chore: General maintenance and fixes

infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking-multiRegion.bicep.md

@@ -57,7 +57,9 @@ parAzFirewallTierSecondaryLocation | No       | Azure Firewall Tier associated w
 parAzFirewallIntelMode | No       | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert.
 parAzFirewallIntelModeSecondaryLocation | No       | The Azure Firewall Threat Intelligence Mode in the secondary location. If not set, the default value is Alert.
 parAzFirewallCustomPublicIps | No       | Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.
+parAzFirewallCustomManagementIp | No       | Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets.
 parAzFirewallCustomPublicIpsSecondaryLocation | No       | Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations in the secondary location.
+parAzFirewallCustomManagementIpSecondaryLocation | No       | Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration in the secondary location. Requires AzureFirewallManagementSubnet to be configured in parSubnetsSecondaryLocation.
 parAzFirewallAvailabilityZones | No       | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.
 parAzFirewallAvailabilityZonesSecondaryLocation | No       | Availability Zones to deploy the Azure Firewall across in the secondary location. Region must support Availability Zones to use. If it does not then leave empty.
 parAzErGatewayAvailabilityZones | No       | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP.
@@ -69,6 +71,7 @@ parAzFirewallDnsProxyEnabledSecondaryLocation | No       | Switch to enable/disa
 parAzFirewallDnsServers | No       | Array of custom DNS servers used by Azure Firewall.
 parAzFirewallDnsServersSecondaryLocation | No       | Array of custom DNS servers used by Azure Firewall in the secondary location.
 parAzureFirewallLock | No       |  Resource Lock Configuration for Azure Firewall.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
+parAzureFirewallPolicyLock | No       |  Resource Lock Configuration for Azure Firewall Policy.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parHubRouteTableName | No       | Name of Route table to create for the default route of Hub.
 parHubRouteTableNameSecondaryLocation | No       | Name of Route table to create for the default route of Hub in the secondary location.
 parDisableBgpRoutePropagation | No       | Switch to enable/disable BGP Propagation on route table.
@@ -529,12 +532,24 @@ The Azure Firewall Threat Intelligence Mode in the secondary location. If not se
 
 Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.
 
+### parAzFirewallCustomManagementIp
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets.
+
 ### parAzFirewallCustomPublicIpsSecondaryLocation
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
 
 Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations in the secondary location.
 
+### parAzFirewallCustomManagementIpSecondaryLocation
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration in the secondary location. Requires AzureFirewallManagementSubnet to be configured in parSubnetsSecondaryLocation.
+
 ### parAzFirewallAvailabilityZones
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -622,6 +637,19 @@ Array of custom DNS servers used by Azure Firewall in the secondary location.
 
 
 
+- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Hub Networking Module.}`
+
+### parAzureFirewallPolicyLock
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+ Resource Lock Configuration for Azure Firewall Policy.
+
+- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
+- `notes` - Notes about this lock.
+
+
+
 - Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Hub Networking Module.}`
 
 ### parHubRouteTableName
@@ -1095,9 +1123,15 @@ outBastionNsgNameSecondaryLocation | string |
         "parAzFirewallCustomPublicIps": {
             "value": []
         },
+        "parAzFirewallCustomManagementIp": {
+            "value": ""
+        },
         "parAzFirewallCustomPublicIpsSecondaryLocation": {
             "value": []
         },
+        "parAzFirewallCustomManagementIpSecondaryLocation": {
+            "value": ""
+        },
         "parAzFirewallAvailabilityZones": {
             "value": []
         },
@@ -1134,6 +1168,12 @@ outBastionNsgNameSecondaryLocation | string |
                 "notes": "This lock was created by the ALZ Bicep Hub Networking Module."
             }
         },
+        "parAzureFirewallPolicyLock": {
+            "value": {
+                "kind": "None",
+                "notes": "This lock was created by the ALZ Bicep Hub Networking Module."
+            }
+        },
         "parHubRouteTableName": {
             "value": "[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]"
         },

infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md

@@ -35,12 +35,14 @@ parAzFirewallPoliciesPrivateRanges | No       | Private IP addresses/IP ranges t
 parAzFirewallTier | No       | Azure Firewall Tier associated with the Firewall to deploy.
 parAzFirewallIntelMode | No       | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert.
 parAzFirewallCustomPublicIps | No       | Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.
+parAzFirewallCustomManagementIp | Yes      | Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets.
 parAzFirewallAvailabilityZones | No       | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.
 parAzErGatewayAvailabilityZones | No       | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP.
 parAzVpnGatewayAvailabilityZones | No       | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP.
 parAzFirewallDnsProxyEnabled | No       | Switch to enable/disable Azure Firewall DNS Proxy.
 parAzFirewallDnsServers | No       | Array of custom DNS servers used by Azure Firewall
 parAzureFirewallLock | No       |  Resource Lock Configuration for Azure Firewall.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
+parAzureFirewallPolicyLock | No       |  Resource Lock Configuration for Azure Firewall Policy.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parHubRouteTableName | No       | Name of Route table to create for the default route of Hub.
 parDisableBgpRoutePropagation | No       | Switch to enable/disable BGP Propagation on route table.
 parHubRouteTableLock | No       | Resource Lock Configuration for Hub Route Table.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
@@ -316,6 +318,12 @@ The Azure Firewall Threat Intelligence Mode. If not set, the default value is Al
 
 Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.
 
+### parAzFirewallCustomManagementIp
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets.
+
 ### parAzFirewallAvailabilityZones
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -365,6 +373,19 @@ Array of custom DNS servers used by Azure Firewall
 
 
 
+- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Hub Networking Module.}`
+
+### parAzureFirewallPolicyLock
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+ Resource Lock Configuration for Azure Firewall Policy.
+
+- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
+- `notes` - Notes about this lock.
+
+
+
 - Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Hub Networking Module.}`
 
 ### parHubRouteTableName
@@ -682,6 +703,9 @@ outBastionNsgName | string |
         "parAzFirewallCustomPublicIps": {
             "value": []
         },
+        "parAzFirewallCustomManagementIp": {
+            "value": ""
+        },
         "parAzFirewallAvailabilityZones": {
             "value": []
         },
@@ -703,6 +727,12 @@ outBastionNsgName | string |
                 "notes": "This lock was created by the ALZ Bicep Hub Networking Module."
             }
         },
+        "parAzureFirewallPolicyLock": {
+            "value": {
+                "kind": "None",
+                "notes": "This lock was created by the ALZ Bicep Hub Networking Module."
+            }
+        },
         "parHubRouteTableName": {
             "value": "[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]"
         },

infra-as-code/bicep/modules/hubNetworking/hubNetworking-multiRegion.bicep

@@ -361,9 +361,15 @@ param parAzFirewallIntelModeSecondaryLocation string = 'Alert'
 @sys.description('Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations.')
 param parAzFirewallCustomPublicIps array = []
 
+@sys.description('Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration. Requires AzureFirewallManagementSubnet to be configured in parSubnets.')
+param parAzFirewallCustomManagementIp string = ''
+
 @sys.description('Optional List of Custom Public IPs, which are assigned to firewalls ipConfigurations in the secondary location.')
 param parAzFirewallCustomPublicIpsSecondaryLocation array = []
 
+@sys.description('Optional Custom Management Public IP resource ID, which is assigned to Azure Firewall managementIpConfiguration in the secondary location. Requires AzureFirewallManagementSubnet to be configured in parSubnetsSecondaryLocation.')
+param parAzFirewallCustomManagementIpSecondaryLocation string = ''
+
 @allowed([
   '1'
   '2'
@@ -435,6 +441,17 @@ param parAzureFirewallLock lockType = {
   notes: 'This lock was created by the ALZ Bicep Hub Networking Module.'
 }
 
+@sys.description(''' Resource Lock Configuration for Azure Firewall Policy.
+
+- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
+- `notes` - Notes about this lock.
+
+''')
+param parAzureFirewallPolicyLock lockType = {
+  kind: 'None'
+  notes: 'This lock was created by the ALZ Bicep Hub Networking Module.'
+}
+
 @sys.description('Name of Route table to create for the default route of Hub.')
 param parHubRouteTableName string = '${parCompanyPrefix}-hub-routetable'
 
@@ -742,8 +759,10 @@ var varZtnP1TriggerSecondaryLocation = (parDdosEnabledSecondaryLocation && parAz
   : false
 
 var varAzFirewallUseCustomPublicIps = length(parAzFirewallCustomPublicIps) > 0
+var varAzFirewallUseCustomManagementIp = !empty(parAzFirewallCustomManagementIp)
 
 var varAzFirewallUseCustomPublicIpsSecondaryLocation = length(parAzFirewallCustomPublicIpsSecondaryLocation) > 0
+var varAzFirewallUseCustomManagementIpSecondaryLocation = !empty(parAzFirewallCustomManagementIpSecondaryLocation)
 
 //DDos Protection plan will only be enabled if parDdosEnabled is true.
 resource resDdosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2024-05-01' = if (parDdosEnabled) {
@@ -1685,7 +1704,7 @@ module modAzureFirewallPublicIpSecondaryLocation '../publicIp/publicIp.bicep' =
   }
 }
 
-module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && (contains(
+module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && !varAzFirewallUseCustomManagementIp && (contains(
   map(parSubnets, subnets => subnets.name),
   'AzureFirewallManagementSubnet'
 ))) {
@@ -1707,7 +1726,7 @@ module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFire
   }
 }
 
-module modAzureFirewallMgmtPublicIpSecondaryLocation '../publicIp/publicIp.bicep' = if (parAzFirewallEnabledSecondaryLocation && (contains(
+module modAzureFirewallMgmtPublicIpSecondaryLocation '../publicIp/publicIp.bicep' = if (parAzFirewallEnabledSecondaryLocation && !varAzFirewallUseCustomManagementIpSecondaryLocation && (contains(
   map(parSubnetsSecondaryLocation, subnets => subnets.name),
   'AzureFirewallManagementSubnet'
 ))) {
@@ -1787,23 +1806,23 @@ resource resFirewallPoliciesSecondaryLocation 'Microsoft.Network/firewallPolicie
       }
 }
 
-// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallLock.kind != 'None'
-resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallEnabled && (parAzureFirewallLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
+// Create Azure Firewall Policy resource lock if parAzFirewallPoliciesEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallPolicyLock.kind != 'None'
+resource resFirewallPoliciesLock 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallPoliciesEnabled && (parAzureFirewallPolicyLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
   scope: resFirewallPolicies
-  name: parAzureFirewallLock.?name ?? '${resFirewallPolicies.name}-lock'
+  name: parAzureFirewallPolicyLock.?name ?? '${resFirewallPolicies.name}-lock'
   properties: {
-    level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallLock.kind
-    notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallLock.?notes
+    level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallPolicyLock.kind
+    notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallPolicyLock.?notes
   }
 }
 
-// Create Azure Firewall Policy resource lock if parAzFirewallEnabled is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallLock.kind != 'None'
-resource resFirewallPoliciesLockSecondaryLocation 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallEnabledSecondaryLocation && (parAzureFirewallLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
+// Create Azure Firewall Policy resource lock if parAzFirewallPoliciesEnabledSecondaryLocation is true and parGlobalResourceLock.kind != 'None' or if parAzureFirewallPolicyLock.kind != 'None'
+resource resFirewallPoliciesLockSecondaryLocation 'Microsoft.Authorization/locks@2020-05-01' = if (parAzFirewallPoliciesEnabledSecondaryLocation && (parAzureFirewallPolicyLock.kind != 'None' || parGlobalResourceLock.kind != 'None')) {
   scope: resFirewallPoliciesSecondaryLocation
-  name: parAzureFirewallLock.?name ?? '${resFirewallPoliciesSecondaryLocation.name}-lock'
+  name: parAzureFirewallPolicyLock.?name ?? '${resFirewallPoliciesSecondaryLocation.name}-lock'
   properties: {
-    level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallLock.kind
-    notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallLock.?notes
+    level: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.kind : parAzureFirewallPolicyLock.kind
+    notes: (parGlobalResourceLock.kind != 'None') ? parGlobalResourceLock.?notes : parAzureFirewallPolicyLock.?notes
   }
 }
 
@@ -1849,24 +1868,30 @@ resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = if (pa
             }
           }
         ]
-    managementIpConfiguration: {
-      name: 'mgmtIpConfig'
-      properties: {
-        subnet: {
-          id: resAzureFirewallMgmtSubnetRef.id
-        }
-        publicIPAddress: {
-          id: parAzFirewallEnabled ? modAzureFirewallMgmtPublicIp.?outputs.outPublicIpId : ''
+    managementIpConfiguration: (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))
+      ? {
+          name: 'mgmtIpConfig'
+          properties: {
+            subnet: {
+              id: resAzureFirewallMgmtSubnetRef.id
+            }
+            publicIPAddress: {
+              id: parAzFirewallEnabled
+                ? (varAzFirewallUseCustomManagementIp ? parAzFirewallCustomManagementIp : modAzureFirewallMgmtPublicIp.?outputs.outPublicIpId)
+                : ''
+            }
+          }
         }
-      }
-    }
+      : null
     sku: {
       name: 'AZFW_VNet'
       tier: parAzFirewallTier
     }
-    firewallPolicy: {
-      id: resFirewallPolicies.id
-    }
+    firewallPolicy: (parAzFirewallPoliciesEnabled)
+      ? {
+          id: resFirewallPolicies.id
+        }
+      : null
   }
 }
 
@@ -1915,26 +1940,30 @@ resource resAzureFirewallSecondaryLocation 'Microsoft.Network/azureFirewalls@202
             }
           }
         ]
-    managementIpConfiguration: {
-      name: 'mgmtIpConfig'
-      properties: {
-        subnet: {
-          id: resAzureFirewallMgmtSubnetRefSecondaryLocation.id
-        }
-        publicIPAddress: {
-          id: parAzFirewallEnabledSecondaryLocation
-            ? modAzureFirewallMgmtPublicIpSecondaryLocation.?outputs.outPublicIpId
-            : ''
+    managementIpConfiguration: (contains(map(parSubnetsSecondaryLocation, subnets => subnets.name), 'AzureFirewallManagementSubnet'))
+      ? {
+          name: 'mgmtIpConfig'
+          properties: {
+            subnet: {
+              id: resAzureFirewallMgmtSubnetRefSecondaryLocation.id
+            }
+            publicIPAddress: {
+              id: parAzFirewallEnabledSecondaryLocation
+                ? (varAzFirewallUseCustomManagementIpSecondaryLocation ? parAzFirewallCustomManagementIpSecondaryLocation : modAzureFirewallMgmtPublicIpSecondaryLocation.?outputs.outPublicIpId)
+                : ''
+            }
+          }
         }
-      }
-    }
+      : null
     sku: {
       name: 'AZFW_VNet'
       tier: parAzFirewallTierSecondaryLocation
     }
-    firewallPolicy: {
-      id: resFirewallPoliciesSecondaryLocation.id
-    }
+    firewallPolicy: (parAzFirewallPoliciesEnabledSecondaryLocation)
+      ? {
+          id: resFirewallPoliciesSecondaryLocation.id
+        }
+      : null
   }
 }