From dbdf9a8354ff87421bd1b31cc06ba2374925fff2 Mon Sep 17 00:00:00 2001
From: Zach <19664186+FallenHoot@users.noreply.github.com>
Date: Sun, 17 Nov 2024 15:09:54 +0100
Subject: [PATCH] fix: Avm vmss bootdiagnosticenabled (#4)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Update virtual machine resources and documentation

- Updated README.md in avmavm/res/compute/virtual-machine to include new setup instructions and usage examples.
- Modified main.bicep in avm/res/compute/virtual-machine to fix deployment issues and improve resource configuration.
- Updated main.json in avm/res/compute/virtual-machine to align with the latest schema and add new parameters for flexibility.

* Update VM scale set resources and documentation

- Updated README.md in avm/res/compute/virtual-machine-scale-set to include new setup instructions and usage examples.
- Modified main.bicep in avm/res/compute/virtual-machine-scale-set to fix deployment issues and improve resource configuration.
- Updated main.json in avm/res/compute/virtual-machine-scale-set to align with the latest schema and add new parameters for flexibility.

* Delete avm/res/compute/virtual-machine/main.json

* Delete avm/res/compute/virtual-machine/main.bicep

* Restore main.bicep, main.json, and README.md from upstream/main

* Fixed wrong placement of ',' in main.json

* fix: `Postgresql Flexible Server Pipeline Failure (#3768)

## Description
 Updated AVM common types to version 0.2.1

Fixes #3642
<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes #123
Fixes #456
Closes #123
Closes #456
-->

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.db-for-postgre-sql.flexible-server](https://github.com/arnoldna/bicep-registry-modules/actions/workflows/avm.res.db-for-postgre-sql.flexible-server.yml/badge.svg?branch=avm%2Fres%2Fdb-for-postgre-sql%2Fflexible-server3)](https://github.com/arnoldna/bicep-registry-modules/actions/workflows/avm.res.db-for-postgre-sql.flexible-server.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [X] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [X ] Update to documentation

## Checklist

- [X ] I'm sure there are no other open Pull Requests for the same
update/change
- [X ] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [ X] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

* feat: Add common types in `avm/res/insights/component` (#3769)

## Description

Using common types in `avm/res/insights/component`

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.insights.component](https://github.com/krbar/bicep-registry-modules/actions/workflows/avm.res.insights.component.yml/badge.svg?branch=users%2Fkrbar%2FappInsightsCommonTypes)](https://github.com/krbar/bicep-registry-modules/actions/workflows/avm.res.insights.component.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

* Increased minor version

Reflecting 'bootdiagnosticenabled' change, the minor version has been increased.

* fix: ApiManagement-Service - Changed `loggers` to `logger` (#3677)

## Description

- Changing folder name to singular to align with AVM spec: [resource
module
naming](https://azure.github.io/Azure-Verified-Modules/specs/shared/#bicep-resource-module-naming)
- Fixed incorrect description. See failed test
[here](https://github.com/Azure/bicep-registry-modules/actions/runs/11607584544)

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.api-management.service](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.api-management.service.yml/badge.svg?branch=users%2Falsehr%2FloggerSingular&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.api-management.service.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

---------

Co-authored-by: Tony Box <tonybox@gmail.com>

* feat: Add UDT & common types to `avm/res/search/search-service` module (#3767)

## Description

Add UDT to `avm/res/search/search-service` module

## Pipeline Reference

| Pipeline |
| -------- |
|
[![avm.res.search.search-service](https://github.com/krbar/bicep-registry-modules/actions/workflows/avm.res.search.search-service.yml/badge.svg?branch=users%2Fkrbar%2FsearchServiceUDT)](https://github.com/krbar/bicep-registry-modules/actions/workflows/avm.res.search.search-service.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [x] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

* Feat: deploy premium SSDv2 disks and specify IOPS and throughput configuration (#3770)

## Description

Add support for premium SSD v2 disks and the ability to specify IOPS and
throughput configuration. A new test was added to show the new
functionality.

Fixes #3252

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

all runs are good, except NVIdia test, due to capacity restrictions.

| Pipeline |
| -------- |
|
[![avm.res.compute.virtual-machine](https://github.com/rahalan/bicep-registry-modules/actions/workflows/avm.res.compute.virtual-machine.yml/badge.svg?branch=users%2Frahalan%2FUpdateVMDisk)](https://github.com/rahalan/bicep-registry-modules/actions/workflows/avm.res.compute.virtual-machine.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [x] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

* feat: adds examples and removes RP for `ptn/lz/sub-vending` (#3778)

## Description

- Removes deprecated Time Series Insights Resource provider
- add examples

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.ptn.lz.sub-vending](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml/badge.svg?branch=sub-vending-doc)](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml)
|

## Type of Change

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [ ] My corresponding pipelines / checks run clean and green without
any errors or warnings

* fix: bump github/codeql-action from 3.27.1 to 3.27.3 (#3777)

Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3.27.1 to 3.27.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.27.3</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>3.27.3 - 12 Nov 2024</h2>
<p>No user facing changes.</p>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
<h2>v3.27.2</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>3.27.2 - 12 Nov 2024</h2>
<ul>
<li>Fixed an issue where setting up the CodeQL tools would sometimes
fail with the message &quot;Invalid value 'undefined' for header
'authorization'&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/2590">#2590</a></li>
</ul>
<p>See the full <a
href="https://github.com/github/codeql-action/blob/v3.27.2/CHANGELOG.md">CHANGELOG.md</a>
for more information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.27.3 - 12 Nov 2024</h2>
<p>No user facing changes.</p>
<h2>3.27.2 - 12 Nov 2024</h2>
<ul>
<li>Fixed an issue where setting up the CodeQL tools would sometimes
fail with the message &quot;Invalid value 'undefined' for header
'authorization'&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/2590">#2590</a></li>
</ul>
<h2>3.27.1 - 08 Nov 2024</h2>
<ul>
<li>The CodeQL Action now downloads bundles compressed using Zstandard
on GitHub Enterprise Server when using Linux or macOS runners. This
speeds up the installation of the CodeQL tools. This feature is already
available to GitHub.com users. <a
href="https://redirect.github.com/github/codeql-action/pull/2573">#2573</a></li>
<li>Update default CodeQL bundle version to 2.19.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2576">#2576</a></li>
</ul>
<h2>3.27.0 - 22 Oct 2024</h2>
<ul>
<li>Bump the minimum CodeQL bundle version to 2.14.6. <a
href="https://redirect.github.com/github/codeql-action/pull/2549">#2549</a></li>
<li>Fix an issue where the <code>upload-sarif</code> Action would fail
with &quot;upload-sarif post-action step failed: Input required and not
supplied: token&quot; when called in a composite Action that had a
different set of inputs to the ones expected by the
<code>upload-sarif</code> Action. <a
href="https://redirect.github.com/github/codeql-action/pull/2557">#2557</a></li>
<li>Update default CodeQL bundle version to 2.19.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2552">#2552</a></li>
</ul>
<h2>3.26.13 - 14 Oct 2024</h2>
<p>No user facing changes.</p>
<h2>3.26.12 - 07 Oct 2024</h2>
<ul>
<li>
<p><em>Upcoming breaking change</em>: Add a deprecation warning for
customers using CodeQL version 2.14.5 and earlier. These versions of
CodeQL were discontinued on 24 September 2024 alongside GitHub
Enterprise Server 3.10, and will be unsupported by CodeQL Action
versions 3.27.0 and later and versions 2.27.0 and later. <a
href="https://redirect.github.com/github/codeql-action/pull/2520">#2520</a></p>
<ul>
<li>
<p>If you are using one of these versions, please update to CodeQL CLI
version 2.14.6 or later. For instance, if you have specified a custom
version of the CLI using the 'tools' input to the 'init' Action, you can
remove this input to use the default version.</p>
</li>
<li>
<p>Alternatively, if you want to continue using a version of the CodeQL
CLI between 2.13.5 and 2.14.5, you can replace
<code>github/codeql-action/*@v3</code> by
<code>github/codeql-action/*@v3.26.11</code> and
<code>github/codeql-action/*@v2</code> by
<code>github/codeql-action/*@v2.26.11</code> in your code scanning
workflow to ensure you continue using this version of the CodeQL
Action.</p>
</li>
</ul>
</li>
</ul>
<h2>3.26.11 - 03 Oct 2024</h2>
<ul>
<li>
<p><em>Upcoming breaking change</em>: Add support for using
<code>actions/download-artifact@v4</code> to programmatically consume
CodeQL Action debug artifacts.</p>
<p>Starting November 30, 2024, GitHub.com customers will <a
href="https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/">no
longer be able to use <code>actions/download-artifact@v3</code></a>.
Therefore, to avoid breakage, customers who programmatically download
the CodeQL Action debug artifacts should set the
<code>CODEQL_ACTION_ARTIFACT_V4_UPGRADE</code> environment variable to
<code>true</code> and bump <code>actions/download-artifact@v3</code> to
<code>actions/download-artifact@v4</code> in their workflows. The CodeQL
Action will enable this behavior by default in early November and
workflows that have not yet bumped to
<code>actions/download-artifact@v3</code> to
<code>actions/download-artifact@v4</code> will begin failing then.</p>
<p>This change is currently unavailable for GitHub Enterprise Server
customers, as <code>actions/upload-artifact@v4</code> and
<code>actions/download-artifact@v4</code> are not yet compatible with
GHES.</p>
</li>
<li>
<p>Update default CodeQL bundle version to 2.19.1. <a
href="https://redirect.github.com/github/codeql-action/pull/2519">#2519</a></p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/396bb3e45325a47dd9ef434068033c6d5bb0d11a"><code>396bb3e</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2601">#2601</a>
from github/update-v3.27.3-f04790367</li>
<li><a
href="https://github.com/github/codeql-action/commit/2b1319450a8536cc55c2629acf08b8de0d6974fc"><code>2b13194</code></a>
Update changelog for v3.27.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/f047903675361d0d500a0615aebf72964b96d702"><code>f047903</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2599">#2599</a>
from github/NlightNFotis/disable-streaming</li>
<li><a
href="https://github.com/github/codeql-action/commit/427ce4600e3528c07838070154127e2af6dfb3c2"><code>427ce46</code></a>
doc: add issue link to todo reminders in tests</li>
<li><a
href="https://github.com/github/codeql-action/commit/5445a29a97a0f7c3a83cbb314dacfa84c628f2a6"><code>5445a29</code></a>
tests: instead of false, use old feature flag with default value of
false</li>
<li><a
href="https://github.com/github/codeql-action/commit/e6dd4048e948138fdedb84209e7f981c0a31c5f6"><code>e6dd404</code></a>
workaround: disable streaming when downloading codeql bundle</li>
<li><a
href="https://github.com/github/codeql-action/commit/5cb4249dc7848e27a64daec41f25f109ccf2a515"><code>5cb4249</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2595">#2595</a>
from github/mergeback/v3.27.2-to-main-9278e421</li>
<li><a
href="https://github.com/github/codeql-action/commit/a4ee280ec94edd31a1e4cb07dc1e4c58d5ef4793"><code>a4ee280</code></a>
Update checked-in dependencies</li>
<li><a
href="https://github.com/github/codeql-action/commit/9a25759866eb456f0526bccb7483a6f0758c3808"><code>9a25759</code></a>
Update changelog and version after v3.27.2</li>
<li><a
href="https://github.com/github/codeql-action/commit/9278e421667d5d90a2839487a482448c4ec7df4d"><code>9278e42</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2594">#2594</a>
from github/update-v3.27.2-02167d77f</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/4f3212b61783c3c68e8309a0f18a699764811cda...396bb3e45325a47dd9ef434068033c6d5bb0d11a">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3.27.1&new-version=3.27.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: pipeline failure for `Avm/res/db for postgre sql/flexible server` (#3779)

## Description

Fixes  #3768  - Pipeline failure
<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes #123
Fixes #456
Closes #123
Closes #456
-->

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.db-for-postgre-sql.flexible-server](https://github.com/arnoldna/bicep-registry-modules/actions/workflows/avm.res.db-for-postgre-sql.flexible-server.yml/badge.svg?branch=avm%2Fres%2Fdb-for-postgre-sql%2Fflexible-server)](https://github.com/arnoldna/bicep-registry-modules/actions/workflows/avm.res.db-for-postgre-sql.flexible-server.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [X] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [X] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [X] Update to documentation

## Checklist

- [X] I'm sure there are no other open Pull Requests for the same
update/change
- [X] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [X] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

* fix: removed RP fix `ptn/lz/sub-vending` (#3781)

## Description

After removing the Time Series Insights RP in the last PR, I missed one
occurrence.

## Pipeline Reference

| Pipeline |
| -------- |
|
[![avm.ptn.lz.sub-vending](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml/badge.svg?branch=lz-sub-vending-fix)](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.ptn.lz.sub-vending.yml)
|

## Type of Change

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [x] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [ ] My corresponding pipelines / checks run clean and green without
any errors or warnings

* fix: Adding support for Cilium Network Policy (#3402)

# Supporting Cilium network policy in AKS

cilium data plane requires cilium network policy. when specifying azure
policy for cilium we get an error -
CiliumDataplaneRequiresNetworkPolicyCilium

Configuration
networkPolicy: 'azure'
networkPlugin: 'azure'
networkDataplane: 'cilium'

Detailed Error
```json
{
    "message": {
        "code": "BadRequest",
        "details": null,
        "message": "Cilium dataplane requires network policy cilium.",
        "subcode": "CiliumDataplaneRequiresNetworkPolicyCilium",
        "target": "networkProfile.networkPolicy"
    }
}
```

| Pipeline |
| -------- |
|
[![avm.res.container-service.managed-cluster](https://github.com/cv-gh/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml/badge.svg)](https://github.com/cv-gh/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [ x] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [ x] I'm sure there are no other open Pull Requests for the same
update/change
- [ x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

---------

Co-authored-by: Ilhaan Rasheed <ilhaan@users.noreply.github.com>

* feat: Added types to `avm/res/cdn/profile` module (#3728)

## Description

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes #3727

-->

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.cdn.profile](https://github.com/anderseide/avm-bicep-registry-modules/actions/workflows/avm.res.cdn.profile.yml/badge.svg?branch=types-avm-res-cdn-profile)](https://github.com/anderseide/avm-bicep-registry-modules/actions/workflows/avm.res.cdn.profile.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [X] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [X] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [X] Update to documentation

## Checklist

- [X] I'm sure there are no other open Pull Requests for the same
update/change
- [X] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [X] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

* feat: Add WAF Security PS Rule Config (#3745)

## Description

Add WAF Security PS Rule Config as agreed, defined below:

1. New PSRule custom baseline with explicit rules added based on WAF
security work, prioritizing top 20 resources
2. Run of PSRule with `Azure.Pillar.Security` in "audit only" mode
(`continue_on_error = true`)

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.container-registry.registry](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.container-registry.registry.yml/badge.svg?branch=feat%2Fadd-waf-security)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.container-registry.registry.yml)
- Note failure is not due to changes and is in different job |
|
[![avm.res.network.firewall-policy](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.firewall-policy.yml/badge.svg)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.firewall-policy.yml)
- failing as rule is not passing as expected |
|
[![avm.res.network.azure-firewall](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.azure-firewall.yml/badge.svg?branch=feat%2Fadd-waf-security)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.azure-firewall.yml)
|

|[![avm.res.network.application-gateway-web-application-firewall-policy](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway-web-application-firewall-policy.yml/badge.svg?branch=feat%2Fadd-waf-security)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway-web-application-firewall-policy.yml)
|
|
[![avm.res.network.application-gateway](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway.yml/badge.svg)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway.yml)
- failing as expected |
|
[![avm.res.storage.storage-account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml/badge.svg)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml)
- Note failure is not due to changes and is in different job|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [x] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

* Fixed Use the safe access (.?) operator instead of checking object contents with the 'contains' function. Added Secure Password for bicep linter

* Fixed secure password issue after bicep linter

* Fixed adminPassword

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Zach Olinske <zaolinsk@microsoft.com>
Co-authored-by: Nate Arnold <arnoldna@users.noreply.github.com>
Co-authored-by: Kris Baranek <20225789+krbar@users.noreply.github.com>
Co-authored-by: Alexander Sehr <ASehr@hotmail.de>
Co-authored-by: Tony Box <tonybox@gmail.com>
Co-authored-by: Rainer Halanek <61878316+rahalan@users.noreply.github.com>
Co-authored-by: René Hézser <rene@hezser.de>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chetan Vaja <chetanv@outlook.com>
Co-authored-by: Ilhaan Rasheed <ilhaan@users.noreply.github.com>
Co-authored-by: Anders Eide <anders.eide@outlook.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
---
 .../avm-validateModulePSRule/action.yml       |   29 +
 .github/workflows/avm.template.module.yml     |   48 +-
 .github/workflows/platform.ossf-scorecard.yml |    2 +-
 avm/ptn/lz/sub-vending/README.md              |   22 +-
 avm/ptn/lz/sub-vending/main.bicep             |   21 +-
 avm/ptn/lz/sub-vending/main.json              |   65 +-
 .../modules/subResourceWrapper.bicep          |    1 -
 .../service/api-version-set/main.json         |    4 +-
 .../service/api/diagnostics/main.json         |    4 +-
 avm/res/api-management/service/api/main.json  |   17 +-
 .../service/api/policy/main.json              |    4 +-
 .../service/authorization-server/main.json    |    4 +-
 .../api-management/service/backend/main.json  |    9 +-
 .../api-management/service/cache/main.json    |    9 +-
 .../service/identity-provider/main.json       |    9 +-
 .../service/{loggers => logger}/README.md     |   35 +-
 .../api-management/service/logger/main.bicep  |   55 +
 .../service/{loggers => logger}/main.json     |   13 +-
 .../api-management/service/loggers/main.bicep |   55 -
 avm/res/api-management/service/main.bicep     |    8 +-
 avm/res/api-management/service/main.json      |  119 +-
 .../service/named-value/main.json             |    9 +-
 .../api-management/service/policy/main.json   |    4 +-
 .../service/portalsetting/main.json           |    4 +-
 .../service/product/api/main.json             |    4 +-
 .../service/product/group/main.json           |    4 +-
 .../api-management/service/product/main.json  |   12 +-
 .../service/subscription/main.json            |    9 +-
 avm/res/cdn/profile/README.md                 |  681 +++++++
 avm/res/cdn/profile/afdEndpoint/README.md     |  199 ++
 avm/res/cdn/profile/afdEndpoint/main.bicep    |   26 +-
 avm/res/cdn/profile/afdEndpoint/main.json     |  430 ++++-
 .../cdn/profile/afdEndpoint/route/main.bicep  |   63 +
 .../cdn/profile/afdEndpoint/route/main.json   |  191 +-
 avm/res/cdn/profile/customdomain/README.md    |    1 +
 avm/res/cdn/profile/customdomain/main.bicep   |   38 +-
 avm/res/cdn/profile/customdomain/main.json    |   97 +-
 avm/res/cdn/profile/endpoint/main.json        |   26 +-
 avm/res/cdn/profile/endpoint/origin/main.json |   14 +-
 avm/res/cdn/profile/main.bicep                |   18 +-
 avm/res/cdn/profile/main.json                 | 1719 ++++++++++++++++-
 avm/res/cdn/profile/origingroup/main.bicep    |   53 +
 avm/res/cdn/profile/origingroup/main.json     |  315 ++-
 .../cdn/profile/origingroup/origin/main.bicep |   37 +
 .../cdn/profile/origingroup/origin/main.json  |   96 +-
 avm/res/cdn/profile/ruleset/main.bicep        |   13 +-
 avm/res/cdn/profile/ruleset/main.json         |  146 +-
 avm/res/cdn/profile/ruleset/rule/main.bicep   |   18 +
 avm/res/cdn/profile/ruleset/rule/main.json    |   61 +-
 avm/res/cdn/profile/secret/main.json          |    4 +-
 .../cdn/profile/securityPolicies/main.json    |    9 +-
 avm/res/cdn/profile/version.json              |    4 +-
 .../virtual-machine-scale-set/README.md       |   69 +-
 .../extension/main.json                       |    4 +-
 .../virtual-machine-scale-set/main.bicep      |  134 +-
 .../virtual-machine-scale-set/main.json       |  176 +-
 .../tests/e2e/linux.defaults/main.test.bicep  |    5 +
 .../tests/e2e/linux.max/main.test.bicep       |    6 +
 .../tests/e2e/linux.ssecmk/main.test.bicep    |    5 +
 avm/res/compute/virtual-machine/README.md     |  236 ++-
 avm/res/compute/virtual-machine/main.bicep    |   31 +-
 avm/res/compute/virtual-machine/main.json     |   49 +-
 .../e2e/windows.SSDv2/dependencies.bicep      |   30 +
 .../tests/e2e/windows.SSDv2/main.test.bicep   |  101 +
 avm/res/compute/virtual-machine/version.json  |    2 +-
 .../managed-cluster/README.md                 |    1 +
 .../managed-cluster/agent-pool/main.json      |    9 +-
 .../managed-cluster/main.bicep                |    5 +-
 .../managed-cluster/main.json                 |   29 +-
 .../maintenance-configurations/main.json      |    4 +-
 .../flexible-server/README.md                 |    6 +-
 .../flexible-server/main.bicep                |    2 +-
 .../flexible-server/main.json                 |    4 +-
 .../tests/e2e/max/main.test.bicep             |    2 +-
 avm/res/search/search-service/README.md       |  140 +-
 avm/res/search/search-service/main.bicep      |  221 +--
 avm/res/search/search-service/main.json       |  997 +++++-----
 .../shared-private-link-resource/main.json    |    9 +-
 .../tests/e2e/max/main.test.bicep             |    1 +
 avm/res/search/search-service/version.json    |   10 +-
 .../psrule/.ps-rule/cb-waf-security.Rule.yaml |   46 +
 81 files changed, 5786 insertions(+), 1386 deletions(-)
 rename avm/res/api-management/service/{loggers => logger}/README.md (92%)
 create mode 100644 avm/res/api-management/service/logger/main.bicep
 rename avm/res/api-management/service/{loggers => logger}/main.json (92%)
 delete mode 100644 avm/res/api-management/service/loggers/main.bicep
 create mode 100644 avm/res/compute/virtual-machine/tests/e2e/windows.SSDv2/dependencies.bicep
 create mode 100644 avm/res/compute/virtual-machine/tests/e2e/windows.SSDv2/main.test.bicep
 create mode 100644 avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml

diff --git a/.github/actions/templates/avm-validateModulePSRule/action.yml b/.github/actions/templates/avm-validateModulePSRule/action.yml
index 88c123fca6..ab29a6d245 100644
--- a/.github/actions/templates/avm-validateModulePSRule/action.yml
+++ b/.github/actions/templates/avm-validateModulePSRule/action.yml
@@ -131,6 +131,35 @@ runs:
         source: "${{ inputs.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis.
         summary: false # Disabling as taken care in customized task
 
+    - name: Run PSRule analysis - Security Pillar Only (Custom Security Pillar)
+      uses: microsoft/ps-rule@v2.9.0
+      if: ${{ inputs.psruleBaseline == 'CB.AVM.WAF.Security' }}
+      with:
+        modules: "PSRule.Rules.Azure"
+        prerelease: true
+        baseline: "${{ inputs.psruleBaseline }}"
+        inputPath: "${{ inputs.templateFilePath}}"
+        outputFormat: Csv
+        outputPath: "${{ inputs.templateFilePath}}-PSRule-output.csv"
+        option: "${{ github.workspace }}/${{ inputs.psrulePath}}/ps-rule.yaml" # Path to PSRule configuration options file
+        source: "${{ inputs.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis.
+        summary: false # Disabling as taken care in customized task
+
+    - name: Run PSRule analysis - Security Pillar Only (Azure.Pillar.Security)
+      uses: microsoft/ps-rule@v2.9.0
+      if: ${{ inputs.psruleBaseline == 'Azure.Pillar.Security' }}
+      continue-on-error: true
+      with:
+        modules: "PSRule.Rules.Azure"
+        prerelease: true
+        baseline: "${{ inputs.psruleBaseline }}"
+        inputPath: "${{ inputs.templateFilePath}}"
+        outputFormat: Csv
+        outputPath: "${{ inputs.templateFilePath}}-PSRule-output.csv"
+        option: "${{ github.workspace }}/${{ inputs.psrulePath}}/ps-rule.yaml" # Path to PSRule configuration options file
+        source: "${{ inputs.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis.
+        summary: false # Disabling as taken care in customized task
+
     - name: "Parse CSV content"
       if: always()
       uses: azure/powershell@v2
diff --git a/.github/workflows/avm.template.module.yml b/.github/workflows/avm.template.module.yml
index 3fcb5f96d4..252b92473d 100644
--- a/.github/workflows/avm.template.module.yml
+++ b/.github/workflows/avm.template.module.yml
@@ -94,6 +94,50 @@ jobs:
           psrulePath: "avm/utilities/pipelines/staticValidation/psrule" #'${{ github.workspace }}/avm'
           psruleBaseline: "Azure.Pillar.Reliability"
 
+  job_psrule_test_waf_security_cb: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
+    name: "PSRule - WAF Security - AVM Custom Baseline [${{ matrix.testCases.name }}]"
+    runs-on: ubuntu-latest
+    if: ${{ inputs.psRuleModuleTestFilePaths != '' && (fromJson(inputs.workflowInput)).staticValidation == 'true'  }}
+    strategy:
+      fail-fast: false
+      matrix:
+        testCases: ${{ fromJson(inputs.psRuleModuleTestFilePaths) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set environment
+        uses: ./.github/actions/templates/avm-setEnvironment
+      - name: "Run PSRule validation with [${{ matrix.testCases.path }}]"
+        uses: ./.github/actions/templates/avm-validateModulePSRule
+        with:
+          templateFilePath: "${{ inputs.modulePath }}/${{ matrix.testCases.path }}"
+          subscriptionId: "${{ secrets.ARM_SUBSCRIPTION_ID }}"
+          managementGroupId: "${{ secrets.ARM_MGMTGROUP_ID }}"
+          psrulePath: "avm/utilities/pipelines/staticValidation/psrule" #'${{ github.workspace }}/avm'
+          psruleBaseline: "CB.AVM.WAF.Security"
+
+  job_psrule_test_waf_security: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
+    name: "PSRule - WAF Security [${{ matrix.testCases.name }}]"
+    runs-on: ubuntu-latest
+    if: ${{ inputs.psRuleModuleTestFilePaths != '' && (fromJson(inputs.workflowInput)).staticValidation == 'true'  }}
+    strategy:
+      fail-fast: false
+      matrix:
+        testCases: ${{ fromJson(inputs.psRuleModuleTestFilePaths) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set environment
+        uses: ./.github/actions/templates/avm-setEnvironment
+      - name: "Run PSRule validation with [${{ matrix.testCases.path }}]"
+        uses: ./.github/actions/templates/avm-validateModulePSRule
+        with:
+          templateFilePath: "${{ inputs.modulePath }}/${{ matrix.testCases.path }}"
+          subscriptionId: "${{ secrets.ARM_SUBSCRIPTION_ID }}"
+          managementGroupId: "${{ secrets.ARM_MGMTGROUP_ID }}"
+          psrulePath: "avm/utilities/pipelines/staticValidation/psrule" #'${{ github.workspace }}/avm'
+          psruleBaseline: "Azure.Pillar.Security"
+
   #############################
   #   Deployment validation   #
   #############################
@@ -105,10 +149,12 @@ jobs:
       !cancelled() &&
       (fromJson(inputs.workflowInput)).deploymentValidation == 'true' &&
       needs.job_module_static_validation.result != 'failure' &&
-      needs.job_psrule_test_waf_reliability.result != 'failure'
+      needs.job_psrule_test_waf_reliability.result != 'failure' &&
+      needs.job_psrule_test_waf_security_cb.result != 'failure'
     needs:
       - job_module_static_validation
       - job_psrule_test_waf_reliability
+      - job_psrule_test_waf_security_cb
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/platform.ossf-scorecard.yml b/.github/workflows/platform.ossf-scorecard.yml
index ce176f4744..e387559274 100644
--- a/.github/workflows/platform.ossf-scorecard.yml
+++ b/.github/workflows/platform.ossf-scorecard.yml
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+        uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
         with:
           sarif_file: results.sarif
diff --git a/avm/ptn/lz/sub-vending/README.md b/avm/ptn/lz/sub-vending/README.md
index 76930aff30..d7a98d231b 100644
--- a/avm/ptn/lz/sub-vending/README.md
+++ b/avm/ptn/lz/sub-vending/README.md
@@ -796,7 +796,7 @@ param virtualNetworkResourceGroupName = '<virtualNetworkResourceGroupName>'
 | [`roleAssignments`](#parameter-roleassignments) | array | Supply an array of objects containing the details of the role assignments to create.<p><p>Each object must contain the following `keys`:<li>`principalId` = The Object ID of the User, Group, SPN, Managed Identity to assign the RBAC role too.<li>`definition` = The Name of one of the pre-defined built-In RBAC Roles or a Resource ID of a Built-in or custom RBAC Role Definition as follows:<p>  - You can only provide the RBAC role name of the pre-defined roles (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), and User Access Administrator). We only provide those roles as they are the most common ones to assign to a new subscription, also to reduce the template size and complexity in case we define each and every Built-in RBAC role.<p>  - You can provide the Resource ID of a Built-in or custom RBAC Role Definition<p>    - e.g. `/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`<li>`relativeScope` = 2 options can be provided for input value:<p>    1. `''` *(empty string)* = Make RBAC Role Assignment to Subscription scope<p>    2. `'/resourceGroups/<RESOURCE GROUP NAME>'` = Make RBAC Role Assignment to specified Resource Group.<p> |
 | [`subscriptionAliasEnabled`](#parameter-subscriptionaliasenabled) | bool | Whether to create a new Subscription using the Subscription Alias resource. If `false`, supply an existing Subscription''s ID in the parameter named `existingSubscriptionId` instead to deploy resources to an existing Subscription. |
 | [`subscriptionAliasName`](#parameter-subscriptionaliasname) | string | The name of the Subscription Alias, that will be created by this module.<p><p>The string must be comprised of `a-z`, `A-Z`, `0-9`, `-`, `_` and ` ` (space). The maximum length is 63 characters.<p><p>> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**.<p> |
-| [`subscriptionBillingScope`](#parameter-subscriptionbillingscope) | string | The Billing Scope for the new Subscription alias, that will be created by this module.<p><p>A valid Billing Scope starts with `/providers/Microsoft.Billing/billingAccounts/` and is case sensitive.<p><p>> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**.<p> |
+| [`subscriptionBillingScope`](#parameter-subscriptionbillingscope) | string | The Billing Scope for the new Subscription alias, that will be created by this module.<p><p>A valid Billing Scope looks like `/providers/Microsoft.Billing/billingAccounts/{billingAccountName}/enrollmentAccounts/{enrollmentAccountName}` and is case sensitive.<p><p>> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**.<p> |
 | [`subscriptionDisplayName`](#parameter-subscriptiondisplayname) | string | The name of the subscription alias. The string must be comprised of a-z, A-Z, 0-9, - and _. The maximum length is 63 characters.<p><p>The string must be comprised of `a-z`, `A-Z`, `0-9`, `-`, `_` and ` ` (space). The maximum length is 63 characters.<p><p>> The value for this parameter and the parameter named `subscriptionAliasName` are usually set to the same value for simplicity. But they can be different if required for a reason.<p><p>> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**.<p> |
 | [`subscriptionManagementGroupAssociationEnabled`](#parameter-subscriptionmanagementgroupassociationenabled) | bool | Whether to move the Subscription to the specified Management Group supplied in the parameter `subscriptionManagementGroupId`.<p> |
 | [`subscriptionManagementGroupId`](#parameter-subscriptionmanagementgroupid) | string | The destination Management Group ID for the new Subscription that will be created by this module (or the existing one provided in the parameter `existingSubscriptionId`).<p><p>**IMPORTANT:** Do not supply the display name of the Management Group. The Management Group ID forms part of the Azure Resource ID. e.g., `/providers/Microsoft.Management/managementGroups/{managementGroupId}`.<p> |
@@ -983,7 +983,6 @@ An object of resource providers and resource providers features to register. If
       'Microsoft.Sql': []
       'Microsoft.Storage': []
       'Microsoft.StreamAnalytics': []
-      'Microsoft.TimeSeriesInsights': []
       'Microsoft.Web': []
   }
   ```
@@ -1003,6 +1002,23 @@ Supply an array of objects containing the details of the role assignments to cre
 - Required: No
 - Type: array
 - Default: `[]`
+- Example:
+  ```Bicep
+  [
+    {
+      // Contributor role assignment at subscription scope
+      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+      definition: '/Contributor'
+      relativeScope: ''
+    }
+    {
+      // Owner role assignment at resource group scope
+      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+      definition: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+      relativeScope: '/resourceGroups/{resourceGroupName}'
+    }
+  ]
+  ```
 
 **Required parameters**
 
@@ -1099,7 +1115,7 @@ The name of the Subscription Alias, that will be created by this module.<p><p>Th
 
 ### Parameter: `subscriptionBillingScope`
 
-The Billing Scope for the new Subscription alias, that will be created by this module.<p><p>A valid Billing Scope starts with `/providers/Microsoft.Billing/billingAccounts/` and is case sensitive.<p><p>> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**.<p>
+The Billing Scope for the new Subscription alias, that will be created by this module.<p><p>A valid Billing Scope looks like `/providers/Microsoft.Billing/billingAccounts/{billingAccountName}/enrollmentAccounts/{enrollmentAccountName}` and is case sensitive.<p><p>> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**.<p>
 
 - Required: No
 - Type: string
diff --git a/avm/ptn/lz/sub-vending/main.bicep b/avm/ptn/lz/sub-vending/main.bicep
index 832fabd70e..0511f295b5 100644
--- a/avm/ptn/lz/sub-vending/main.bicep
+++ b/avm/ptn/lz/sub-vending/main.bicep
@@ -40,7 +40,7 @@ param subscriptionAliasName string = ''
 
 @description('''Optional. The Billing Scope for the new Subscription alias, that will be created by this module.
 
-A valid Billing Scope starts with `/providers/Microsoft.Billing/billingAccounts/` and is case sensitive.
+A valid Billing Scope looks like `/providers/Microsoft.Billing/billingAccounts/{billingAccountName}/enrollmentAccounts/{enrollmentAccountName}` and is case sensitive.
 
 > **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**.
 ''')
@@ -200,6 +200,24 @@ Each object must contain the following `keys`:
     1. `''` *(empty string)* = Make RBAC Role Assignment to Subscription scope
     2. `'/resourceGroups/<RESOURCE GROUP NAME>'` = Make RBAC Role Assignment to specified Resource Group.
 ''')
+@metadata({
+  example: '''
+  [
+    {
+      // Contributor role assignment at subscription scope
+      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+      definition: '/Contributor'
+      relativeScope: ''
+    }
+    {
+      // Owner role assignment at resource group scope
+      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
+      definition: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+      relativeScope: '/resourceGroups/{resourceGroupName}'
+    }
+  ]
+  '''
+})
 param roleAssignments roleAssignmentType = []
 
 @description('Optional. Enable/Disable usage telemetry for module.')
@@ -297,7 +315,6 @@ param resourceProviders object = {
   'Microsoft.Sql': []
   'Microsoft.Storage': []
   'Microsoft.StreamAnalytics': []
-  'Microsoft.TimeSeriesInsights': []
   'Microsoft.Web': []
 }
 
diff --git a/avm/ptn/lz/sub-vending/main.json b/avm/ptn/lz/sub-vending/main.json
index 094b1621df..3411c86bc6 100644
--- a/avm/ptn/lz/sub-vending/main.json
+++ b/avm/ptn/lz/sub-vending/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "423999171457325305"
+      "version": "0.31.34.60546",
+      "templateHash": "5769743851515501504"
     },
     "name": "Sub-vending",
     "description": "This module deploys a subscription to accelerate deployment of landing zones. For more information on how to use it, please visit this [Wiki](https://github.com/Azure/bicep-lz-vending/wiki).",
@@ -257,7 +257,7 @@
       "type": "string",
       "defaultValue": "",
       "metadata": {
-        "description": "Optional. The Billing Scope for the new Subscription alias, that will be created by this module.\n\nA valid Billing Scope starts with `/providers/Microsoft.Billing/billingAccounts/` and is case sensitive.\n\n> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**.\n"
+        "description": "Optional. The Billing Scope for the new Subscription alias, that will be created by this module.\n\nA valid Billing Scope looks like `/providers/Microsoft.Billing/billingAccounts/{billingAccountName}/enrollmentAccounts/{enrollmentAccountName}` and is case sensitive.\n\n> **Not required when providing an existing Subscription ID via the parameter `existingSubscriptionId`**.\n"
       }
     },
     "subscriptionWorkload": {
@@ -456,6 +456,7 @@
       "$ref": "#/definitions/roleAssignmentType",
       "defaultValue": [],
       "metadata": {
+        "example": "  [\n    {\n      // Contributor role assignment at subscription scope\n      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'\n      definition: '/Contributor'\n      relativeScope: ''\n    }\n    {\n      // Owner role assignment at resource group scope\n      principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'\n      definition: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'\n      relativeScope: '/resourceGroups/{resourceGroupName}'\n    }\n  ]\n  ",
         "description": "Optional. Supply an array of objects containing the details of the role assignments to create.\n\nEach object must contain the following `keys`:\n- `principalId` = The Object ID of the User, Group, SPN, Managed Identity to assign the RBAC role too.\n- `definition` = The Name of one of the pre-defined built-In RBAC Roles or a Resource ID of a Built-in or custom RBAC Role Definition as follows:\n  - You can only provide the RBAC role name of the pre-defined roles (Contributor, Owner, Reader, Role Based Access Control Administrator (Preview), and User Access Administrator). We only provide those roles as they are the most common ones to assign to a new subscription, also to reduce the template size and complexity in case we define each and every Built-in RBAC role.\n  - You can provide the Resource ID of a Built-in or custom RBAC Role Definition\n    - e.g. `/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`\n- `relativeScope` = 2 options can be provided for input value:\n    1. `''` *(empty string)* = Make RBAC Role Assignment to Subscription scope\n    2. `'/resourceGroups/<RESOURCE GROUP NAME>'` = Make RBAC Role Assignment to specified Resource Group.\n"
       }
     },
@@ -589,7 +590,6 @@
         "Microsoft.Sql": [],
         "Microsoft.Storage": [],
         "Microsoft.StreamAnalytics": [],
-        "Microsoft.TimeSeriesInsights": [],
         "Microsoft.Web": []
       },
       "metadata": {
@@ -670,8 +670,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "1611270751895734589"
+              "version": "0.31.34.60546",
+              "templateHash": "3457070988046201960"
             }
           },
           "parameters": {
@@ -881,8 +881,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "6797720849193671192"
+              "version": "0.31.34.60546",
+              "templateHash": "15704136472131684900"
             },
             "name": "`/subResourcesWrapper/deploy.bicep` Parameters",
             "description": "This module is used by the [`bicep-lz-vending`](https://aka.ms/sub-vending/bicep) module to help orchestrate the deployment",
@@ -1474,7 +1474,6 @@
                 "Microsoft.Sql": [],
                 "Microsoft.Storage": [],
                 "Microsoft.StreamAnalytics": [],
-                "Microsoft.TimeSeriesInsights": [],
                 "Microsoft.Web": []
               },
               "metadata": {
@@ -1589,8 +1588,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "15074465703139369012"
+                      "version": "0.31.34.60546",
+                      "templateHash": "17907165258968798055"
                     }
                   },
                   "parameters": {
@@ -1650,8 +1649,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "15410141635305926698"
+                      "version": "0.31.34.60546",
+                      "templateHash": "3960537387423914398"
                     }
                   },
                   "parameters": {
@@ -1710,8 +1709,8 @@
                           "metadata": {
                             "_generator": {
                               "name": "bicep",
-                              "version": "0.30.23.60470",
-                              "templateHash": "5472979603320584709"
+                              "version": "0.31.34.60546",
+                              "templateHash": "4908789287090218941"
                             }
                           },
                           "parameters": {
@@ -1766,8 +1765,8 @@
                                   "metadata": {
                                     "_generator": {
                                       "name": "bicep",
-                                      "version": "0.30.23.60470",
-                                      "templateHash": "11343593259864722989"
+                                      "version": "0.31.34.60546",
+                                      "templateHash": "12493928637555451452"
                                     }
                                   },
                                   "parameters": {
@@ -1844,8 +1843,8 @@
                           "metadata": {
                             "_generator": {
                               "name": "bicep",
-                              "version": "0.30.23.60470",
-                              "templateHash": "13884963778440627255"
+                              "version": "0.31.34.60546",
+                              "templateHash": "12602325500495654095"
                             }
                           },
                           "parameters": {
@@ -1899,8 +1898,8 @@
                                   "metadata": {
                                     "_generator": {
                                       "name": "bicep",
-                                      "version": "0.30.23.60470",
-                                      "templateHash": "4428652978548820109"
+                                      "version": "0.31.34.60546",
+                                      "templateHash": "7409476431103411951"
                                     }
                                   },
                                   "parameters": {
@@ -2479,8 +2478,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "15410141635305926698"
+                      "version": "0.31.34.60546",
+                      "templateHash": "3960537387423914398"
                     }
                   },
                   "parameters": {
@@ -2539,8 +2538,8 @@
                           "metadata": {
                             "_generator": {
                               "name": "bicep",
-                              "version": "0.30.23.60470",
-                              "templateHash": "5472979603320584709"
+                              "version": "0.31.34.60546",
+                              "templateHash": "4908789287090218941"
                             }
                           },
                           "parameters": {
@@ -2595,8 +2594,8 @@
                                   "metadata": {
                                     "_generator": {
                                       "name": "bicep",
-                                      "version": "0.30.23.60470",
-                                      "templateHash": "11343593259864722989"
+                                      "version": "0.31.34.60546",
+                                      "templateHash": "12493928637555451452"
                                     }
                                   },
                                   "parameters": {
@@ -2673,8 +2672,8 @@
                           "metadata": {
                             "_generator": {
                               "name": "bicep",
-                              "version": "0.30.23.60470",
-                              "templateHash": "13884963778440627255"
+                              "version": "0.31.34.60546",
+                              "templateHash": "12602325500495654095"
                             }
                           },
                           "parameters": {
@@ -2728,8 +2727,8 @@
                                   "metadata": {
                                     "_generator": {
                                       "name": "bicep",
-                                      "version": "0.30.23.60470",
-                                      "templateHash": "4428652978548820109"
+                                      "version": "0.31.34.60546",
+                                      "templateHash": "7409476431103411951"
                                     }
                                   },
                                   "parameters": {
@@ -4425,8 +4424,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "15250207882926040999"
+                      "version": "0.31.34.60546",
+                      "templateHash": "11117025288711367178"
                     }
                   },
                   "parameters": {
diff --git a/avm/ptn/lz/sub-vending/modules/subResourceWrapper.bicep b/avm/ptn/lz/sub-vending/modules/subResourceWrapper.bicep
index 24e543a640..068205a588 100644
--- a/avm/ptn/lz/sub-vending/modules/subResourceWrapper.bicep
+++ b/avm/ptn/lz/sub-vending/modules/subResourceWrapper.bicep
@@ -178,7 +178,6 @@ param resourceProviders object = {
   'Microsoft.Sql': []
   'Microsoft.Storage': []
   'Microsoft.StreamAnalytics': []
-  'Microsoft.TimeSeriesInsights': []
   'Microsoft.Web': []
 }
 
diff --git a/avm/res/api-management/service/api-version-set/main.json b/avm/res/api-management/service/api-version-set/main.json
index 061641030c..5578690d60 100644
--- a/avm/res/api-management/service/api-version-set/main.json
+++ b/avm/res/api-management/service/api-version-set/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "2492486199367242598"
+      "version": "0.31.34.60546",
+      "templateHash": "4169716301128870956"
     },
     "name": "API Management Service API Version Sets",
     "description": "This module deploys an API Management Service API Version Set.",
diff --git a/avm/res/api-management/service/api/diagnostics/main.json b/avm/res/api-management/service/api/diagnostics/main.json
index 6db7e0f400..f38a7d145b 100644
--- a/avm/res/api-management/service/api/diagnostics/main.json
+++ b/avm/res/api-management/service/api/diagnostics/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "2531959928497745895"
+      "version": "0.31.34.60546",
+      "templateHash": "5353729184860596208"
     },
     "name": "API Management Service APIs Diagnostics.",
     "description": "This module deploys an API Management Service API Diagnostics.",
diff --git a/avm/res/api-management/service/api/main.json b/avm/res/api-management/service/api/main.json
index a87b3409db..32a0de7df8 100644
--- a/avm/res/api-management/service/api/main.json
+++ b/avm/res/api-management/service/api/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "17036957862982683599"
+      "version": "0.31.34.60546",
+      "templateHash": "79502668979653596"
     },
     "name": "API Management Service APIs",
     "description": "This module deploys an API Management Service API.",
@@ -245,10 +245,7 @@
         "type": "[parameters('type')]",
         "value": "[parameters('value')]",
         "wsdlSelector": "[coalesce(parameters('wsdlSelector'), createObject())]"
-      },
-      "dependsOn": [
-        "service"
-      ]
+      }
     },
     "policy": {
       "copy": {
@@ -283,8 +280,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "5643177447182050438"
+              "version": "0.31.34.60546",
+              "templateHash": "7084313641171504315"
             },
             "name": "API Management Service APIs Policies",
             "description": "This module deploys an API Management Service API Policy.",
@@ -430,8 +427,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "2531959928497745895"
+              "version": "0.31.34.60546",
+              "templateHash": "5353729184860596208"
             },
             "name": "API Management Service APIs Diagnostics.",
             "description": "This module deploys an API Management Service API Diagnostics.",
diff --git a/avm/res/api-management/service/api/policy/main.json b/avm/res/api-management/service/api/policy/main.json
index af5ae11307..f65064267e 100644
--- a/avm/res/api-management/service/api/policy/main.json
+++ b/avm/res/api-management/service/api/policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "5643177447182050438"
+      "version": "0.31.34.60546",
+      "templateHash": "7084313641171504315"
     },
     "name": "API Management Service APIs Policies",
     "description": "This module deploys an API Management Service API Policy.",
diff --git a/avm/res/api-management/service/authorization-server/main.json b/avm/res/api-management/service/authorization-server/main.json
index 50d0897a93..41509bb54c 100644
--- a/avm/res/api-management/service/authorization-server/main.json
+++ b/avm/res/api-management/service/authorization-server/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "17927787726774417819"
+      "version": "0.31.34.60546",
+      "templateHash": "7143680740173420481"
     },
     "name": "API Management Service Authorization Servers",
     "description": "This module deploys an API Management Service Authorization Server.",
diff --git a/avm/res/api-management/service/backend/main.json b/avm/res/api-management/service/backend/main.json
index c3ae5f49b2..f6757a8df6 100644
--- a/avm/res/api-management/service/backend/main.json
+++ b/avm/res/api-management/service/backend/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "14706757128951530017"
+      "version": "0.31.34.60546",
+      "templateHash": "8388368953433969607"
     },
     "name": "API Management Service Backends",
     "description": "This module deploys an API Management Service Backend.",
@@ -114,10 +114,7 @@
         "tls": "[parameters('tls')]",
         "url": "[parameters('url')]",
         "protocol": "[parameters('protocol')]"
-      },
-      "dependsOn": [
-        "service"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/api-management/service/cache/main.json b/avm/res/api-management/service/cache/main.json
index 285f53b0fb..1e9937f722 100644
--- a/avm/res/api-management/service/cache/main.json
+++ b/avm/res/api-management/service/cache/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "2750555671183513052"
+      "version": "0.31.34.60546",
+      "templateHash": "11909687365337883274"
     },
     "name": "API Management Service Caches",
     "description": "This module deploys an API Management Service Cache.",
@@ -68,10 +68,7 @@
         "connectionString": "[parameters('connectionString')]",
         "useFromLocation": "[parameters('useFromLocation')]",
         "resourceId": "[parameters('resourceId')]"
-      },
-      "dependsOn": [
-        "service"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/api-management/service/identity-provider/main.json b/avm/res/api-management/service/identity-provider/main.json
index 6768ba8a3e..293b1b230a 100644
--- a/avm/res/api-management/service/identity-provider/main.json
+++ b/avm/res/api-management/service/identity-provider/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "1342690797398622979"
+      "version": "0.31.34.60546",
+      "templateHash": "11902978823059118045"
     },
     "name": "API Management Service Identity Providers",
     "description": "This module deploys an API Management Service Identity Provider.",
@@ -141,10 +141,7 @@
         "clientId": "[parameters('clientId')]",
         "clientLibrary": "[parameters('clientLibrary')]",
         "clientSecret": "[parameters('clientSecret')]"
-      },
-      "dependsOn": [
-        "service"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/api-management/service/loggers/README.md b/avm/res/api-management/service/logger/README.md
similarity index 92%
rename from avm/res/api-management/service/loggers/README.md
rename to avm/res/api-management/service/logger/README.md
index c0fabec510..769f788fe5 100644
--- a/avm/res/api-management/service/loggers/README.md
+++ b/avm/res/api-management/service/logger/README.md
@@ -20,8 +20,8 @@ This module deploys an API Management Service Logger.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`loggerType`](#parameter-loggertype) | string | Logger type. |
 | [`name`](#parameter-name) | string | Resource Name. |
+| [`type`](#parameter-type) | string | Logger type. |
 
 **Conditional parameters**
 
@@ -35,10 +35,17 @@ This module deploys an API Management Service Logger.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`description`](#parameter-description) | string | Logger description. |
 | [`isBuffered`](#parameter-isbuffered) | bool | Whether records are buffered in the logger before publishing. |
-| [`loggerDescription`](#parameter-loggerdescription) | string | Logger description. |
 
-### Parameter: `loggerType`
+### Parameter: `name`
+
+Resource Name.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `type`
 
 Logger type.
 
@@ -53,13 +60,6 @@ Logger type.
   ]
   ```
 
-### Parameter: `name`
-
-Resource Name.
-
-- Required: Yes
-- Type: string
-
 ### Parameter: `apiManagementServiceName`
 
 The name of the parent API Management service. Required if the template is used in a standalone deployment.
@@ -81,6 +81,14 @@ Required if loggerType = applicationInsights or azureEventHub. Azure Resource Id
 - Required: Yes
 - Type: string
 
+### Parameter: `description`
+
+Logger description.
+
+- Required: No
+- Type: string
+- Default: `''`
+
 ### Parameter: `isBuffered`
 
 Whether records are buffered in the logger before publishing.
@@ -89,13 +97,6 @@ Whether records are buffered in the logger before publishing.
 - Type: bool
 - Default: `True`
 
-### Parameter: `loggerDescription`
-
-Logger description.
-
-- Required: Yes
-- Type: string
-
 ## Outputs
 
 | Output | Type | Description |
diff --git a/avm/res/api-management/service/logger/main.bicep b/avm/res/api-management/service/logger/main.bicep
new file mode 100644
index 0000000000..0397eb4c99
--- /dev/null
+++ b/avm/res/api-management/service/logger/main.bicep
@@ -0,0 +1,55 @@
+metadata name = 'API Management Service Loggers'
+metadata description = 'This module deploys an API Management Service Logger.'
+metadata owner = 'Azure/module-maintainers'
+
+@sys.description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
+param apiManagementServiceName string
+
+@sys.description('Required. Resource Name.')
+param name string
+
+@sys.description('Optional. Logger description.')
+param description string = ''
+
+@sys.description('Optional. Whether records are buffered in the logger before publishing.')
+param isBuffered bool = true
+
+@sys.description('Required. Logger type.')
+@allowed([
+  'applicationInsights'
+  'azureEventHub'
+  'azureMonitor'
+])
+param type string
+
+@sys.description('Conditional. Required if loggerType = applicationInsights or azureEventHub. Azure Resource Id of a log target (either Azure Event Hub resource or Azure Application Insights resource).')
+param targetResourceId string
+
+@secure()
+@sys.description('Conditional. Required if loggerType = applicationInsights or azureEventHub. The name and SendRule connection string of the event hub for azureEventHub logger. Instrumentation key for applicationInsights logger.')
+param credentials object
+
+resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
+  name: apiManagementServiceName
+}
+
+resource loggers 'Microsoft.ApiManagement/service/loggers@2022-08-01' = {
+  name: name
+  parent: service
+  properties: {
+    credentials: credentials
+    description: description
+    isBuffered: isBuffered
+    loggerType: type
+    resourceId: targetResourceId
+  }
+}
+
+@sys.description('The resource ID of the logger.')
+output resourceId string = loggers.id
+
+@sys.description('The name of the logger.')
+output name string = loggers.name
+
+@sys.description('The resource group the named value was deployed into.')
+output resourceGroupName string = resourceGroup().name
diff --git a/avm/res/api-management/service/loggers/main.json b/avm/res/api-management/service/logger/main.json
similarity index 92%
rename from avm/res/api-management/service/loggers/main.json
rename to avm/res/api-management/service/logger/main.json
index 7d3305a3cd..cce73b9b5c 100644
--- a/avm/res/api-management/service/loggers/main.json
+++ b/avm/res/api-management/service/logger/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "12834599511984803283"
+      "version": "0.31.34.60546",
+      "templateHash": "11518344218995825129"
     },
     "name": "API Management Service Loggers",
     "description": "This module deploys an API Management Service Logger.",
@@ -24,8 +24,9 @@
         "description": "Required. Resource Name."
       }
     },
-    "loggerDescription": {
+    "description": {
       "type": "string",
+      "defaultValue": "",
       "metadata": {
         "description": "Optional. Logger description."
       }
@@ -37,7 +38,7 @@
         "description": "Optional. Whether records are buffered in the logger before publishing."
       }
     },
-    "loggerType": {
+    "type": {
       "type": "string",
       "allowedValues": [
         "applicationInsights",
@@ -68,9 +69,9 @@
       "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]",
       "properties": {
         "credentials": "[parameters('credentials')]",
-        "description": "[parameters('loggerDescription')]",
+        "description": "[parameters('description')]",
         "isBuffered": "[parameters('isBuffered')]",
-        "loggerType": "[parameters('loggerType')]",
+        "loggerType": "[parameters('type')]",
         "resourceId": "[parameters('targetResourceId')]"
       }
     }
diff --git a/avm/res/api-management/service/loggers/main.bicep b/avm/res/api-management/service/loggers/main.bicep
deleted file mode 100644
index 6f7d1af8fb..0000000000
--- a/avm/res/api-management/service/loggers/main.bicep
+++ /dev/null
@@ -1,55 +0,0 @@
-metadata name = 'API Management Service Loggers'
-metadata description = 'This module deploys an API Management Service Logger.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
-param apiManagementServiceName string
-
-@description('Required. Resource Name.')
-param name string
-
-@description('Optional. Logger description.')
-param loggerDescription string
-
-@description('Optional. Whether records are buffered in the logger before publishing.')
-param isBuffered bool = true
-
-@description('Required. Logger type.')
-@allowed([
-  'applicationInsights'
-  'azureEventHub'
-  'azureMonitor'
-])
-param loggerType string
-
-@description('Conditional. Required if loggerType = applicationInsights or azureEventHub. Azure Resource Id of a log target (either Azure Event Hub resource or Azure Application Insights resource).')
-param targetResourceId string
-
-@secure()
-@description('Conditional. Required if loggerType = applicationInsights or azureEventHub. The name and SendRule connection string of the event hub for azureEventHub logger. Instrumentation key for applicationInsights logger.')
-param credentials object
-
-resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
-  name: apiManagementServiceName
-}
-
-resource loggers 'Microsoft.ApiManagement/service/loggers@2022-08-01' = {
-  name: name
-  parent: service
-  properties: {
-    credentials: credentials
-    description: loggerDescription
-    isBuffered: isBuffered
-    loggerType: loggerType
-    resourceId: targetResourceId
-  }
-}
-
-@description('The resource ID of the logger.')
-output resourceId string = loggers.id
-
-@description('The name of the logger.')
-output name string = loggers.name
-
-@description('The resource group the named value was deployed into.')
-output resourceGroupName string = resourceGroup().name
diff --git a/avm/res/api-management/service/main.bicep b/avm/res/api-management/service/main.bicep
index 37a49b86c0..cc18535d18 100644
--- a/avm/res/api-management/service/main.bicep
+++ b/avm/res/api-management/service/main.bicep
@@ -409,16 +409,16 @@ module service_identityProviders 'identity-provider/main.bicep' = [
   }
 ]
 
-module service_loggers 'loggers/main.bicep' = [
+module service_loggers 'logger/main.bicep' = [
   for (logger, index) in loggers: {
     name: '${uniqueString(deployment().name, location)}-Apim-Logger-${index}'
     params: {
       name: logger.name
       apiManagementServiceName: service.name
       credentials: logger.?credentials ?? {}
-      isBuffered: logger.?isBuffered ?? true
-      loggerDescription: logger.?loggerDescription ?? ''
-      loggerType: logger.?loggerType ?? 'azureMonitor'
+      isBuffered: logger.?isBuffered
+      description: logger.?loggerDescription
+      type: logger.?loggerType ?? 'azureMonitor'
       targetResourceId: logger.?targetResourceId ?? ''
     }
     dependsOn: [
diff --git a/avm/res/api-management/service/main.json b/avm/res/api-management/service/main.json
index fc42a71966..82b4b88203 100644
--- a/avm/res/api-management/service/main.json
+++ b/avm/res/api-management/service/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "7676062632439815762"
+      "version": "0.31.34.60546",
+      "templateHash": "5338224658105001512"
     },
     "name": "API Management Services",
     "description": "This module deploys an API Management Service. The default deployment is set to use a Premium SKU to align with Microsoft WAF-aligned best practices. In most cases, non-prod deployments should use a lower-tier SKU.",
@@ -791,8 +791,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "17036957862982683599"
+              "version": "0.31.34.60546",
+              "templateHash": "79502668979653596"
             },
             "name": "API Management Service APIs",
             "description": "This module deploys an API Management Service API.",
@@ -1031,10 +1031,7 @@
                 "type": "[parameters('type')]",
                 "value": "[parameters('value')]",
                 "wsdlSelector": "[coalesce(parameters('wsdlSelector'), createObject())]"
-              },
-              "dependsOn": [
-                "service"
-              ]
+              }
             },
             "policy": {
               "copy": {
@@ -1069,8 +1066,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "5643177447182050438"
+                      "version": "0.31.34.60546",
+                      "templateHash": "7084313641171504315"
                     },
                     "name": "API Management Service APIs Policies",
                     "description": "This module deploys an API Management Service API Policy.",
@@ -1216,8 +1213,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "2531959928497745895"
+                      "version": "0.31.34.60546",
+                      "templateHash": "5353729184860596208"
                     },
                     "name": "API Management Service APIs Diagnostics.",
                     "description": "This module deploys an API Management Service API Diagnostics.",
@@ -1444,8 +1441,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "2492486199367242598"
+              "version": "0.31.34.60546",
+              "templateHash": "4169716301128870956"
             },
             "name": "API Management Service API Version Sets",
             "description": "This module deploys an API Management Service API Version Set.",
@@ -1585,8 +1582,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "17927787726774417819"
+              "version": "0.31.34.60546",
+              "templateHash": "7143680740173420481"
             },
             "name": "API Management Service Authorization Servers",
             "description": "This module deploys an API Management Service Authorization Server.",
@@ -1835,8 +1832,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "14706757128951530017"
+              "version": "0.31.34.60546",
+              "templateHash": "8388368953433969607"
             },
             "name": "API Management Service Backends",
             "description": "This module deploys an API Management Service Backend.",
@@ -1944,10 +1941,7 @@
                 "tls": "[parameters('tls')]",
                 "url": "[parameters('url')]",
                 "protocol": "[parameters('protocol')]"
-              },
-              "dependsOn": [
-                "service"
-              ]
+              }
             }
           },
           "outputs": {
@@ -2019,8 +2013,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "2750555671183513052"
+              "version": "0.31.34.60546",
+              "templateHash": "11909687365337883274"
             },
             "name": "API Management Service Caches",
             "description": "This module deploys an API Management Service Cache.",
@@ -2082,10 +2076,7 @@
                 "connectionString": "[parameters('connectionString')]",
                 "useFromLocation": "[parameters('useFromLocation')]",
                 "resourceId": "[parameters('resourceId')]"
-              },
-              "dependsOn": [
-                "service"
-              ]
+              }
             }
           },
           "outputs": {
@@ -2177,8 +2168,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "2531959928497745895"
+              "version": "0.31.34.60546",
+              "templateHash": "5353729184860596208"
             },
             "name": "API Management Service APIs Diagnostics.",
             "description": "This module deploys an API Management Service API Diagnostics.",
@@ -2407,8 +2398,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "1342690797398622979"
+              "version": "0.31.34.60546",
+              "templateHash": "11902978823059118045"
             },
             "name": "API Management Service Identity Providers",
             "description": "This module deploys an API Management Service Identity Provider.",
@@ -2543,10 +2534,7 @@
                 "clientId": "[parameters('clientId')]",
                 "clientLibrary": "[parameters('clientLibrary')]",
                 "clientSecret": "[parameters('clientSecret')]"
-              },
-              "dependsOn": [
-                "service"
-              ]
+              }
             }
           },
           "outputs": {
@@ -2602,12 +2590,12 @@
             "value": "[coalesce(tryGet(parameters('loggers')[copyIndex()], 'credentials'), createObject())]"
           },
           "isBuffered": {
-            "value": "[coalesce(tryGet(parameters('loggers')[copyIndex()], 'isBuffered'), true())]"
+            "value": "[tryGet(parameters('loggers')[copyIndex()], 'isBuffered')]"
           },
-          "loggerDescription": {
-            "value": "[coalesce(tryGet(parameters('loggers')[copyIndex()], 'loggerDescription'), '')]"
+          "description": {
+            "value": "[tryGet(parameters('loggers')[copyIndex()], 'loggerDescription')]"
           },
-          "loggerType": {
+          "type": {
             "value": "[coalesce(tryGet(parameters('loggers')[copyIndex()], 'loggerType'), 'azureMonitor')]"
           },
           "targetResourceId": {
@@ -2620,8 +2608,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "12834599511984803283"
+              "version": "0.31.34.60546",
+              "templateHash": "11518344218995825129"
             },
             "name": "API Management Service Loggers",
             "description": "This module deploys an API Management Service Logger.",
@@ -2640,8 +2628,9 @@
                 "description": "Required. Resource Name."
               }
             },
-            "loggerDescription": {
+            "description": {
               "type": "string",
+              "defaultValue": "",
               "metadata": {
                 "description": "Optional. Logger description."
               }
@@ -2653,7 +2642,7 @@
                 "description": "Optional. Whether records are buffered in the logger before publishing."
               }
             },
-            "loggerType": {
+            "type": {
               "type": "string",
               "allowedValues": [
                 "applicationInsights",
@@ -2684,9 +2673,9 @@
               "name": "[format('{0}/{1}', parameters('apiManagementServiceName'), parameters('name'))]",
               "properties": {
                 "credentials": "[parameters('credentials')]",
-                "description": "[parameters('loggerDescription')]",
+                "description": "[parameters('description')]",
                 "isBuffered": "[parameters('isBuffered')]",
-                "loggerType": "[parameters('loggerType')]",
+                "loggerType": "[parameters('type')]",
                 "resourceId": "[parameters('targetResourceId')]"
               }
             }
@@ -2764,8 +2753,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "10162843567606353040"
+              "version": "0.31.34.60546",
+              "templateHash": "5493266151487858395"
             },
             "name": "API Management Service Named Values",
             "description": "This module deploys an API Management Service Named Value.",
@@ -2839,10 +2828,7 @@
                 "displayName": "[parameters('displayName')]",
                 "value": "[if(variables('keyVaultEmpty'), parameters('value'), null())]",
                 "keyVault": "[if(not(variables('keyVaultEmpty')), parameters('keyVault'), null())]"
-              },
-              "dependsOn": [
-                "service"
-              ]
+              }
             }
           },
           "outputs": {
@@ -2905,8 +2891,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "14869704072680236257"
+              "version": "0.31.34.60546",
+              "templateHash": "9587521329160400551"
             },
             "name": "API Management Service Portal Settings",
             "description": "This module deploys an API Management Service Portal Setting.",
@@ -3004,8 +2990,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "9395795206748286282"
+              "version": "0.31.34.60546",
+              "templateHash": "957115286202001780"
             },
             "name": "API Management Service Policies",
             "description": "This module deploys an API Management Service Policy.",
@@ -3139,8 +3125,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "8029364311033748838"
+              "version": "0.31.34.60546",
+              "templateHash": "3551579457056086397"
             },
             "name": "API Management Service Products",
             "description": "This module deploys an API Management Service Product.",
@@ -3268,8 +3254,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "602104798329438871"
+                      "version": "0.31.34.60546",
+                      "templateHash": "11213919899113582129"
                     },
                     "name": "API Management Service Products APIs",
                     "description": "This module deploys an API Management Service Product API.",
@@ -3358,8 +3344,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "5238408376918932137"
+                      "version": "0.31.34.60546",
+                      "templateHash": "10245602090275457578"
                     },
                     "name": "API Management Service Products Groups",
                     "description": "This module deploys an API Management Service Product Group.",
@@ -3518,8 +3504,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "16082435269276611452"
+              "version": "0.31.34.60546",
+              "templateHash": "17857709197993310769"
             },
             "name": "API Management Service Subscriptions",
             "description": "This module deploys an API Management Service Subscription.",
@@ -3607,10 +3593,7 @@
                 "secondaryKey": "[parameters('secondaryKey')]",
                 "state": "[parameters('state')]",
                 "allowTracing": "[parameters('allowTracing')]"
-              },
-              "dependsOn": [
-                "service"
-              ]
+              }
             }
           },
           "outputs": {
diff --git a/avm/res/api-management/service/named-value/main.json b/avm/res/api-management/service/named-value/main.json
index b182535671..7e25a3a988 100644
--- a/avm/res/api-management/service/named-value/main.json
+++ b/avm/res/api-management/service/named-value/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "10162843567606353040"
+      "version": "0.31.34.60546",
+      "templateHash": "5493266151487858395"
     },
     "name": "API Management Service Named Values",
     "description": "This module deploys an API Management Service Named Value.",
@@ -80,10 +80,7 @@
         "displayName": "[parameters('displayName')]",
         "value": "[if(variables('keyVaultEmpty'), parameters('value'), null())]",
         "keyVault": "[if(not(variables('keyVaultEmpty')), parameters('keyVault'), null())]"
-      },
-      "dependsOn": [
-        "service"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/api-management/service/policy/main.json b/avm/res/api-management/service/policy/main.json
index dd3c7eab82..d4d4505da4 100644
--- a/avm/res/api-management/service/policy/main.json
+++ b/avm/res/api-management/service/policy/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "9395795206748286282"
+      "version": "0.31.34.60546",
+      "templateHash": "957115286202001780"
     },
     "name": "API Management Service Policies",
     "description": "This module deploys an API Management Service Policy.",
diff --git a/avm/res/api-management/service/portalsetting/main.json b/avm/res/api-management/service/portalsetting/main.json
index d68c8ed791..505ef1bb18 100644
--- a/avm/res/api-management/service/portalsetting/main.json
+++ b/avm/res/api-management/service/portalsetting/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "14869704072680236257"
+      "version": "0.31.34.60546",
+      "templateHash": "9587521329160400551"
     },
     "name": "API Management Service Portal Settings",
     "description": "This module deploys an API Management Service Portal Setting.",
diff --git a/avm/res/api-management/service/product/api/main.json b/avm/res/api-management/service/product/api/main.json
index 5603f9f789..f959bf4191 100644
--- a/avm/res/api-management/service/product/api/main.json
+++ b/avm/res/api-management/service/product/api/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "602104798329438871"
+      "version": "0.31.34.60546",
+      "templateHash": "11213919899113582129"
     },
     "name": "API Management Service Products APIs",
     "description": "This module deploys an API Management Service Product API.",
diff --git a/avm/res/api-management/service/product/group/main.json b/avm/res/api-management/service/product/group/main.json
index 28d5460152..0dcdd2026c 100644
--- a/avm/res/api-management/service/product/group/main.json
+++ b/avm/res/api-management/service/product/group/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "5238408376918932137"
+      "version": "0.31.34.60546",
+      "templateHash": "10245602090275457578"
     },
     "name": "API Management Service Products Groups",
     "description": "This module deploys an API Management Service Product Group.",
diff --git a/avm/res/api-management/service/product/main.json b/avm/res/api-management/service/product/main.json
index 892a25de5c..aa02572e7d 100644
--- a/avm/res/api-management/service/product/main.json
+++ b/avm/res/api-management/service/product/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "8029364311033748838"
+      "version": "0.31.34.60546",
+      "templateHash": "3551579457056086397"
     },
     "name": "API Management Service Products",
     "description": "This module deploys an API Management Service Product.",
@@ -133,8 +133,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "602104798329438871"
+              "version": "0.31.34.60546",
+              "templateHash": "11213919899113582129"
             },
             "name": "API Management Service Products APIs",
             "description": "This module deploys an API Management Service Product API.",
@@ -223,8 +223,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "5238408376918932137"
+              "version": "0.31.34.60546",
+              "templateHash": "10245602090275457578"
             },
             "name": "API Management Service Products Groups",
             "description": "This module deploys an API Management Service Product Group.",
diff --git a/avm/res/api-management/service/subscription/main.json b/avm/res/api-management/service/subscription/main.json
index 6abc772cc3..2c53fdfa76 100644
--- a/avm/res/api-management/service/subscription/main.json
+++ b/avm/res/api-management/service/subscription/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "16082435269276611452"
+      "version": "0.31.34.60546",
+      "templateHash": "17857709197993310769"
     },
     "name": "API Management Service Subscriptions",
     "description": "This module deploys an API Management Service Subscription.",
@@ -94,10 +94,7 @@
         "secondaryKey": "[parameters('secondaryKey')]",
         "state": "[parameters('state')]",
         "allowTracing": "[parameters('allowTracing')]"
-      },
-      "dependsOn": [
-        "service"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/cdn/profile/README.md b/avm/res/cdn/profile/README.md
index cdbbe70b4d..1a43a43d99 100644
--- a/avm/res/cdn/profile/README.md
+++ b/avm/res/cdn/profile/README.md
@@ -1211,6 +1211,250 @@ Array of origin group objects. Required if the afdEndpoints is specified.
 - Type: array
 - Default: `[]`
 
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`loadBalancingSettings`](#parameter-origingroupsloadbalancingsettings) | object | Load balancing settings for a backend pool. |
+| [`name`](#parameter-origingroupsname) | string | The name of the origin group. |
+| [`origins`](#parameter-origingroupsorigins) | array | The list of origins within the origin group. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`healthProbeSettings`](#parameter-origingroupshealthprobesettings) | object | Health probe settings to the origin that is used to determine the health of the origin. |
+| [`sessionAffinityState`](#parameter-origingroupssessionaffinitystate) | string | Whether to allow session affinity on this host. |
+| [`trafficRestorationTimeToHealedOrNewEndpointsInMinutes`](#parameter-origingroupstrafficrestorationtimetohealedornewendpointsinminutes) | int | Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins. |
+
+### Parameter: `originGroups.loadBalancingSettings`
+
+Load balancing settings for a backend pool.
+
+- Required: Yes
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`additionalLatencyInMilliseconds`](#parameter-origingroupsloadbalancingsettingsadditionallatencyinmilliseconds) | int | Additional latency in milliseconds for probes to the backend. Must be between 0 and 1000. |
+| [`sampleSize`](#parameter-origingroupsloadbalancingsettingssamplesize) | int | Number of samples to consider for load balancing decisions. |
+| [`successfulSamplesRequired`](#parameter-origingroupsloadbalancingsettingssuccessfulsamplesrequired) | int | Number of samples within the sample window that must be successful to mark the backend as healthy. |
+
+### Parameter: `originGroups.loadBalancingSettings.additionalLatencyInMilliseconds`
+
+Additional latency in milliseconds for probes to the backend. Must be between 0 and 1000.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `originGroups.loadBalancingSettings.sampleSize`
+
+Number of samples to consider for load balancing decisions.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `originGroups.loadBalancingSettings.successfulSamplesRequired`
+
+Number of samples within the sample window that must be successful to mark the backend as healthy.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `originGroups.name`
+
+The name of the origin group.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `originGroups.origins`
+
+The list of origins within the origin group.
+
+- Required: Yes
+- Type: array
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`hostName`](#parameter-origingroupsoriginshostname) | string | The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint. |
+| [`name`](#parameter-origingroupsoriginsname) | string | The name of the origion. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`enabledState`](#parameter-origingroupsoriginsenabledstate) | string | Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool. |
+| [`enforceCertificateNameCheck`](#parameter-origingroupsoriginsenforcecertificatenamecheck) | bool | Whether to enable certificate name check at origin level. |
+| [`httpPort`](#parameter-origingroupsoriginshttpport) | int | The value of the HTTP port. Must be between 1 and 65535. |
+| [`httpsPort`](#parameter-origingroupsoriginshttpsport) | int | The value of the HTTPS port. Must be between 1 and 65535. |
+| [`originHostHeader`](#parameter-origingroupsoriginsoriginhostheader) | string | The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint. |
+| [`priority`](#parameter-origingroupsoriginspriority) | int | Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5. |
+| [`sharedPrivateLinkResource`](#parameter-origingroupsoriginssharedprivatelinkresource) | object | The properties of the private link resource for private origin. |
+| [`weight`](#parameter-origingroupsoriginsweight) | int | Weight of the origin in given origin group for load balancing. Must be between 1 and 1000. |
+
+### Parameter: `originGroups.origins.hostName`
+
+The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `originGroups.origins.name`
+
+The name of the origion.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `originGroups.origins.enabledState`
+
+Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+### Parameter: `originGroups.origins.enforceCertificateNameCheck`
+
+Whether to enable certificate name check at origin level.
+
+- Required: No
+- Type: bool
+
+### Parameter: `originGroups.origins.httpPort`
+
+The value of the HTTP port. Must be between 1 and 65535.
+
+- Required: No
+- Type: int
+
+### Parameter: `originGroups.origins.httpsPort`
+
+The value of the HTTPS port. Must be between 1 and 65535.
+
+- Required: No
+- Type: int
+
+### Parameter: `originGroups.origins.originHostHeader`
+
+The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint.
+
+- Required: No
+- Type: string
+
+### Parameter: `originGroups.origins.priority`
+
+Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5.
+
+- Required: No
+- Type: int
+
+### Parameter: `originGroups.origins.sharedPrivateLinkResource`
+
+The properties of the private link resource for private origin.
+
+- Required: No
+- Type: object
+
+### Parameter: `originGroups.origins.weight`
+
+Weight of the origin in given origin group for load balancing. Must be between 1 and 1000.
+
+- Required: No
+- Type: int
+
+### Parameter: `originGroups.healthProbeSettings`
+
+Health probe settings to the origin that is used to determine the health of the origin.
+
+- Required: No
+- Type: object
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`probeIntervalInSeconds`](#parameter-origingroupshealthprobesettingsprobeintervalinseconds) | int | The number of seconds between health probes.Default is 240sec. |
+| [`probePath`](#parameter-origingroupshealthprobesettingsprobepath) | string | The path relative to the origin that is used to determine the health of the origin. |
+| [`probeProtocol`](#parameter-origingroupshealthprobesettingsprobeprotocol) | string | Protocol to use for health probe. |
+| [`probeRequestType`](#parameter-origingroupshealthprobesettingsproberequesttype) | string | The request type to probe. |
+
+### Parameter: `originGroups.healthProbeSettings.probeIntervalInSeconds`
+
+The number of seconds between health probes.Default is 240sec.
+
+- Required: No
+- Type: int
+
+### Parameter: `originGroups.healthProbeSettings.probePath`
+
+The path relative to the origin that is used to determine the health of the origin.
+
+- Required: No
+- Type: string
+
+### Parameter: `originGroups.healthProbeSettings.probeProtocol`
+
+Protocol to use for health probe.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Http'
+    'Https'
+    'NotSet'
+  ]
+  ```
+
+### Parameter: `originGroups.healthProbeSettings.probeRequestType`
+
+The request type to probe.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'GET'
+    'HEAD'
+    'NotSet'
+  ]
+  ```
+
+### Parameter: `originGroups.sessionAffinityState`
+
+Whether to allow session affinity on this host.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+### Parameter: `originGroups.trafficRestorationTimeToHealedOrNewEndpointsInMinutes`
+
+Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins.
+
+- Required: No
+- Type: int
+
 ### Parameter: `afdEndpoints`
 
 Array of AFD endpoint objects.
@@ -1219,6 +1463,271 @@ Array of AFD endpoint objects.
 - Type: array
 - Default: `[]`
 
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-afdendpointsname) | string | The name of the AFD Endpoint. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`autoGeneratedDomainNameLabelScope`](#parameter-afdendpointsautogenerateddomainnamelabelscope) | string | The scope of the auto-generated domain name label. |
+| [`enabledState`](#parameter-afdendpointsenabledstate) | string | The state of the AFD Endpoint. |
+| [`routes`](#parameter-afdendpointsroutes) | array | The list of routes for this AFD Endpoint. |
+| [`tags`](#parameter-afdendpointstags) | object | The tags for the AFD Endpoint. |
+
+### Parameter: `afdEndpoints.name`
+
+The name of the AFD Endpoint.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `afdEndpoints.autoGeneratedDomainNameLabelScope`
+
+The scope of the auto-generated domain name label.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'NoReuse'
+    'ResourceGroupReuse'
+    'SubscriptionReuse'
+    'TenantReuse'
+  ]
+  ```
+
+### Parameter: `afdEndpoints.enabledState`
+
+The state of the AFD Endpoint.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+### Parameter: `afdEndpoints.routes`
+
+The list of routes for this AFD Endpoint.
+
+- Required: No
+- Type: array
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-afdendpointsroutesname) | string | The name of the route. |
+| [`originGroupName`](#parameter-afdendpointsroutesorigingroupname) | string | The name of the origin group. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`cacheConfiguration`](#parameter-afdendpointsroutescacheconfiguration) | object | The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object. |
+| [`customDomainNames`](#parameter-afdendpointsroutescustomdomainnames) | array | The names of the custom domains. |
+| [`enabledState`](#parameter-afdendpointsroutesenabledstate) | string | Whether to enable use of this rule. |
+| [`forwardingProtocol`](#parameter-afdendpointsroutesforwardingprotocol) | string | The protocol this rule will use when forwarding traffic to backends. |
+| [`httpsRedirect`](#parameter-afdendpointsrouteshttpsredirect) | string | Whether to automatically redirect HTTP traffic to HTTPS traffic. |
+| [`linkToDefaultDomain`](#parameter-afdendpointsrouteslinktodefaultdomain) | string | Whether this route will be linked to the default endpoint domain. |
+| [`originPath`](#parameter-afdendpointsroutesoriginpath) | string | A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath. |
+| [`patternsToMatch`](#parameter-afdendpointsroutespatternstomatch) | array | The route patterns of the rule. |
+| [`ruleSets`](#parameter-afdendpointsroutesrulesets) | array | The rule sets of the rule. |
+| [`supportedProtocols`](#parameter-afdendpointsroutessupportedprotocols) | array | The supported protocols of the rule. |
+
+### Parameter: `afdEndpoints.routes.name`
+
+The name of the route.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `afdEndpoints.routes.originGroupName`
+
+The name of the origin group.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `afdEndpoints.routes.cacheConfiguration`
+
+The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object.
+
+- Required: No
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`compressionSettings`](#parameter-afdendpointsroutescacheconfigurationcompressionsettings) | object | Compression settings. |
+| [`queryParameters`](#parameter-afdendpointsroutescacheconfigurationqueryparameters) | string | Query parameters to include or exclude (comma separated). |
+| [`queryStringCachingBehavior`](#parameter-afdendpointsroutescacheconfigurationquerystringcachingbehavior) | string | Defines how Frontdoor caches requests that include query strings. |
+
+### Parameter: `afdEndpoints.routes.cacheConfiguration.compressionSettings`
+
+Compression settings.
+
+- Required: Yes
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`contentTypesToCompress`](#parameter-afdendpointsroutescacheconfigurationcompressionsettingscontenttypestocompress) | array | List of content types on which compression applies. The value should be a valid MIME type. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`iscontentTypeToCompressAll`](#parameter-afdendpointsroutescacheconfigurationcompressionsettingsiscontenttypetocompressall) | bool | Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB. |
+
+### Parameter: `afdEndpoints.routes.cacheConfiguration.compressionSettings.contentTypesToCompress`
+
+List of content types on which compression applies. The value should be a valid MIME type.
+
+- Required: Yes
+- Type: array
+
+### Parameter: `afdEndpoints.routes.cacheConfiguration.compressionSettings.iscontentTypeToCompressAll`
+
+Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB.
+
+- Required: No
+- Type: bool
+
+### Parameter: `afdEndpoints.routes.cacheConfiguration.queryParameters`
+
+Query parameters to include or exclude (comma separated).
+
+- Required: Yes
+- Type: string
+
+### Parameter: `afdEndpoints.routes.cacheConfiguration.queryStringCachingBehavior`
+
+Defines how Frontdoor caches requests that include query strings.
+
+- Required: Yes
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'IgnoreQueryString'
+    'IgnoreSpecifiedQueryStrings'
+    'IncludeSpecifiedQueryStrings'
+    'UseQueryString'
+  ]
+  ```
+
+### Parameter: `afdEndpoints.routes.customDomainNames`
+
+The names of the custom domains.
+
+- Required: No
+- Type: array
+
+### Parameter: `afdEndpoints.routes.enabledState`
+
+Whether to enable use of this rule.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+### Parameter: `afdEndpoints.routes.forwardingProtocol`
+
+The protocol this rule will use when forwarding traffic to backends.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'HttpOnly'
+    'HttpsOnly'
+    'MatchRequest'
+  ]
+  ```
+
+### Parameter: `afdEndpoints.routes.httpsRedirect`
+
+Whether to automatically redirect HTTP traffic to HTTPS traffic.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+### Parameter: `afdEndpoints.routes.linkToDefaultDomain`
+
+Whether this route will be linked to the default endpoint domain.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+### Parameter: `afdEndpoints.routes.originPath`
+
+A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath.
+
+- Required: No
+- Type: string
+
+### Parameter: `afdEndpoints.routes.patternsToMatch`
+
+The route patterns of the rule.
+
+- Required: No
+- Type: array
+
+### Parameter: `afdEndpoints.routes.ruleSets`
+
+The rule sets of the rule.
+
+- Required: No
+- Type: array
+
+### Parameter: `afdEndpoints.routes.supportedProtocols`
+
+The supported protocols of the rule.
+
+- Required: No
+- Type: array
+
+### Parameter: `afdEndpoints.tags`
+
+The tags for the AFD Endpoint.
+
+- Required: No
+- Type: object
+
 ### Parameter: `customDomains`
 
 Array of custom domain objects.
@@ -1227,6 +1736,95 @@ Array of custom domain objects.
 - Type: array
 - Default: `[]`
 
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`certificateType`](#parameter-customdomainscertificatetype) | string | The type of the certificate. |
+| [`hostName`](#parameter-customdomainshostname) | string | The host name of the custom domain. |
+| [`name`](#parameter-customdomainsname) | string | The name of the custom domain. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`azureDnsZoneResourceId`](#parameter-customdomainsazurednszoneresourceid) | string | The resource ID of the Azure DNS zone. |
+| [`extendedProperties`](#parameter-customdomainsextendedproperties) | object | Extended properties. |
+| [`minimumTlsVersion`](#parameter-customdomainsminimumtlsversion) | string | The minimum TLS version. |
+| [`preValidatedCustomDomainResourceId`](#parameter-customdomainsprevalidatedcustomdomainresourceid) | string | The resource ID of the pre-validated custom domain. |
+| [`secretName`](#parameter-customdomainssecretname) | string | The name of the secret. |
+
+### Parameter: `customDomains.certificateType`
+
+The type of the certificate.
+
+- Required: Yes
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'AzureFirstPartyManagedCertificate'
+    'CustomerCertificate'
+    'ManagedCertificate'
+  ]
+  ```
+
+### Parameter: `customDomains.hostName`
+
+The host name of the custom domain.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `customDomains.name`
+
+The name of the custom domain.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `customDomains.azureDnsZoneResourceId`
+
+The resource ID of the Azure DNS zone.
+
+- Required: No
+- Type: string
+
+### Parameter: `customDomains.extendedProperties`
+
+Extended properties.
+
+- Required: No
+- Type: object
+
+### Parameter: `customDomains.minimumTlsVersion`
+
+The minimum TLS version.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'TLS10'
+    'TLS12'
+  ]
+  ```
+
+### Parameter: `customDomains.preValidatedCustomDomainResourceId`
+
+The resource ID of the pre-validated custom domain.
+
+- Required: No
+- Type: string
+
+### Parameter: `customDomains.secretName`
+
+The name of the secret.
+
+- Required: No
+- Type: string
+
 ### Parameter: `enableTelemetry`
 
 Enable/Disable usage telemetry for module.
@@ -1444,6 +2042,89 @@ Array of rule set objects.
 - Type: array
 - Default: `[]`
 
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-rulesetsname) | string | Name of the rule set. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`rules`](#parameter-rulesetsrules) | array | Array of rules. |
+
+### Parameter: `ruleSets.name`
+
+Name of the rule set.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `ruleSets.rules`
+
+Array of rules.
+
+- Required: No
+- Type: array
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-rulesetsrulesname) | string | The name of the rule. |
+| [`order`](#parameter-rulesetsrulesorder) | int | The order in which the rules are applied for the endpoint. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`actions`](#parameter-rulesetsrulesactions) | array | A list of actions that are executed when all the conditions of a rule are satisfied.. |
+| [`conditions`](#parameter-rulesetsrulesconditions) | array | A list of conditions that must be matched for the actions to be executed. |
+| [`matchProcessingBehavior`](#parameter-rulesetsrulesmatchprocessingbehavior) | string | If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue. |
+
+### Parameter: `ruleSets.rules.name`
+
+The name of the rule.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `ruleSets.rules.order`
+
+The order in which the rules are applied for the endpoint.
+
+- Required: Yes
+- Type: int
+
+### Parameter: `ruleSets.rules.actions`
+
+A list of actions that are executed when all the conditions of a rule are satisfied..
+
+- Required: No
+- Type: array
+
+### Parameter: `ruleSets.rules.conditions`
+
+A list of conditions that must be matched for the actions to be executed.
+
+- Required: No
+- Type: array
+
+### Parameter: `ruleSets.rules.matchProcessingBehavior`
+
+If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Continue'
+    'Stop'
+  ]
+  ```
+
 ### Parameter: `secrets`
 
 Array of secret objects.
diff --git a/avm/res/cdn/profile/afdEndpoint/README.md b/avm/res/cdn/profile/afdEndpoint/README.md
index 910c0df19c..49f50fa42a 100644
--- a/avm/res/cdn/profile/afdEndpoint/README.md
+++ b/avm/res/cdn/profile/afdEndpoint/README.md
@@ -100,6 +100,205 @@ The list of routes for this AFD Endpoint.
 - Required: No
 - Type: array
 
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-routesname) | string | The name of the route. |
+| [`originGroupName`](#parameter-routesorigingroupname) | string | The name of the origin group. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`cacheConfiguration`](#parameter-routescacheconfiguration) | object | The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object. |
+| [`customDomainNames`](#parameter-routescustomdomainnames) | array | The names of the custom domains. |
+| [`enabledState`](#parameter-routesenabledstate) | string | Whether to enable use of this rule. |
+| [`forwardingProtocol`](#parameter-routesforwardingprotocol) | string | The protocol this rule will use when forwarding traffic to backends. |
+| [`httpsRedirect`](#parameter-routeshttpsredirect) | string | Whether to automatically redirect HTTP traffic to HTTPS traffic. |
+| [`linkToDefaultDomain`](#parameter-routeslinktodefaultdomain) | string | Whether this route will be linked to the default endpoint domain. |
+| [`originPath`](#parameter-routesoriginpath) | string | A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath. |
+| [`patternsToMatch`](#parameter-routespatternstomatch) | array | The route patterns of the rule. |
+| [`ruleSets`](#parameter-routesrulesets) | array | The rule sets of the rule. |
+| [`supportedProtocols`](#parameter-routessupportedprotocols) | array | The supported protocols of the rule. |
+
+### Parameter: `routes.name`
+
+The name of the route.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `routes.originGroupName`
+
+The name of the origin group.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `routes.cacheConfiguration`
+
+The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object.
+
+- Required: No
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`compressionSettings`](#parameter-routescacheconfigurationcompressionsettings) | object | Compression settings. |
+| [`queryParameters`](#parameter-routescacheconfigurationqueryparameters) | string | Query parameters to include or exclude (comma separated). |
+| [`queryStringCachingBehavior`](#parameter-routescacheconfigurationquerystringcachingbehavior) | string | Defines how Frontdoor caches requests that include query strings. |
+
+### Parameter: `routes.cacheConfiguration.compressionSettings`
+
+Compression settings.
+
+- Required: Yes
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`contentTypesToCompress`](#parameter-routescacheconfigurationcompressionsettingscontenttypestocompress) | array | List of content types on which compression applies. The value should be a valid MIME type. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`iscontentTypeToCompressAll`](#parameter-routescacheconfigurationcompressionsettingsiscontenttypetocompressall) | bool | Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB. |
+
+### Parameter: `routes.cacheConfiguration.compressionSettings.contentTypesToCompress`
+
+List of content types on which compression applies. The value should be a valid MIME type.
+
+- Required: Yes
+- Type: array
+
+### Parameter: `routes.cacheConfiguration.compressionSettings.iscontentTypeToCompressAll`
+
+Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB.
+
+- Required: No
+- Type: bool
+
+### Parameter: `routes.cacheConfiguration.queryParameters`
+
+Query parameters to include or exclude (comma separated).
+
+- Required: Yes
+- Type: string
+
+### Parameter: `routes.cacheConfiguration.queryStringCachingBehavior`
+
+Defines how Frontdoor caches requests that include query strings.
+
+- Required: Yes
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'IgnoreQueryString'
+    'IgnoreSpecifiedQueryStrings'
+    'IncludeSpecifiedQueryStrings'
+    'UseQueryString'
+  ]
+  ```
+
+### Parameter: `routes.customDomainNames`
+
+The names of the custom domains.
+
+- Required: No
+- Type: array
+
+### Parameter: `routes.enabledState`
+
+Whether to enable use of this rule.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+### Parameter: `routes.forwardingProtocol`
+
+The protocol this rule will use when forwarding traffic to backends.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'HttpOnly'
+    'HttpsOnly'
+    'MatchRequest'
+  ]
+  ```
+
+### Parameter: `routes.httpsRedirect`
+
+Whether to automatically redirect HTTP traffic to HTTPS traffic.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+### Parameter: `routes.linkToDefaultDomain`
+
+Whether this route will be linked to the default endpoint domain.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
+### Parameter: `routes.originPath`
+
+A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath.
+
+- Required: No
+- Type: string
+
+### Parameter: `routes.patternsToMatch`
+
+The route patterns of the rule.
+
+- Required: No
+- Type: array
+
+### Parameter: `routes.ruleSets`
+
+The rule sets of the rule.
+
+- Required: No
+- Type: array
+
+### Parameter: `routes.supportedProtocols`
+
+The supported protocols of the rule.
+
+- Required: No
+- Type: array
+
 ### Parameter: `tags`
 
 The tags of the AFD Endpoint.
diff --git a/avm/res/cdn/profile/afdEndpoint/main.bicep b/avm/res/cdn/profile/afdEndpoint/main.bicep
index a280fcf07f..84644ab9ff 100644
--- a/avm/res/cdn/profile/afdEndpoint/main.bicep
+++ b/avm/res/cdn/profile/afdEndpoint/main.bicep
@@ -31,7 +31,7 @@ param autoGeneratedDomainNameLabelScope string = 'TenantReuse'
 param enabledState string = 'Enabled'
 
 @description('Optional. The list of routes for this AFD Endpoint.')
-param routes array?
+param routes routeType[]?
 
 resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
   name: profileName
@@ -84,3 +84,27 @@ output location string = afdEndpoint.location
 
 @description('The list of routes assigned to the AFD endpoint.')
 output routes array = routes ?? []
+
+// =============== //
+//   Definitions   //
+// =============== //
+
+import { routeType } from './route/main.bicep'
+
+@export()
+type afdEndpointType = {
+  @description('Required. The name of the AFD Endpoint.')
+  name: string
+
+  @description('Optional. The list of routes for this AFD Endpoint.')
+  routes: routeType[]?
+
+  @description('Optional. The tags for the AFD Endpoint.')
+  tags: object?
+
+  @description('Optional. The scope of the auto-generated domain name label.')
+  autoGeneratedDomainNameLabelScope: 'NoReuse' | 'ResourceGroupReuse' | 'SubscriptionReuse' | 'TenantReuse' | null
+
+  @description('Optional. The state of the AFD Endpoint.')
+  enabledState: 'Enabled' | 'Disabled' | null
+}
diff --git a/avm/res/cdn/profile/afdEndpoint/main.json b/avm/res/cdn/profile/afdEndpoint/main.json
index 7cfef24e3f..866c19c60f 100644
--- a/avm/res/cdn/profile/afdEndpoint/main.json
+++ b/avm/res/cdn/profile/afdEndpoint/main.json
@@ -5,13 +5,237 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "792735746278824384"
+      "version": "0.31.34.60546",
+      "templateHash": "16899001110062450573"
     },
     "name": "CDN Profiles AFD Endpoints",
     "description": "This module deploys a CDN Profile AFD Endpoint.",
     "owner": "Azure/module-maintainers"
   },
+  "definitions": {
+    "afdEndpointType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the AFD Endpoint."
+          }
+        },
+        "routes": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/routeType"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The list of routes for this AFD Endpoint."
+          }
+        },
+        "tags": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The tags for the AFD Endpoint."
+          }
+        },
+        "autoGeneratedDomainNameLabelScope": {
+          "type": "string",
+          "allowedValues": [
+            "NoReuse",
+            "ResourceGroupReuse",
+            "SubscriptionReuse",
+            "TenantReuse"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The scope of the auto-generated domain name label."
+          }
+        },
+        "enabledState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The state of the AFD Endpoint."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "_1.afdRoutecacheConfigurationType": {
+      "type": "object",
+      "properties": {
+        "compressionSettings": {
+          "type": "object",
+          "properties": {
+            "contentTypesToCompress": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              },
+              "metadata": {
+                "description": "Required. List of content types on which compression applies. The value should be a valid MIME type."
+              }
+            },
+            "iscontentTypeToCompressAll": {
+              "type": "bool",
+              "nullable": true,
+              "metadata": {
+                "description": "Optional. Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB."
+              }
+            }
+          },
+          "metadata": {
+            "description": "Required. Compression settings."
+          }
+        },
+        "queryParameters": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Query parameters to include or exclude (comma separated)."
+          }
+        },
+        "queryStringCachingBehavior": {
+          "type": "string",
+          "allowedValues": [
+            "IgnoreQueryString",
+            "IgnoreSpecifiedQueryStrings",
+            "IncludeSpecifiedQueryStrings",
+            "UseQueryString"
+          ],
+          "metadata": {
+            "description": "Required. Defines how Frontdoor caches requests that include query strings."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "route/main.bicep"
+        }
+      }
+    },
+    "routeType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the route."
+          }
+        },
+        "cacheConfiguration": {
+          "$ref": "#/definitions/_1.afdRoutecacheConfigurationType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object."
+          }
+        },
+        "customDomainNames": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The names of the custom domains."
+          }
+        },
+        "enabledState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable use of this rule."
+          }
+        },
+        "forwardingProtocol": {
+          "type": "string",
+          "allowedValues": [
+            "HttpOnly",
+            "HttpsOnly",
+            "MatchRequest"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The protocol this rule will use when forwarding traffic to backends."
+          }
+        },
+        "httpsRedirect": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic."
+          }
+        },
+        "linkToDefaultDomain": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether this route will be linked to the default endpoint domain."
+          }
+        },
+        "originGroupName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the origin group."
+          }
+        },
+        "originPath": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath."
+          }
+        },
+        "patternsToMatch": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The route patterns of the rule."
+          }
+        },
+        "ruleSets": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The rule sets of the rule."
+          }
+        },
+        "supportedProtocols": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The supported protocols of the rule."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "route/main.bicep"
+        }
+      }
+    }
+  },
   "parameters": {
     "name": {
       "type": "string",
@@ -65,6 +289,9 @@
     },
     "routes": {
       "type": "array",
+      "items": {
+        "$ref": "#/definitions/routeType"
+      },
       "nullable": true,
       "metadata": {
         "description": "Optional. The list of routes for this AFD Endpoint."
@@ -87,10 +314,7 @@
       "properties": {
         "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]",
         "enabledState": "[parameters('enabledState')]"
-      },
-      "dependsOn": [
-        "profile"
-      ]
+      }
     },
     "afdEndpoint_routes": {
       "copy": {
@@ -156,13 +380,175 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "1034122698174669197"
+              "version": "0.31.34.60546",
+              "templateHash": "15873678240851060540"
             },
             "name": "CDN Profiles AFD Endpoint Route",
             "description": "This module deploys a CDN Profile AFD Endpoint route.",
             "owner": "Azure/module-maintainers"
           },
+          "definitions": {
+            "routeType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the route."
+                  }
+                },
+                "cacheConfiguration": {
+                  "$ref": "#/definitions/afdRoutecacheConfigurationType",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object."
+                  }
+                },
+                "customDomainNames": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  },
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The names of the custom domains."
+                  }
+                },
+                "enabledState": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether to enable use of this rule."
+                  }
+                },
+                "forwardingProtocol": {
+                  "type": "string",
+                  "allowedValues": [
+                    "HttpOnly",
+                    "HttpsOnly",
+                    "MatchRequest"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The protocol this rule will use when forwarding traffic to backends."
+                  }
+                },
+                "httpsRedirect": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic."
+                  }
+                },
+                "linkToDefaultDomain": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether this route will be linked to the default endpoint domain."
+                  }
+                },
+                "originGroupName": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the origin group."
+                  }
+                },
+                "originPath": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath."
+                  }
+                },
+                "patternsToMatch": {
+                  "type": "array",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The route patterns of the rule."
+                  }
+                },
+                "ruleSets": {
+                  "type": "array",
+                  "items": {
+                    "type": "object"
+                  },
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The rule sets of the rule."
+                  }
+                },
+                "supportedProtocols": {
+                  "type": "array",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The supported protocols of the rule."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
+            },
+            "afdRoutecacheConfigurationType": {
+              "type": "object",
+              "properties": {
+                "compressionSettings": {
+                  "type": "object",
+                  "properties": {
+                    "contentTypesToCompress": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "metadata": {
+                        "description": "Required. List of content types on which compression applies. The value should be a valid MIME type."
+                      }
+                    },
+                    "iscontentTypeToCompressAll": {
+                      "type": "bool",
+                      "nullable": true,
+                      "metadata": {
+                        "description": "Optional. Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB."
+                      }
+                    }
+                  },
+                  "metadata": {
+                    "description": "Required. Compression settings."
+                  }
+                },
+                "queryParameters": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. Query parameters to include or exclude (comma separated)."
+                  }
+                },
+                "queryStringCachingBehavior": {
+                  "type": "string",
+                  "allowedValues": [
+                    "IgnoreQueryString",
+                    "IgnoreSpecifiedQueryStrings",
+                    "IncludeSpecifiedQueryStrings",
+                    "UseQueryString"
+                  ],
+                  "metadata": {
+                    "description": "Required. Defines how Frontdoor caches requests that include query strings."
+                  }
+                }
+              }
+            }
+          },
           "parameters": {
             "name": {
               "type": "string",
@@ -288,10 +674,7 @@
               "existing": true,
               "type": "Microsoft.Cdn/profiles/afdEndpoints",
               "apiVersion": "2023-05-01",
-              "name": "[format('{0}/{1}', parameters('profileName'), parameters('afdEndpointName'))]",
-              "dependsOn": [
-                "profile"
-              ]
+              "name": "[format('{0}/{1}', parameters('profileName'), parameters('afdEndpointName'))]"
             },
             "profile::customDomains": {
               "copy": {
@@ -301,19 +684,13 @@
               "existing": true,
               "type": "Microsoft.Cdn/profiles/customDomains",
               "apiVersion": "2023-05-01",
-              "name": "[format('{0}/{1}', parameters('profileName'), coalesce(parameters('customDomainNames'), createArray())[copyIndex()])]",
-              "dependsOn": [
-                "profile"
-              ]
+              "name": "[format('{0}/{1}', parameters('profileName'), coalesce(parameters('customDomainNames'), createArray())[copyIndex()])]"
             },
             "profile::originGroup": {
               "existing": true,
               "type": "Microsoft.Cdn/profiles/originGroups",
               "apiVersion": "2023-05-01",
-              "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]",
-              "dependsOn": [
-                "profile"
-              ]
+              "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]"
             },
             "profile::ruleSet": {
               "copy": {
@@ -323,10 +700,7 @@
               "existing": true,
               "type": "Microsoft.Cdn/profiles/ruleSets",
               "apiVersion": "2023-05-01",
-              "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSets')[copyIndex()].name)]",
-              "dependsOn": [
-                "profile"
-              ]
+              "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSets')[copyIndex()].name)]"
             },
             "profile": {
               "existing": true,
@@ -366,10 +740,7 @@
                 "originPath": "[parameters('originPath')]",
                 "patternsToMatch": "[parameters('patternsToMatch')]",
                 "supportedProtocols": "[parameters('supportedProtocols')]"
-              },
-              "dependsOn": [
-                "profile::afdEndpoint"
-              ]
+              }
             }
           },
           "outputs": {
@@ -398,8 +769,7 @@
         }
       },
       "dependsOn": [
-        "afdEndpoint",
-        "profile"
+        "afdEndpoint"
       ]
     }
   },
diff --git a/avm/res/cdn/profile/afdEndpoint/route/main.bicep b/avm/res/cdn/profile/afdEndpoint/route/main.bicep
index 36bfd40c15..265bd43405 100644
--- a/avm/res/cdn/profile/afdEndpoint/route/main.bicep
+++ b/avm/res/cdn/profile/afdEndpoint/route/main.bicep
@@ -122,3 +122,66 @@ output resourceId string = route.id
 
 @description('The name of the resource group the route was created in.')
 output resourceGroupName string = resourceGroup().name
+
+// =============== //
+//   Definitions   //
+// =============== //
+
+@export()
+type routeType = {
+  @description('Required. The name of the route.')
+  name: string
+
+  @description('Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object.')
+  cacheConfiguration: afdRoutecacheConfigurationType?
+
+  @description('Optional. The names of the custom domains.')
+  customDomainNames: string[]?
+
+  @description('Optional. Whether to enable use of this rule.')
+  enabledState: 'Enabled' | 'Disabled' | null
+
+  @description('Optional. The protocol this rule will use when forwarding traffic to backends.')
+  forwardingProtocol: 'HttpOnly' | 'HttpsOnly' | 'MatchRequest' | null
+
+  @description('Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic.')
+  httpsRedirect: 'Enabled' | 'Disabled' | null
+
+  @description('Optional. Whether this route will be linked to the default endpoint domain.')
+  linkToDefaultDomain: 'Enabled' | 'Disabled' | null
+
+  @description('Required. The name of the origin group.')
+  originGroupName: string
+
+  @description('Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath.')
+  originPath: string?
+
+  @description('Optional. The route patterns of the rule.')
+  patternsToMatch: array?
+
+  @description('Optional. The rule sets of the rule.')
+  ruleSets: object[]?
+
+  @description('Optional. The supported protocols of the rule.')
+  supportedProtocols: array?
+}
+
+type afdRoutecacheConfigurationType = {
+  @description('Required. Compression settings.')
+  compressionSettings: {
+    @description('Required. List of content types on which compression applies. The value should be a valid MIME type.')
+    contentTypesToCompress: string[]
+
+    @description('Optional. Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won\'t be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB.')
+    iscontentTypeToCompressAll: bool?
+  }
+  @description('Required. Query parameters to include or exclude (comma separated).')
+  queryParameters: string
+
+  @description('Required. Defines how Frontdoor caches requests that include query strings.')
+  queryStringCachingBehavior:
+    | 'IgnoreQueryString'
+    | 'IgnoreSpecifiedQueryStrings'
+    | 'IncludeSpecifiedQueryStrings'
+    | 'UseQueryString'
+}
diff --git a/avm/res/cdn/profile/afdEndpoint/route/main.json b/avm/res/cdn/profile/afdEndpoint/route/main.json
index 852e97f10c..eae2b5bfce 100644
--- a/avm/res/cdn/profile/afdEndpoint/route/main.json
+++ b/avm/res/cdn/profile/afdEndpoint/route/main.json
@@ -5,13 +5,175 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "1034122698174669197"
+      "version": "0.31.34.60546",
+      "templateHash": "15873678240851060540"
     },
     "name": "CDN Profiles AFD Endpoint Route",
     "description": "This module deploys a CDN Profile AFD Endpoint route.",
     "owner": "Azure/module-maintainers"
   },
+  "definitions": {
+    "routeType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the route."
+          }
+        },
+        "cacheConfiguration": {
+          "$ref": "#/definitions/afdRoutecacheConfigurationType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object."
+          }
+        },
+        "customDomainNames": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The names of the custom domains."
+          }
+        },
+        "enabledState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable use of this rule."
+          }
+        },
+        "forwardingProtocol": {
+          "type": "string",
+          "allowedValues": [
+            "HttpOnly",
+            "HttpsOnly",
+            "MatchRequest"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The protocol this rule will use when forwarding traffic to backends."
+          }
+        },
+        "httpsRedirect": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic."
+          }
+        },
+        "linkToDefaultDomain": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether this route will be linked to the default endpoint domain."
+          }
+        },
+        "originGroupName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the origin group."
+          }
+        },
+        "originPath": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath."
+          }
+        },
+        "patternsToMatch": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The route patterns of the rule."
+          }
+        },
+        "ruleSets": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The rule sets of the rule."
+          }
+        },
+        "supportedProtocols": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The supported protocols of the rule."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "afdRoutecacheConfigurationType": {
+      "type": "object",
+      "properties": {
+        "compressionSettings": {
+          "type": "object",
+          "properties": {
+            "contentTypesToCompress": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              },
+              "metadata": {
+                "description": "Required. List of content types on which compression applies. The value should be a valid MIME type."
+              }
+            },
+            "iscontentTypeToCompressAll": {
+              "type": "bool",
+              "nullable": true,
+              "metadata": {
+                "description": "Optional. Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB."
+              }
+            }
+          },
+          "metadata": {
+            "description": "Required. Compression settings."
+          }
+        },
+        "queryParameters": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Query parameters to include or exclude (comma separated)."
+          }
+        },
+        "queryStringCachingBehavior": {
+          "type": "string",
+          "allowedValues": [
+            "IgnoreQueryString",
+            "IgnoreSpecifiedQueryStrings",
+            "IncludeSpecifiedQueryStrings",
+            "UseQueryString"
+          ],
+          "metadata": {
+            "description": "Required. Defines how Frontdoor caches requests that include query strings."
+          }
+        }
+      }
+    }
+  },
   "parameters": {
     "name": {
       "type": "string",
@@ -137,10 +299,7 @@
       "existing": true,
       "type": "Microsoft.Cdn/profiles/afdEndpoints",
       "apiVersion": "2023-05-01",
-      "name": "[format('{0}/{1}', parameters('profileName'), parameters('afdEndpointName'))]",
-      "dependsOn": [
-        "profile"
-      ]
+      "name": "[format('{0}/{1}', parameters('profileName'), parameters('afdEndpointName'))]"
     },
     "profile::customDomains": {
       "copy": {
@@ -150,19 +309,13 @@
       "existing": true,
       "type": "Microsoft.Cdn/profiles/customDomains",
       "apiVersion": "2023-05-01",
-      "name": "[format('{0}/{1}', parameters('profileName'), coalesce(parameters('customDomainNames'), createArray())[copyIndex()])]",
-      "dependsOn": [
-        "profile"
-      ]
+      "name": "[format('{0}/{1}', parameters('profileName'), coalesce(parameters('customDomainNames'), createArray())[copyIndex()])]"
     },
     "profile::originGroup": {
       "existing": true,
       "type": "Microsoft.Cdn/profiles/originGroups",
       "apiVersion": "2023-05-01",
-      "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]",
-      "dependsOn": [
-        "profile"
-      ]
+      "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]"
     },
     "profile::ruleSet": {
       "copy": {
@@ -172,10 +325,7 @@
       "existing": true,
       "type": "Microsoft.Cdn/profiles/ruleSets",
       "apiVersion": "2023-05-01",
-      "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSets')[copyIndex()].name)]",
-      "dependsOn": [
-        "profile"
-      ]
+      "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSets')[copyIndex()].name)]"
     },
     "profile": {
       "existing": true,
@@ -215,10 +365,7 @@
         "originPath": "[parameters('originPath')]",
         "patternsToMatch": "[parameters('patternsToMatch')]",
         "supportedProtocols": "[parameters('supportedProtocols')]"
-      },
-      "dependsOn": [
-        "profile::afdEndpoint"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/cdn/profile/customdomain/README.md b/avm/res/cdn/profile/customdomain/README.md
index 39077a14be..37e9d735de 100644
--- a/avm/res/cdn/profile/customdomain/README.md
+++ b/avm/res/cdn/profile/customdomain/README.md
@@ -49,6 +49,7 @@ The type of the certificate used for secure delivery.
 - Allowed:
   ```Bicep
   [
+    'AzureFirstPartyManagedCertificate'
     'CustomerCertificate'
     'ManagedCertificate'
   ]
diff --git a/avm/res/cdn/profile/customdomain/main.bicep b/avm/res/cdn/profile/customdomain/main.bicep
index a0a4f4477f..efe67a0569 100644
--- a/avm/res/cdn/profile/customdomain/main.bicep
+++ b/avm/res/cdn/profile/customdomain/main.bicep
@@ -21,6 +21,7 @@ param extendedProperties object = {}
 param preValidatedCustomDomainResourceId string = ''
 
 @allowed([
+  'AzureFirstPartyManagedCertificate'
   'CustomerCertificate'
   'ManagedCertificate'
 ])
@@ -40,10 +41,9 @@ param secretName string = ''
 resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
   name: profileName
 
-  resource secrect 'secrets@2023-05-01' existing =
-    if (!empty(secretName)) {
-      name: secretName
-    }
+  resource secrect 'secrets@2023-05-01' existing = if (!empty(secretName)) {
+    name: secretName
+  }
 }
 
 resource customDomain 'Microsoft.Cdn/profiles/customDomains@2023-05-01' = {
@@ -82,3 +82,33 @@ output resourceId string = customDomain.id
 
 @description('The name of the resource group the custom domain was created in.')
 output resourceGroupName string = resourceGroup().name
+
+// =============== //
+//   Definitions   //
+// =============== //
+@export()
+type customDomainType = {
+  @description('Required. The name of the custom domain.')
+  name: string
+
+  @description('Required. The host name of the custom domain.')
+  hostName: string
+
+  @description('Required. The type of the certificate.')
+  certificateType: 'AzureFirstPartyManagedCertificate' | 'CustomerCertificate' | 'ManagedCertificate'
+
+  @description('Optional. The resource ID of the Azure DNS zone.')
+  azureDnsZoneResourceId: string?
+
+  @description('Optional. The resource ID of the pre-validated custom domain.')
+  preValidatedCustomDomainResourceId: string?
+
+  @description('Optional. The name of the secret.')
+  secretName: string?
+
+  @description('Optional. The minimum TLS version.')
+  minimumTlsVersion: 'TLS10' | 'TLS12' | null
+
+  @description('Optional. Extended properties.')
+  extendedProperties: object?
+}
diff --git a/avm/res/cdn/profile/customdomain/main.json b/avm/res/cdn/profile/customdomain/main.json
index e45727e4ad..b88c221734 100644
--- a/avm/res/cdn/profile/customdomain/main.json
+++ b/avm/res/cdn/profile/customdomain/main.json
@@ -1,16 +1,89 @@
 {
   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "languageVersion": "2.0",
   "contentVersion": "1.0.0.0",
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "16955838730426729961"
+      "version": "0.31.34.60546",
+      "templateHash": "10387694873442665915"
     },
     "name": "CDN Profiles Custom Domains",
     "description": "This module deploys a CDN Profile Custom Domains.",
     "owner": "Azure/module-maintainers"
   },
+  "definitions": {
+    "customDomainType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the custom domain."
+          }
+        },
+        "hostName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The host name of the custom domain."
+          }
+        },
+        "certificateType": {
+          "type": "string",
+          "allowedValues": [
+            "AzureFirstPartyManagedCertificate",
+            "CustomerCertificate",
+            "ManagedCertificate"
+          ],
+          "metadata": {
+            "description": "Required. The type of the certificate."
+          }
+        },
+        "azureDnsZoneResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The resource ID of the Azure DNS zone."
+          }
+        },
+        "preValidatedCustomDomainResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The resource ID of the pre-validated custom domain."
+          }
+        },
+        "secretName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the secret."
+          }
+        },
+        "minimumTlsVersion": {
+          "type": "string",
+          "allowedValues": [
+            "TLS10",
+            "TLS12"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The minimum TLS version."
+          }
+        },
+        "extendedProperties": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Extended properties."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    }
+  },
   "parameters": {
     "name": {
       "type": "string",
@@ -54,6 +127,7 @@
     "certificateType": {
       "type": "string",
       "allowedValues": [
+        "AzureFirstPartyManagedCertificate",
         "CustomerCertificate",
         "ManagedCertificate"
       ],
@@ -80,8 +154,21 @@
       }
     }
   },
-  "resources": [
-    {
+  "resources": {
+    "profile::secrect": {
+      "condition": "[not(empty(parameters('secretName')))]",
+      "existing": true,
+      "type": "Microsoft.Cdn/profiles/secrets",
+      "apiVersion": "2023-05-01",
+      "name": "[format('{0}/{1}', parameters('profileName'), parameters('secretName'))]"
+    },
+    "profile": {
+      "existing": true,
+      "type": "Microsoft.Cdn/profiles",
+      "apiVersion": "2023-05-01",
+      "name": "[parameters('profileName')]"
+    },
+    "customDomain": {
       "type": "Microsoft.Cdn/profiles/customDomains",
       "apiVersion": "2023-05-01",
       "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]",
@@ -97,7 +184,7 @@
         }
       }
     }
-  ],
+  },
   "outputs": {
     "name": {
       "type": "string",
diff --git a/avm/res/cdn/profile/endpoint/main.json b/avm/res/cdn/profile/endpoint/main.json
index 273dbe9fce..ca9c1a9478 100644
--- a/avm/res/cdn/profile/endpoint/main.json
+++ b/avm/res/cdn/profile/endpoint/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "3460565146034921053"
+      "version": "0.31.34.60546",
+      "templateHash": "5709530270456479127"
     },
     "name": "CDN Profiles Endpoints",
     "description": "This module deploys a CDN Profile Endpoint.",
@@ -59,10 +59,7 @@
       "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]",
       "location": "[parameters('location')]",
       "properties": "[parameters('properties')]",
-      "tags": "[parameters('tags')]",
-      "dependsOn": [
-        "profile"
-      ]
+      "tags": "[parameters('tags')]"
     },
     "endpoint_origins": {
       "copy": {
@@ -125,8 +122,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "4151069688274070352"
+              "version": "0.31.34.60546",
+              "templateHash": "12416203553821456162"
             },
             "name": "CDN Profiles Endpoints Origins",
             "description": "This module deploys a CDN Profile Endpoint Origin.",
@@ -233,19 +230,13 @@
               "existing": true,
               "type": "Microsoft.Cdn/profiles/endpoints",
               "apiVersion": "2021-06-01",
-              "name": "[format('{0}/{1}', parameters('profileName'), parameters('endpointName'))]",
-              "dependsOn": [
-                "profile"
-              ]
+              "name": "[format('{0}/{1}', parameters('profileName'), parameters('endpointName'))]"
             },
             "origin": {
               "type": "Microsoft.Cdn/profiles/endpoints/origins",
               "apiVersion": "2021-06-01",
               "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('endpointName'), parameters('name'))]",
-              "properties": "[union(createObject('hostName', parameters('hostName'), 'httpPort', parameters('httpPort'), 'enabled', parameters('enabled'), 'httpsPort', parameters('httpsPort')), if(or(greater(parameters('priority'), 0), greater(parameters('weight'), 0)), createObject('priority', parameters('priority'), 'weight', parameters('weight')), createObject()), if(and(not(empty(parameters('privateLinkAlias'))), not(empty(parameters('privateLinkLocation')))), createObject('privateLinkAlias', parameters('privateLinkAlias'), 'privateLinkLocation', parameters('privateLinkLocation')), createObject()), if(not(empty(parameters('privateLinkResourceId'))), createObject('privateLinkResourceId', parameters('privateLinkResourceId')), createObject()), if(not(empty(parameters('originHostHeader'))), createObject('originHostHeader', parameters('originHostHeader')), createObject()))]",
-              "dependsOn": [
-                "endpoint"
-              ]
+              "properties": "[union(createObject('hostName', parameters('hostName'), 'httpPort', parameters('httpPort'), 'enabled', parameters('enabled'), 'httpsPort', parameters('httpsPort')), if(or(greater(parameters('priority'), 0), greater(parameters('weight'), 0)), createObject('priority', parameters('priority'), 'weight', parameters('weight')), createObject()), if(and(not(empty(parameters('privateLinkAlias'))), not(empty(parameters('privateLinkLocation')))), createObject('privateLinkAlias', parameters('privateLinkAlias'), 'privateLinkLocation', parameters('privateLinkLocation')), createObject()), if(not(empty(parameters('privateLinkResourceId'))), createObject('privateLinkResourceId', parameters('privateLinkResourceId')), createObject()), if(not(empty(parameters('originHostHeader'))), createObject('originHostHeader', parameters('originHostHeader')), createObject()))]"
             }
           },
           "outputs": {
@@ -281,8 +272,7 @@
         }
       },
       "dependsOn": [
-        "endpoint",
-        "profile"
+        "endpoint"
       ]
     }
   },
diff --git a/avm/res/cdn/profile/endpoint/origin/main.json b/avm/res/cdn/profile/endpoint/origin/main.json
index f4c079ff44..e71c4745c1 100644
--- a/avm/res/cdn/profile/endpoint/origin/main.json
+++ b/avm/res/cdn/profile/endpoint/origin/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "4151069688274070352"
+      "version": "0.31.34.60546",
+      "templateHash": "12416203553821456162"
     },
     "name": "CDN Profiles Endpoints Origins",
     "description": "This module deploys a CDN Profile Endpoint Origin.",
@@ -113,19 +113,13 @@
       "existing": true,
       "type": "Microsoft.Cdn/profiles/endpoints",
       "apiVersion": "2021-06-01",
-      "name": "[format('{0}/{1}', parameters('profileName'), parameters('endpointName'))]",
-      "dependsOn": [
-        "profile"
-      ]
+      "name": "[format('{0}/{1}', parameters('profileName'), parameters('endpointName'))]"
     },
     "origin": {
       "type": "Microsoft.Cdn/profiles/endpoints/origins",
       "apiVersion": "2021-06-01",
       "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('endpointName'), parameters('name'))]",
-      "properties": "[union(createObject('hostName', parameters('hostName'), 'httpPort', parameters('httpPort'), 'enabled', parameters('enabled'), 'httpsPort', parameters('httpsPort')), if(or(greater(parameters('priority'), 0), greater(parameters('weight'), 0)), createObject('priority', parameters('priority'), 'weight', parameters('weight')), createObject()), if(and(not(empty(parameters('privateLinkAlias'))), not(empty(parameters('privateLinkLocation')))), createObject('privateLinkAlias', parameters('privateLinkAlias'), 'privateLinkLocation', parameters('privateLinkLocation')), createObject()), if(not(empty(parameters('privateLinkResourceId'))), createObject('privateLinkResourceId', parameters('privateLinkResourceId')), createObject()), if(not(empty(parameters('originHostHeader'))), createObject('originHostHeader', parameters('originHostHeader')), createObject()))]",
-      "dependsOn": [
-        "endpoint"
-      ]
+      "properties": "[union(createObject('hostName', parameters('hostName'), 'httpPort', parameters('httpPort'), 'enabled', parameters('enabled'), 'httpsPort', parameters('httpsPort')), if(or(greater(parameters('priority'), 0), greater(parameters('weight'), 0)), createObject('priority', parameters('priority'), 'weight', parameters('weight')), createObject()), if(and(not(empty(parameters('privateLinkAlias'))), not(empty(parameters('privateLinkLocation')))), createObject('privateLinkAlias', parameters('privateLinkAlias'), 'privateLinkLocation', parameters('privateLinkLocation')), createObject()), if(not(empty(parameters('privateLinkResourceId'))), createObject('privateLinkResourceId', parameters('privateLinkResourceId')), createObject()), if(not(empty(parameters('originHostHeader'))), createObject('originHostHeader', parameters('originHostHeader')), createObject()))]"
     }
   },
   "outputs": {
diff --git a/avm/res/cdn/profile/main.bicep b/avm/res/cdn/profile/main.bicep
index 2c30c0c2e2..ae15d9234b 100644
--- a/avm/res/cdn/profile/main.bicep
+++ b/avm/res/cdn/profile/main.bicep
@@ -38,16 +38,16 @@ param endpointProperties object?
 param secrets array = []
 
 @description('Optional. Array of custom domain objects.')
-param customDomains array = []
+param customDomains customDomainType[] = []
 
 @description('Conditional. Array of origin group objects. Required if the afdEndpoints is specified.')
-param originGroups array = []
+param originGroups originGroupType[] = []
 
 @description('Optional. Array of rule set objects.')
-param ruleSets array = []
+param ruleSets ruleSetType[] = []
 
 @description('Optional. Array of AFD endpoint objects.')
-param afdEndpoints array = []
+param afdEndpoints afdEndpointType[] = []
 
 @description('Optional. Array of Security Policy objects (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/securitypolicies for details).')
 param securityPolicies securityPolicyType = []
@@ -320,6 +320,14 @@ output systemAssignedMIPrincipalId string = profile.?identity.?principalId ?? ''
 //   Definitions   //
 // =============== //
 
+import { afdEndpointType } from 'afdEndpoint/main.bicep'
+import { customDomainType } from 'customdomain/main.bicep'
+import { originGroupType } from 'origingroup/main.bicep'
+import { originType } from 'origingroup//origin/main.bicep'
+import { associationsType } from 'securityPolicies/main.bicep'
+import { ruleSetType } from 'ruleset/main.bicep'
+import { ruleType } from 'ruleset/rule/main.bicep'
+
 type managedIdentitiesType = {
   @description('Optional. Enables system assigned managed identity on the resource.')
   systemAssigned: bool?
@@ -328,7 +336,7 @@ type managedIdentitiesType = {
   userAssignedResourceIds: string[]?
 }?
 
-import { associationsType } from 'securityPolicies/main.bicep'
+@export()
 type securityPolicyType = {
   @description('Required. Name of the security policy.')
   name: string
diff --git a/avm/res/cdn/profile/main.json b/avm/res/cdn/profile/main.json
index ff95fa664e..1d5952c679 100644
--- a/avm/res/cdn/profile/main.json
+++ b/avm/res/cdn/profile/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "17027452417371199673"
+      "version": "0.31.34.60546",
+      "templateHash": "10761375864597089825"
     },
     "name": "CDN Profiles",
     "description": "This module deploys a CDN Profile.",
@@ -60,6 +60,9 @@
             }
           }
         }
+      },
+      "metadata": {
+        "__bicep_export!": true
       }
     },
     "lockType": {
@@ -160,6 +163,388 @@
       },
       "nullable": true
     },
+    "_1.afdRoutecacheConfigurationType": {
+      "type": "object",
+      "properties": {
+        "compressionSettings": {
+          "type": "object",
+          "properties": {
+            "contentTypesToCompress": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              },
+              "metadata": {
+                "description": "Required. List of content types on which compression applies. The value should be a valid MIME type."
+              }
+            },
+            "iscontentTypeToCompressAll": {
+              "type": "bool",
+              "nullable": true,
+              "metadata": {
+                "description": "Optional. Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB."
+              }
+            }
+          },
+          "metadata": {
+            "description": "Required. Compression settings."
+          }
+        },
+        "queryParameters": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Query parameters to include or exclude (comma separated)."
+          }
+        },
+        "queryStringCachingBehavior": {
+          "type": "string",
+          "allowedValues": [
+            "IgnoreQueryString",
+            "IgnoreSpecifiedQueryStrings",
+            "IncludeSpecifiedQueryStrings",
+            "UseQueryString"
+          ],
+          "metadata": {
+            "description": "Required. Defines how Frontdoor caches requests that include query strings."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "afdEndpoint/route/main.bicep"
+        }
+      }
+    },
+    "_1.routeType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the route."
+          }
+        },
+        "cacheConfiguration": {
+          "$ref": "#/definitions/_1.afdRoutecacheConfigurationType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object."
+          }
+        },
+        "customDomainNames": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The names of the custom domains."
+          }
+        },
+        "enabledState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable use of this rule."
+          }
+        },
+        "forwardingProtocol": {
+          "type": "string",
+          "allowedValues": [
+            "HttpOnly",
+            "HttpsOnly",
+            "MatchRequest"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The protocol this rule will use when forwarding traffic to backends."
+          }
+        },
+        "httpsRedirect": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic."
+          }
+        },
+        "linkToDefaultDomain": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether this route will be linked to the default endpoint domain."
+          }
+        },
+        "originGroupName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the origin group."
+          }
+        },
+        "originPath": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath."
+          }
+        },
+        "patternsToMatch": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The route patterns of the rule."
+          }
+        },
+        "ruleSets": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The rule sets of the rule."
+          }
+        },
+        "supportedProtocols": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The supported protocols of the rule."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "afdEndpoint/route/main.bicep"
+        }
+      }
+    },
+    "_2.healthProbeSettingsType": {
+      "type": "object",
+      "properties": {
+        "probePath": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The path relative to the origin that is used to determine the health of the origin."
+          }
+        },
+        "probeProtocol": {
+          "type": "string",
+          "allowedValues": [
+            "Http",
+            "Https",
+            "NotSet"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Protocol to use for health probe."
+          }
+        },
+        "probeRequestType": {
+          "type": "string",
+          "allowedValues": [
+            "GET",
+            "HEAD",
+            "NotSet"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The request type to probe."
+          }
+        },
+        "probeIntervalInSeconds": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The number of seconds between health probes.Default is 240sec."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "origingroup/main.bicep"
+        }
+      }
+    },
+    "_2.loadBalancingSettingsType": {
+      "type": "object",
+      "properties": {
+        "additionalLatencyInMilliseconds": {
+          "type": "int",
+          "metadata": {
+            "description": "Required. Additional latency in milliseconds for probes to the backend. Must be between 0 and 1000."
+          }
+        },
+        "sampleSize": {
+          "type": "int",
+          "metadata": {
+            "description": "Required. Number of samples to consider for load balancing decisions."
+          }
+        },
+        "successfulSamplesRequired": {
+          "type": "int",
+          "metadata": {
+            "description": "Required. Number of samples within the sample window that must be successful to mark the backend as healthy."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "origingroup/main.bicep"
+        }
+      }
+    },
+    "_3.originType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the origion."
+          }
+        },
+        "hostName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint."
+          }
+        },
+        "enabledState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool."
+          }
+        },
+        "enforceCertificateNameCheck": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable certificate name check at origin level."
+          }
+        },
+        "httpPort": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The value of the HTTP port. Must be between 1 and 65535."
+          }
+        },
+        "httpsPort": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535."
+          }
+        },
+        "originHostHeader": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint."
+          }
+        },
+        "priority": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5."
+          }
+        },
+        "weight": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000."
+          }
+        },
+        "sharedPrivateLinkResource": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The properties of the private link resource for private origin."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "origingroup/origin/main.bicep"
+        }
+      }
+    },
+    "afdEndpointType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the AFD Endpoint."
+          }
+        },
+        "routes": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/_1.routeType"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The list of routes for this AFD Endpoint."
+          }
+        },
+        "tags": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The tags for the AFD Endpoint."
+          }
+        },
+        "autoGeneratedDomainNameLabelScope": {
+          "type": "string",
+          "allowedValues": [
+            "NoReuse",
+            "ResourceGroupReuse",
+            "SubscriptionReuse",
+            "TenantReuse"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The scope of the auto-generated domain name label."
+          }
+        },
+        "enabledState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The state of the AFD Endpoint."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "afdEndpoint/main.bicep"
+        }
+      }
+    },
     "associationsType": {
       "type": "array",
       "items": {
@@ -195,7 +580,290 @@
       },
       "metadata": {
         "__bicep_imported_from!": {
-          "sourceTemplate": "securityPolicies/main.bicep"
+          "sourceTemplate": "securityPolicies/main.bicep"
+        }
+      }
+    },
+    "customDomainType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the custom domain."
+          }
+        },
+        "hostName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The host name of the custom domain."
+          }
+        },
+        "certificateType": {
+          "type": "string",
+          "allowedValues": [
+            "AzureFirstPartyManagedCertificate",
+            "CustomerCertificate",
+            "ManagedCertificate"
+          ],
+          "metadata": {
+            "description": "Required. The type of the certificate."
+          }
+        },
+        "azureDnsZoneResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The resource ID of the Azure DNS zone."
+          }
+        },
+        "preValidatedCustomDomainResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The resource ID of the pre-validated custom domain."
+          }
+        },
+        "secretName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the secret."
+          }
+        },
+        "minimumTlsVersion": {
+          "type": "string",
+          "allowedValues": [
+            "TLS10",
+            "TLS12"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The minimum TLS version."
+          }
+        },
+        "extendedProperties": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Extended properties."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "customdomain/main.bicep"
+        }
+      }
+    },
+    "originGroupType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the origin group."
+          }
+        },
+        "loadBalancingSettings": {
+          "$ref": "#/definitions/_2.loadBalancingSettingsType",
+          "metadata": {
+            "description": "Required. Load balancing settings for a backend pool."
+          }
+        },
+        "healthProbeSettings": {
+          "$ref": "#/definitions/_2.healthProbeSettingsType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Health probe settings to the origin that is used to determine the health of the origin."
+          }
+        },
+        "sessionAffinityState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to allow session affinity on this host."
+          }
+        },
+        "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins."
+          }
+        },
+        "origins": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/_3.originType"
+          },
+          "metadata": {
+            "description": "Required. The list of origins within the origin group."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "origingroup/main.bicep"
+        }
+      }
+    },
+    "originType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the origion."
+          }
+        },
+        "hostName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint."
+          }
+        },
+        "enabledState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool."
+          }
+        },
+        "enforceCertificateNameCheck": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable certificate name check at origin level."
+          }
+        },
+        "httpPort": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The value of the HTTP port. Must be between 1 and 65535."
+          }
+        },
+        "httpsPort": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535."
+          }
+        },
+        "originHostHeader": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint."
+          }
+        },
+        "priority": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5."
+          }
+        },
+        "weight": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000."
+          }
+        },
+        "sharedPrivateLinkResource": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The properties of the private link resource for private origin."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "origingroup//origin/main.bicep"
+        }
+      }
+    },
+    "ruleSetType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Name of the rule set."
+          }
+        },
+        "rules": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/ruleType"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Array of rules."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "ruleset/main.bicep"
+        }
+      }
+    },
+    "ruleType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the rule."
+          }
+        },
+        "order": {
+          "type": "int",
+          "metadata": {
+            "description": "Required. The order in which the rules are applied for the endpoint."
+          }
+        },
+        "actions": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied.."
+          }
+        },
+        "conditions": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of conditions that must be matched for the actions to be executed."
+          }
+        },
+        "matchProcessingBehavior": {
+          "type": "string",
+          "allowedValues": [
+            "Continue",
+            "Stop"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "ruleset/rule/main.bicep"
         }
       }
     }
@@ -264,6 +932,9 @@
     },
     "customDomains": {
       "type": "array",
+      "items": {
+        "$ref": "#/definitions/customDomainType"
+      },
       "defaultValue": [],
       "metadata": {
         "description": "Optional. Array of custom domain objects."
@@ -271,6 +942,9 @@
     },
     "originGroups": {
       "type": "array",
+      "items": {
+        "$ref": "#/definitions/originGroupType"
+      },
       "defaultValue": [],
       "metadata": {
         "description": "Conditional. Array of origin group objects. Required if the afdEndpoints is specified."
@@ -278,6 +952,9 @@
     },
     "ruleSets": {
       "type": "array",
+      "items": {
+        "$ref": "#/definitions/ruleSetType"
+      },
       "defaultValue": [],
       "metadata": {
         "description": "Optional. Array of rule set objects."
@@ -285,6 +962,9 @@
     },
     "afdEndpoints": {
       "type": "array",
+      "items": {
+        "$ref": "#/definitions/afdEndpointType"
+      },
       "defaultValue": [],
       "metadata": {
         "description": "Optional. Array of AFD endpoint objects."
@@ -454,8 +1134,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "3460565146034921053"
+              "version": "0.31.34.60546",
+              "templateHash": "5709530270456479127"
             },
             "name": "CDN Profiles Endpoints",
             "description": "This module deploys a CDN Profile Endpoint.",
@@ -508,10 +1188,7 @@
               "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]",
               "location": "[parameters('location')]",
               "properties": "[parameters('properties')]",
-              "tags": "[parameters('tags')]",
-              "dependsOn": [
-                "profile"
-              ]
+              "tags": "[parameters('tags')]"
             },
             "endpoint_origins": {
               "copy": {
@@ -574,8 +1251,8 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "4151069688274070352"
+                      "version": "0.31.34.60546",
+                      "templateHash": "12416203553821456162"
                     },
                     "name": "CDN Profiles Endpoints Origins",
                     "description": "This module deploys a CDN Profile Endpoint Origin.",
@@ -682,19 +1359,13 @@
                       "existing": true,
                       "type": "Microsoft.Cdn/profiles/endpoints",
                       "apiVersion": "2021-06-01",
-                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('endpointName'))]",
-                      "dependsOn": [
-                        "profile"
-                      ]
+                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('endpointName'))]"
                     },
                     "origin": {
                       "type": "Microsoft.Cdn/profiles/endpoints/origins",
                       "apiVersion": "2021-06-01",
                       "name": "[format('{0}/{1}/{2}', parameters('profileName'), parameters('endpointName'), parameters('name'))]",
-                      "properties": "[union(createObject('hostName', parameters('hostName'), 'httpPort', parameters('httpPort'), 'enabled', parameters('enabled'), 'httpsPort', parameters('httpsPort')), if(or(greater(parameters('priority'), 0), greater(parameters('weight'), 0)), createObject('priority', parameters('priority'), 'weight', parameters('weight')), createObject()), if(and(not(empty(parameters('privateLinkAlias'))), not(empty(parameters('privateLinkLocation')))), createObject('privateLinkAlias', parameters('privateLinkAlias'), 'privateLinkLocation', parameters('privateLinkLocation')), createObject()), if(not(empty(parameters('privateLinkResourceId'))), createObject('privateLinkResourceId', parameters('privateLinkResourceId')), createObject()), if(not(empty(parameters('originHostHeader'))), createObject('originHostHeader', parameters('originHostHeader')), createObject()))]",
-                      "dependsOn": [
-                        "endpoint"
-                      ]
+                      "properties": "[union(createObject('hostName', parameters('hostName'), 'httpPort', parameters('httpPort'), 'enabled', parameters('enabled'), 'httpsPort', parameters('httpsPort')), if(or(greater(parameters('priority'), 0), greater(parameters('weight'), 0)), createObject('priority', parameters('priority'), 'weight', parameters('weight')), createObject()), if(and(not(empty(parameters('privateLinkAlias'))), not(empty(parameters('privateLinkLocation')))), createObject('privateLinkAlias', parameters('privateLinkAlias'), 'privateLinkLocation', parameters('privateLinkLocation')), createObject()), if(not(empty(parameters('privateLinkResourceId'))), createObject('privateLinkResourceId', parameters('privateLinkResourceId')), createObject()), if(not(empty(parameters('originHostHeader'))), createObject('originHostHeader', parameters('originHostHeader')), createObject()))]"
                     }
                   },
                   "outputs": {
@@ -730,8 +1401,7 @@
                 }
               },
               "dependsOn": [
-                "endpoint",
-                "profile"
+                "endpoint"
               ]
             }
           },
@@ -827,8 +1497,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "9127977884501208410"
+              "version": "0.31.34.60546",
+              "templateHash": "135211401759640973"
             },
             "name": "CDN Profiles Secret",
             "description": "This module deploys a CDN Profile Secret.",
@@ -972,17 +1642,90 @@
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "languageVersion": "2.0",
           "contentVersion": "1.0.0.0",
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "16955838730426729961"
+              "version": "0.31.34.60546",
+              "templateHash": "10387694873442665915"
             },
             "name": "CDN Profiles Custom Domains",
             "description": "This module deploys a CDN Profile Custom Domains.",
             "owner": "Azure/module-maintainers"
           },
+          "definitions": {
+            "customDomainType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the custom domain."
+                  }
+                },
+                "hostName": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The host name of the custom domain."
+                  }
+                },
+                "certificateType": {
+                  "type": "string",
+                  "allowedValues": [
+                    "AzureFirstPartyManagedCertificate",
+                    "CustomerCertificate",
+                    "ManagedCertificate"
+                  ],
+                  "metadata": {
+                    "description": "Required. The type of the certificate."
+                  }
+                },
+                "azureDnsZoneResourceId": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The resource ID of the Azure DNS zone."
+                  }
+                },
+                "preValidatedCustomDomainResourceId": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The resource ID of the pre-validated custom domain."
+                  }
+                },
+                "secretName": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The name of the secret."
+                  }
+                },
+                "minimumTlsVersion": {
+                  "type": "string",
+                  "allowedValues": [
+                    "TLS10",
+                    "TLS12"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The minimum TLS version."
+                  }
+                },
+                "extendedProperties": {
+                  "type": "object",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Extended properties."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
+            }
+          },
           "parameters": {
             "name": {
               "type": "string",
@@ -1026,6 +1769,7 @@
             "certificateType": {
               "type": "string",
               "allowedValues": [
+                "AzureFirstPartyManagedCertificate",
                 "CustomerCertificate",
                 "ManagedCertificate"
               ],
@@ -1052,8 +1796,21 @@
               }
             }
           },
-          "resources": [
-            {
+          "resources": {
+            "profile::secrect": {
+              "condition": "[not(empty(parameters('secretName')))]",
+              "existing": true,
+              "type": "Microsoft.Cdn/profiles/secrets",
+              "apiVersion": "2023-05-01",
+              "name": "[format('{0}/{1}', parameters('profileName'), parameters('secretName'))]"
+            },
+            "profile": {
+              "existing": true,
+              "type": "Microsoft.Cdn/profiles",
+              "apiVersion": "2023-05-01",
+              "name": "[parameters('profileName')]"
+            },
+            "customDomain": {
               "type": "Microsoft.Cdn/profiles/customDomains",
               "apiVersion": "2023-05-01",
               "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]",
@@ -1069,7 +1826,7 @@
                 }
               }
             }
-          ],
+          },
           "outputs": {
             "name": {
               "type": "string",
@@ -1143,13 +1900,223 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "16948516107556143812"
+              "version": "0.31.34.60546",
+              "templateHash": "15886213526918072525"
             },
             "name": "CDN Profiles Origin Group",
             "description": "This module deploys a CDN Profile Origin Group.",
             "owner": "Azure/module-maintainers"
           },
+          "definitions": {
+            "originGroupType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the origin group."
+                  }
+                },
+                "loadBalancingSettings": {
+                  "$ref": "#/definitions/loadBalancingSettingsType",
+                  "metadata": {
+                    "description": "Required. Load balancing settings for a backend pool."
+                  }
+                },
+                "healthProbeSettings": {
+                  "$ref": "#/definitions/healthProbeSettingsType",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Health probe settings to the origin that is used to determine the health of the origin."
+                  }
+                },
+                "sessionAffinityState": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether to allow session affinity on this host."
+                  }
+                },
+                "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins."
+                  }
+                },
+                "origins": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/definitions/originType"
+                  },
+                  "metadata": {
+                    "description": "Required. The list of origins within the origin group."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
+            },
+            "loadBalancingSettingsType": {
+              "type": "object",
+              "properties": {
+                "additionalLatencyInMilliseconds": {
+                  "type": "int",
+                  "metadata": {
+                    "description": "Required. Additional latency in milliseconds for probes to the backend. Must be between 0 and 1000."
+                  }
+                },
+                "sampleSize": {
+                  "type": "int",
+                  "metadata": {
+                    "description": "Required. Number of samples to consider for load balancing decisions."
+                  }
+                },
+                "successfulSamplesRequired": {
+                  "type": "int",
+                  "metadata": {
+                    "description": "Required. Number of samples within the sample window that must be successful to mark the backend as healthy."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
+            },
+            "healthProbeSettingsType": {
+              "type": "object",
+              "properties": {
+                "probePath": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The path relative to the origin that is used to determine the health of the origin."
+                  }
+                },
+                "probeProtocol": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Http",
+                    "Https",
+                    "NotSet"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Protocol to use for health probe."
+                  }
+                },
+                "probeRequestType": {
+                  "type": "string",
+                  "allowedValues": [
+                    "GET",
+                    "HEAD",
+                    "NotSet"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The request type to probe."
+                  }
+                },
+                "probeIntervalInSeconds": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The number of seconds between health probes.Default is 240sec."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
+            },
+            "originType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the origion."
+                  }
+                },
+                "hostName": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint."
+                  }
+                },
+                "enabledState": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool."
+                  }
+                },
+                "enforceCertificateNameCheck": {
+                  "type": "bool",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether to enable certificate name check at origin level."
+                  }
+                },
+                "httpPort": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The value of the HTTP port. Must be between 1 and 65535."
+                  }
+                },
+                "httpsPort": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535."
+                  }
+                },
+                "originHostHeader": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint."
+                  }
+                },
+                "priority": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5."
+                  }
+                },
+                "weight": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000."
+                  }
+                },
+                "sharedPrivateLinkResource": {
+                  "type": "object",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The properties of the private link resource for private origin."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_imported_from!": {
+                  "sourceTemplate": "origin/main.bicep"
+                }
+              }
+            }
+          },
           "parameters": {
             "name": {
               "type": "string",
@@ -1217,10 +2184,7 @@
                 "loadBalancingSettings": "[parameters('loadBalancingSettings')]",
                 "sessionAffinityState": "[parameters('sessionAffinityState')]",
                 "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": "[parameters('trafficRestorationTimeToHealedOrNewEndpointsInMinutes')]"
-              },
-              "dependsOn": [
-                "profile"
-              ]
+              }
             },
             "originGroup_origins": {
               "copy": {
@@ -1280,13 +2244,95 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "4669077701065465911"
+                      "version": "0.31.34.60546",
+                      "templateHash": "3615112055594041997"
                     },
                     "name": "CDN Profiles Origin",
                     "description": "This module deploys a CDN Profile Origin.",
                     "owner": "Azure/module-maintainers"
                   },
+                  "definitions": {
+                    "originType": {
+                      "type": "object",
+                      "properties": {
+                        "name": {
+                          "type": "string",
+                          "metadata": {
+                            "description": "Required. The name of the origion."
+                          }
+                        },
+                        "hostName": {
+                          "type": "string",
+                          "metadata": {
+                            "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint."
+                          }
+                        },
+                        "enabledState": {
+                          "type": "string",
+                          "allowedValues": [
+                            "Disabled",
+                            "Enabled"
+                          ],
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool."
+                          }
+                        },
+                        "enforceCertificateNameCheck": {
+                          "type": "bool",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. Whether to enable certificate name check at origin level."
+                          }
+                        },
+                        "httpPort": {
+                          "type": "int",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The value of the HTTP port. Must be between 1 and 65535."
+                          }
+                        },
+                        "httpsPort": {
+                          "type": "int",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535."
+                          }
+                        },
+                        "originHostHeader": {
+                          "type": "string",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint."
+                          }
+                        },
+                        "priority": {
+                          "type": "int",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5."
+                          }
+                        },
+                        "weight": {
+                          "type": "int",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000."
+                          }
+                        },
+                        "sharedPrivateLinkResource": {
+                          "type": "object",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The properties of the private link resource for private origin."
+                          }
+                        }
+                      },
+                      "metadata": {
+                        "__bicep_export!": true
+                      }
+                    }
+                  },
                   "parameters": {
                     "name": {
                       "type": "string",
@@ -1378,10 +2424,7 @@
                       "existing": true,
                       "type": "Microsoft.Cdn/profiles/originGroups",
                       "apiVersion": "2023-05-01",
-                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]",
-                      "dependsOn": [
-                        "profile"
-                      ]
+                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]"
                     },
                     "profile": {
                       "existing": true,
@@ -1403,10 +2446,7 @@
                         "priority": "[parameters('priority')]",
                         "sharedPrivateLinkResource": "[parameters('sharedPrivateLinkResource')]",
                         "weight": "[parameters('weight')]"
-                      },
-                      "dependsOn": [
-                        "profile::originGroup"
-                      ]
+                      }
                     }
                   },
                   "outputs": {
@@ -1506,12 +2546,85 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "11520922481694023973"
+              "version": "0.31.34.60546",
+              "templateHash": "4753233857701337613"
+            },
+            "name": "CDN Profiles Rule Sets",
+            "description": "This module deploys a CDN Profile rule set.",
+            "owner": "Azure/module-maintainers"
+          },
+          "definitions": {
+            "ruleSetType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. Name of the rule set."
+                  }
+                },
+                "rules": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/definitions/ruleType"
+                  },
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Array of rules."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
             },
-            "name": "CDN Profiles Rule Sets",
-            "description": "This module deploys a CDN Profile rule set.",
-            "owner": "Azure/module-maintainers"
+            "ruleType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the rule."
+                  }
+                },
+                "order": {
+                  "type": "int",
+                  "metadata": {
+                    "description": "Required. The order in which the rules are applied for the endpoint."
+                  }
+                },
+                "actions": {
+                  "type": "array",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied.."
+                  }
+                },
+                "conditions": {
+                  "type": "array",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A list of conditions that must be matched for the actions to be executed."
+                  }
+                },
+                "matchProcessingBehavior": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Continue",
+                    "Stop"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_imported_from!": {
+                  "sourceTemplate": "rule/main.bicep"
+                }
+              }
+            }
           },
           "parameters": {
             "name": {
@@ -1528,6 +2641,9 @@
             },
             "rules": {
               "type": "array",
+              "items": {
+                "$ref": "#/definitions/ruleType"
+              },
               "nullable": true,
               "metadata": {
                 "description": "Optinal. The rules to apply to the rule set."
@@ -1544,10 +2660,7 @@
             "ruleSet": {
               "type": "Microsoft.Cdn/profiles/ruleSets",
               "apiVersion": "2023-05-01",
-              "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]",
-              "dependsOn": [
-                "profile"
-              ]
+              "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]"
             },
             "ruleSet_rules": {
               "copy": {
@@ -1592,13 +2705,60 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "8818585542646204223"
+                      "version": "0.31.34.60546",
+                      "templateHash": "11756620080021514486"
                     },
                     "name": "CDN Profiles Rules",
                     "description": "This module deploys a CDN Profile rule.",
                     "owner": "Azure/module-maintainers"
                   },
+                  "definitions": {
+                    "ruleType": {
+                      "type": "object",
+                      "properties": {
+                        "name": {
+                          "type": "string",
+                          "metadata": {
+                            "description": "Required. The name of the rule."
+                          }
+                        },
+                        "order": {
+                          "type": "int",
+                          "metadata": {
+                            "description": "Required. The order in which the rules are applied for the endpoint."
+                          }
+                        },
+                        "actions": {
+                          "type": "array",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied.."
+                          }
+                        },
+                        "conditions": {
+                          "type": "array",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. A list of conditions that must be matched for the actions to be executed."
+                          }
+                        },
+                        "matchProcessingBehavior": {
+                          "type": "string",
+                          "allowedValues": [
+                            "Continue",
+                            "Stop"
+                          ],
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue."
+                          }
+                        }
+                      },
+                      "metadata": {
+                        "__bicep_export!": true
+                      }
+                    }
+                  },
                   "parameters": {
                     "name": {
                       "type": "string",
@@ -1655,10 +2815,7 @@
                       "existing": true,
                       "type": "Microsoft.Cdn/profiles/ruleSets",
                       "apiVersion": "2023-05-01",
-                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSetName'))]",
-                      "dependsOn": [
-                        "profile"
-                      ]
+                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSetName'))]"
                     },
                     "profile": {
                       "existing": true,
@@ -1675,10 +2832,7 @@
                         "actions": "[parameters('actions')]",
                         "conditions": "[parameters('conditions')]",
                         "matchProcessingBehavior": "[parameters('matchProcessingBehavior')]"
-                      },
-                      "dependsOn": [
-                        "profile::ruleSet"
-                      ]
+                      }
                     }
                   },
                   "outputs": {
@@ -1780,13 +2934,237 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "792735746278824384"
+              "version": "0.31.34.60546",
+              "templateHash": "16899001110062450573"
             },
             "name": "CDN Profiles AFD Endpoints",
             "description": "This module deploys a CDN Profile AFD Endpoint.",
             "owner": "Azure/module-maintainers"
           },
+          "definitions": {
+            "afdEndpointType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the AFD Endpoint."
+                  }
+                },
+                "routes": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/definitions/routeType"
+                  },
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The list of routes for this AFD Endpoint."
+                  }
+                },
+                "tags": {
+                  "type": "object",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The tags for the AFD Endpoint."
+                  }
+                },
+                "autoGeneratedDomainNameLabelScope": {
+                  "type": "string",
+                  "allowedValues": [
+                    "NoReuse",
+                    "ResourceGroupReuse",
+                    "SubscriptionReuse",
+                    "TenantReuse"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The scope of the auto-generated domain name label."
+                  }
+                },
+                "enabledState": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The state of the AFD Endpoint."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
+            },
+            "_1.afdRoutecacheConfigurationType": {
+              "type": "object",
+              "properties": {
+                "compressionSettings": {
+                  "type": "object",
+                  "properties": {
+                    "contentTypesToCompress": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "metadata": {
+                        "description": "Required. List of content types on which compression applies. The value should be a valid MIME type."
+                      }
+                    },
+                    "iscontentTypeToCompressAll": {
+                      "type": "bool",
+                      "nullable": true,
+                      "metadata": {
+                        "description": "Optional. Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB."
+                      }
+                    }
+                  },
+                  "metadata": {
+                    "description": "Required. Compression settings."
+                  }
+                },
+                "queryParameters": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. Query parameters to include or exclude (comma separated)."
+                  }
+                },
+                "queryStringCachingBehavior": {
+                  "type": "string",
+                  "allowedValues": [
+                    "IgnoreQueryString",
+                    "IgnoreSpecifiedQueryStrings",
+                    "IncludeSpecifiedQueryStrings",
+                    "UseQueryString"
+                  ],
+                  "metadata": {
+                    "description": "Required. Defines how Frontdoor caches requests that include query strings."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_imported_from!": {
+                  "sourceTemplate": "route/main.bicep"
+                }
+              }
+            },
+            "routeType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the route."
+                  }
+                },
+                "cacheConfiguration": {
+                  "$ref": "#/definitions/_1.afdRoutecacheConfigurationType",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object."
+                  }
+                },
+                "customDomainNames": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  },
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The names of the custom domains."
+                  }
+                },
+                "enabledState": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether to enable use of this rule."
+                  }
+                },
+                "forwardingProtocol": {
+                  "type": "string",
+                  "allowedValues": [
+                    "HttpOnly",
+                    "HttpsOnly",
+                    "MatchRequest"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The protocol this rule will use when forwarding traffic to backends."
+                  }
+                },
+                "httpsRedirect": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic."
+                  }
+                },
+                "linkToDefaultDomain": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether this route will be linked to the default endpoint domain."
+                  }
+                },
+                "originGroupName": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the origin group."
+                  }
+                },
+                "originPath": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath."
+                  }
+                },
+                "patternsToMatch": {
+                  "type": "array",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The route patterns of the rule."
+                  }
+                },
+                "ruleSets": {
+                  "type": "array",
+                  "items": {
+                    "type": "object"
+                  },
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The rule sets of the rule."
+                  }
+                },
+                "supportedProtocols": {
+                  "type": "array",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The supported protocols of the rule."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_imported_from!": {
+                  "sourceTemplate": "route/main.bicep"
+                }
+              }
+            }
+          },
           "parameters": {
             "name": {
               "type": "string",
@@ -1840,6 +3218,9 @@
             },
             "routes": {
               "type": "array",
+              "items": {
+                "$ref": "#/definitions/routeType"
+              },
               "nullable": true,
               "metadata": {
                 "description": "Optional. The list of routes for this AFD Endpoint."
@@ -1862,10 +3243,7 @@
               "properties": {
                 "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]",
                 "enabledState": "[parameters('enabledState')]"
-              },
-              "dependsOn": [
-                "profile"
-              ]
+              }
             },
             "afdEndpoint_routes": {
               "copy": {
@@ -1931,13 +3309,175 @@
                   "metadata": {
                     "_generator": {
                       "name": "bicep",
-                      "version": "0.30.23.60470",
-                      "templateHash": "1034122698174669197"
+                      "version": "0.31.34.60546",
+                      "templateHash": "15873678240851060540"
                     },
                     "name": "CDN Profiles AFD Endpoint Route",
                     "description": "This module deploys a CDN Profile AFD Endpoint route.",
                     "owner": "Azure/module-maintainers"
                   },
+                  "definitions": {
+                    "routeType": {
+                      "type": "object",
+                      "properties": {
+                        "name": {
+                          "type": "string",
+                          "metadata": {
+                            "description": "Required. The name of the route."
+                          }
+                        },
+                        "cacheConfiguration": {
+                          "$ref": "#/definitions/afdRoutecacheConfigurationType",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The caching configuration for this route. To disable caching, do not provide a cacheConfiguration object."
+                          }
+                        },
+                        "customDomainNames": {
+                          "type": "array",
+                          "items": {
+                            "type": "string"
+                          },
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The names of the custom domains."
+                          }
+                        },
+                        "enabledState": {
+                          "type": "string",
+                          "allowedValues": [
+                            "Disabled",
+                            "Enabled"
+                          ],
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. Whether to enable use of this rule."
+                          }
+                        },
+                        "forwardingProtocol": {
+                          "type": "string",
+                          "allowedValues": [
+                            "HttpOnly",
+                            "HttpsOnly",
+                            "MatchRequest"
+                          ],
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The protocol this rule will use when forwarding traffic to backends."
+                          }
+                        },
+                        "httpsRedirect": {
+                          "type": "string",
+                          "allowedValues": [
+                            "Disabled",
+                            "Enabled"
+                          ],
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. Whether to automatically redirect HTTP traffic to HTTPS traffic."
+                          }
+                        },
+                        "linkToDefaultDomain": {
+                          "type": "string",
+                          "allowedValues": [
+                            "Disabled",
+                            "Enabled"
+                          ],
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. Whether this route will be linked to the default endpoint domain."
+                          }
+                        },
+                        "originGroupName": {
+                          "type": "string",
+                          "metadata": {
+                            "description": "Required. The name of the origin group."
+                          }
+                        },
+                        "originPath": {
+                          "type": "string",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. A directory path on the origin that AzureFrontDoor can use to retrieve content from, e.g. contoso.cloudapp.net/originpath."
+                          }
+                        },
+                        "patternsToMatch": {
+                          "type": "array",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The route patterns of the rule."
+                          }
+                        },
+                        "ruleSets": {
+                          "type": "array",
+                          "items": {
+                            "type": "object"
+                          },
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The rule sets of the rule."
+                          }
+                        },
+                        "supportedProtocols": {
+                          "type": "array",
+                          "nullable": true,
+                          "metadata": {
+                            "description": "Optional. The supported protocols of the rule."
+                          }
+                        }
+                      },
+                      "metadata": {
+                        "__bicep_export!": true
+                      }
+                    },
+                    "afdRoutecacheConfigurationType": {
+                      "type": "object",
+                      "properties": {
+                        "compressionSettings": {
+                          "type": "object",
+                          "properties": {
+                            "contentTypesToCompress": {
+                              "type": "array",
+                              "items": {
+                                "type": "string"
+                              },
+                              "metadata": {
+                                "description": "Required. List of content types on which compression applies. The value should be a valid MIME type."
+                              }
+                            },
+                            "iscontentTypeToCompressAll": {
+                              "type": "bool",
+                              "nullable": true,
+                              "metadata": {
+                                "description": "Optional. Indicates whether content compression is enabled on AzureFrontDoor. Default value is false. If compression is enabled, content will be served as compressed if user requests for a compressed version. Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB."
+                              }
+                            }
+                          },
+                          "metadata": {
+                            "description": "Required. Compression settings."
+                          }
+                        },
+                        "queryParameters": {
+                          "type": "string",
+                          "metadata": {
+                            "description": "Required. Query parameters to include or exclude (comma separated)."
+                          }
+                        },
+                        "queryStringCachingBehavior": {
+                          "type": "string",
+                          "allowedValues": [
+                            "IgnoreQueryString",
+                            "IgnoreSpecifiedQueryStrings",
+                            "IncludeSpecifiedQueryStrings",
+                            "UseQueryString"
+                          ],
+                          "metadata": {
+                            "description": "Required. Defines how Frontdoor caches requests that include query strings."
+                          }
+                        }
+                      }
+                    }
+                  },
                   "parameters": {
                     "name": {
                       "type": "string",
@@ -2063,10 +3603,7 @@
                       "existing": true,
                       "type": "Microsoft.Cdn/profiles/afdEndpoints",
                       "apiVersion": "2023-05-01",
-                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('afdEndpointName'))]",
-                      "dependsOn": [
-                        "profile"
-                      ]
+                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('afdEndpointName'))]"
                     },
                     "profile::customDomains": {
                       "copy": {
@@ -2076,19 +3613,13 @@
                       "existing": true,
                       "type": "Microsoft.Cdn/profiles/customDomains",
                       "apiVersion": "2023-05-01",
-                      "name": "[format('{0}/{1}', parameters('profileName'), coalesce(parameters('customDomainNames'), createArray())[copyIndex()])]",
-                      "dependsOn": [
-                        "profile"
-                      ]
+                      "name": "[format('{0}/{1}', parameters('profileName'), coalesce(parameters('customDomainNames'), createArray())[copyIndex()])]"
                     },
                     "profile::originGroup": {
                       "existing": true,
                       "type": "Microsoft.Cdn/profiles/originGroups",
                       "apiVersion": "2023-05-01",
-                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]",
-                      "dependsOn": [
-                        "profile"
-                      ]
+                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]"
                     },
                     "profile::ruleSet": {
                       "copy": {
@@ -2098,10 +3629,7 @@
                       "existing": true,
                       "type": "Microsoft.Cdn/profiles/ruleSets",
                       "apiVersion": "2023-05-01",
-                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSets')[copyIndex()].name)]",
-                      "dependsOn": [
-                        "profile"
-                      ]
+                      "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSets')[copyIndex()].name)]"
                     },
                     "profile": {
                       "existing": true,
@@ -2141,10 +3669,7 @@
                         "originPath": "[parameters('originPath')]",
                         "patternsToMatch": "[parameters('patternsToMatch')]",
                         "supportedProtocols": "[parameters('supportedProtocols')]"
-                      },
-                      "dependsOn": [
-                        "profile::afdEndpoint"
-                      ]
+                      }
                     }
                   },
                   "outputs": {
@@ -2173,8 +3698,7 @@
                 }
               },
               "dependsOn": [
-                "afdEndpoint",
-                "profile"
+                "afdEndpoint"
               ]
             }
           },
@@ -2258,8 +3782,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "11561080659040848436"
+              "version": "0.31.34.60546",
+              "templateHash": "3914917842985483427"
             },
             "name": "CDN Profiles Security Policy",
             "description": "This module deploys a CDN Profile Security Policy.",
@@ -2349,10 +3873,7 @@
                   },
                   "associations": "[parameters('associations')]"
                 }
-              },
-              "dependsOn": [
-                "profile"
-              ]
+              }
             }
           },
           "outputs": {
diff --git a/avm/res/cdn/profile/origingroup/main.bicep b/avm/res/cdn/profile/origingroup/main.bicep
index 258f75686f..f404a050eb 100644
--- a/avm/res/cdn/profile/origingroup/main.bicep
+++ b/avm/res/cdn/profile/origingroup/main.bicep
@@ -73,3 +73,56 @@ output resourceGroupName string = resourceGroup().name
 
 @description('The location the resource was deployed into.')
 output location string = profile.location
+
+// =============== //
+//   Definitions   //
+// =============== //
+
+import { originType } from './origin/main.bicep'
+@export()
+type originGroupType = {
+  @description('Required. The name of the origin group.')
+  name: string
+
+  @description('Required. Load balancing settings for a backend pool.')
+  loadBalancingSettings: loadBalancingSettingsType
+
+  @description('Optional. Health probe settings to the origin that is used to determine the health of the origin.')
+  healthProbeSettings: healthProbeSettingsType?
+
+  @description('Optional. Whether to allow session affinity on this host.')
+  sessionAffinityState: 'Enabled' | 'Disabled' | null
+
+  @description('Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins.')
+  trafficRestorationTimeToHealedOrNewEndpointsInMinutes: int?
+
+  @description('Required. The list of origins within the origin group.')
+  origins: originType[]
+}
+
+@export()
+type loadBalancingSettingsType = {
+  @description('Required. Additional latency in milliseconds for probes to the backend. Must be between 0 and 1000.')
+  additionalLatencyInMilliseconds: int
+
+  @description('Required. Number of samples to consider for load balancing decisions.')
+  sampleSize: int
+
+  @description('Required. Number of samples within the sample window that must be successful to mark the backend as healthy.')
+  successfulSamplesRequired: int
+}
+
+@export()
+type healthProbeSettingsType = {
+  @description('Optional. The path relative to the origin that is used to determine the health of the origin.')
+  probePath: string?
+
+  @description('Optional. Protocol to use for health probe.')
+  probeProtocol: 'Http' | 'Https' | 'NotSet' | null
+
+  @description('Optional. The request type to probe.')
+  probeRequestType: 'GET' | 'HEAD' | 'NotSet' | null
+
+  @description('Optional. The number of seconds between health probes.Default is 240sec.')
+  probeIntervalInSeconds: int?
+}
diff --git a/avm/res/cdn/profile/origingroup/main.json b/avm/res/cdn/profile/origingroup/main.json
index af9a692a27..7dd74caff6 100644
--- a/avm/res/cdn/profile/origingroup/main.json
+++ b/avm/res/cdn/profile/origingroup/main.json
@@ -5,13 +5,223 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "16948516107556143812"
+      "version": "0.31.34.60546",
+      "templateHash": "15886213526918072525"
     },
     "name": "CDN Profiles Origin Group",
     "description": "This module deploys a CDN Profile Origin Group.",
     "owner": "Azure/module-maintainers"
   },
+  "definitions": {
+    "originGroupType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the origin group."
+          }
+        },
+        "loadBalancingSettings": {
+          "$ref": "#/definitions/loadBalancingSettingsType",
+          "metadata": {
+            "description": "Required. Load balancing settings for a backend pool."
+          }
+        },
+        "healthProbeSettings": {
+          "$ref": "#/definitions/healthProbeSettingsType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Health probe settings to the origin that is used to determine the health of the origin."
+          }
+        },
+        "sessionAffinityState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to allow session affinity on this host."
+          }
+        },
+        "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Time in minutes to shift the traffic to the endpoint gradually when an unhealthy endpoint comes healthy or a new endpoint is added. Default is 10 mins."
+          }
+        },
+        "origins": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/originType"
+          },
+          "metadata": {
+            "description": "Required. The list of origins within the origin group."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "loadBalancingSettingsType": {
+      "type": "object",
+      "properties": {
+        "additionalLatencyInMilliseconds": {
+          "type": "int",
+          "metadata": {
+            "description": "Required. Additional latency in milliseconds for probes to the backend. Must be between 0 and 1000."
+          }
+        },
+        "sampleSize": {
+          "type": "int",
+          "metadata": {
+            "description": "Required. Number of samples to consider for load balancing decisions."
+          }
+        },
+        "successfulSamplesRequired": {
+          "type": "int",
+          "metadata": {
+            "description": "Required. Number of samples within the sample window that must be successful to mark the backend as healthy."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "healthProbeSettingsType": {
+      "type": "object",
+      "properties": {
+        "probePath": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The path relative to the origin that is used to determine the health of the origin."
+          }
+        },
+        "probeProtocol": {
+          "type": "string",
+          "allowedValues": [
+            "Http",
+            "Https",
+            "NotSet"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Protocol to use for health probe."
+          }
+        },
+        "probeRequestType": {
+          "type": "string",
+          "allowedValues": [
+            "GET",
+            "HEAD",
+            "NotSet"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The request type to probe."
+          }
+        },
+        "probeIntervalInSeconds": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The number of seconds between health probes.Default is 240sec."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "originType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the origion."
+          }
+        },
+        "hostName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint."
+          }
+        },
+        "enabledState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool."
+          }
+        },
+        "enforceCertificateNameCheck": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable certificate name check at origin level."
+          }
+        },
+        "httpPort": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The value of the HTTP port. Must be between 1 and 65535."
+          }
+        },
+        "httpsPort": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535."
+          }
+        },
+        "originHostHeader": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint."
+          }
+        },
+        "priority": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5."
+          }
+        },
+        "weight": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000."
+          }
+        },
+        "sharedPrivateLinkResource": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The properties of the private link resource for private origin."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "origin/main.bicep"
+        }
+      }
+    }
+  },
   "parameters": {
     "name": {
       "type": "string",
@@ -79,10 +289,7 @@
         "loadBalancingSettings": "[parameters('loadBalancingSettings')]",
         "sessionAffinityState": "[parameters('sessionAffinityState')]",
         "trafficRestorationTimeToHealedOrNewEndpointsInMinutes": "[parameters('trafficRestorationTimeToHealedOrNewEndpointsInMinutes')]"
-      },
-      "dependsOn": [
-        "profile"
-      ]
+      }
     },
     "originGroup_origins": {
       "copy": {
@@ -142,13 +349,95 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "4669077701065465911"
+              "version": "0.31.34.60546",
+              "templateHash": "3615112055594041997"
             },
             "name": "CDN Profiles Origin",
             "description": "This module deploys a CDN Profile Origin.",
             "owner": "Azure/module-maintainers"
           },
+          "definitions": {
+            "originType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the origion."
+                  }
+                },
+                "hostName": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint."
+                  }
+                },
+                "enabledState": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Disabled",
+                    "Enabled"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool."
+                  }
+                },
+                "enforceCertificateNameCheck": {
+                  "type": "bool",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Whether to enable certificate name check at origin level."
+                  }
+                },
+                "httpPort": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The value of the HTTP port. Must be between 1 and 65535."
+                  }
+                },
+                "httpsPort": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535."
+                  }
+                },
+                "originHostHeader": {
+                  "type": "string",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint."
+                  }
+                },
+                "priority": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5."
+                  }
+                },
+                "weight": {
+                  "type": "int",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000."
+                  }
+                },
+                "sharedPrivateLinkResource": {
+                  "type": "object",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. The properties of the private link resource for private origin."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
+            }
+          },
           "parameters": {
             "name": {
               "type": "string",
@@ -240,10 +529,7 @@
               "existing": true,
               "type": "Microsoft.Cdn/profiles/originGroups",
               "apiVersion": "2023-05-01",
-              "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]",
-              "dependsOn": [
-                "profile"
-              ]
+              "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]"
             },
             "profile": {
               "existing": true,
@@ -265,10 +551,7 @@
                 "priority": "[parameters('priority')]",
                 "sharedPrivateLinkResource": "[parameters('sharedPrivateLinkResource')]",
                 "weight": "[parameters('weight')]"
-              },
-              "dependsOn": [
-                "profile::originGroup"
-              ]
+              }
             }
           },
           "outputs": {
diff --git a/avm/res/cdn/profile/origingroup/origin/main.bicep b/avm/res/cdn/profile/origingroup/origin/main.bicep
index ccf7a62aa1..166e2b43ac 100644
--- a/avm/res/cdn/profile/origingroup/origin/main.bicep
+++ b/avm/res/cdn/profile/origingroup/origin/main.bicep
@@ -74,3 +74,40 @@ output resourceId string = origin.id
 
 @description('The name of the resource group the origin was created in.')
 output resourceGroupName string = resourceGroup().name
+
+// =============== //
+//   Definitions   //
+// =============== //
+
+@export()
+type originType = {
+  @description('Required. The name of the origion.')
+  name: string
+
+  @description('Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint.')
+  hostName: string
+
+  @description('Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool.')
+  enabledState: 'Enabled' | 'Disabled' | null
+
+  @description('Optional. Whether to enable certificate name check at origin level.')
+  enforceCertificateNameCheck: bool?
+
+  @description('Optional. The value of the HTTP port. Must be between 1 and 65535.')
+  httpPort: int?
+
+  @description('Optional. The value of the HTTPS port. Must be between 1 and 65535.')
+  httpsPort: int?
+
+  @description('Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint.')
+  originHostHeader: string?
+
+  @description('Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5.')
+  priority: int?
+
+  @description('Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000.')
+  weight: int?
+
+  @description('Optional. The properties of the private link resource for private origin.')
+  sharedPrivateLinkResource: object?
+}
diff --git a/avm/res/cdn/profile/origingroup/origin/main.json b/avm/res/cdn/profile/origingroup/origin/main.json
index 8ee5bf04df..6488e9907f 100644
--- a/avm/res/cdn/profile/origingroup/origin/main.json
+++ b/avm/res/cdn/profile/origingroup/origin/main.json
@@ -5,13 +5,95 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "4669077701065465911"
+      "version": "0.31.34.60546",
+      "templateHash": "3615112055594041997"
     },
     "name": "CDN Profiles Origin",
     "description": "This module deploys a CDN Profile Origin.",
     "owner": "Azure/module-maintainers"
   },
+  "definitions": {
+    "originType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the origion."
+          }
+        },
+        "hostName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint."
+          }
+        },
+        "enabledState": {
+          "type": "string",
+          "allowedValues": [
+            "Disabled",
+            "Enabled"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable health probes to be made against backends defined under backendPools. Health probes can only be disabled if there is a single enabled backend in single enabled backend pool."
+          }
+        },
+        "enforceCertificateNameCheck": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Whether to enable certificate name check at origin level."
+          }
+        },
+        "httpPort": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The value of the HTTP port. Must be between 1 and 65535."
+          }
+        },
+        "httpsPort": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The value of the HTTPS port. Must be between 1 and 65535."
+          }
+        },
+        "originHostHeader": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint."
+          }
+        },
+        "priority": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy.Must be between 1 and 5."
+          }
+        },
+        "weight": {
+          "type": "int",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Weight of the origin in given origin group for load balancing. Must be between 1 and 1000."
+          }
+        },
+        "sharedPrivateLinkResource": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The properties of the private link resource for private origin."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    }
+  },
   "parameters": {
     "name": {
       "type": "string",
@@ -103,10 +185,7 @@
       "existing": true,
       "type": "Microsoft.Cdn/profiles/originGroups",
       "apiVersion": "2023-05-01",
-      "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]",
-      "dependsOn": [
-        "profile"
-      ]
+      "name": "[format('{0}/{1}', parameters('profileName'), parameters('originGroupName'))]"
     },
     "profile": {
       "existing": true,
@@ -128,10 +207,7 @@
         "priority": "[parameters('priority')]",
         "sharedPrivateLinkResource": "[parameters('sharedPrivateLinkResource')]",
         "weight": "[parameters('weight')]"
-      },
-      "dependsOn": [
-        "profile::originGroup"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/cdn/profile/ruleset/main.bicep b/avm/res/cdn/profile/ruleset/main.bicep
index 9d96381236..dbaf29f99c 100644
--- a/avm/res/cdn/profile/ruleset/main.bicep
+++ b/avm/res/cdn/profile/ruleset/main.bicep
@@ -9,7 +9,7 @@ param name string
 param profileName string
 
 @description('Optinal. The rules to apply to the rule set.')
-param rules array?
+param rules ruleType[]?
 
 resource profile 'Microsoft.Cdn/profiles@2023-05-01' existing = {
   name: profileName
@@ -35,6 +35,17 @@ module ruleSet_rules 'rule/main.bicep' = [
   }
 ]
 
+import { ruleType } from './rule/main.bicep'
+
+@export()
+type ruleSetType = {
+  @description('Required. Name of the rule set.')
+  name: string
+
+  @description('Optional. Array of rules.')
+  rules: ruleType[]?
+}
+
 @description('The name of the rule set.')
 output name string = ruleSet.name
 
diff --git a/avm/res/cdn/profile/ruleset/main.json b/avm/res/cdn/profile/ruleset/main.json
index 2d040690b5..cffc63c7ee 100644
--- a/avm/res/cdn/profile/ruleset/main.json
+++ b/avm/res/cdn/profile/ruleset/main.json
@@ -5,13 +5,86 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "11520922481694023973"
+      "version": "0.31.34.60546",
+      "templateHash": "4753233857701337613"
     },
     "name": "CDN Profiles Rule Sets",
     "description": "This module deploys a CDN Profile rule set.",
     "owner": "Azure/module-maintainers"
   },
+  "definitions": {
+    "ruleSetType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Name of the rule set."
+          }
+        },
+        "rules": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/ruleType"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Array of rules."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "ruleType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the rule."
+          }
+        },
+        "order": {
+          "type": "int",
+          "metadata": {
+            "description": "Required. The order in which the rules are applied for the endpoint."
+          }
+        },
+        "actions": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied.."
+          }
+        },
+        "conditions": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of conditions that must be matched for the actions to be executed."
+          }
+        },
+        "matchProcessingBehavior": {
+          "type": "string",
+          "allowedValues": [
+            "Continue",
+            "Stop"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "rule/main.bicep"
+        }
+      }
+    }
+  },
   "parameters": {
     "name": {
       "type": "string",
@@ -27,6 +100,9 @@
     },
     "rules": {
       "type": "array",
+      "items": {
+        "$ref": "#/definitions/ruleType"
+      },
       "nullable": true,
       "metadata": {
         "description": "Optinal. The rules to apply to the rule set."
@@ -43,10 +119,7 @@
     "ruleSet": {
       "type": "Microsoft.Cdn/profiles/ruleSets",
       "apiVersion": "2023-05-01",
-      "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]",
-      "dependsOn": [
-        "profile"
-      ]
+      "name": "[format('{0}/{1}', parameters('profileName'), parameters('name'))]"
     },
     "ruleSet_rules": {
       "copy": {
@@ -91,13 +164,60 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "8818585542646204223"
+              "version": "0.31.34.60546",
+              "templateHash": "11756620080021514486"
             },
             "name": "CDN Profiles Rules",
             "description": "This module deploys a CDN Profile rule.",
             "owner": "Azure/module-maintainers"
           },
+          "definitions": {
+            "ruleType": {
+              "type": "object",
+              "properties": {
+                "name": {
+                  "type": "string",
+                  "metadata": {
+                    "description": "Required. The name of the rule."
+                  }
+                },
+                "order": {
+                  "type": "int",
+                  "metadata": {
+                    "description": "Required. The order in which the rules are applied for the endpoint."
+                  }
+                },
+                "actions": {
+                  "type": "array",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied.."
+                  }
+                },
+                "conditions": {
+                  "type": "array",
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. A list of conditions that must be matched for the actions to be executed."
+                  }
+                },
+                "matchProcessingBehavior": {
+                  "type": "string",
+                  "allowedValues": [
+                    "Continue",
+                    "Stop"
+                  ],
+                  "nullable": true,
+                  "metadata": {
+                    "description": "Optional. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue."
+                  }
+                }
+              },
+              "metadata": {
+                "__bicep_export!": true
+              }
+            }
+          },
           "parameters": {
             "name": {
               "type": "string",
@@ -154,10 +274,7 @@
               "existing": true,
               "type": "Microsoft.Cdn/profiles/ruleSets",
               "apiVersion": "2023-05-01",
-              "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSetName'))]",
-              "dependsOn": [
-                "profile"
-              ]
+              "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSetName'))]"
             },
             "profile": {
               "existing": true,
@@ -174,10 +291,7 @@
                 "actions": "[parameters('actions')]",
                 "conditions": "[parameters('conditions')]",
                 "matchProcessingBehavior": "[parameters('matchProcessingBehavior')]"
-              },
-              "dependsOn": [
-                "profile::ruleSet"
-              ]
+              }
             }
           },
           "outputs": {
diff --git a/avm/res/cdn/profile/ruleset/rule/main.bicep b/avm/res/cdn/profile/ruleset/rule/main.bicep
index 7851860264..2f172c93ce 100644
--- a/avm/res/cdn/profile/ruleset/rule/main.bicep
+++ b/avm/res/cdn/profile/ruleset/rule/main.bicep
@@ -54,3 +54,21 @@ output resourceId string = rule.id
 
 @description('The name of the resource group the custom domain was created in.')
 output resourceGroupName string = resourceGroup().name
+
+@export()
+type ruleType = {
+  @description('Required. The name of the rule.')
+  name: string
+
+  @description('Required. The order in which the rules are applied for the endpoint.')
+  order: int
+
+  @description('Optional. A list of actions that are executed when all the conditions of a rule are satisfied..')
+  actions: array?
+
+  @description('Optional. A list of conditions that must be matched for the actions to be executed.')
+  conditions: array?
+
+  @description('Optional. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue.')
+  matchProcessingBehavior: 'Continue' | 'Stop' | null
+}
diff --git a/avm/res/cdn/profile/ruleset/rule/main.json b/avm/res/cdn/profile/ruleset/rule/main.json
index 98e0f0fef8..465bed9ee5 100644
--- a/avm/res/cdn/profile/ruleset/rule/main.json
+++ b/avm/res/cdn/profile/ruleset/rule/main.json
@@ -5,13 +5,60 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "8818585542646204223"
+      "version": "0.31.34.60546",
+      "templateHash": "11756620080021514486"
     },
     "name": "CDN Profiles Rules",
     "description": "This module deploys a CDN Profile rule.",
     "owner": "Azure/module-maintainers"
   },
+  "definitions": {
+    "ruleType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the rule."
+          }
+        },
+        "order": {
+          "type": "int",
+          "metadata": {
+            "description": "Required. The order in which the rules are applied for the endpoint."
+          }
+        },
+        "actions": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of actions that are executed when all the conditions of a rule are satisfied.."
+          }
+        },
+        "conditions": {
+          "type": "array",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of conditions that must be matched for the actions to be executed."
+          }
+        },
+        "matchProcessingBehavior": {
+          "type": "string",
+          "allowedValues": [
+            "Continue",
+            "Stop"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. If this rule is a match should the rules engine continue running the remaining rules or stop. If not present, defaults to Continue."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    }
+  },
   "parameters": {
     "name": {
       "type": "string",
@@ -68,10 +115,7 @@
       "existing": true,
       "type": "Microsoft.Cdn/profiles/ruleSets",
       "apiVersion": "2023-05-01",
-      "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSetName'))]",
-      "dependsOn": [
-        "profile"
-      ]
+      "name": "[format('{0}/{1}', parameters('profileName'), parameters('ruleSetName'))]"
     },
     "profile": {
       "existing": true,
@@ -88,10 +132,7 @@
         "actions": "[parameters('actions')]",
         "conditions": "[parameters('conditions')]",
         "matchProcessingBehavior": "[parameters('matchProcessingBehavior')]"
-      },
-      "dependsOn": [
-        "profile::ruleSet"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/cdn/profile/secret/main.json b/avm/res/cdn/profile/secret/main.json
index 77dc6a600b..4c2f0abd3c 100644
--- a/avm/res/cdn/profile/secret/main.json
+++ b/avm/res/cdn/profile/secret/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "9127977884501208410"
+      "version": "0.31.34.60546",
+      "templateHash": "135211401759640973"
     },
     "name": "CDN Profiles Secret",
     "description": "This module deploys a CDN Profile Secret.",
diff --git a/avm/res/cdn/profile/securityPolicies/main.json b/avm/res/cdn/profile/securityPolicies/main.json
index be06e14c99..e94a644cf3 100644
--- a/avm/res/cdn/profile/securityPolicies/main.json
+++ b/avm/res/cdn/profile/securityPolicies/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "11561080659040848436"
+      "version": "0.31.34.60546",
+      "templateHash": "3914917842985483427"
     },
     "name": "CDN Profiles Security Policy",
     "description": "This module deploys a CDN Profile Security Policy.",
@@ -96,10 +96,7 @@
           },
           "associations": "[parameters('associations')]"
         }
-      },
-      "dependsOn": [
-        "profile"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/cdn/profile/version.json b/avm/res/cdn/profile/version.json
index 35040975ae..0f81d22abc 100644
--- a/avm/res/cdn/profile/version.json
+++ b/avm/res/cdn/profile/version.json
@@ -1,7 +1,7 @@
 {
     "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-    "version": "0.7",
+    "version": "0.8",
     "pathFilters": [
         "./main.json"
     ]
-}
+}
\ No newline at end of file
diff --git a/avm/res/compute/virtual-machine-scale-set/README.md b/avm/res/compute/virtual-machine-scale-set/README.md
index 5acfd1bba6..732090609f 100644
--- a/avm/res/compute/virtual-machine-scale-set/README.md
+++ b/avm/res/compute/virtual-machine-scale-set/README.md
@@ -49,6 +49,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   name: 'virtualMachineScaleSetDeployment'
   params: {
     // Required parameters
+    adminPassword: '<adminPassword>'
     adminUsername: 'scaleSetAdmin'
     imageReference: {
       offer: '0001-com-ubuntu-server-jammy'
@@ -110,6 +111,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   "contentVersion": "1.0.0.0",
   "parameters": {
     // Required parameters
+    "adminPassword": {
+      "value": "<adminPassword>"
+    },
     "adminUsername": {
       "value": "scaleSetAdmin"
     },
@@ -189,6 +193,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
 using 'br/public:avm/res/compute/virtual-machine-scale-set:<version>'
 
 // Required parameters
+param adminPassword = '<adminPassword>'
 param adminUsername = 'scaleSetAdmin'
 param imageReference = {
   offer: '0001-com-ubuntu-server-jammy'
@@ -252,6 +257,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   name: 'virtualMachineScaleSetDeployment'
   params: {
     // Required parameters
+    adminPassword: '<adminPassword>'
     adminUsername: 'scaleSetAdmin'
     imageReference: {
       offer: '0001-com-ubuntu-server-jammy'
@@ -291,7 +297,8 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
     availabilityZones: [
       '2'
     ]
-    bootDiagnosticEnabled: false
+    bootDiagnosticEnabled: true
+    bootDiagnosticStorageAccountName: '<bootDiagnosticStorageAccountName>'
     dataDisks: [
       {
         caching: 'ReadOnly'
@@ -423,6 +430,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   "contentVersion": "1.0.0.0",
   "parameters": {
     // Required parameters
+    "adminPassword": {
+      "value": "<adminPassword>"
+    },
     "adminUsername": {
       "value": "scaleSetAdmin"
     },
@@ -479,7 +489,10 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
       ]
     },
     "bootDiagnosticEnabled": {
-      "value": false
+      "value": true
+    },
+    "bootDiagnosticStorageAccountName": {
+      "value": "<bootDiagnosticStorageAccountName>"
     },
     "dataDisks": {
       "value": [
@@ -650,6 +663,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
 using 'br/public:avm/res/compute/virtual-machine-scale-set:<version>'
 
 // Required parameters
+param adminPassword = '<adminPassword>'
 param adminUsername = 'scaleSetAdmin'
 param imageReference = {
   offer: '0001-com-ubuntu-server-jammy'
@@ -689,7 +703,8 @@ param skuName = 'Standard_B12ms'
 param availabilityZones = [
   '2'
 ]
-param bootDiagnosticEnabled = false
+param bootDiagnosticEnabled = true
+param bootDiagnosticStorageAccountName = '<bootDiagnosticStorageAccountName>'
 param dataDisks = [
   {
     caching: 'ReadOnly'
@@ -823,6 +838,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   name: 'virtualMachineScaleSetDeployment'
   params: {
     // Required parameters
+    adminPassword: '<adminPassword>'
     adminUsername: 'scaleSetAdmin'
     imageReference: {
       offer: '0001-com-ubuntu-server-jammy'
@@ -903,6 +919,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   "contentVersion": "1.0.0.0",
   "parameters": {
     // Required parameters
+    "adminPassword": {
+      "value": "<adminPassword>"
+    },
     "adminUsername": {
       "value": "scaleSetAdmin"
     },
@@ -1005,6 +1024,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
 using 'br/public:avm/res/compute/virtual-machine-scale-set:<version>'
 
 // Required parameters
+param adminPassword = '<adminPassword>'
 param adminUsername = 'scaleSetAdmin'
 param imageReference = {
   offer: '0001-com-ubuntu-server-jammy'
@@ -1087,6 +1107,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   name: 'virtualMachineScaleSetDeployment'
   params: {
     // Required parameters
+    adminPassword: '<adminPassword>'
     adminUsername: 'localAdminUser'
     imageReference: {
       offer: 'WindowsServer'
@@ -1123,7 +1144,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
     osType: 'Windows'
     skuName: 'Standard_B12ms'
     // Non-required parameters
-    adminPassword: '<adminPassword>'
     location: '<location>'
   }
 }
@@ -1142,6 +1162,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   "contentVersion": "1.0.0.0",
   "parameters": {
     // Required parameters
+    "adminPassword": {
+      "value": "<adminPassword>"
+    },
     "adminUsername": {
       "value": "localAdminUser"
     },
@@ -1192,9 +1215,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
       "value": "Standard_B12ms"
     },
     // Non-required parameters
-    "adminPassword": {
-      "value": "<adminPassword>"
-    },
     "location": {
       "value": "<location>"
     }
@@ -1213,6 +1233,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
 using 'br/public:avm/res/compute/virtual-machine-scale-set:<version>'
 
 // Required parameters
+param adminPassword = '<adminPassword>'
 param adminUsername = 'localAdminUser'
 param imageReference = {
   offer: 'WindowsServer'
@@ -1249,7 +1270,6 @@ param osDisk = {
 param osType = 'Windows'
 param skuName = 'Standard_B12ms'
 // Non-required parameters
-param adminPassword = '<adminPassword>'
 param location = '<location>'
 ```
 
@@ -1270,6 +1290,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   name: 'virtualMachineScaleSetDeployment'
   params: {
     // Required parameters
+    adminPassword: '<adminPassword>'
     adminUsername: 'localAdminUser'
     imageReference: {
       offer: 'WindowsServer'
@@ -1306,7 +1327,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
     osType: 'Windows'
     skuName: 'Standard_B12ms'
     // Non-required parameters
-    adminPassword: '<adminPassword>'
     diagnosticSettings: [
       {
         eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
@@ -1441,6 +1461,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   "contentVersion": "1.0.0.0",
   "parameters": {
     // Required parameters
+    "adminPassword": {
+      "value": "<adminPassword>"
+    },
     "adminUsername": {
       "value": "localAdminUser"
     },
@@ -1491,9 +1514,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
       "value": "Standard_B12ms"
     },
     // Non-required parameters
-    "adminPassword": {
-      "value": "<adminPassword>"
-    },
     "diagnosticSettings": {
       "value": [
         {
@@ -1664,6 +1684,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
 using 'br/public:avm/res/compute/virtual-machine-scale-set:<version>'
 
 // Required parameters
+param adminPassword = '<adminPassword>'
 param adminUsername = 'localAdminUser'
 param imageReference = {
   offer: 'WindowsServer'
@@ -1700,7 +1721,6 @@ param osDisk = {
 param osType = 'Windows'
 param skuName = 'Standard_B12ms'
 // Non-required parameters
-param adminPassword = '<adminPassword>'
 param diagnosticSettings = [
   {
     eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
@@ -1837,6 +1857,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   name: 'virtualMachineScaleSetDeployment'
   params: {
     // Required parameters
+    adminPassword: '<adminPassword>'
     adminUsername: 'localAdminUser'
     imageReference: {
       offer: 'WindowsServer'
@@ -1873,7 +1894,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
     osType: 'Windows'
     skuName: 'Standard_B12ms'
     // Non-required parameters
-    adminPassword: '<adminPassword>'
     diagnosticSettings: [
       {
         eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
@@ -1977,6 +1997,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
   "contentVersion": "1.0.0.0",
   "parameters": {
     // Required parameters
+    "adminPassword": {
+      "value": "<adminPassword>"
+    },
     "adminUsername": {
       "value": "localAdminUser"
     },
@@ -2027,9 +2050,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
       "value": "Standard_B12ms"
     },
     // Non-required parameters
-    "adminPassword": {
-      "value": "<adminPassword>"
-    },
     "diagnosticSettings": {
       "value": [
         {
@@ -2163,6 +2183,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s
 using 'br/public:avm/res/compute/virtual-machine-scale-set:<version>'
 
 // Required parameters
+param adminPassword = '<adminPassword>'
 param adminUsername = 'localAdminUser'
 param imageReference = {
   offer: 'WindowsServer'
@@ -2199,7 +2220,6 @@ param osDisk = {
 param osType = 'Windows'
 param skuName = 'Standard_B12ms'
 // Non-required parameters
-param adminPassword = '<adminPassword>'
 param diagnosticSettings = [
   {
     eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
@@ -2313,8 +2333,8 @@ param vmPriority = 'Regular'
 | [`adminPassword`](#parameter-adminpassword) | securestring | When specifying a Windows Virtual Machine, this value should be passed. |
 | [`automaticRepairsPolicyEnabled`](#parameter-automaticrepairspolicyenabled) | bool | Specifies whether automatic repairs should be enabled on the virtual machine scale set. |
 | [`availabilityZones`](#parameter-availabilityzones) | array | The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set. |
-| [`bootDiagnosticEnabled`](#parameter-bootDiagnosticEnabled) | string | Enable boot diagnostics to use default managed or secure storage. Defaults to false. |
-| [`bootDiagnosticStorageAccountName`](#parameter-bootdiagnosticstorageaccountname) | string | The name of the boot diagnostic storage account. Provide this if you want to use your own storage account for security reasons instead of the recommended Microsoft Managed Storage Account..|
+| [`bootDiagnosticEnabled`](#parameter-bootdiagnosticenabled) | bool | Enable boot diagnostics to use default managed or secure storage. Defaults set to false. |
+| [`bootDiagnosticStorageAccountName`](#parameter-bootdiagnosticstorageaccountname) | string | The name of the boot diagnostic storage account. Provide this if you want to use your own storage account for security reasons instead of the recommended Microsoft Managed Storage Account. |
 | [`bootDiagnosticStorageAccountUri`](#parameter-bootdiagnosticstorageaccounturi) | string | Storage account boot diagnostic base URI. |
 | [`bypassPlatformSafetyChecksOnUserSchedule`](#parameter-bypassplatformsafetychecksonuserschedule) | bool | Enables customer to schedule patching without accidental upgrades. |
 | [`customData`](#parameter-customdata) | string | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. |
@@ -2456,9 +2476,8 @@ Specifies additional base-64 encoded XML formatted information that can be inclu
 
 When specifying a Windows Virtual Machine, this value should be passed.
 
-- Required: No
+- Required: Yes
 - Type: securestring
-- Default: `''`
 
 ### Parameter: `automaticRepairsPolicyEnabled`
 
@@ -2485,11 +2504,11 @@ The virtual machine scale set zones. NOTE: Availability zones can only be set wh
 
 ### Parameter: `bootDiagnosticEnabled`
 
-Enable boot diagnostics to use default managed or secure storage.
+Enable boot diagnostics to use default managed or secure storage. Defaults set to false.
 
 - Required: No
-- Type: boolen
-- Default: false
+- Type: bool
+- Default: `False`
 
 ### Parameter: `bootDiagnosticStorageAccountName`
 
diff --git a/avm/res/compute/virtual-machine-scale-set/extension/main.json b/avm/res/compute/virtual-machine-scale-set/extension/main.json
index db232f5964..83c7f96d89 100644
--- a/avm/res/compute/virtual-machine-scale-set/extension/main.json
+++ b/avm/res/compute/virtual-machine-scale-set/extension/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "10358696382777462468"
+      "version": "0.31.92.45157",
+      "templateHash": "10486700103731235941"
     },
     "name": "Virtual Machine Scale Set Extensions",
     "description": "This module deploys a Virtual Machine Scale Set Extension.",
diff --git a/avm/res/compute/virtual-machine-scale-set/main.bicep b/avm/res/compute/virtual-machine-scale-set/main.bicep
index cf89488f57..8846ccb937 100644
--- a/avm/res/compute/virtual-machine-scale-set/main.bicep
+++ b/avm/res/compute/virtual-machine-scale-set/main.bicep
@@ -41,7 +41,7 @@ param adminUsername string
 
 @description('Optional. When specifying a Windows Virtual Machine, this value should be passed.')
 @secure()
-param adminPassword string = ''
+param adminPassword string
 
 @description('Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format.')
 param customData string = ''
@@ -363,11 +363,7 @@ var windowsConfiguration = {
     : null
   timeZone: empty(timeZone) ? null : timeZone
   additionalUnattendContent: empty(additionalUnattendContent) ? null : additionalUnattendContent
-  winRM: !empty(winRM)
-    ? {
-        listeners: winRM
-      }
-    : null
+  winRM: !empty(winRM) ? { listeners: winRM.listeners } : null
 }
 
 var accountSasProperties = {
@@ -529,7 +525,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = {
       osProfile: {
         computerNamePrefix: vmNamePrefix
         adminUsername: adminUsername
-        adminPassword: !empty(adminPassword) ? adminPassword : null
+        adminPassword: adminPassword
         customData: !empty(customData) ? base64(customData) : null
         windowsConfiguration: osType == 'Windows' ? windowsConfiguration : null
         linuxConfiguration: osType == 'Linux' ? linuxConfiguration : null
@@ -550,12 +546,12 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = {
         osDisk: {
           createOption: osDisk.createOption
           diskSizeGB: osDisk.diskSizeGB
-          caching: contains(osDisk, 'caching') ? osDisk.caching : null
-          writeAcceleratorEnabled: contains(osDisk, 'writeAcceleratorEnabled') ? osDisk.writeAcceleratorEnabled : null
-          diffDiskSettings: contains(osDisk, 'diffDiskSettings') ? osDisk.diffDiskSettings : null
-          osType: contains(osDisk, 'osType') ? osDisk.osType : null
-          image: contains(osDisk, 'image') ? osDisk.image : null
-          vhdContainers: contains(osDisk, 'vhdContainers') ? osDisk.vhdContainers : null
+          caching: osDisk.?caching
+          writeAcceleratorEnabled: osDisk.?writeAcceleratorEnabled
+          diffDiskSettings: osDisk.?diffDiskSettings
+          osType: osDisk.?osType
+          image: osDisk.?image
+          vhdContainers: osDisk.?vhdContainers
           managedDisk: {
             storageAccountType: osDisk.managedDisk.storageAccountType
             diskEncryptionSet: contains(osDisk.managedDisk, 'diskEncryptionSet')
@@ -571,7 +567,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = {
             diskSizeGB: dataDisk.diskSizeGB
             createOption: dataDisk.createOption
             caching: dataDisk.caching
-            writeAcceleratorEnabled: contains(osDisk, 'writeAcceleratorEnabled') ? osDisk.writeAcceleratorEnabled : null
+            writeAcceleratorEnabled: osDisk.?writeAcceleratorEnabled
             managedDisk: {
               storageAccountType: dataDisk.managedDisk.storageAccountType
               diskEncryptionSet: contains(dataDisk.managedDisk, 'diskEncryptionSet')
@@ -592,9 +588,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = {
             name: '${name}${nicConfiguration.nicSuffix}configuration-${index}'
             properties: {
               primary: (index == 0) ? true : any(null)
-              enableAcceleratedNetworking: contains(nicConfiguration, 'enableAcceleratedNetworking')
-                ? nicConfiguration.enableAcceleratedNetworking
-                : true
+              enableAcceleratedNetworking: nicConfiguration.?enableAcceleratedNetworking ?? true
               networkSecurityGroup: contains(nicConfiguration, 'nsgId')
                 ? {
                     id: nicConfiguration.nsgId
@@ -669,15 +663,9 @@ module vmss_domainJoinExtension 'extension/main.bicep' = if (extensionDomainJoin
     name: 'DomainJoin'
     publisher: 'Microsoft.Compute'
     type: 'JsonADDomainExtension'
-    typeHandlerVersion: contains(extensionDomainJoinConfig, 'typeHandlerVersion')
-      ? extensionDomainJoinConfig.typeHandlerVersion
-      : '1.3'
-    autoUpgradeMinorVersion: contains(extensionDomainJoinConfig, 'autoUpgradeMinorVersion')
-      ? extensionDomainJoinConfig.autoUpgradeMinorVersion
-      : true
-    enableAutomaticUpgrade: contains(extensionDomainJoinConfig, 'enableAutomaticUpgrade')
-      ? extensionDomainJoinConfig.enableAutomaticUpgrade
-      : false
+    typeHandlerVersion: extensionDomainJoinConfig.?typeHandlerVersion ?? '1.3'
+    autoUpgradeMinorVersion: extensionDomainJoinConfig.?autoUpgradeMinorVersion ?? true
+    enableAutomaticUpgrade: extensionDomainJoinConfig.?enableAutomaticUpgrade ?? false
     settings: extensionDomainJoinConfig.settings
     protectedSettings: {
       Password: extensionDomainJoinPassword
@@ -692,15 +680,9 @@ module vmss_microsoftAntiMalwareExtension 'extension/main.bicep' = if (extension
     name: 'MicrosoftAntiMalware'
     publisher: 'Microsoft.Azure.Security'
     type: 'IaaSAntimalware'
-    typeHandlerVersion: contains(extensionAntiMalwareConfig, 'typeHandlerVersion')
-      ? extensionAntiMalwareConfig.typeHandlerVersion
-      : '1.3'
-    autoUpgradeMinorVersion: contains(extensionAntiMalwareConfig, 'autoUpgradeMinorVersion')
-      ? extensionAntiMalwareConfig.autoUpgradeMinorVersion
-      : true
-    enableAutomaticUpgrade: contains(extensionAntiMalwareConfig, 'enableAutomaticUpgrade')
-      ? extensionAntiMalwareConfig.enableAutomaticUpgrade
-      : false
+    typeHandlerVersion: extensionAntiMalwareConfig.?typeHandlerVersion ?? '1.3'
+    autoUpgradeMinorVersion: extensionAntiMalwareConfig.?autoUpgradeMinorVersion ?? true
+    enableAutomaticUpgrade: extensionAntiMalwareConfig.?enableAutomaticUpgrade ?? false
     settings: extensionAntiMalwareConfig.settings
   }
   dependsOn: [
@@ -723,15 +705,11 @@ module vmss_azureMonitorAgentExtension 'extension/main.bicep' = if (extensionMon
     name: 'AzureMonitorAgent'
     publisher: 'Microsoft.Azure.Monitor'
     type: osType == 'Windows' ? 'AzureMonitorWindowsAgent' : 'AzureMonitorLinuxAgent'
-    typeHandlerVersion: contains(extensionMonitoringAgentConfig, 'typeHandlerVersion')
+    typeHandlerVersion: extensionMonitoringAgentConfig.?typeHandlerVersion != null
       ? extensionMonitoringAgentConfig.typeHandlerVersion
       : (osType == 'Windows' ? '1.22' : '1.29')
-    autoUpgradeMinorVersion: contains(extensionMonitoringAgentConfig, 'autoUpgradeMinorVersion')
-      ? extensionMonitoringAgentConfig.autoUpgradeMinorVersion
-      : true
-    enableAutomaticUpgrade: contains(extensionMonitoringAgentConfig, 'enableAutomaticUpgrade')
-      ? extensionMonitoringAgentConfig.enableAutomaticUpgrade
-      : false
+    autoUpgradeMinorVersion: extensionMonitoringAgentConfig.autoUpgradeMinorVersion ?? true
+    enableAutomaticUpgrade: extensionMonitoringAgentConfig.?enableAutomaticUpgrade ?? false
     settings: {
       workspaceId: !empty(monitoringWorkspaceResourceId) ? vmss_logAnalyticsWorkspace.properties.customerId : ''
       GCS_AUTO_CONFIG: osType == 'Linux' ? true : null
@@ -752,15 +730,9 @@ module vmss_dependencyAgentExtension 'extension/main.bicep' = if (extensionDepen
     name: 'DependencyAgent'
     publisher: 'Microsoft.Azure.Monitoring.DependencyAgent'
     type: osType == 'Windows' ? 'DependencyAgentWindows' : 'DependencyAgentLinux'
-    typeHandlerVersion: contains(extensionDependencyAgentConfig, 'typeHandlerVersion')
-      ? extensionDependencyAgentConfig.typeHandlerVersion
-      : '9.5'
-    autoUpgradeMinorVersion: contains(extensionDependencyAgentConfig, 'autoUpgradeMinorVersion')
-      ? extensionDependencyAgentConfig.autoUpgradeMinorVersion
-      : true
-    enableAutomaticUpgrade: contains(extensionDependencyAgentConfig, 'enableAutomaticUpgrade')
-      ? extensionDependencyAgentConfig.enableAutomaticUpgrade
-      : true
+    typeHandlerVersion: extensionDependencyAgentConfig.?typeHandlerVersion ?? '9.5'
+    autoUpgradeMinorVersion: extensionDependencyAgentConfig.?autoUpgradeMinorVersion ?? true
+    enableAutomaticUpgrade: extensionDependencyAgentConfig.?enableAutomaticUpgrade ?? true
   }
   dependsOn: [
     vmss_azureMonitorAgentExtension
@@ -774,15 +746,9 @@ module vmss_networkWatcherAgentExtension 'extension/main.bicep' = if (extensionN
     name: 'NetworkWatcherAgent'
     publisher: 'Microsoft.Azure.NetworkWatcher'
     type: osType == 'Windows' ? 'NetworkWatcherAgentWindows' : 'NetworkWatcherAgentLinux'
-    typeHandlerVersion: contains(extensionNetworkWatcherAgentConfig, 'typeHandlerVersion')
-      ? extensionNetworkWatcherAgentConfig.typeHandlerVersion
-      : '1.4'
-    autoUpgradeMinorVersion: contains(extensionNetworkWatcherAgentConfig, 'autoUpgradeMinorVersion')
-      ? extensionNetworkWatcherAgentConfig.autoUpgradeMinorVersion
-      : true
-    enableAutomaticUpgrade: contains(extensionNetworkWatcherAgentConfig, 'enableAutomaticUpgrade')
-      ? extensionNetworkWatcherAgentConfig.enableAutomaticUpgrade
-      : false
+    typeHandlerVersion: extensionNetworkWatcherAgentConfig.?typeHandlerVersion ?? '1.4'
+    autoUpgradeMinorVersion: extensionNetworkWatcherAgentConfig.?autoUpgradeMinorVersion ?? true
+    enableAutomaticUpgrade: extensionNetworkWatcherAgentConfig.?enableAutomaticUpgrade ?? false
   }
   dependsOn: [
     vmss_dependencyAgentExtension
@@ -796,17 +762,11 @@ module vmss_desiredStateConfigurationExtension 'extension/main.bicep' = if (exte
     name: 'DesiredStateConfiguration'
     publisher: 'Microsoft.Powershell'
     type: 'DSC'
-    typeHandlerVersion: contains(extensionDSCConfig, 'typeHandlerVersion')
-      ? extensionDSCConfig.typeHandlerVersion
-      : '2.77'
-    autoUpgradeMinorVersion: contains(extensionDSCConfig, 'autoUpgradeMinorVersion')
-      ? extensionDSCConfig.autoUpgradeMinorVersion
-      : true
-    enableAutomaticUpgrade: contains(extensionDSCConfig, 'enableAutomaticUpgrade')
-      ? extensionDSCConfig.enableAutomaticUpgrade
-      : false
-    settings: contains(extensionDSCConfig, 'settings') ? extensionDSCConfig.settings : {}
-    protectedSettings: contains(extensionDSCConfig, 'protectedSettings') ? extensionDSCConfig.protectedSettings : {}
+    typeHandlerVersion: extensionDSCConfig.?typeHandlerVersion ?? '2.77'
+    autoUpgradeMinorVersion: extensionDSCConfig.?autoUpgradeMinorVersion ?? true
+    enableAutomaticUpgrade: extensionDSCConfig.?enableAutomaticUpgrade ?? false
+    settings: extensionDSCConfig.?settings ?? {}
+    protectedSettings: extensionDSCConfig.?protectedSettings ?? {}
   }
   dependsOn: [
     vmss_networkWatcherAgentExtension
@@ -820,15 +780,9 @@ module vmss_customScriptExtension 'extension/main.bicep' = if (extensionCustomSc
     name: 'CustomScriptExtension'
     publisher: osType == 'Windows' ? 'Microsoft.Compute' : 'Microsoft.Azure.Extensions'
     type: osType == 'Windows' ? 'CustomScriptExtension' : 'CustomScript'
-    typeHandlerVersion: contains(extensionCustomScriptConfig, 'typeHandlerVersion')
-      ? extensionCustomScriptConfig.typeHandlerVersion
-      : (osType == 'Windows' ? '1.10' : '2.1')
-    autoUpgradeMinorVersion: contains(extensionCustomScriptConfig, 'autoUpgradeMinorVersion')
-      ? extensionCustomScriptConfig.autoUpgradeMinorVersion
-      : true
-    enableAutomaticUpgrade: contains(extensionCustomScriptConfig, 'enableAutomaticUpgrade')
-      ? extensionCustomScriptConfig.enableAutomaticUpgrade
-      : false
+    typeHandlerVersion: extensionCustomScriptConfig.?typeHandlerVersion ?? (osType == 'Windows' ? '1.10' : '2.1')
+    autoUpgradeMinorVersion: extensionCustomScriptConfig.?autoUpgradeMinorVersion ?? true
+    enableAutomaticUpgrade: extensionCustomScriptConfig.?enableAutomaticUpgrade ?? false
     settings: {
       fileUris: [
         for fileData in extensionCustomScriptConfig.fileData: contains(fileData, 'storageAccountId')
@@ -836,9 +790,7 @@ module vmss_customScriptExtension 'extension/main.bicep' = if (extensionCustomSc
           : fileData.uri
       ]
     }
-    protectedSettings: contains(extensionCustomScriptConfig, 'protectedSettings')
-      ? extensionCustomScriptConfig.protectedSettings
-      : {}
+    protectedSettings: extensionCustomScriptConfig.?protectedSettings ?? {}
   }
   dependsOn: [
     vmss_desiredStateConfigurationExtension
@@ -852,18 +804,10 @@ module vmss_azureDiskEncryptionExtension 'extension/main.bicep' = if (extensionA
     name: 'AzureDiskEncryption'
     publisher: 'Microsoft.Azure.Security'
     type: osType == 'Windows' ? 'AzureDiskEncryption' : 'AzureDiskEncryptionForLinux'
-    typeHandlerVersion: contains(extensionAzureDiskEncryptionConfig, 'typeHandlerVersion')
-      ? extensionAzureDiskEncryptionConfig.typeHandlerVersion
-      : (osType == 'Windows' ? '2.2' : '1.1')
-    autoUpgradeMinorVersion: contains(extensionAzureDiskEncryptionConfig, 'autoUpgradeMinorVersion')
-      ? extensionAzureDiskEncryptionConfig.autoUpgradeMinorVersion
-      : true
-    enableAutomaticUpgrade: contains(extensionAzureDiskEncryptionConfig, 'enableAutomaticUpgrade')
-      ? extensionAzureDiskEncryptionConfig.enableAutomaticUpgrade
-      : false
-    forceUpdateTag: contains(extensionAzureDiskEncryptionConfig, 'forceUpdateTag')
-      ? extensionAzureDiskEncryptionConfig.forceUpdateTag
-      : '1.0'
+    typeHandlerVersion: extensionAzureDiskEncryptionConfig.?typeHandlerVersion ?? (osType == 'Windows' ? '2.2' : '1.1')
+    autoUpgradeMinorVersion: extensionAzureDiskEncryptionConfig.?autoUpgradeMinorVersion ?? true
+    enableAutomaticUpgrade: extensionAzureDiskEncryptionConfig.?enableAutomaticUpgrade ?? false
+    forceUpdateTag: extensionAzureDiskEncryptionConfig.?forceUpdateTag ?? '1.0'
     settings: extensionAzureDiskEncryptionConfig.settings
   }
   dependsOn: [
diff --git a/avm/res/compute/virtual-machine-scale-set/main.json b/avm/res/compute/virtual-machine-scale-set/main.json
index daba092548..4605e9dd17 100644
--- a/avm/res/compute/virtual-machine-scale-set/main.json
+++ b/avm/res/compute/virtual-machine-scale-set/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "2308330663598453138"
+      "version": "0.31.92.45157",
+      "templateHash": "7915489647265046739"
     },
     "name": "Virtual Machine Scale Sets",
     "description": "This module deploys a Virtual Machine Scale Set.",
@@ -305,7 +305,6 @@
     },
     "adminPassword": {
       "type": "securestring",
-      "defaultValue": "",
       "metadata": {
         "description": "Optional. When specifying a Windows Virtual Machine, this value should be passed."
       }
@@ -500,7 +499,14 @@
       "type": "string",
       "defaultValue": "",
       "metadata": {
-        "description": "Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided."
+        "description": "Optional. The name of the boot diagnostic storage account. Provide this if you want to use your own storage account for security reasons instead of the recommended Microsoft Managed Storage Account."
+      }
+    },
+    "bootDiagnosticEnabled": {
+      "type": "bool",
+      "defaultValue": false,
+      "metadata": {
+        "description": "Optional. Enable boot diagnostics to use default managed or secure storage. Defaults set to false."
       }
     },
     "diagnosticSettings": {
@@ -877,7 +883,7 @@
       "patchSettings": "[if(and(parameters('provisionVMAgent'), or(or(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), equals(toLower(parameters('patchMode')), toLower('AutomaticByOS'))), equals(toLower(parameters('patchMode')), toLower('Manual')))), createObject('patchMode', parameters('patchMode'), 'assessmentMode', parameters('patchAssessmentMode'), 'automaticByPlatformSettings', if(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), createObject('bypassPlatformSafetyChecksOnUserSchedule', parameters('bypassPlatformSafetyChecksOnUserSchedule'), 'rebootSetting', parameters('rebootSetting')), null())), null())]",
       "timeZone": "[if(empty(parameters('timeZone')), null(), parameters('timeZone'))]",
       "additionalUnattendContent": "[if(empty(parameters('additionalUnattendContent')), null(), parameters('additionalUnattendContent'))]",
-      "winRM": "[if(not(empty(parameters('winRM'))), createObject('listeners', parameters('winRM')), null())]"
+      "winRM": "[if(not(empty(parameters('winRM'))), createObject('listeners', parameters('winRM').listeners), null())]"
     },
     "accountSasProperties": {
       "signedServices": "b",
@@ -957,7 +963,7 @@
           "osProfile": {
             "computerNamePrefix": "[parameters('vmNamePrefix')]",
             "adminUsername": "[parameters('adminUsername')]",
-            "adminPassword": "[if(not(empty(parameters('adminPassword'))), parameters('adminPassword'), null())]",
+            "adminPassword": "[parameters('adminPassword')]",
             "customData": "[if(not(empty(parameters('customData'))), base64(parameters('customData')), null())]",
             "windowsConfiguration": "[if(equals(parameters('osType'), 'Windows'), variables('windowsConfiguration'), null())]",
             "linuxConfiguration": "[if(equals(parameters('osType'), 'Linux'), variables('linuxConfiguration'), null())]",
@@ -978,7 +984,7 @@
                   "diskSizeGB": "[parameters('dataDisks')[copyIndex('dataDisks')].diskSizeGB]",
                   "createOption": "[parameters('dataDisks')[copyIndex('dataDisks')].createOption]",
                   "caching": "[parameters('dataDisks')[copyIndex('dataDisks')].caching]",
-                  "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, null())]",
+                  "writeAcceleratorEnabled": "[tryGet(parameters('osDisk'), 'writeAcceleratorEnabled')]",
                   "managedDisk": {
                     "storageAccountType": "[parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.storageAccountType]",
                     "diskEncryptionSet": "[if(contains(parameters('dataDisks')[copyIndex('dataDisks')].managedDisk, 'diskEncryptionSet'), createObject('id', parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.diskEncryptionSet.id), null())]"
@@ -992,12 +998,12 @@
             "osDisk": {
               "createOption": "[parameters('osDisk').createOption]",
               "diskSizeGB": "[parameters('osDisk').diskSizeGB]",
-              "caching": "[if(contains(parameters('osDisk'), 'caching'), parameters('osDisk').caching, null())]",
-              "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, null())]",
-              "diffDiskSettings": "[if(contains(parameters('osDisk'), 'diffDiskSettings'), parameters('osDisk').diffDiskSettings, null())]",
-              "osType": "[if(contains(parameters('osDisk'), 'osType'), parameters('osDisk').osType, null())]",
-              "image": "[if(contains(parameters('osDisk'), 'image'), parameters('osDisk').image, null())]",
-              "vhdContainers": "[if(contains(parameters('osDisk'), 'vhdContainers'), parameters('osDisk').vhdContainers, null())]",
+              "caching": "[tryGet(parameters('osDisk'), 'caching')]",
+              "writeAcceleratorEnabled": "[tryGet(parameters('osDisk'), 'writeAcceleratorEnabled')]",
+              "diffDiskSettings": "[tryGet(parameters('osDisk'), 'diffDiskSettings')]",
+              "osType": "[tryGet(parameters('osDisk'), 'osType')]",
+              "image": "[tryGet(parameters('osDisk'), 'image')]",
+              "vhdContainers": "[tryGet(parameters('osDisk'), 'vhdContainers')]",
               "managedDisk": {
                 "storageAccountType": "[parameters('osDisk').managedDisk.storageAccountType]",
                 "diskEncryptionSet": "[if(contains(parameters('osDisk').managedDisk, 'diskEncryptionSet'), createObject('id', parameters('osDisk').managedDisk.diskEncryptionSet.id), null())]"
@@ -1013,7 +1019,7 @@
                   "name": "[format('{0}{1}configuration-{2}', parameters('name'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nicSuffix, copyIndex('networkInterfaceConfigurations'))]",
                   "properties": {
                     "primary": "[if(equals(copyIndex('networkInterfaceConfigurations'), 0), true(), null())]",
-                    "enableAcceleratedNetworking": "[if(contains(parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')], 'enableAcceleratedNetworking'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking, true())]",
+                    "enableAcceleratedNetworking": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')], 'enableAcceleratedNetworking'), true())]",
                     "networkSecurityGroup": "[if(contains(parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')], 'nsgId'), createObject('id', parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId), null())]",
                     "ipConfigurations": "[parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].ipConfigurations]"
                   }
@@ -1151,9 +1157,15 @@
           "type": {
             "value": "JsonADDomainExtension"
           },
-          "typeHandlerVersion": "[if(contains(parameters('extensionDomainJoinConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDomainJoinConfig').typeHandlerVersion), createObject('value', '1.3'))]",
-          "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDomainJoinConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDomainJoinConfig').autoUpgradeMinorVersion), createObject('value', true()))]",
-          "enableAutomaticUpgrade": "[if(contains(parameters('extensionDomainJoinConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDomainJoinConfig').enableAutomaticUpgrade), createObject('value', false()))]",
+          "typeHandlerVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'typeHandlerVersion'), '1.3')]"
+          },
+          "autoUpgradeMinorVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'autoUpgradeMinorVersion'), true())]"
+          },
+          "enableAutomaticUpgrade": {
+            "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'enableAutomaticUpgrade'), false())]"
+          },
           "settings": {
             "value": "[parameters('extensionDomainJoinConfig').settings]"
           },
@@ -1169,8 +1181,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10358696382777462468"
+              "version": "0.31.92.45157",
+              "templateHash": "10486700103731235941"
             },
             "name": "Virtual Machine Scale Set Extensions",
             "description": "This module deploys a Virtual Machine Scale Set Extension.",
@@ -1318,9 +1330,15 @@
           "type": {
             "value": "IaaSAntimalware"
           },
-          "typeHandlerVersion": "[if(contains(parameters('extensionAntiMalwareConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionAntiMalwareConfig').typeHandlerVersion), createObject('value', '1.3'))]",
-          "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAntiMalwareConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAntiMalwareConfig').autoUpgradeMinorVersion), createObject('value', true()))]",
-          "enableAutomaticUpgrade": "[if(contains(parameters('extensionAntiMalwareConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionAntiMalwareConfig').enableAutomaticUpgrade), createObject('value', false()))]",
+          "typeHandlerVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'typeHandlerVersion'), '1.3')]"
+          },
+          "autoUpgradeMinorVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'autoUpgradeMinorVersion'), true())]"
+          },
+          "enableAutomaticUpgrade": {
+            "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'enableAutomaticUpgrade'), false())]"
+          },
           "settings": {
             "value": "[parameters('extensionAntiMalwareConfig').settings]"
           }
@@ -1331,8 +1349,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10358696382777462468"
+              "version": "0.31.92.45157",
+              "templateHash": "10486700103731235941"
             },
             "name": "Virtual Machine Scale Set Extensions",
             "description": "This module deploys a Virtual Machine Scale Set Extension.",
@@ -1479,9 +1497,13 @@
             "value": "Microsoft.Azure.Monitor"
           },
           "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AzureMonitorWindowsAgent'), createObject('value', 'AzureMonitorLinuxAgent'))]",
-          "typeHandlerVersion": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionMonitoringAgentConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '1.22'), createObject('value', '1.29')))]",
-          "autoUpgradeMinorVersion": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionMonitoringAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]",
-          "enableAutomaticUpgrade": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionMonitoringAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]",
+          "typeHandlerVersion": "[if(not(equals(tryGet(parameters('extensionMonitoringAgentConfig'), 'typeHandlerVersion'), null())), createObject('value', parameters('extensionMonitoringAgentConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '1.22'), createObject('value', '1.29')))]",
+          "autoUpgradeMinorVersion": {
+            "value": "[coalesce(parameters('extensionMonitoringAgentConfig').autoUpgradeMinorVersion, true())]"
+          },
+          "enableAutomaticUpgrade": {
+            "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), false())]"
+          },
           "settings": {
             "value": {
               "workspaceId": "[if(not(empty(parameters('monitoringWorkspaceResourceId'))), reference('vmss_logAnalyticsWorkspace').customerId, '')]",
@@ -1500,8 +1522,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10358696382777462468"
+              "version": "0.31.92.45157",
+              "templateHash": "10486700103731235941"
             },
             "name": "Virtual Machine Scale Set Extensions",
             "description": "This module deploys a Virtual Machine Scale Set Extension.",
@@ -1649,9 +1671,15 @@
             "value": "Microsoft.Azure.Monitoring.DependencyAgent"
           },
           "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'DependencyAgentWindows'), createObject('value', 'DependencyAgentLinux'))]",
-          "typeHandlerVersion": "[if(contains(parameters('extensionDependencyAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDependencyAgentConfig').typeHandlerVersion), createObject('value', '9.5'))]",
-          "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDependencyAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDependencyAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]",
-          "enableAutomaticUpgrade": "[if(contains(parameters('extensionDependencyAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDependencyAgentConfig').enableAutomaticUpgrade), createObject('value', true()))]"
+          "typeHandlerVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'typeHandlerVersion'), '9.5')]"
+          },
+          "autoUpgradeMinorVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'autoUpgradeMinorVersion'), true())]"
+          },
+          "enableAutomaticUpgrade": {
+            "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'enableAutomaticUpgrade'), true())]"
+          }
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -1659,8 +1687,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10358696382777462468"
+              "version": "0.31.92.45157",
+              "templateHash": "10486700103731235941"
             },
             "name": "Virtual Machine Scale Set Extensions",
             "description": "This module deploys a Virtual Machine Scale Set Extension.",
@@ -1807,9 +1835,15 @@
             "value": "Microsoft.Azure.NetworkWatcher"
           },
           "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'NetworkWatcherAgentWindows'), createObject('value', 'NetworkWatcherAgentLinux'))]",
-          "typeHandlerVersion": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').typeHandlerVersion), createObject('value', '1.4'))]",
-          "autoUpgradeMinorVersion": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]",
-          "enableAutomaticUpgrade": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]"
+          "typeHandlerVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'typeHandlerVersion'), '1.4')]"
+          },
+          "autoUpgradeMinorVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'autoUpgradeMinorVersion'), true())]"
+          },
+          "enableAutomaticUpgrade": {
+            "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'enableAutomaticUpgrade'), false())]"
+          }
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -1817,8 +1851,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10358696382777462468"
+              "version": "0.31.92.45157",
+              "templateHash": "10486700103731235941"
             },
             "name": "Virtual Machine Scale Set Extensions",
             "description": "This module deploys a Virtual Machine Scale Set Extension.",
@@ -1967,11 +2001,21 @@
           "type": {
             "value": "DSC"
           },
-          "typeHandlerVersion": "[if(contains(parameters('extensionDSCConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDSCConfig').typeHandlerVersion), createObject('value', '2.77'))]",
-          "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDSCConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDSCConfig').autoUpgradeMinorVersion), createObject('value', true()))]",
-          "enableAutomaticUpgrade": "[if(contains(parameters('extensionDSCConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDSCConfig').enableAutomaticUpgrade), createObject('value', false()))]",
-          "settings": "[if(contains(parameters('extensionDSCConfig'), 'settings'), createObject('value', parameters('extensionDSCConfig').settings), createObject('value', createObject()))]",
-          "protectedSettings": "[if(contains(parameters('extensionDSCConfig'), 'protectedSettings'), createObject('value', parameters('extensionDSCConfig').protectedSettings), createObject('value', createObject()))]"
+          "typeHandlerVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'typeHandlerVersion'), '2.77')]"
+          },
+          "autoUpgradeMinorVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'autoUpgradeMinorVersion'), true())]"
+          },
+          "enableAutomaticUpgrade": {
+            "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'enableAutomaticUpgrade'), false())]"
+          },
+          "settings": {
+            "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'settings'), createObject())]"
+          },
+          "protectedSettings": {
+            "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'protectedSettings'), createObject())]"
+          }
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -1979,8 +2023,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10358696382777462468"
+              "version": "0.31.92.45157",
+              "templateHash": "10486700103731235941"
             },
             "name": "Virtual Machine Scale Set Extensions",
             "description": "This module deploys a Virtual Machine Scale Set Extension.",
@@ -2125,9 +2169,15 @@
           },
           "publisher": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'Microsoft.Compute'), createObject('value', 'Microsoft.Azure.Extensions'))]",
           "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'CustomScriptExtension'), createObject('value', 'CustomScript'))]",
-          "typeHandlerVersion": "[if(contains(parameters('extensionCustomScriptConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionCustomScriptConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '1.10'), createObject('value', '2.1')))]",
-          "autoUpgradeMinorVersion": "[if(contains(parameters('extensionCustomScriptConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionCustomScriptConfig').autoUpgradeMinorVersion), createObject('value', true()))]",
-          "enableAutomaticUpgrade": "[if(contains(parameters('extensionCustomScriptConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionCustomScriptConfig').enableAutomaticUpgrade), createObject('value', false()))]",
+          "typeHandlerVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'typeHandlerVersion'), if(equals(parameters('osType'), 'Windows'), '1.10', '2.1'))]"
+          },
+          "autoUpgradeMinorVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'autoUpgradeMinorVersion'), true())]"
+          },
+          "enableAutomaticUpgrade": {
+            "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'enableAutomaticUpgrade'), false())]"
+          },
           "settings": {
             "value": {
               "copy": [
@@ -2139,7 +2189,9 @@
               ]
             }
           },
-          "protectedSettings": "[if(contains(parameters('extensionCustomScriptConfig'), 'protectedSettings'), createObject('value', parameters('extensionCustomScriptConfig').protectedSettings), createObject('value', createObject()))]"
+          "protectedSettings": {
+            "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), createObject())]"
+          }
         },
         "template": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -2147,8 +2199,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10358696382777462468"
+              "version": "0.31.92.45157",
+              "templateHash": "10486700103731235941"
             },
             "name": "Virtual Machine Scale Set Extensions",
             "description": "This module deploys a Virtual Machine Scale Set Extension.",
@@ -2295,10 +2347,18 @@
             "value": "Microsoft.Azure.Security"
           },
           "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AzureDiskEncryption'), createObject('value', 'AzureDiskEncryptionForLinux'))]",
-          "typeHandlerVersion": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '2.2'), createObject('value', '1.1')))]",
-          "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').autoUpgradeMinorVersion), createObject('value', true()))]",
-          "enableAutomaticUpgrade": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').enableAutomaticUpgrade), createObject('value', false()))]",
-          "forceUpdateTag": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'forceUpdateTag'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').forceUpdateTag), createObject('value', '1.0'))]",
+          "typeHandlerVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'typeHandlerVersion'), if(equals(parameters('osType'), 'Windows'), '2.2', '1.1'))]"
+          },
+          "autoUpgradeMinorVersion": {
+            "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'autoUpgradeMinorVersion'), true())]"
+          },
+          "enableAutomaticUpgrade": {
+            "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'enableAutomaticUpgrade'), false())]"
+          },
+          "forceUpdateTag": {
+            "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'forceUpdateTag'), '1.0')]"
+          },
           "settings": {
             "value": "[parameters('extensionAzureDiskEncryptionConfig').settings]"
           }
@@ -2309,8 +2369,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "10358696382777462468"
+              "version": "0.31.92.45157",
+              "templateHash": "10486700103731235941"
             },
             "name": "Virtual Machine Scale Set Extensions",
             "description": "This module deploys a Virtual Machine Scale Set Extension.",
diff --git a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.defaults/main.test.bicep b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.defaults/main.test.bicep
index c762304bb7..780da5e663 100644
--- a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.defaults/main.test.bicep
+++ b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.defaults/main.test.bicep
@@ -17,6 +17,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'cvmsslinmin'
 
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
@@ -56,6 +60,7 @@ module testDeployment '../../../main.bicep' = [
       location: resourceLocation
       name: '${namePrefix}${serviceShort}001'
       adminUsername: 'scaleSetAdmin'
+      adminPassword: password
       imageReference: {
         publisher: 'Canonical'
         offer: '0001-com-ubuntu-server-jammy'
diff --git a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.max/main.test.bicep b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.max/main.test.bicep
index 391d985bcd..793c8d3395 100644
--- a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.max/main.test.bicep
+++ b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.max/main.test.bicep
@@ -17,6 +17,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'cvmsslinmax'
 
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
 
@@ -73,6 +77,7 @@ module testDeployment '../../../main.bicep' = [
       location: resourceLocation
       name: '${namePrefix}${serviceShort}001'
       adminUsername: 'scaleSetAdmin'
+      adminPassword: password
       imageReference: {
         publisher: 'Canonical'
         offer: '0001-com-ubuntu-server-jammy'
@@ -91,6 +96,7 @@ module testDeployment '../../../main.bicep' = [
       availabilityZones: [
         '2'
       ]
+      bootDiagnosticEnabled: true
       bootDiagnosticStorageAccountName: nestedDependencies.outputs.storageAccountName
       dataDisks: [
         {
diff --git a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
index 0123911437..4523fe89af 100644
--- a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
+++ b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
@@ -17,6 +17,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'cvmsslcmk'
 
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
 @description('Generated. Used as a basis for unique resource names.')
 param baseTime string = utcNow('u')
 
@@ -64,6 +68,7 @@ module testDeployment '../../../main.bicep' = [
       location: resourceLocation
       name: '${namePrefix}${serviceShort}001'
       adminUsername: 'scaleSetAdmin'
+      adminPassword: password
       imageReference: {
         publisher: 'Canonical'
         offer: '0001-com-ubuntu-server-jammy'
diff --git a/avm/res/compute/virtual-machine/README.md b/avm/res/compute/virtual-machine/README.md
index 0da857033a..3fd239938e 100644
--- a/avm/res/compute/virtual-machine/README.md
+++ b/avm/res/compute/virtual-machine/README.md
@@ -19,6 +19,7 @@ This module deploys a Virtual Machine with one or multiple NICs and optionally o
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Automanage/configurationProfileAssignments` | [2022-05-04](https://learn.microsoft.com/en-us/azure/templates) |
+| `Microsoft.Compute/disks` | [2024-03-02](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2024-03-02/disks) |
 | `Microsoft.Compute/virtualMachines` | [2024-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2024-07-01/virtualMachines) |
 | `Microsoft.Compute/virtualMachines/extensions` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-11-01/virtualMachines/extensions) |
 | `Microsoft.DevTestLab/schedules` | [2018-09-15](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DevTestLab/2018-09-15/schedules) |
@@ -47,8 +48,9 @@ The following section provides usage examples for the module, which were used to
 - [Using a host pool to register the VM](#example-7-using-a-host-pool-to-register-the-vm)
 - [Using large parameter set for Windows](#example-8-using-large-parameter-set-for-windows)
 - [Deploy a VM with nVidia graphic card](#example-9-deploy-a-vm-with-nvidia-graphic-card)
-- [Using disk encryption set for the VM.](#example-10-using-disk-encryption-set-for-the-vm)
-- [Adding the VM to a VMSS.](#example-11-adding-the-vm-to-a-vmss)
+- [Deploying Windows VM with premium SSDv2 data disk](#example-10-deploying-windows-vm-with-premium-ssdv2-data-disk)
+- [Using disk encryption set for the VM.](#example-11-using-disk-encryption-set-for-the-vm)
+- [Adding the VM to a VMSS.](#example-12-adding-the-vm-to-a-vmss)
 
 ### Example 1: _Using automanage for the VM._
 
@@ -4152,7 +4154,209 @@ param location = '<location>'
 </details>
 <p>
 
-### Example 10: _Using disk encryption set for the VM._
+### Example 10: _Deploying Windows VM with premium SSDv2 data disk_
+
+This instance deploys the module with premium SSDv2 data disk.
+
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module virtualMachine 'br/public:avm/res/compute/virtual-machine:<version>' = {
+  name: 'virtualMachineDeployment'
+  params: {
+    // Required parameters
+    adminUsername: 'localAdminUser'
+    imageReference: {
+      offer: 'WindowsServer'
+      publisher: 'MicrosoftWindowsServer'
+      sku: '2022-datacenter-azure-edition'
+      version: 'latest'
+    }
+    name: 'cvmwinssdv2'
+    nicConfigurations: [
+      {
+        ipConfigurations: [
+          {
+            name: 'ipconfig01'
+            subnetResourceId: '<subnetResourceId>'
+          }
+        ]
+        nicSuffix: '-nic-01'
+      }
+    ]
+    osDisk: {
+      caching: 'ReadWrite'
+      diskSizeGB: 128
+      managedDisk: {
+        storageAccountType: 'Premium_LRS'
+      }
+    }
+    osType: 'Windows'
+    vmSize: 'Standard_D2s_v3'
+    zone: 1
+    // Non-required parameters
+    adminPassword: '<adminPassword>'
+    dataDisks: [
+      {
+        caching: 'None'
+        diskIOPSReadWrite: 3000
+        diskMBpsReadWrite: 125
+        diskSizeGB: 1024
+        managedDisk: {
+          storageAccountType: 'PremiumV2_LRS'
+        }
+      }
+    ]
+    location: '<location>'
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON parameters file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    // Required parameters
+    "adminUsername": {
+      "value": "localAdminUser"
+    },
+    "imageReference": {
+      "value": {
+        "offer": "WindowsServer",
+        "publisher": "MicrosoftWindowsServer",
+        "sku": "2022-datacenter-azure-edition",
+        "version": "latest"
+      }
+    },
+    "name": {
+      "value": "cvmwinssdv2"
+    },
+    "nicConfigurations": {
+      "value": [
+        {
+          "ipConfigurations": [
+            {
+              "name": "ipconfig01",
+              "subnetResourceId": "<subnetResourceId>"
+            }
+          ],
+          "nicSuffix": "-nic-01"
+        }
+      ]
+    },
+    "osDisk": {
+      "value": {
+        "caching": "ReadWrite",
+        "diskSizeGB": 128,
+        "managedDisk": {
+          "storageAccountType": "Premium_LRS"
+        }
+      }
+    },
+    "osType": {
+      "value": "Windows"
+    },
+    "vmSize": {
+      "value": "Standard_D2s_v3"
+    },
+    "zone": {
+      "value": 1
+    },
+    // Non-required parameters
+    "adminPassword": {
+      "value": "<adminPassword>"
+    },
+    "dataDisks": {
+      "value": [
+        {
+          "caching": "None",
+          "diskIOPSReadWrite": 3000,
+          "diskMBpsReadWrite": 125,
+          "diskSizeGB": 1024,
+          "managedDisk": {
+            "storageAccountType": "PremiumV2_LRS"
+          }
+        }
+      ]
+    },
+    "location": {
+      "value": "<location>"
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via Bicep parameters file</summary>
+
+```bicep-params
+using 'br/public:avm/res/compute/virtual-machine:<version>'
+
+// Required parameters
+param adminUsername = 'localAdminUser'
+param imageReference = {
+  offer: 'WindowsServer'
+  publisher: 'MicrosoftWindowsServer'
+  sku: '2022-datacenter-azure-edition'
+  version: 'latest'
+}
+param name = 'cvmwinssdv2'
+param nicConfigurations = [
+  {
+    ipConfigurations: [
+      {
+        name: 'ipconfig01'
+        subnetResourceId: '<subnetResourceId>'
+      }
+    ]
+    nicSuffix: '-nic-01'
+  }
+]
+param osDisk = {
+  caching: 'ReadWrite'
+  diskSizeGB: 128
+  managedDisk: {
+    storageAccountType: 'Premium_LRS'
+  }
+}
+param osType = 'Windows'
+param vmSize = 'Standard_D2s_v3'
+param zone = 1
+// Non-required parameters
+param adminPassword = '<adminPassword>'
+param dataDisks = [
+  {
+    caching: 'None'
+    diskIOPSReadWrite: 3000
+    diskMBpsReadWrite: 125
+    diskSizeGB: 1024
+    managedDisk: {
+      storageAccountType: 'PremiumV2_LRS'
+    }
+  }
+]
+param location = '<location>'
+```
+
+</details>
+<p>
+
+### Example 11: _Using disk encryption set for the VM._
 
 This instance deploys the module with disk enryption set.
 
@@ -4360,7 +4564,7 @@ param location = '<location>'
 </details>
 <p>
 
-### Example 11: _Adding the VM to a VMSS._
+### Example 12: _Adding the VM to a VMSS._
 
 This instance deploys the module with the minimum set of required parameters and adds it to a VMSS.
 
@@ -4959,6 +5163,8 @@ Specifies the data disks. For security reasons, it is recommended to specify Dis
 | [`caching`](#parameter-datadiskscaching) | string | Specifies the caching requirements. |
 | [`createOption`](#parameter-datadiskscreateoption) | string | Specifies how the virtual machine should be created. |
 | [`deleteOption`](#parameter-datadisksdeleteoption) | string | Specifies whether data disk should be deleted or detached upon VM deletion. |
+| [`diskIOPSReadWrite`](#parameter-datadisksdiskiopsreadwrite) | int | The number of IOPS allowed for this disk; only settable for UltraSSD disks. One operation can transfer between 4k and 256k bytes. |
+| [`diskMBpsReadWrite`](#parameter-datadisksdiskmbpsreadwrite) | int | The bandwidth allowed for this disk; only settable for UltraSSD disks. MBps means millions of bytes per second - MB here uses the ISO notation, of powers of 10. |
 | [`lun`](#parameter-datadiskslun) | int | Specifies the logical unit number of the data disk. |
 | [`name`](#parameter-datadisksname) | string | The disk name. |
 
@@ -4987,6 +5193,7 @@ The managed disk parameters.
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
 | [`diskEncryptionSetResourceId`](#parameter-datadisksmanageddiskdiskencryptionsetresourceid) | string | Specifies the customer managed disk encryption set resource id for the managed disk. |
+| [`id`](#parameter-datadisksmanageddiskid) | string | Specifies the customer managed disk id for the managed disk. |
 
 ### Parameter: `dataDisks.managedDisk.storageAccountType`
 
@@ -5014,6 +5221,13 @@ Specifies the customer managed disk encryption set resource id for the managed d
 - Required: No
 - Type: string
 
+### Parameter: `dataDisks.managedDisk.id`
+
+Specifies the customer managed disk id for the managed disk.
+
+- Required: No
+- Type: string
+
 ### Parameter: `dataDisks.caching`
 
 Specifies the caching requirements.
@@ -5058,6 +5272,20 @@ Specifies whether data disk should be deleted or detached upon VM deletion.
   ]
   ```
 
+### Parameter: `dataDisks.diskIOPSReadWrite`
+
+The number of IOPS allowed for this disk; only settable for UltraSSD disks. One operation can transfer between 4k and 256k bytes.
+
+- Required: No
+- Type: int
+
+### Parameter: `dataDisks.diskMBpsReadWrite`
+
+The bandwidth allowed for this disk; only settable for UltraSSD disks. MBps means millions of bytes per second - MB here uses the ISO notation, of powers of 10.
+
+- Required: No
+- Type: int
+
 ### Parameter: `dataDisks.lun`
 
 Specifies the logical unit number of the data disk.
diff --git a/avm/res/compute/virtual-machine/main.bicep b/avm/res/compute/virtual-machine/main.bicep
index acef30c476..27c7365be7 100644
--- a/avm/res/compute/virtual-machine/main.bicep
+++ b/avm/res/compute/virtual-machine/main.bicep
@@ -500,6 +500,25 @@ module vm_nic 'modules/nic-configuration.bicep' = [
   }
 ]
 
+resource managedDataDisks 'Microsoft.Compute/disks@2024-03-02' = [
+  for (dataDisk, index) in dataDisks ?? []: {
+    location: location
+    name: dataDisk.?name ?? '${name}-disk-data-${padLeft((index + 1), 2, '0')}'
+    sku: {
+      name: dataDisk.managedDisk.storageAccountType
+    }
+    properties: {
+      diskSizeGB: dataDisk.diskSizeGB
+      creationData: {
+        createOption: dataDisk.?createoption ?? 'Empty'
+      }
+      diskIOPSReadWrite: dataDisk.?diskIOPSReadWrite
+      diskMBpsReadWrite: dataDisk.?diskMBpsReadWrite
+    }
+    zones: zone != 0 ? array(string(zone)) : null
+  }
+]
+
 resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
   name: name
   location: location
@@ -541,11 +560,12 @@ resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
           lun: dataDisk.?lun ?? index
           name: dataDisk.?name ?? '${name}-disk-data-${padLeft((index + 1), 2, '0')}'
           diskSizeGB: dataDisk.diskSizeGB
-          createOption: dataDisk.?createoption ?? 'Empty'
+          createOption: (managedDataDisks[index].?id != null) ? 'Attach' : dataDisk.?createoption ?? 'Empty'
           deleteOption: dataDisk.?deleteOption ?? 'Delete'
           caching: dataDisk.?caching ?? 'ReadOnly'
           managedDisk: {
             storageAccountType: dataDisk.managedDisk.storageAccountType
+            id: managedDataDisks[index].?id
             diskEncryptionSet: {
               id: dataDisk.managedDisk.?diskEncryptionSetResourceId
             }
@@ -1111,6 +1131,12 @@ type dataDisksType = {
   @description('Optional. Specifies the caching requirements.')
   caching: 'None' | 'ReadOnly' | 'ReadWrite'?
 
+  @description('Optional. The number of IOPS allowed for this disk; only settable for UltraSSD disks. One operation can transfer between 4k and 256k bytes.')
+  diskIOPSReadWrite: int?
+
+  @description('Optional. The bandwidth allowed for this disk; only settable for UltraSSD disks. MBps means millions of bytes per second - MB here uses the ISO notation, of powers of 10.')
+  diskMBpsReadWrite: int?
+
   @description('Required. The managed disk parameters.')
   managedDisk: {
     @description('Required. Specifies the storage account type for the managed disk.')
@@ -1125,5 +1151,8 @@ type dataDisksType = {
 
     @description('Optional. Specifies the customer managed disk encryption set resource id for the managed disk.')
     diskEncryptionSetResourceId: string?
+
+    @description('Optional. Specifies the customer managed disk id for the managed disk.')
+    id: string?
   }
 }[]?
diff --git a/avm/res/compute/virtual-machine/main.json b/avm/res/compute/virtual-machine/main.json
index 79ec3e2c48..ee412188a1 100644
--- a/avm/res/compute/virtual-machine/main.json
+++ b/avm/res/compute/virtual-machine/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.31.34.60546",
-      "templateHash": "15583840681812853598"
+      "templateHash": "8773273774920281983"
     },
     "name": "Virtual Machines",
     "description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs.",
@@ -279,6 +279,20 @@
               "description": "Optional. Specifies the caching requirements."
             }
           },
+          "diskIOPSReadWrite": {
+            "type": "int",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The number of IOPS allowed for this disk; only settable for UltraSSD disks. One operation can transfer between 4k and 256k bytes."
+            }
+          },
+          "diskMBpsReadWrite": {
+            "type": "int",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The bandwidth allowed for this disk; only settable for UltraSSD disks. MBps means millions of bytes per second - MB here uses the ISO notation, of powers of 10."
+            }
+          },
           "managedDisk": {
             "type": "object",
             "properties": {
@@ -303,6 +317,13 @@
                 "metadata": {
                   "description": "Optional. Specifies the customer managed disk encryption set resource id for the managed disk."
                 }
+              },
+              "id": {
+                "type": "string",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. Specifies the customer managed disk id for the managed disk."
+                }
               }
             },
             "metadata": {
@@ -980,6 +1001,28 @@
         }
       }
     },
+    "managedDataDisks": {
+      "copy": {
+        "name": "managedDataDisks",
+        "count": "[length(coalesce(parameters('dataDisks'), createArray()))]"
+      },
+      "type": "Microsoft.Compute/disks",
+      "apiVersion": "2024-03-02",
+      "name": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex(), 1), 2, '0')))]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "[coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk.storageAccountType]"
+      },
+      "properties": {
+        "diskSizeGB": "[coalesce(parameters('dataDisks'), createArray())[copyIndex()].diskSizeGB]",
+        "creationData": {
+          "createOption": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'createoption'), 'Empty')]"
+        },
+        "diskIOPSReadWrite": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskIOPSReadWrite')]",
+        "diskMBpsReadWrite": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskMBpsReadWrite')]"
+      },
+      "zones": "[if(not(equals(parameters('zone'), 0)), array(string(parameters('zone'))), null())]"
+    },
     "vm": {
       "type": "Microsoft.Compute/virtualMachines",
       "apiVersion": "2024-07-01",
@@ -1007,11 +1050,12 @@
                 "lun": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'lun'), copyIndex('dataDisks'))]",
                 "name": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0')))]",
                 "diskSizeGB": "[coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].diskSizeGB]",
-                "createOption": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createoption'), 'Empty')]",
+                "createOption": "[if(not(equals(resourceId('Microsoft.Compute/disks', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0')))), null())), 'Attach', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'createoption'), 'Empty'))]",
                 "deleteOption": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'deleteOption'), 'Delete')]",
                 "caching": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'caching'), 'ReadOnly')]",
                 "managedDisk": {
                   "storageAccountType": "[coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk.storageAccountType]",
+                  "id": "[resourceId('Microsoft.Compute/disks', coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')], 'name'), format('{0}-disk-data-{1}', parameters('name'), padLeft(add(copyIndex('dataDisks'), 1), 2, '0'))))]",
                   "diskEncryptionSet": {
                     "id": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex('dataDisks')].managedDisk, 'diskEncryptionSetResourceId')]"
                   }
@@ -1080,6 +1124,7 @@
         "userData": "[if(not(empty(parameters('userData'))), base64(parameters('userData')), null())]"
       },
       "dependsOn": [
+        "managedDataDisks",
         "vm_nic"
       ]
     },
diff --git a/avm/res/compute/virtual-machine/tests/e2e/windows.SSDv2/dependencies.bicep b/avm/res/compute/virtual-machine/tests/e2e/windows.SSDv2/dependencies.bicep
new file mode 100644
index 0000000000..68972ec7ec
--- /dev/null
+++ b/avm/res/compute/virtual-machine/tests/e2e/windows.SSDv2/dependencies.bicep
@@ -0,0 +1,30 @@
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+  name: virtualNetworkName
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        addressPrefix
+      ]
+    }
+    subnets: [
+      {
+        name: 'defaultSubnet'
+        properties: {
+          addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+        }
+      }
+    ]
+  }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
diff --git a/avm/res/compute/virtual-machine/tests/e2e/windows.SSDv2/main.test.bicep b/avm/res/compute/virtual-machine/tests/e2e/windows.SSDv2/main.test.bicep
new file mode 100644
index 0000000000..d2e547f0cc
--- /dev/null
+++ b/avm/res/compute/virtual-machine/tests/e2e/windows.SSDv2/main.test.bicep
@@ -0,0 +1,101 @@
+targetScope = 'subscription'
+
+metadata name = 'Deploying Windows VM with premium SSDv2 data disk'
+metadata description = 'This instance deploys the module with premium SSDv2 data disk.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-compute.virtualMachines-${serviceShort}-rg'
+
+// Capacity constraints for VM type
+#disable-next-line no-hardcoded-location
+var enforcedLocation = 'uksouth'
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cvmwinssdv2'
+
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: enforcedLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, enforcedLocation)}-nestedDependencies'
+  params: {
+    location: enforcedLocation
+    virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+  for iteration in ['init', 'idem']: {
+    scope: resourceGroup
+    name: '${uniqueString(deployment().name, enforcedLocation)}-test-${serviceShort}-${iteration}'
+    params: {
+      location: enforcedLocation
+      name: '${namePrefix}${serviceShort}'
+      adminUsername: 'localAdminUser'
+      imageReference: {
+        publisher: 'MicrosoftWindowsServer'
+        offer: 'WindowsServer'
+        sku: '2022-datacenter-azure-edition'
+        version: 'latest'
+      }
+      zone: 1
+      nicConfigurations: [
+        {
+          ipConfigurations: [
+            {
+              name: 'ipconfig01'
+              subnetResourceId: nestedDependencies.outputs.subnetResourceId
+            }
+          ]
+          nicSuffix: '-nic-01'
+        }
+      ]
+      osDisk: {
+        diskSizeGB: 128
+        caching: 'ReadWrite'
+        managedDisk: {
+          storageAccountType: 'Premium_LRS'
+        }
+      }
+      dataDisks: [
+        {
+          diskSizeGB: 1024
+          caching: 'None'
+          managedDisk: {
+            storageAccountType: 'PremiumV2_LRS'
+          }
+          diskIOPSReadWrite: 3000
+          diskMBpsReadWrite: 125
+        }
+      ]
+      osType: 'Windows'
+      vmSize: 'Standard_D2s_v3'
+      adminPassword: password
+    }
+  }
+]
diff --git a/avm/res/compute/virtual-machine/version.json b/avm/res/compute/virtual-machine/version.json
index 6b6be93891..a830c3d961 100644
--- a/avm/res/compute/virtual-machine/version.json
+++ b/avm/res/compute/virtual-machine/version.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "0.9",
+  "version": "0.10",
   "pathFilters": [
     "./main.json"
   ]
diff --git a/avm/res/container-service/managed-cluster/README.md b/avm/res/container-service/managed-cluster/README.md
index a5f83980ea..8ff9e062da 100644
--- a/avm/res/container-service/managed-cluster/README.md
+++ b/avm/res/container-service/managed-cluster/README.md
@@ -4645,6 +4645,7 @@ Specifies the network policy used for building Kubernetes network. - calico or a
   [
     'azure'
     'calico'
+    'cilium'
   ]
   ```
 
diff --git a/avm/res/container-service/managed-cluster/agent-pool/main.json b/avm/res/container-service/managed-cluster/agent-pool/main.json
index 65a21588ad..11965a3fab 100644
--- a/avm/res/container-service/managed-cluster/agent-pool/main.json
+++ b/avm/res/container-service/managed-cluster/agent-pool/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "13856766172443517827"
+      "version": "0.31.34.60546",
+      "templateHash": "13504241837980660061"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
@@ -355,10 +355,7 @@
         "vmSize": "[parameters('vmSize')]",
         "vnetSubnetID": "[parameters('vnetSubnetResourceId')]",
         "workloadRuntime": "[parameters('workloadRuntime')]"
-      },
-      "dependsOn": [
-        "managedCluster"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/container-service/managed-cluster/main.bicep b/avm/res/container-service/managed-cluster/main.bicep
index ea126b9dea..3aecff5f78 100644
--- a/avm/res/container-service/managed-cluster/main.bicep
+++ b/avm/res/container-service/managed-cluster/main.bicep
@@ -38,6 +38,7 @@ param networkPluginMode string?
 @allowed([
   'azure'
   'calico'
+  'cilium'
 ])
 param networkPolicy string?
 
@@ -720,8 +721,8 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-p
     networkProfile: {
       networkDataplane: networkDataplane
       networkPlugin: networkPlugin
-      networkPluginMode: networkPluginMode
-      networkPolicy: networkPolicy
+      networkPluginMode: networkDataplane == 'cilium' ? 'overlay' : networkPluginMode
+      networkPolicy: networkDataplane == 'cilium' ? 'cilium' : networkPolicy
       podCidr: podCidr
       serviceCidr: serviceCidr
       dnsServiceIP: dnsServiceIP
diff --git a/avm/res/container-service/managed-cluster/main.json b/avm/res/container-service/managed-cluster/main.json
index 40b0d76ed4..3f20739576 100644
--- a/avm/res/container-service/managed-cluster/main.json
+++ b/avm/res/container-service/managed-cluster/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "543007463534644066"
+      "version": "0.31.34.60546",
+      "templateHash": "178765084464759811"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Clusters",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
@@ -812,7 +812,8 @@
       "nullable": true,
       "allowedValues": [
         "azure",
-        "calico"
+        "calico",
+        "cilium"
       ],
       "metadata": {
         "description": "Optional. Specifies the network policy used for building Kubernetes network. - calico or azure."
@@ -1677,10 +1678,7 @@
       "apiVersion": "2023-02-01",
       "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]",
       "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]",
-      "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]",
-      "dependsOn": [
-        "cMKKeyVault"
-      ]
+      "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]"
     },
     "avmTelemetry": {
       "condition": "[parameters('enableTelemetry')]",
@@ -1791,8 +1789,8 @@
         "networkProfile": {
           "networkDataplane": "[parameters('networkDataplane')]",
           "networkPlugin": "[parameters('networkPlugin')]",
-          "networkPluginMode": "[parameters('networkPluginMode')]",
-          "networkPolicy": "[parameters('networkPolicy')]",
+          "networkPluginMode": "[if(equals(parameters('networkDataplane'), 'cilium'), 'overlay', parameters('networkPluginMode'))]",
+          "networkPolicy": "[if(equals(parameters('networkDataplane'), 'cilium'), 'cilium', parameters('networkPolicy'))]",
           "podCidr": "[parameters('podCidr')]",
           "serviceCidr": "[parameters('serviceCidr')]",
           "dnsServiceIP": "[parameters('dnsServiceIP')]",
@@ -2007,8 +2005,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "2505380725266419010"
+              "version": "0.31.34.60546",
+              "templateHash": "3191846535289543816"
             },
             "name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
             "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",
@@ -2204,8 +2202,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "13856766172443517827"
+              "version": "0.31.34.60546",
+              "templateHash": "13504241837980660061"
             },
             "name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
             "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
@@ -2554,10 +2552,7 @@
                 "vmSize": "[parameters('vmSize')]",
                 "vnetSubnetID": "[parameters('vnetSubnetResourceId')]",
                 "workloadRuntime": "[parameters('workloadRuntime')]"
-              },
-              "dependsOn": [
-                "managedCluster"
-              ]
+              }
             }
           },
           "outputs": {
diff --git a/avm/res/container-service/managed-cluster/maintenance-configurations/main.json b/avm/res/container-service/managed-cluster/maintenance-configurations/main.json
index 22e9300b85..64b5e4c229 100644
--- a/avm/res/container-service/managed-cluster/maintenance-configurations/main.json
+++ b/avm/res/container-service/managed-cluster/maintenance-configurations/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "2505380725266419010"
+      "version": "0.31.34.60546",
+      "templateHash": "3191846535289543816"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",
diff --git a/avm/res/db-for-postgre-sql/flexible-server/README.md b/avm/res/db-for-postgre-sql/flexible-server/README.md
index e60599fc89..aa55439fe8 100644
--- a/avm/res/db-for-postgre-sql/flexible-server/README.md
+++ b/avm/res/db-for-postgre-sql/flexible-server/README.md
@@ -147,7 +147,7 @@ module flexibleServer 'br/public:avm/res/db-for-postgre-sql/flexible-server:<ver
   name: 'flexibleServerDeployment'
   params: {
     // Required parameters
-    name: 'dfpsfsmax001'
+    name: 'dfpfmax001'
     skuName: 'Standard_D2s_v3'
     tier: 'GeneralPurpose'
     // Non-required parameters
@@ -1317,7 +1317,7 @@ param tags = {
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`administratorLogin`](#parameter-administratorlogin) | string | The administrator login name of a server. Can only be specified when the PostgreSQL server is being created. |
+| [`administratorLogin`](#parameter-administratorlogin) | string | The administrator login name for the server. Can only be specified when the PostgreSQL server is being created. |
 | [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. |
 | [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. |
 | [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. |
@@ -1410,7 +1410,7 @@ Required if 'createMode' is set to 'PointInTimeRestore'.
 
 ### Parameter: `administratorLogin`
 
-The administrator login name of a server. Can only be specified when the PostgreSQL server is being created.
+The administrator login name for the server. Can only be specified when the PostgreSQL server is being created.
 
 - Required: No
 - Type: string
diff --git a/avm/res/db-for-postgre-sql/flexible-server/main.bicep b/avm/res/db-for-postgre-sql/flexible-server/main.bicep
index b869d8ea22..b0488e73f0 100644
--- a/avm/res/db-for-postgre-sql/flexible-server/main.bicep
+++ b/avm/res/db-for-postgre-sql/flexible-server/main.bicep
@@ -5,7 +5,7 @@ metadata owner = 'Azure/module-maintainers'
 @description('Required. The name of the PostgreSQL flexible server.')
 param name string
 
-@description('Optional. The administrator login name of a server. Can only be specified when the PostgreSQL server is being created.')
+@description('Optional. The administrator login name for the server. Can only be specified when the PostgreSQL server is being created.')
 param administratorLogin string?
 
 @description('Optional. The administrator login password.')
diff --git a/avm/res/db-for-postgre-sql/flexible-server/main.json b/avm/res/db-for-postgre-sql/flexible-server/main.json
index 0d2d84b298..5df3bdd416 100644
--- a/avm/res/db-for-postgre-sql/flexible-server/main.json
+++ b/avm/res/db-for-postgre-sql/flexible-server/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.31.34.60546",
-      "templateHash": "5647574015243372031"
+      "templateHash": "13236500116916645585"
     },
     "name": "DBforPostgreSQL Flexible Servers",
     "description": "This module deploys a DBforPostgreSQL Flexible Server.",
@@ -561,7 +561,7 @@
       "type": "string",
       "nullable": true,
       "metadata": {
-        "description": "Optional. The administrator login name of a server. Can only be specified when the PostgreSQL server is being created."
+        "description": "Optional. The administrator login name for the server. Can only be specified when the PostgreSQL server is being created."
       }
     },
     "administratorLoginPassword": {
diff --git a/avm/res/db-for-postgre-sql/flexible-server/tests/e2e/max/main.test.bicep b/avm/res/db-for-postgre-sql/flexible-server/tests/e2e/max/main.test.bicep
index 0054aa8f13..9013b6e853 100644
--- a/avm/res/db-for-postgre-sql/flexible-server/tests/e2e/max/main.test.bicep
+++ b/avm/res/db-for-postgre-sql/flexible-server/tests/e2e/max/main.test.bicep
@@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-dbforpostgresql.flexibleserv
 param resourceLocation string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'dfpsfsmax'
+param serviceShort string = 'dfpfmax'
 
 @description('Generated. Used as a basis for unique resource names.')
 param baseTime string = utcNow('u')
diff --git a/avm/res/search/search-service/README.md b/avm/res/search/search-service/README.md
index 6de0311d62..22bf2edaaf 100644
--- a/avm/res/search/search-service/README.md
+++ b/avm/res/search/search-service/README.md
@@ -255,6 +255,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
       ]
     }
     networkRuleSet: {
+      bypass: 'AzurePortal'
       ipRules: [
         {
           value: '40.74.28.0/23'
@@ -364,6 +365,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
     },
     "networkRuleSet": {
       "value": {
+        "bypass": "AzurePortal",
         "ipRules": [
           {
             "value": "40.74.28.0/23"
@@ -465,6 +467,7 @@ param managedIdentities = {
   ]
 }
 param networkRuleSet = {
+  bypass: 'AzurePortal'
   ipRules: [
     {
       value: '40.74.28.0/23'
@@ -971,7 +974,7 @@ param tags = {
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
 | [`hostingMode`](#parameter-hostingmode) | string | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'default' or 'highDensity'. For all other SKUs, this value must be 'default'. |
 | [`location`](#parameter-location) | string | Location for all Resources. |
-| [`lock`](#parameter-lock) | object | The lock settings of the service. |
+| [`lock`](#parameter-lock) | object | The lock settings for all Resources in the solution. |
 | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
 | [`networkRuleSet`](#parameter-networkruleset) | object | Network specific rules that determine how the Azure Cognitive Search service may be reached. |
 | [`partitionCount`](#parameter-partitioncount) | int | The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. |
@@ -998,7 +1001,47 @@ Defines the options for how the data plane API of a Search service authenticates
 
 - Required: No
 - Type: object
-- Default: `{}`
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`aadOrApiKey`](#parameter-authoptionsaadorapikey) | object | Indicates that either the API key or an access token from a Microsoft Entra ID tenant can be used for authentication. |
+| [`apiKeyOnly`](#parameter-authoptionsapikeyonly) | object | Indicates that only the API key can be used for authentication. |
+
+### Parameter: `authOptions.aadOrApiKey`
+
+Indicates that either the API key or an access token from a Microsoft Entra ID tenant can be used for authentication.
+
+- Required: No
+- Type: object
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`aadAuthFailureMode`](#parameter-authoptionsaadorapikeyaadauthfailuremode) | string | Describes what response the data plane API of a search service would send for requests that failed authentication. |
+
+### Parameter: `authOptions.aadOrApiKey.aadAuthFailureMode`
+
+Describes what response the data plane API of a search service would send for requests that failed authentication.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'http401WithBearerChallenge'
+    'http403'
+  ]
+  ```
+
+### Parameter: `authOptions.apiKeyOnly`
+
+Indicates that only the API key can be used for authentication.
+
+- Required: No
+- Type: object
 
 ### Parameter: `cmkEnforcement`
 
@@ -1033,7 +1076,7 @@ The diagnostic settings of the service.
 | [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection. |
 | [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
 | [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to `[]` to disable metric collection. |
-| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. |
+| [`name`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting. |
 | [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 | [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 
@@ -1143,7 +1186,7 @@ Enable or disable the category explicitly. Default is `true`.
 
 ### Parameter: `diagnosticSettings.name`
 
-The name of diagnostic setting.
+The name of the diagnostic setting.
 
 - Required: No
 - Type: string
@@ -1203,7 +1246,7 @@ Location for all Resources.
 
 ### Parameter: `lock`
 
-The lock settings of the service.
+The lock settings for all Resources in the solution.
 
 - Required: No
 - Type: object
@@ -1271,7 +1314,47 @@ Network specific rules that determine how the Azure Cognitive Search service may
 
 - Required: No
 - Type: object
-- Default: `{}`
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`bypass`](#parameter-networkrulesetbypass) | string | Network specific rules that determine how the Azure AI Search service may be reached. |
+| [`ipRules`](#parameter-networkrulesetiprules) | array | A list of IP restriction rules that defines the inbound network(s) with allowing access to the search service endpoint. At the meantime, all other public IP networks are blocked by the firewall. These restriction rules are applied only when the 'publicNetworkAccess' of the search service is 'enabled'; otherwise, traffic over public interface is not allowed even with any public IP rules, and private endpoint connections would be the exclusive access method. |
+
+### Parameter: `networkRuleSet.bypass`
+
+Network specific rules that determine how the Azure AI Search service may be reached.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'AzurePortal'
+    'None'
+  ]
+  ```
+
+### Parameter: `networkRuleSet.ipRules`
+
+A list of IP restriction rules that defines the inbound network(s) with allowing access to the search service endpoint. At the meantime, all other public IP networks are blocked by the firewall. These restriction rules are applied only when the 'publicNetworkAccess' of the search service is 'enabled'; otherwise, traffic over public interface is not allowed even with any public IP rules, and private endpoint connections would be the exclusive access method.
+
+- Required: No
+- Type: array
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`value`](#parameter-networkrulesetiprulesvalue) | string | Value corresponding to a single IPv4 address (eg., 123.1.2.3) or an IP range in CIDR format (eg., 123.1.2.3/24) to be allowed. |
+
+### Parameter: `networkRuleSet.ipRules.value`
+
+Value corresponding to a single IPv4 address (eg., 123.1.2.3) or an IP range in CIDR format (eg., 123.1.2.3/24) to be allowed.
+
+- Required: Yes
+- Type: string
 
 ### Parameter: `partitionCount`
 
@@ -1298,22 +1381,22 @@ Configuration details for private endpoints. For security reasons, it is recomme
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. |
+| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the Private Endpoint IP configuration is included. |
 | [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. |
-| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. |
+| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the Private Endpoint. |
 | [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. |
-| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. |
+| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints. |
 | [`isManualConnection`](#parameter-privateendpointsismanualconnection) | bool | If Manual Private Link Connection is required. |
-| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. |
+| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the Private Endpoint to. |
 | [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. |
 | [`manualConnectionRequestMessage`](#parameter-privateendpointsmanualconnectionrequestmessage) | string | A message passed to the owner of the remote resource with the manual connection request. |
-| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. |
-| [`privateDnsZoneGroup`](#parameter-privateendpointsprivatednszonegroup) | object | The private DNS zone group to configure for the private endpoint. |
+| [`name`](#parameter-privateendpointsname) | string | The name of the Private Endpoint. |
+| [`privateDnsZoneGroup`](#parameter-privateendpointsprivatednszonegroup) | object | The private DNS Zone Group to configure for the Private Endpoint. |
 | [`privateLinkServiceConnectionName`](#parameter-privateendpointsprivatelinkserviceconnectionname) | string | The name of the private link connection to create. |
-| [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different resource group than the main resource. |
+| [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource. |
 | [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. |
-| [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory". |
-| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. |
+| [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the Private Endpoint for. For example "vault" for a Key Vault Private Endpoint. |
+| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/Resource Groups in this deployment. |
 
 ### Parameter: `privateEndpoints.subnetResourceId`
 
@@ -1324,7 +1407,7 @@ Resource ID of the subnet where the endpoint needs to be created.
 
 ### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds`
 
-Application security groups in which the private endpoint IP configuration is included.
+Application security groups in which the Private Endpoint IP configuration is included.
 
 - Required: No
 - Type: array
@@ -1364,7 +1447,7 @@ FQDN that resolves to private endpoint IP address.
 
 ### Parameter: `privateEndpoints.customNetworkInterfaceName`
 
-The custom name of the network interface attached to the private endpoint.
+The custom name of the network interface attached to the Private Endpoint.
 
 - Required: No
 - Type: string
@@ -1378,7 +1461,7 @@ Enable/Disable usage telemetry for module.
 
 ### Parameter: `privateEndpoints.ipConfigurations`
 
-A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.
+A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints.
 
 - Required: No
 - Type: array
@@ -1442,7 +1525,7 @@ If Manual Private Link Connection is required.
 
 ### Parameter: `privateEndpoints.location`
 
-The location to deploy the private endpoint to.
+The location to deploy the Private Endpoint to.
 
 - Required: No
 - Type: string
@@ -1492,14 +1575,14 @@ A message passed to the owner of the remote resource with the manual connection
 
 ### Parameter: `privateEndpoints.name`
 
-The name of the private endpoint.
+The name of the Private Endpoint.
 
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.privateDnsZoneGroup`
 
-The private DNS zone group to configure for the private endpoint.
+The private DNS Zone Group to configure for the Private Endpoint.
 
 - Required: No
 - Type: object
@@ -1508,7 +1591,7 @@ The private DNS zone group to configure for the private endpoint.
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`privateDnsZoneGroupConfigs`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigs) | array | The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones. |
+| [`privateDnsZoneGroupConfigs`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigs) | array | The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones. |
 
 **Optional parameters**
 
@@ -1518,7 +1601,7 @@ The private DNS zone group to configure for the private endpoint.
 
 ### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs`
 
-The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones.
+The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones.
 
 - Required: Yes
 - Type: array
@@ -1533,7 +1616,7 @@ The private DNS zone groups to associate the private endpoint. A DNS zone group
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`name`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigsname) | string | The name of the private DNS zone group config. |
+| [`name`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigsname) | string | The name of the private DNS Zone Group config. |
 
 ### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs.privateDnsZoneResourceId`
 
@@ -1544,7 +1627,7 @@ The resource id of the private DNS zone.
 
 ### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs.name`
 
-The name of the private DNS zone group config.
+The name of the private DNS Zone Group config.
 
 - Required: No
 - Type: string
@@ -1565,7 +1648,7 @@ The name of the private link connection to create.
 
 ### Parameter: `privateEndpoints.resourceGroupName`
 
-Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.
+Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource.
 
 - Required: No
 - Type: string
@@ -1680,14 +1763,14 @@ The principal type of the assigned principal ID.
 
 ### Parameter: `privateEndpoints.service`
 
-The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory".
+The subresource to deploy the Private Endpoint for. For example "vault" for a Key Vault Private Endpoint.
 
 - Required: No
 - Type: string
 
 ### Parameter: `privateEndpoints.tags`
 
-Tags to be applied on all resources/resource groups in this deployment.
+Tags to be applied on all resources/Resource Groups in this deployment.
 
 - Required: No
 - Type: object
@@ -1930,6 +2013,7 @@ This section gives you an overview of all local-referenced module files (i.e., o
 | Reference | Type |
 | :-- | :-- |
 | `br/public:avm/res/network/private-endpoint:0.7.1` | Remote reference |
+| `br/public:avm/utl/types/avm-common-types:0.3.0` | Remote reference |
 
 ## Data Collection
 
diff --git a/avm/res/search/search-service/main.bicep b/avm/res/search/search-service/main.bicep
index 4adadf8896..b9868f4b64 100644
--- a/avm/res/search/search-service/main.bicep
+++ b/avm/res/search/search-service/main.bicep
@@ -10,7 +10,7 @@ metadata owner = 'Azure/module-maintainers'
 param name string
 
 @description('Optional. Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if \'disableLocalAuth\' is set to true.')
-param authOptions object = {}
+param authOptions authOptionsType?
 
 @description('Optional. When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if \'authOptions\' are defined.')
 param disableLocalAuth bool = true
@@ -36,19 +36,21 @@ param hostingMode string = 'default'
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
 
-@description('Optional. The lock settings of the service.')
-param lock lockType
+import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'
+@description('Optional. The lock settings for all Resources in the solution.')
+param lock lockType?
 
 @description('Optional. Network specific rules that determine how the Azure Cognitive Search service may be reached.')
-param networkRuleSet object = {}
+param networkRuleSet networkRuleSetType?
 
 @description('Optional. The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For \'standard3\' services with hostingMode set to \'highDensity\', the allowed values are between 1 and 3.')
 @minValue(1)
 @maxValue(12)
 param partitionCount int = 1
 
+import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
-param privateEndpoints privateEndpointType
+param privateEndpoints privateEndpointSingleServiceType[]?
 
 @description('Optional. The sharedPrivateLinkResources to create as part of the search Service.')
 param sharedPrivateLinkResources array = []
@@ -68,8 +70,9 @@ param secretsExportConfiguration secretsExportConfigurationType?
 @maxValue(12)
 param replicaCount int = 3
 
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'
 @description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
+param roleAssignments roleAssignmentType[]?
 
 @allowed([
   'disabled'
@@ -91,11 +94,13 @@ param semanticSearch string?
 ])
 param sku string = 'standard'
 
+import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'
 @description('Optional. The managed identity definition for this resource.')
-param managedIdentities managedIdentitiesType
+param managedIdentities managedIdentityAllType?
 
+import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'
 @description('Optional. The diagnostic settings of the service.')
-param diagnosticSettings diagnosticSettingType
+param diagnosticSettings diagnosticSettingFullType[]?
 
 @description('Optional. Tags to help categorize the resource in the Azure portal.')
 param tags object?
@@ -187,7 +192,7 @@ resource searchService 'Microsoft.Search/searchServices@2024-03-01-preview' = {
   tags: tags
   identity: identity
   properties: {
-    authOptions: !empty(authOptions) ? authOptions : null
+    authOptions: authOptions
     disableLocalAuth: disableLocalAuth
     encryptionWithCmk: {
       enforcement: cmkEnforcement
@@ -385,179 +390,6 @@ output exportedSecrets secretsOutputType = (secretsExportConfiguration != null)
 //   Definitions   //
 // =============== //
 
-type managedIdentitiesType = {
-  @description('Optional. Enables system assigned managed identity on the resource.')
-  systemAssigned: bool?
-
-  @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.')
-  userAssignedResourceIds: string[]?
-}?
-
-type lockType = {
-  @description('Optional. Specify the name of lock.')
-  name: string?
-
-  @description('Optional. Specify the type of lock.')
-  kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-type roleAssignmentType = {
-  @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
-  name: string?
-
-  @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
-  roleDefinitionIdOrName: string
-
-  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
-  principalId: string
-
-  @description('Optional. The principal type of the assigned principal ID.')
-  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
-  @description('Optional. The description of the role assignment.')
-  description: string?
-
-  @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
-  condition: string?
-
-  @description('Optional. Version of the condition.')
-  conditionVersion: '2.0'?
-
-  @description('Optional. The Resource Id of the delegated managed identity resource.')
-  delegatedManagedIdentityResourceId: string?
-}[]?
-
-type privateEndpointType = {
-  @description('Optional. The name of the private endpoint.')
-  name: string?
-
-  @description('Optional. The location to deploy the private endpoint to.')
-  location: string?
-
-  @description('Optional. The name of the private link connection to create.')
-  privateLinkServiceConnectionName: string?
-
-  @description('Optional. The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory".')
-  service: string?
-
-  @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
-  subnetResourceId: string
-
-  @description('Optional. The private DNS zone group to configure for the private endpoint.')
-  privateDnsZoneGroup: {
-    @description('Optional. The name of the Private DNS Zone Group.')
-    name: string?
-
-    @description('Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones.')
-    privateDnsZoneGroupConfigs: {
-      @description('Optional. The name of the private DNS zone group config.')
-      name: string?
-
-      @description('Required. The resource id of the private DNS zone.')
-      privateDnsZoneResourceId: string
-    }[]
-  }?
-
-  @description('Optional. If Manual Private Link Connection is required.')
-  isManualConnection: bool?
-
-  @description('Optional. A message passed to the owner of the remote resource with the manual connection request.')
-  @maxLength(140)
-  manualConnectionRequestMessage: string?
-
-  @description('Optional. Custom DNS configurations.')
-  customDnsConfigs: {
-    @description('Optional. FQDN that resolves to private endpoint IP address.')
-    fqdn: string?
-
-    @description('Required. A list of private IP addresses of the private endpoint.')
-    ipAddresses: string[]
-  }[]?
-
-  @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
-  ipConfigurations: {
-    @description('Required. The name of the resource that is unique within a resource group.')
-    name: string
-
-    @description('Required. Properties of private endpoint IP configurations.')
-    properties: {
-      @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
-      groupId: string
-
-      @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
-      memberName: string
-
-      @description('Required. A private IP address obtained from the private endpoint\'s subnet.')
-      privateIPAddress: string
-    }
-  }[]?
-
-  @description('Optional. Application security groups in which the private endpoint IP configuration is included.')
-  applicationSecurityGroupResourceIds: string[]?
-
-  @description('Optional. The custom name of the network interface attached to the private endpoint.')
-  customNetworkInterfaceName: string?
-
-  @description('Optional. Specify the type of lock.')
-  lock: lockType
-
-  @description('Optional. Array of role assignments to create.')
-  roleAssignments: roleAssignmentType
-
-  @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
-  tags: object?
-
-  @description('Optional. Enable/Disable usage telemetry for module.')
-  enableTelemetry: bool?
-
-  @description('Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.')
-  resourceGroupName: string?
-}[]?
-
-type diagnosticSettingType = {
-  @description('Optional. The name of diagnostic setting.')
-  name: string?
-
-  @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection.')
-  logCategoriesAndGroups: {
-    @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
-    category: string?
-
-    @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs.')
-    categoryGroup: string?
-
-    @description('Optional. Enable or disable the category explicitly. Default is `true`.')
-    enabled: bool?
-  }[]?
-
-  @description('Optional. The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to `[]` to disable metric collection.')
-  metricCategories: {
-    @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics.')
-    category: string
-
-    @description('Optional. Enable or disable the category explicitly. Default is `true`.')
-    enabled: bool?
-  }[]?
-
-  @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
-  logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
-
-  @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-  workspaceResourceId: string?
-
-  @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-  storageAccountResourceId: string?
-
-  @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
-  eventHubAuthorizationRuleResourceId: string?
-
-  @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
-  eventHubName: string?
-
-  @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
-  marketplacePartnerResourceId: string?
-}[]?
-
 type secretsExportConfigurationType = {
   @description('Required. The key vault name where to store the API Admin keys generated by the modules.')
   keyVaultResourceId: string
@@ -574,3 +406,28 @@ type secretsOutputType = {
   @description('An exported secret\'s references.')
   *: secretSetType
 }
+
+@export()
+type authOptionsType = {
+  @description('Optional. Indicates that either the API key or an access token from a Microsoft Entra ID tenant can be used for authentication.')
+  aadOrApiKey: {
+    @description('Optional. Describes what response the data plane API of a search service would send for requests that failed authentication.')
+    aadAuthFailureMode: ('http401WithBearerChallenge' | 'http403')?
+  }?
+  @description('Optional. Indicates that only the API key can be used for authentication.')
+  apiKeyOnly: object?
+}
+
+@export()
+type networkRuleSetType = {
+  @description('Optional. Network specific rules that determine how the Azure AI Search service may be reached.')
+  bypass: ('AzurePortal' | 'None')?
+  @description('Optional. A list of IP restriction rules that defines the inbound network(s) with allowing access to the search service endpoint. At the meantime, all other public IP networks are blocked by the firewall. These restriction rules are applied only when the \'publicNetworkAccess\' of the search service is \'enabled\'; otherwise, traffic over public interface is not allowed even with any public IP rules, and private endpoint connections would be the exclusive access method.')
+  ipRules: ipRuleType[]?
+}
+
+@export()
+type ipRuleType = {
+  @description('Required. Value corresponding to a single IPv4 address (eg., 123.1.2.3) or an IP range in CIDR format (eg., 123.1.2.3/24) to be allowed.')
+  value: string
+}
diff --git a/avm/res/search/search-service/main.json b/avm/res/search/search-service/main.json
index 7166a21a5d..d2fd601fa8 100644
--- a/avm/res/search/search-service/main.json
+++ b/avm/res/search/search-service/main.json
@@ -5,507 +5,630 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "2146382794975309304"
+      "version": "0.31.34.60546",
+      "templateHash": "18312735267946671495"
     },
     "name": "Search Services",
     "description": "This module deploys a Search Service.",
     "owner": "Azure/module-maintainers"
   },
   "definitions": {
-    "managedIdentitiesType": {
+    "secretsExportConfigurationType": {
       "type": "object",
       "properties": {
-        "systemAssigned": {
-          "type": "bool",
+        "keyVaultResourceId": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The key vault name where to store the API Admin keys generated by the modules."
+          }
+        },
+        "primaryAdminKeyName": {
+          "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. Enables system assigned managed identity on the resource."
+            "description": "Optional. The primaryAdminKey secret name to create."
           }
         },
-        "userAssignedResourceIds": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
+        "secondaryAdminKeyName": {
+          "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
+            "description": "Optional. The secondaryAdminKey secret name to create."
           }
         }
-      },
-      "nullable": true
+      }
     },
-    "lockType": {
+    "secretsOutputType": {
+      "type": "object",
+      "properties": {},
+      "additionalProperties": {
+        "$ref": "#/definitions/secretSetType",
+        "metadata": {
+          "description": "An exported secret's references."
+        }
+      }
+    },
+    "authOptionsType": {
       "type": "object",
       "properties": {
-        "name": {
-          "type": "string",
+        "aadOrApiKey": {
+          "type": "object",
+          "properties": {
+            "aadAuthFailureMode": {
+              "type": "string",
+              "allowedValues": [
+                "http401WithBearerChallenge",
+                "http403"
+              ],
+              "nullable": true,
+              "metadata": {
+                "description": "Optional. Describes what response the data plane API of a search service would send for requests that failed authentication."
+              }
+            }
+          },
           "nullable": true,
           "metadata": {
-            "description": "Optional. Specify the name of lock."
+            "description": "Optional. Indicates that either the API key or an access token from a Microsoft Entra ID tenant can be used for authentication."
           }
         },
-        "kind": {
+        "apiKeyOnly": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Indicates that only the API key can be used for authentication."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "networkRuleSetType": {
+      "type": "object",
+      "properties": {
+        "bypass": {
           "type": "string",
           "allowedValues": [
-            "CanNotDelete",
-            "None",
-            "ReadOnly"
+            "AzurePortal",
+            "None"
           ],
           "nullable": true,
           "metadata": {
-            "description": "Optional. Specify the type of lock."
+            "description": "Optional. Network specific rules that determine how the Azure AI Search service may be reached."
+          }
+        },
+        "ipRules": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/ipRuleType"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of IP restriction rules that defines the inbound network(s) with allowing access to the search service endpoint. At the meantime, all other public IP networks are blocked by the firewall. These restriction rules are applied only when the 'publicNetworkAccess' of the search service is 'enabled'; otherwise, traffic over public interface is not allowed even with any public IP rules, and private endpoint connections would be the exclusive access method."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_export!": true
+      }
     },
-    "roleAssignmentType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
-            }
-          },
-          "roleDefinitionIdOrName": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
-            }
-          },
-          "principalId": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
-            }
-          },
-          "principalType": {
-            "type": "string",
-            "allowedValues": [
-              "Device",
-              "ForeignGroup",
-              "Group",
-              "ServicePrincipal",
-              "User"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The principal type of the assigned principal ID."
-            }
-          },
-          "description": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The description of the role assignment."
-            }
-          },
-          "condition": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
-            }
-          },
-          "conditionVersion": {
-            "type": "string",
-            "allowedValues": [
-              "2.0"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Version of the condition."
-            }
+    "ipRuleType": {
+      "type": "object",
+      "properties": {
+        "value": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Value corresponding to a single IPv4 address (eg., 123.1.2.3) or an IP range in CIDR format (eg., 123.1.2.3/24) to be allowed."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "_1.privateEndpointCustomDnsConfigType": {
+      "type": "object",
+      "properties": {
+        "fqdn": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. FQDN that resolves to private endpoint IP address."
+          }
+        },
+        "ipAddresses": {
+          "type": "array",
+          "items": {
+            "type": "string"
           },
-          "delegatedManagedIdentityResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The Resource Id of the delegated managed identity resource."
-            }
+          "metadata": {
+            "description": "Required. A list of private IP addresses of the private endpoint."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0"
+        }
+      }
     },
-    "privateEndpointType": {
-      "type": "array",
-      "items": {
-        "type": "object",
+    "_1.privateEndpointIpConfigurationType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The name of the resource that is unique within a resource group."
+          }
+        },
         "properties": {
-          "name": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of the private endpoint."
-            }
-          },
-          "location": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The location to deploy the private endpoint to."
-            }
-          },
-          "privateLinkServiceConnectionName": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of the private link connection to create."
-            }
-          },
-          "service": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The subresource to deploy the private endpoint for. For example \"vault\", \"mysqlServer\" or \"dataFactory\"."
-            }
-          },
-          "subnetResourceId": {
-            "type": "string",
-            "metadata": {
-              "description": "Required. Resource ID of the subnet where the endpoint needs to be created."
+          "type": "object",
+          "properties": {
+            "groupId": {
+              "type": "string",
+              "metadata": {
+                "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
+              }
+            },
+            "memberName": {
+              "type": "string",
+              "metadata": {
+                "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
+              }
+            },
+            "privateIPAddress": {
+              "type": "string",
+              "metadata": {
+                "description": "Required. A private IP address obtained from the private endpoint's subnet."
+              }
             }
           },
-          "privateDnsZoneGroup": {
+          "metadata": {
+            "description": "Required. Properties of private endpoint IP configurations."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0"
+        }
+      }
+    },
+    "_1.privateEndpointPrivateDnsZoneGroupType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the Private DNS Zone Group."
+          }
+        },
+        "privateDnsZoneGroupConfigs": {
+          "type": "array",
+          "items": {
             "type": "object",
             "properties": {
               "name": {
                 "type": "string",
                 "nullable": true,
                 "metadata": {
-                  "description": "Optional. The name of the Private DNS Zone Group."
+                  "description": "Optional. The name of the private DNS Zone Group config."
                 }
               },
-              "privateDnsZoneGroupConfigs": {
-                "type": "array",
-                "items": {
-                  "type": "object",
-                  "properties": {
-                    "name": {
-                      "type": "string",
-                      "nullable": true,
-                      "metadata": {
-                        "description": "Optional. The name of the private DNS zone group config."
-                      }
-                    },
-                    "privateDnsZoneResourceId": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Required. The resource id of the private DNS zone."
-                      }
-                    }
-                  }
-                },
+              "privateDnsZoneResourceId": {
+                "type": "string",
                 "metadata": {
-                  "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones."
+                  "description": "Required. The resource id of the private DNS zone."
                 }
               }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The private DNS zone group to configure for the private endpoint."
-            }
-          },
-          "isManualConnection": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. If Manual Private Link Connection is required."
-            }
-          },
-          "manualConnectionRequestMessage": {
-            "type": "string",
-            "nullable": true,
-            "maxLength": 140,
-            "metadata": {
-              "description": "Optional. A message passed to the owner of the remote resource with the manual connection request."
             }
           },
-          "customDnsConfigs": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "fqdn": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. FQDN that resolves to private endpoint IP address."
-                  }
-                },
-                "ipAddresses": {
-                  "type": "array",
-                  "items": {
-                    "type": "string"
-                  },
-                  "metadata": {
-                    "description": "Required. A list of private IP addresses of the private endpoint."
-                  }
+          "metadata": {
+            "description": "Required. The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0"
+        }
+      }
+    },
+    "diagnosticSettingFullType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the diagnostic setting."
+          }
+        },
+        "logCategoriesAndGroups": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "category": {
+                "type": "string",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
                 }
-              }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Custom DNS configurations."
-            }
-          },
-          "ipConfigurations": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "name": {
-                  "type": "string",
-                  "metadata": {
-                    "description": "Required. The name of the resource that is unique within a resource group."
-                  }
-                },
-                "properties": {
-                  "type": "object",
-                  "properties": {
-                    "groupId": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to."
-                      }
-                    },
-                    "memberName": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to."
-                      }
-                    },
-                    "privateIPAddress": {
-                      "type": "string",
-                      "metadata": {
-                        "description": "Required. A private IP address obtained from the private endpoint's subnet."
-                      }
-                    }
-                  },
-                  "metadata": {
-                    "description": "Required. Properties of private endpoint IP configurations."
-                  }
+              },
+              "categoryGroup": {
+                "type": "string",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
+                }
+              },
+              "enabled": {
+                "type": "bool",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. Enable or disable the category explicitly. Default is `true`."
                 }
               }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints."
-            }
-          },
-          "applicationSecurityGroupResourceIds": {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Application security groups in which the private endpoint IP configuration is included."
-            }
-          },
-          "customNetworkInterfaceName": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The custom name of the network interface attached to the private endpoint."
             }
           },
-          "lock": {
-            "$ref": "#/definitions/lockType",
-            "metadata": {
-              "description": "Optional. Specify the type of lock."
-            }
-          },
-          "roleAssignments": {
-            "$ref": "#/definitions/roleAssignmentType",
-            "metadata": {
-              "description": "Optional. Array of role assignments to create."
-            }
-          },
-          "tags": {
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
+          }
+        },
+        "metricCategories": {
+          "type": "array",
+          "items": {
             "type": "object",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Tags to be applied on all resources/resource groups in this deployment."
-            }
-          },
-          "enableTelemetry": {
-            "type": "bool",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Enable/Disable usage telemetry for module."
+            "properties": {
+              "category": {
+                "type": "string",
+                "metadata": {
+                  "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
+                }
+              },
+              "enabled": {
+                "type": "bool",
+                "nullable": true,
+                "metadata": {
+                  "description": "Optional. Enable or disable the category explicitly. Default is `true`."
+                }
+              }
             }
           },
-          "resourceGroupName": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
+          }
+        },
+        "logAnalyticsDestinationType": {
+          "type": "string",
+          "allowedValues": [
+            "AzureDiagnostics",
+            "Dedicated"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
+          }
+        },
+        "workspaceResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+          }
+        },
+        "storageAccountResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+          }
+        },
+        "eventHubAuthorizationRuleResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
+          }
+        },
+        "eventHubName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
+          }
+        },
+        "marketplacePartnerResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0"
+        }
+      }
+    },
+    "lockType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the name of lock."
+          }
+        },
+        "kind": {
+          "type": "string",
+          "allowedValues": [
+            "CanNotDelete",
+            "None",
+            "ReadOnly"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the type of lock."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "description": "An AVM-aligned type for a lock.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0"
+        }
+      }
     },
-    "diagnosticSettingType": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "properties": {
-          "name": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of diagnostic setting."
-            }
-          },
-          "logCategoriesAndGroups": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "category": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here."
-                  }
-                },
-                "categoryGroup": {
-                  "type": "string",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs."
-                  }
-                },
-                "enabled": {
-                  "type": "bool",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Enable or disable the category explicitly. Default is `true`."
-                  }
-                }
-              }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection."
-            }
-          },
-          "metricCategories": {
-            "type": "array",
-            "items": {
-              "type": "object",
-              "properties": {
-                "category": {
-                  "type": "string",
-                  "metadata": {
-                    "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics."
-                  }
-                },
-                "enabled": {
-                  "type": "bool",
-                  "nullable": true,
-                  "metadata": {
-                    "description": "Optional. Enable or disable the category explicitly. Default is `true`."
-                  }
-                }
-              }
-            },
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection."
-            }
-          },
-          "logAnalyticsDestinationType": {
-            "type": "string",
-            "allowedValues": [
-              "AzureDiagnostics",
-              "Dedicated"
-            ],
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type."
-            }
+    "managedIdentityAllType": {
+      "type": "object",
+      "properties": {
+        "systemAssigned": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Enables system assigned managed identity on the resource."
+          }
+        },
+        "userAssignedResourceIds": {
+          "type": "array",
+          "items": {
+            "type": "string"
           },
-          "workspaceResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
+          }
+        }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0"
+        }
+      }
+    },
+    "privateEndpointSingleServiceType": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the Private Endpoint."
+          }
+        },
+        "location": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The location to deploy the Private Endpoint to."
+          }
+        },
+        "privateLinkServiceConnectionName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The name of the private link connection to create."
+          }
+        },
+        "service": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The subresource to deploy the Private Endpoint for. For example \"vault\" for a Key Vault Private Endpoint."
+          }
+        },
+        "subnetResourceId": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Resource ID of the subnet where the endpoint needs to be created."
+          }
+        },
+        "privateDnsZoneGroup": {
+          "$ref": "#/definitions/_1.privateEndpointPrivateDnsZoneGroupType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The private DNS Zone Group to configure for the Private Endpoint."
+          }
+        },
+        "isManualConnection": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. If Manual Private Link Connection is required."
+          }
+        },
+        "manualConnectionRequestMessage": {
+          "type": "string",
+          "nullable": true,
+          "maxLength": 140,
+          "metadata": {
+            "description": "Optional. A message passed to the owner of the remote resource with the manual connection request."
+          }
+        },
+        "customDnsConfigs": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/_1.privateEndpointCustomDnsConfigType"
           },
-          "storageAccountResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Custom DNS configurations."
+          }
+        },
+        "ipConfigurations": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/_1.privateEndpointIpConfigurationType"
           },
-          "eventHubAuthorizationRuleResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints."
+          }
+        },
+        "applicationSecurityGroupResourceIds": {
+          "type": "array",
+          "items": {
+            "type": "string"
           },
-          "eventHubName": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Application security groups in which the Private Endpoint IP configuration is included."
+          }
+        },
+        "customNetworkInterfaceName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The custom name of the network interface attached to the Private Endpoint."
+          }
+        },
+        "lock": {
+          "$ref": "#/definitions/lockType",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify the type of lock."
+          }
+        },
+        "roleAssignments": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/roleAssignmentType"
           },
-          "marketplacePartnerResourceId": {
-            "type": "string",
-            "nullable": true,
-            "metadata": {
-              "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs."
-            }
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Array of role assignments to create."
+          }
+        },
+        "tags": {
+          "type": "object",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Tags to be applied on all resources/Resource Groups in this deployment."
+          }
+        },
+        "enableTelemetry": {
+          "type": "bool",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Enable/Disable usage telemetry for module."
+          }
+        },
+        "resourceGroupName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource."
           }
         }
       },
-      "nullable": true
+      "metadata": {
+        "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can be assumed (i.e., for services that only have one Private Endpoint type like 'vault' for key vault).",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0"
+        }
+      }
     },
-    "secretsExportConfigurationType": {
+    "roleAssignmentType": {
       "type": "object",
       "properties": {
-        "keyVaultResourceId": {
+        "name": {
           "type": "string",
+          "nullable": true,
           "metadata": {
-            "description": "Required. The key vault name where to store the API Admin keys generated by the modules."
+            "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated."
           }
         },
-        "primaryAdminKeyName": {
+        "roleDefinitionIdOrName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'."
+          }
+        },
+        "principalId": {
           "type": "string",
+          "metadata": {
+            "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to."
+          }
+        },
+        "principalType": {
+          "type": "string",
+          "allowedValues": [
+            "Device",
+            "ForeignGroup",
+            "Group",
+            "ServicePrincipal",
+            "User"
+          ],
           "nullable": true,
           "metadata": {
-            "description": "Optional. The primaryAdminKey secret name to create."
+            "description": "Optional. The principal type of the assigned principal ID."
           }
         },
-        "secondaryAdminKeyName": {
+        "description": {
           "type": "string",
           "nullable": true,
           "metadata": {
-            "description": "Optional. The secondaryAdminKey secret name to create."
+            "description": "Optional. The description of the role assignment."
+          }
+        },
+        "condition": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"."
+          }
+        },
+        "conditionVersion": {
+          "type": "string",
+          "allowedValues": [
+            "2.0"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Version of the condition."
+          }
+        },
+        "delegatedManagedIdentityResourceId": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. The Resource Id of the delegated managed identity resource."
           }
         }
-      }
-    },
-    "secretsOutputType": {
-      "type": "object",
-      "properties": {},
-      "additionalProperties": {
-        "$ref": "#/definitions/secretSetType",
-        "metadata": {
-          "description": "An exported secret's references."
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a role assignment.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0"
         }
       }
     },
@@ -540,8 +663,8 @@
       }
     },
     "authOptions": {
-      "type": "object",
-      "defaultValue": {},
+      "$ref": "#/definitions/authOptionsType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Defines the options for how the data plane API of a Search service authenticates requests. Must remain an empty object {} if 'disableLocalAuth' is set to true."
       }
@@ -592,13 +715,14 @@
     },
     "lock": {
       "$ref": "#/definitions/lockType",
+      "nullable": true,
       "metadata": {
-        "description": "Optional. The lock settings of the service."
+        "description": "Optional. The lock settings for all Resources in the solution."
       }
     },
     "networkRuleSet": {
-      "type": "object",
-      "defaultValue": {},
+      "$ref": "#/definitions/networkRuleSetType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Network specific rules that determine how the Azure Cognitive Search service may be reached."
       }
@@ -613,7 +737,11 @@
       }
     },
     "privateEndpoints": {
-      "$ref": "#/definitions/privateEndpointType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/privateEndpointSingleServiceType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible."
       }
@@ -653,7 +781,11 @@
       }
     },
     "roleAssignments": {
-      "$ref": "#/definitions/roleAssignmentType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/roleAssignmentType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. Array of role assignments to create."
       }
@@ -687,13 +819,18 @@
       }
     },
     "managedIdentities": {
-      "$ref": "#/definitions/managedIdentitiesType",
+      "$ref": "#/definitions/managedIdentityAllType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. The managed identity definition for this resource."
       }
     },
     "diagnosticSettings": {
-      "$ref": "#/definitions/diagnosticSettingType",
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/diagnosticSettingFullType"
+      },
+      "nullable": true,
       "metadata": {
         "description": "Optional. The diagnostic settings of the service."
       }
@@ -759,7 +896,7 @@
       "tags": "[parameters('tags')]",
       "identity": "[variables('identity')]",
       "properties": {
-        "authOptions": "[if(not(empty(parameters('authOptions'))), parameters('authOptions'), null())]",
+        "authOptions": "[parameters('authOptions')]",
         "disableLocalAuth": "[parameters('disableLocalAuth')]",
         "encryptionWithCmk": {
           "enforcement": "[parameters('cmkEnforcement')]"
@@ -1657,8 +1794,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "1073269867332822875"
+              "version": "0.31.34.60546",
+              "templateHash": "13697564567147510981"
             },
             "name": "Search Services Private Link Resources",
             "description": "This module deploys a Search Service Private Link Resource.",
@@ -1719,10 +1856,7 @@
                 "groupId": "[parameters('groupId')]",
                 "requestMessage": "[parameters('requestMessage')]",
                 "resourceRegion": "[parameters('resourceRegion')]"
-              },
-              "dependsOn": [
-                "searchService"
-              ]
+              }
             }
           },
           "outputs": {
@@ -1781,8 +1915,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.23.60470",
-              "templateHash": "12263717469683062316"
+              "version": "0.31.34.60546",
+              "templateHash": "251825345610643647"
             }
           },
           "definitions": {
@@ -1858,10 +1992,7 @@
               "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('secretsToSet')[copyIndex()].name)]",
               "properties": {
                 "value": "[parameters('secretsToSet')[copyIndex()].value]"
-              },
-              "dependsOn": [
-                "keyVault"
-              ]
+              }
             }
           },
           "outputs": {
diff --git a/avm/res/search/search-service/shared-private-link-resource/main.json b/avm/res/search/search-service/shared-private-link-resource/main.json
index ccb69cdd79..e465debc7b 100644
--- a/avm/res/search/search-service/shared-private-link-resource/main.json
+++ b/avm/res/search/search-service/shared-private-link-resource/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "2330033720810948871"
+      "version": "0.31.34.60546",
+      "templateHash": "13697564567147510981"
     },
     "name": "Search Services Private Link Resources",
     "description": "This module deploys a Search Service Private Link Resource.",
@@ -67,10 +67,7 @@
         "groupId": "[parameters('groupId')]",
         "requestMessage": "[parameters('requestMessage')]",
         "resourceRegion": "[parameters('resourceRegion')]"
-      },
-      "dependsOn": [
-        "searchService"
-      ]
+      }
     }
   },
   "outputs": {
diff --git a/avm/res/search/search-service/tests/e2e/max/main.test.bicep b/avm/res/search/search-service/tests/e2e/max/main.test.bicep
index 0fc341ea23..93c3460fa4 100644
--- a/avm/res/search/search-service/tests/e2e/max/main.test.bicep
+++ b/avm/res/search/search-service/tests/e2e/max/main.test.bicep
@@ -111,6 +111,7 @@ module testDeployment '../../../main.bicep' = [
         }
       ]
       networkRuleSet: {
+        bypass: 'AzurePortal'
         ipRules: [
           {
             value: '40.74.28.0/23'
diff --git a/avm/res/search/search-service/version.json b/avm/res/search/search-service/version.json
index 7e1d3f4157..9a9a06e897 100644
--- a/avm/res/search/search-service/version.json
+++ b/avm/res/search/search-service/version.json
@@ -1,7 +1,7 @@
 {
-    "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-    "version": "0.7",
-    "pathFilters": [
-        "./main.json"
-    ]
+  "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+  "version": "0.8",
+  "pathFilters": [
+    "./main.json"
+  ]
 }
\ No newline at end of file
diff --git a/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml b/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml
new file mode 100644
index 0000000000..3620b3c9bd
--- /dev/null
+++ b/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml
@@ -0,0 +1,46 @@
+---
+# Synopsis: Custom baseline for AVM WAF security pillar recommendations that are enforced in CI.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Baseline
+metadata:
+  name: CB.AVM.WAF.Security
+spec:
+  rule:
+    include:
+      - Azure.ACR.AdminUser
+      - Azure.ACR.ContainerScan
+      - Azure.ACR.ContentTrust
+      - Azure.ACR.Firewall
+      - Azure.AKS.AzureRBAC
+      - Azure.AppGw.UseHTTPS
+      - Azure.AppGw.SSLPolicy
+      - Azure.AppGw.WAFEnabled
+      - Azure.AppGw.UseWAF
+      - Azure.AppService.WebSecureFtp
+      - Azure.AppService.MinTLS
+      - Azure.Cosmos.MinTLS
+      - Azure.Defender.Api
+      - Azure.Defender.AppServices
+      - Azure.Defender.Arm
+      - Azure.Defender.Containers
+      - Azure.Defender.CosmosDb
+      - Azure.Defender.Cspm
+      - Azure.Defender.Dns
+      - Azure.Defender.KeyVault
+      - Azure.Defender.OssRdb
+      - Azure.Defender.SQL
+      - Azure.Defender.SQLOnVM
+      - Azure.Defender.SecurityContact
+      - Azure.Defender.Servers
+      - Azure.Defender.Storage.DataScan
+      - Azure.Defender.Storage.MalwareScan
+      - Azure.Defender.Storage
+      - Azure.Firewall.Mode
+      - Azure.Firewall.PolicyMode
+      - Azure.Storage.DefenderCloud
+      - Azure.Storage.Defender.MalwareScan
+      - Azure.Storage.SecureTransfer
+      - Azure.Storage.BlobPublicAccess
+      - Azure.Storage.BlobAccessType
+      - Azure.Storage.Firewall
+      - Azure.Storage.MinTLS