feat: ASEv3 AZ Defaults & Networking Fix (Azure#3500)

## Description

This PR addresses some networking issues during deployment when
overriding an IP using config/networking. This has been simplified to
address the issue.

Also, AZs are now leveraged by default as part of Proactive resiliency. 

Closes:
Azure#3337
Azure#3176 
Azure#3014 

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |

|[![avm.res.web.hosting-environment](https://github.com/tsc-buddy/bicep-registry-modules/actions/workflows/avm.res.web.hosting-environment.yml/badge.svg?branch=fix%2Fase-az-test)](https://github.com/tsc-buddy/bicep-registry-modules/actions/workflows/avm.res.web.hosting-environment.yml)|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [x] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [x] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [x] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

avm/res/web/hosting-environment/configuration--customdnssuffix/README.md

@@ -12,7 +12,7 @@ This module deploys a Hosting Environment Custom DNS Suffix Configuration.
 
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Web/hostingEnvironments/configurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/hostingEnvironments/configurations) |
+| `Microsoft.Web/hostingEnvironments/configurations` | [2023-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Web/hostingEnvironments/configurations) |
 
 ## Parameters
 

avm/res/web/hosting-environment/configuration--customdnssuffix/main.bicep

@@ -18,7 +18,7 @@ resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' ex
   name: hostingEnvironmentName
 }
 
-resource configuration 'Microsoft.Web/hostingEnvironments/configurations@2022-03-01' = {
+resource configuration 'Microsoft.Web/hostingEnvironments/configurations@2023-12-01' = {
   name: 'customdnssuffix'
   parent: appServiceEnvironment
   properties: {

avm/res/web/hosting-environment/configuration--customdnssuffix/main.json

@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.28.1.47646",
-      "templateHash": "12791869385776671140"
+      "version": "0.30.3.12046",
+      "templateHash": "8555887239478847203"
     },
     "name": "Hosting Environment Custom DNS Suffix Configuration",
     "description": "This module deploys a Hosting Environment Custom DNS Suffix Configuration.",
@@ -40,7 +40,7 @@
   "resources": [
     {
       "type": "Microsoft.Web/hostingEnvironments/configurations",
-      "apiVersion": "2022-03-01",
+      "apiVersion": "2023-12-01",
       "name": "[format('{0}/{1}', parameters('hostingEnvironmentName'), 'customdnssuffix')]",
       "properties": {
         "certificateUrl": "[parameters('certificateUrl')]",

avm/res/web/hosting-environment/main.bicep

@@ -65,17 +65,8 @@ param frontEndScaleFactor int = 15
 ])
 param internalLoadBalancingMode string = 'None'
 
-@description('Optional. Property to enable and disable new private endpoint connection creation on ASE.')
-param allowNewPrivateEndpointConnections bool = false
-
-@description('Optional. Property to enable and disable FTP on ASEV3.')
-param ftpEnabled bool = false
-
-@description('Optional. Customer provided Inbound IP Address. Only able to be set on Ase create.')
-param inboundIpAddressOverride string = ''
-
-@description('Optional. Property to enable and disable Remote Debug on ASEv3.')
-param remoteDebugEnabled bool = false
+@description('Optional. Properties to configure additional networking features.')
+param networkConfiguration object?
 
 @description('Optional. Specify preference for when and how the planned maintenance is applied.')
 @allowed([
@@ -90,7 +81,7 @@ param upgradePreference string = 'None'
 param subnetResourceId string
 
 @description('Optional. Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`.')
-param zoneRedundant bool = false
+param zoneRedundant bool = true
 
 @description('Optional. The managed identity definition for this resource.')
 param managedIdentities managedIdentitiesType
@@ -127,6 +118,17 @@ var builtInRoleNames = {
   )
 }
 
+var formattedRoleAssignments = [
+  for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
+    roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains(
+        roleAssignment.roleDefinitionIdOrName,
+        '/providers/Microsoft.Authorization/roleDefinitions/'
+      )
+      ? roleAssignment.roleDefinitionIdOrName
+      : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName))
+  })
+]
+
 // ============== //
 // Resources      //
 // ============== //
@@ -150,7 +152,7 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT
   }
 }
 
-resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' = {
+resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2023-12-01' = {
   name: name
   kind: kind
   location: location
@@ -163,6 +165,7 @@ resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' =
     frontEndScaleFactor: frontEndScaleFactor
     internalLoadBalancingMode: internalLoadBalancingMode
     upgradePreference: upgradePreference
+    networkingConfiguration: networkConfiguration
     virtualNetwork: {
       id: subnetResourceId
       subnet: last(split(subnetResourceId, '/'))
@@ -171,17 +174,6 @@ resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2022-03-01' =
   }
 }
 
-module appServiceEnvironment_configurations_networking 'configuration--networking/main.bicep' = {
-  name: '${uniqueString(deployment().name, location)}-AppServiceEnv-Configurations-Networking'
-  params: {
-    hostingEnvironmentName: appServiceEnvironment.name
-    allowNewPrivateEndpointConnections: allowNewPrivateEndpointConnections
-    ftpEnabled: ftpEnabled
-    inboundIpAddressOverride: inboundIpAddressOverride
-    remoteDebugEnabled: remoteDebugEnabled
-  }
-}
-
 module appServiceEnvironment_configurations_customDnsSuffix 'configuration--customdnssuffix/main.bicep' = if (!empty(customDnsSuffix)) {
   name: '${uniqueString(deployment().name, location)}-AppServiceEnv-Configurations-CustomDnsSuffix'
   params: {
@@ -226,14 +218,14 @@ resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnostic
 ]
 
 resource appServiceEnvironment_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
-  for (roleAssignment, index) in (roleAssignments ?? []): {
-    name: guid(appServiceEnvironment.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+  for (roleAssignment, index) in (formattedRoleAssignments ?? []): {
+    name: roleAssignment.?name ?? guid(
+      appServiceEnvironment.id,
+      roleAssignment.principalId,
+      roleAssignment.roleDefinitionId
+    )
     properties: {
-      roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName)
-        ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName]
-        : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/')
-            ? roleAssignment.roleDefinitionIdOrName
-            : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
+      roleDefinitionId: roleAssignment.roleDefinitionId
       principalId: roleAssignment.principalId
       description: roleAssignment.?description
       principalType: roleAssignment.?principalType
@@ -244,7 +236,6 @@ resource appServiceEnvironment_roleAssignments 'Microsoft.Authorization/roleAssi
     scope: appServiceEnvironment
   }
 ]
-
 // ============ //
 // Outputs      //
 // ============ //
@@ -285,6 +276,9 @@ type lockType = {
 }?
 
 type roleAssignmentType = {
+  @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
+  name: string?
+
   @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
   roleDefinitionIdOrName: string