Azure · AlexanderSehr · Nov 6, 2021 · Nov 5, 2021 · Nov 5, 2021 · Nov 5, 2021
@@ -203,7 +203,7 @@ var backendAddressPools = [for backendPool in backendPools: {
   name: backendPool.backendPoolName
   type: 'Microsoft.Network/applicationGateways/backendAddressPools'
   properties: {
-    backendAddresses: (contains(backendPool, 'BackendAddresses') ? backendPool.BackendAddresses : [])
+    backendAddresses: contains(backendPool, 'BackendAddresses') ? backendPool.BackendAddresses : []
   }
 }]
 var probes_var = [for probe in probes: {
@@ -213,12 +213,12 @@ var probes_var = [for probe in probes: {
     protocol: probe.protocol
     host: probe.host
     path: probe.path
-    interval: (contains(probe, 'interval') ? probe.interval : 30)
-    timeout: (contains(probe, 'timeout') ? probe.timeout : 30)
-    unhealthyThreshold: (contains(probe, 'timeout') ? probe.unhealthyThreshold : 3)
-    minServers: (contains(probe, 'timeout') ? probe.minServers : 0)
+    interval: contains(probe, 'interval') ? probe.interval : 30
+    timeout: contains(probe, 'timeout') ? probe.timeout : 30
+    unhealthyThreshold: contains(probe, 'timeout') ? probe.unhealthyThreshold : 3
+    minServers: contains(probe, 'timeout') ? probe.minServers : 0
     match: {
-      body: (contains(probe, 'timeout') ? probe.body : '')
+      body: contains(probe, 'timeout') ? probe.body : ''
       statusCodes: probe.statusCodes
     }
   }
@@ -231,7 +231,7 @@ var backendHttpConfigurations_var = [for backendHttpConfiguration in backendHttp
     cookieBasedAffinity: backendHttpConfiguration.cookieBasedAffinity
     pickHostNameFromBackendAddress: backendHttpConfiguration.pickHostNameFromBackendAddress
     probeEnabled: backendHttpConfiguration.probeEnabled
-    probe: (bool(backendHttpConfiguration.probeEnabled) ? json('{"id": "${applicationGatewayResourceId}/probes/${backendHttpConfiguration.backendHttpConfigurationName}Probe"}') : json('null'))
+    probe: bool(backendHttpConfiguration.probeEnabled) ? json('{"id": "${applicationGatewayResourceId}/probes/${backendHttpConfiguration.backendHttpConfigurationName}Probe"}') : null
   }
 }]
 var frontendHttpsPorts = [for frontendHttpsListener in frontendHttpsListeners: {
@@ -343,12 +343,12 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
 resource applicationGateway 'Microsoft.Network/applicationGateways@2021-02-01' = {
   name: applicationGatewayName
   location: location
-  identity: (empty(managedIdentityResourceId) ? json('null') : identity)
+  identity: empty(managedIdentityResourceId) ? null : identity
   tags: tags
   properties: {
     sku: {
       name: sku
-      tier: (endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_')))
+      tier: endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_'))
       capacity: capacity
     }
     gatewayIPConfigurations: [
@@ -365,7 +365,7 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-02-01' =
       {
         name: frontendPrivateIPConfigurationName
         type: 'Microsoft.Network/applicationGateways/frontendIPConfigurations'
-        properties: (empty(frontendPrivateIpAddress) ? frontendPrivateIPDynamicConfiguration : frontendPrivateIPStaticConfiguration)
+        properties: empty(frontendPrivateIpAddress) ? frontendPrivateIPDynamicConfiguration : frontendPrivateIPStaticConfiguration
       }
       {
         name: frontendPublicIPConfigurationName
@@ -376,7 +376,7 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-02-01' =
         }
       }
     ]
-    sslCertificates: (empty(sslCertificateKeyVaultSecretId) ? json('null') : sslCertificates)
+    sslCertificates: empty(sslCertificateKeyVaultSecretId) ? null : sslCertificates
     backendAddressPools: backendAddressPools
     probes: probes_var
     backendHttpSettingsCollection: backendHttpConfigurations_var
@@ -385,7 +385,7 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-02-01' =
     redirectConfigurations: redirectConfigurations
     requestRoutingRules: requestRoutingRules
     enableHttp2: http2Enabled
-    webApplicationFirewallConfiguration: (startsWith(sku, 'WAF') ? wafConfiguration : json('null'))
+    webApplicationFirewallConfiguration: startsWith(sku, 'WAF') ? wafConfiguration : null
   }
   dependsOn: []
 }
@@ -394,20 +394,20 @@ resource applicationGateway_lock 'Microsoft.Authorization/locks@2016-09-01' = if
   name: '${applicationGateway.name}-${lock}-lock'
   properties: {
     level: lock
-    notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
   }
   scope: applicationGateway
 }
 
-resource applicationGateway_diagnosticSettingName 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) {
+resource applicationGateway_diagnosticSettingName 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(workspaceId) || !empty(eventHubAuthorizationRuleId) || !empty(eventHubName)) {
   name: '${applicationGateway.name}-diagnosticSettings'
   properties: {
-    storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId)
-    workspaceId: (empty(workspaceId) ? json('null') : workspaceId)
-    eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId)
-    eventHubName: (empty(eventHubName) ? json('null') : eventHubName)
-    metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics)
-    logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs)
+    storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId
+    workspaceId: empty(workspaceId) ? null : workspaceId
+    eventHubAuthorizationRuleId: empty(eventHubAuthorizationRuleId) ? null : eventHubAuthorizationRuleId
+    eventHubName: empty(eventHubName) ? null : eventHubName
+    metrics: empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName) ? null : diagnosticsMetrics
+    logs: empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName) ? null : diagnosticsLogs
   }
   scope: applicationGateway
 }
@@ -420,6 +420,11 @@ module applicationGateway_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment
   }
 }]
 
+@description('The name of the application gateway')
 output applicationGatewayName string = applicationGateway.name
+
+@description('The resource Id of the application gateway')
 output applicationGatewayResourceId string = applicationGateway.id
+
+@description('The resource group the application gateway was deployed into')
 output applicationGatewayResourceGroup string = resourceGroup().name
@@ -227,11 +227,11 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 
 ## Outputs
 
-| Output Name | Type |
-| :-- | :-- |
-| `applicationGatewayName` | string |
-| `applicationGatewayResourceGroup` | string |
-| `applicationGatewayResourceId` | string |
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `applicationGatewayName` | string | The name of the application gateway |
+| `applicationGatewayResourceGroup` | string | The resource group the application gateway was deployed into |
+| `applicationGatewayResourceId` | string | The resource Id of the application gateway |
 
 ## Template references
 

@@ -37,7 +37,7 @@ resource applicationSecurityGroup_lock 'Microsoft.Authorization/locks@2016-09-01
   name: '${applicationSecurityGroup.name}-${lock}-lock'
   properties: {
     level: lock
-    notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
   }
   scope: applicationSecurityGroup
 }
@@ -50,6 +50,11 @@ module applicationSecurityGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssi
   }
 }]
 
+@description('The resource group the application security group was deployed into')
 output applicationSecurityGroupsResourceGroup string = resourceGroup().name
+
+@description('The resourceId of the application security group')
 output applicationSecurityGroupsResourceId string = applicationSecurityGroup.id
+
+@description('The name of the application security group')
 output applicationSecurityGroupsName string = applicationSecurityGroup.name
@@ -69,11 +69,11 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 
 ## Outputs
 
-| Output Name | Type |
-| :-- | :-- |
-| `applicationSecurityGroupsName` | string |
-| `applicationSecurityGroupsResourceGroup` | string |
-| `applicationSecurityGroupsResourceId` | string |
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `applicationSecurityGroupsName` | string | The name of the application security group |
+| `applicationSecurityGroupsResourceGroup` | string | The resource group the application security group was deployed into |
+| `applicationSecurityGroupsResourceId` | string | The resourceId of the application security group |
 
 ## Template references
 

@@ -163,36 +163,36 @@ resource azureFirewallPip 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
   properties: {
     publicIPAllocationMethod: 'Static'
     publicIPAddressVersion: 'IPv4'
-    publicIPPrefix: ((!empty(publicIPPrefixId)) ? publicIPPrefix : json('null'))
+    publicIPPrefix: !empty(publicIPPrefixId) ? publicIPPrefix : null
   }
 }
 
 resource azureFirewallPip_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') {
   name: '${azureFirewallPip.name}-${lock}-lock'
   properties: {
     level: lock
-    notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
   }
   scope: azureFirewallPip
 }
 
-resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) {
+resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(workspaceId) || !empty(eventHubAuthorizationRuleId) || !empty(eventHubName)) {
   name: '${azureFirewallPip.name}-diagnosticSettings'
   properties: {
-    storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId)
-    workspaceId: (empty(workspaceId) ? json('null') : workspaceId)
-    eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId)
-    eventHubName: (empty(eventHubName) ? json('null') : eventHubName)
-    metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics)
-    logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogsPublicIp)
+    storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId
+    workspaceId: empty(workspaceId) ? null : workspaceId
+    eventHubAuthorizationRuleId: empty(eventHubAuthorizationRuleId) ? null : eventHubAuthorizationRuleId
+    eventHubName: empty(eventHubName) ? null : eventHubName
+    metrics: empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName) ? null : diagnosticsMetrics
+    logs: empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName) ? null : diagnosticsLogsPublicIp
   }
   scope: azureFirewallPip
 }
 
 resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
   name: azureFirewallName
   location: location
-  zones: ((length(availabilityZones) == 0) ? json('null') : availabilityZones)
+  zones: length(availabilityZones) == 0 ? null : availabilityZones
   tags: tags
   properties: {
     threatIntelMode: 'Deny'
@@ -226,20 +226,20 @@ resource azureFirewall_lock 'Microsoft.Authorization/locks@2016-09-01' = if (loc
   name: '${azureFirewall.name}-${lock}-lock'
   properties: {
     level: lock
-    notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
   }
   scope: azureFirewall
 }
 
-resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) {
+resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(workspaceId) || !empty(eventHubAuthorizationRuleId) || !empty(eventHubName)) {
   name: '${azureFirewall.name}-diagnosticSettings'
   properties: {
-    storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId)
-    workspaceId: (empty(workspaceId) ? json('null') : workspaceId)
-    eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId)
-    eventHubName: (empty(eventHubName) ? json('null') : eventHubName)
-    metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics)
-    logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogsAzureFirewall)
+    storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId
+    workspaceId: empty(workspaceId) ? null : workspaceId
+    eventHubAuthorizationRuleId: empty(eventHubAuthorizationRuleId) ? null : eventHubAuthorizationRuleId
+    eventHubName: empty(eventHubName) ? null : eventHubName
+    metrics: empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName) ? null : diagnosticsMetrics
+    logs: empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName) ? null : diagnosticsLogsAzureFirewall
   }
   scope: azureFirewall
 }
@@ -252,11 +252,26 @@ module azureFirewall_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, ind
   }
 }]
 
+@description('The resourceId of the Azure firewall')
 output azureFirewallResourceId string = azureFirewall.id
+
+@description('The name of the Azure firewall')
 output azureFirewallName string = azureFirewall.name
+
+@description('The resource group the azure firewall was deployed into')
 output azureFirewallResourceGroup string = resourceGroup().name
+
+@description('The private IP of the Azure Firewall')
 output azureFirewallPrivateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress
+
+@description('The public IP of the Azure Firewall')
 output azureFirewallPublicIp string = azureFirewallPip.properties.ipAddress
+
+@description('List of Application Rule Collections')
 output applicationRuleCollections array = applicationRuleCollections
+
+@description('List of Network Rule Collections')
 output networkRuleCollections array = networkRuleCollections
+
+@description('Collection of NAT rule collections used by Azure Firewall')
 output natRuleCollections array = natRuleCollections
@@ -90,16 +90,16 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 
 ## Outputs
 
-| Output Name | Type |
-| :-- | :-- |
-| `applicationRuleCollections` | array |
-| `azureFirewallName` | string |
-| `azureFirewallPrivateIp` | string |
-| `azureFirewallPublicIp` | string |
-| `azureFirewallResourceGroup` | string |
-| `azureFirewallResourceId` | string |
-| `natRuleCollections` | array |
-| `networkRuleCollections` | array |
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `applicationRuleCollections` | array | List of Application Rule Collections |
+| `azureFirewallName` | string | The name of the Azure firewall |
+| `azureFirewallPrivateIp` | string | The private IP of the Azure Firewall |
+| `azureFirewallPublicIp` | string | The public IP of the Azure Firewall |
+| `azureFirewallResourceGroup` | string | The resource group the azure firewall was deployed into |
+| `azureFirewallResourceId` | string | The resourceId of the Azure firewall |
+| `natRuleCollections` | array | Collection of NAT rule collections used by Azure Firewall |
+| `networkRuleCollections` | array | List of Network Rule Collections |
 
 ## Considerations