptionKey'
-        keyversion: '1111111111111111111111111111111' // Version must be updated for new keys
-    }
-}
-// With service-managed key
-encryption: {
-    keySource: 'Microsoft.CognitiveServices'
-}
-```
-
-</details>
-<p>
-### Parameter Usage: `roleAssignments`
-
-Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
-
-<details>
-
-<summary>Parameter JSON format</summary>
-
-```json
-"roleAssignments": {
-    "value": [
-        {
-            "roleDefinitionIdOrName": "Reader",
-            "description": "Reader Role Assignment",
-            "principalIds": [
-                "12345678-1234-1234-1234-123456789012", // object 1
-                "78945612-1234-1234-1234-123456789012" // object 2
-            ]
-        },
-        {
-            "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
-            "principalIds": [
-                "12345678-1234-1234-1234-123456789012" // object 1
-            ],
-            "principalType": "ServicePrincipal"
-        }
-    ]
-}
-```
-
-</details>
-
-<details>
-
-<summary>Bicep format</summary>
-
-```bicep
-roleAssignments: [
-    {
-        roleDefinitionIdOrName: 'Reader'
-        description: 'Reader Role Assignment'
-        principalIds: [
-            '12345678-1234-1234-1234-123456789012' // object 1
-            '78945612-1234-1234-1234-123456789012' // object 2
-        ]
-    }
-    {
-        roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
-        principalIds: [
-            '12345678-1234-1234-1234-123456789012' // object 1
-        ]
-        principalType: 'ServicePrincipal'
-    }
-]
-```
-
-</details>
-<p>
-
-### Parameter Usage: `networkAcls`
-
-<details>
-
-<summary>Parameter JSON format</summary>
-
-```json
-"networkAcls": {
-  "value": {
-    "defaultAction": "Deny",
-    "virtualNetworkRules": [
-      {
-        "id": "/subscriptions/<subscription-ID>/resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>",
-        "ignoreMissingVnetServiceEndpoint": false
-      }
-    ],
-    "ipRules": [
-      {
-        "value": "1.1.1.1"
-      },
-      {
-        "value": "<IP address or CIDR>"
-      }
-    ]
-  }
-}
-```
-
-</details>
-
-<details>
-
-<summary>Bicep format</summary>
-
-```bicep
-networkAcls: {
-    defaultAction: 'Deny'
-    virtualNetworkRules: [
-        {
-            id: '/subscriptions/<subscription-ID>/resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>'
-            ignoreMissingVnetServiceEndpoint: false
-        }
-    ]
-    ipRules: [
-        {
-            value: '1.1.1.1'
-        }
-        {
-            value: '<IP address or CIDR>'
-        }
-    ]
-}
-```
-
-</details>
-<p>