Azure · eriqua · Mar 21, 2025 · Mar 14, 2025 · Mar 14, 2025 · Mar 14, 2025
@@ -117,6 +117,7 @@
 /avm/res/load-test-service/load-test/ @Azure/avm-res-loadtestservice-loadtest-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/logic/workflow/ @Azure/avm-res-logic-workflow-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/machine-learning-services/workspace/ @Azure/avm-res-machinelearningservices-workspace-module-owners-bicep @Azure/avm-module-reviewers-bicep
+/avm/res/maintenance/configuration-assignment/ @Azure/avm-res-maintenance-configurationassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/maintenance/maintenance-configuration/ @Azure/avm-res-maintenance-maintenanceconfiguration-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/managed-identity/user-assigned-identity/ @Azure/avm-res-managedidentity-userassignedidentity-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/managed-services/registration-definition/ @Azure/avm-res-managedservices-registrationdefinition-module-owners-bicep @Azure/avm-module-reviewers-bicep

@@ -152,6 +152,7 @@ body:
         - "avm/res/load-test-service/load-test"
         - "avm/res/logic/workflow"
         - "avm/res/machine-learning-services/workspace"
+        - "avm/res/maintenance/configuration-assignment"
         - "avm/res/maintenance/maintenance-configuration"
         - "avm/res/managed-identity/user-assigned-identity"
         - "avm/res/managed-services/registration-definition"

@@ -0,0 +1,88 @@
+name: "avm.res.maintenance.configuration-assignment"
+
+on:
+  workflow_dispatch:
+    inputs:
+      staticValidation:
+        type: boolean
+        description: "Execute static validation"
+        required: false
+        default: true
+      deploymentValidation:
+        type: boolean
+        description: "Execute deployment validation"
+        required: false
+        default: true
+      removeDeployment:
+        type: boolean
+        description: "Remove deployed module"
+        required: false
+        default: true
+      customLocation:
+        type: string
+        description: "Default location overwrite (e.g., eastus)"
+        required: false
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/actions/templates/avm-**"
+      - ".github/workflows/avm.template.module.yml"
+      - ".github/workflows/avm.res.maintenance.configuration-assignment.yml"
+      - "avm/res/maintenance/configuration-assignment/**"
+      - "utilities/pipelines/**"
+      - "!utilities/pipelines/platform/**"
+      - "!*/**/README.md"
+
+env:
+  modulePath: "avm/res/maintenance/configuration-assignment"
+  workflowPath: ".github/workflows/avm.res.maintenance.configuration-assignment.yml"
+
+concurrency:
+  group: ${{ github.workflow }}
+
+jobs:
+  ###########################
+  #   Initialize pipeline   #
+  ###########################
+  job_initialize_pipeline:
+    runs-on: ubuntu-latest
+    name: "Initialize pipeline"
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: "Set input parameters to output variables"
+        id: get-workflow-param
+        uses: ./.github/actions/templates/avm-getWorkflowInput
+        with:
+          workflowPath: "${{ env.workflowPath}}"
+      - name: "Get module test file paths"
+        id: get-module-test-file-paths
+        uses: ./.github/actions/templates/avm-getModuleTestFiles
+        with:
+          modulePath: "${{ env.modulePath }}"
+    outputs:
+      workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+      moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+      psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
+      modulePath: "${{ env.modulePath }}"
+
+  ##############################
+  #   Call reusable workflow   #
+  ##############################
+  call-workflow-passing-data:
+    name: "Run"
+    permissions:
+      id-token: write # For OIDC
+      contents: write # For release tags
+    needs:
+      - job_initialize_pipeline
+    uses: ./.github/workflows/avm.template.module.yml
+    with:
+      workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+      moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+      psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+      modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+    secrets: inherit
@@ -0,0 +1,115 @@
+metadata name = 'Maintenance Configuration Assignments'
+metadata description = 'This module deploys a Maintenance Configuration Assignment.'
+
+// ============== //
+//   Parameters   //
+// ============== //
+
+@description('Required. Maintenance configuration assignment Name.')
+param name string
+
+@description('Optional. Enable/Disable usage telemetry for module.')
+param enableTelemetry bool = true
+
+@description('Optional. Location for all Resources.')
+param location string = resourceGroup().location
+
+@description('Required. The maintenance configuration resource ID.')
+param maintenanceConfigurationResourceId string
+
+@description('Conditional. The unique virtual machine resource ID to assign the configuration to. Required if filter is not provided. If resourceId is provided, filter is ignored. If provided, the module scope must be set to the resource group of the virtual machine.')
+param resourceId string?
+
+@description('Conditional. Properties of the dynamic configuration assignment. Required if resourceId is not provided.')
+param filter filterType?
+
+// =============== //
+//   Deployments   //
+// =============== //
+
+#disable-next-line no-deployments-resources
+resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
+  name: '46d3xbcp.res.maintenance-configurationassignment.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+      outputs: {
+        telemetry: {
+          type: 'String'
+          value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
+        }
+      }
+    }
+  }
+}
+
+resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' existing = if (resourceId != null) {
+  name: last(split(resourceId ?? '', '/'))!
+}
+
+resource configurationAssignment 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = if (resourceId != null) {
+  scope: vm
+  location: location
+  name: name
+  properties: {
+    maintenanceConfigurationId: maintenanceConfigurationResourceId
+    resourceId: vm.id
+  }
+}
+
+resource configurationAssignment_dynamic 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = if (resourceId == null) {
+  location: location
+  name: name
+  properties: {
+    filter: filter
+    maintenanceConfigurationId: maintenanceConfigurationResourceId
+  }
+}
+
+// =========== //
+//   Outputs   //
+// =========== //
+
+@description('The name of the Maintenance configuration assignment.')
+output name string = configurationAssignment.name ?? configurationAssignment_dynamic.name
+
+@description('The resource ID of the Maintenance configuration assignment.')
+output resourceId string = configurationAssignment.id ?? configurationAssignment_dynamic.id
+
+@description('The name of the resource group the Maintenance configuration assignment was created in.')
+output resourceGroupName string = resourceGroup().name
+
+// =============== //
+//   Definitions   //
+// =============== //
+
+@export()
+@description('The type for a managed configuration dynamic assignment filter.')
+type filterType = {
+  @description('Optional. List of allowed resource group names.')
+  resourceGroups: string[]?
+
+  @description('Optional. List of allowed resource types.')
+  resourceTypes: string[]?
+
+  @description('Optional. List of locations to scope the query to.')
+  locations: string[]?
+
+  @description('Optional. List of allowed operating systems.')
+  osTypes: ('Linux' | 'Windows')[]?
+
+  @description('Optional. Tag settings for the VM.')
+  tagSettings: {
+    @description('Required. Filter VMs by Any or All specified tags.')
+    filterOperator: ('All' | 'Any')
+
+    @description('Required. Dictionary of tags with its list of values.')
+    tags: {
+      @description('Required. A key-value pair.')
+      *: string
+    }
+  }?
+}
@@ -0,0 +1,215 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "languageVersion": "2.0",
+  "contentVersion": "1.0.0.0",
+  "metadata": {
+    "_generator": {
+      "name": "bicep",
+      "version": "0.33.93.31351",
+      "templateHash": "13366072417349467027"
+    },
+    "name": "Maintenance Configuration Assignments",
+    "description": "This module deploys a Maintenance Configuration Assignment."
+  },
+  "definitions": {
+    "filterType": {
+      "type": "object",
+      "properties": {
+        "resourceGroups": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. List of allowed resource group names."
+          }
+        },
+        "resourceTypes": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. List of allowed resource types."
+          }
+        },
+        "locations": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. List of locations to scope the query to."
+          }
+        },
+        "osTypes": {
+          "type": "array",
+          "allowedValues": [
+            "Linux",
+            "Windows"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. List of allowed operating systems."
+          }
+        },
+        "tagSettings": {
+          "type": "object",
+          "properties": {
+            "filterOperator": {
+              "type": "string",
+              "allowedValues": [
+                "All",
+                "Any"
+              ],
+              "metadata": {
+                "description": "Required. Filter VMs by Any or All specified tags."
+              }
+            },
+            "tags": {
+              "type": "object",
+              "properties": {},
+              "additionalProperties": {
+                "type": "string",
+                "metadata": {
+                  "description": "Required. A key-value pair."
+                }
+              },
+              "metadata": {
+                "description": "Required. Dictionary of tags with its list of values."
+              }
+            }
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Tag settings for the VM."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true,
+        "description": "The type for a managed configuration dynamic assignment filter."
+      }
+    }
+  },
+  "parameters": {
+    "name": {
+      "type": "string",
+      "metadata": {
+        "description": "Required. Maintenance configuration assignment Name."
+      }
+    },
+    "enableTelemetry": {
+      "type": "bool",
+      "defaultValue": true,
+      "metadata": {
+        "description": "Optional. Enable/Disable usage telemetry for module."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Optional. Location for all Resources."
+      }
+    },
+    "maintenanceConfigurationResourceId": {
+      "type": "string",
+      "metadata": {
+        "description": "Required. The maintenance configuration resource ID."
+      }
+    },
+    "resourceId": {
+      "type": "string",
+      "nullable": true,
+      "metadata": {
+        "description": "Conditional. The unique virtual machine resource ID to assign the configuration to. Required if filter is not provided. If resourceId is provided, filter is ignored. If provided, the module scope must be set to the resource group of the virtual machine."
+      }
+    },
+    "filter": {
+      "$ref": "#/definitions/filterType",
+      "nullable": true,
+      "metadata": {
+        "description": "Conditional. Properties of the dynamic configuration assignment. Required if resourceId is not provided."
+      }
+    }
+  },
+  "resources": {
+    "avmTelemetry": {
+      "condition": "[parameters('enableTelemetry')]",
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2024-03-01",
+      "name": "[format('46d3xbcp.res.maintenance-configurationassignment.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]",
+      "properties": {
+        "mode": "Incremental",
+        "template": {
+          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+          "contentVersion": "1.0.0.0",
+          "resources": [],
+          "outputs": {
+            "telemetry": {
+              "type": "String",
+              "value": "For more information, see https://aka.ms/avm/TelemetryInfo"
+            }
+          }
+        }
+      }
+    },
+    "vm": {
+      "condition": "[not(equals(parameters('resourceId'), null()))]",
+      "existing": true,
+      "type": "Microsoft.Compute/virtualMachines",
+      "apiVersion": "2024-07-01",
+      "name": "[last(split(coalesce(parameters('resourceId'), ''), '/'))]"
+    },
+    "configurationAssignment": {
+      "condition": "[not(equals(parameters('resourceId'), null()))]",
+      "type": "Microsoft.Maintenance/configurationAssignments",
+      "apiVersion": "2023-04-01",
+      "scope": "[format('Microsoft.Compute/virtualMachines/{0}', last(split(coalesce(parameters('resourceId'), ''), '/')))]",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "properties": {
+        "maintenanceConfigurationId": "[parameters('maintenanceConfigurationResourceId')]",
+        "resourceId": "[resourceId('Microsoft.Compute/virtualMachines', last(split(coalesce(parameters('resourceId'), ''), '/')))]"
+      }
+    },
+    "configurationAssignment_dynamic": {
+      "condition": "[equals(parameters('resourceId'), null())]",
+      "type": "Microsoft.Maintenance/configurationAssignments",
+      "apiVersion": "2023-04-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "properties": {
+        "filter": "[parameters('filter')]",
+        "maintenanceConfigurationId": "[parameters('maintenanceConfigurationResourceId')]"
+      }
+    }
+  },
+  "outputs": {
+    "name": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the Maintenance configuration assignment."
+      },
+      "value": "[coalesce(parameters('name'), parameters('name'))]"
+    },
+    "resourceId": {
+      "type": "string",
+      "metadata": {
+        "description": "The resource ID of the Maintenance configuration assignment."
+      },
+      "value": "[coalesce(extensionResourceId(resourceId('Microsoft.Compute/virtualMachines', last(split(coalesce(parameters('resourceId'), ''), '/'))), 'Microsoft.Maintenance/configurationAssignments', parameters('name')), resourceId('Microsoft.Maintenance/configurationAssignments', parameters('name')))]"
+    },
+    "resourceGroupName": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the resource group the Maintenance configuration assignment was created in."
+      },
+      "value": "[resourceGroup().name]"
+    }
+  }
+}
@@ -0,0 +1,50 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Maintenance Configuration to create.')
+param maintenanceConfigurationName string
+
+resource maintenanceConfiguration 'Microsoft.Maintenance/maintenanceConfigurations@2023-10-01-preview' = {
+  name: maintenanceConfigurationName
+  location: location
+  properties: {
+    extensionProperties: {
+      InGuestPatchMode: 'User'
+    }
+    maintenanceScope: 'InGuestPatch'
+    maintenanceWindow: {
+      startDateTime: '2025-01-09 00:00'
+      expirationDateTime: '2026-01-08 00:00'
+      duration: '03:00'
+      timeZone: 'UTC'
+      recurEvery: 'Week'
+    }
+    visibility: 'Custom'
+    installPatches: {
+      rebootSetting: 'AlwaysReboot'
+      windowsParameters: {
+        kbNumbersToExclude: [
+          'KB123456'
+          'KB3654321'
+        ]
+        kbNumbersToInclude: [
+          'KB111111'
+          'KB222222'
+        ]
+        classificationsToInclude: [
+          'Critical'
+          'Security'
+        ]
+      }
+      linuxParameters: {
+        classificationsToInclude: [
+          'Critical'
+          'Security'
+        ]
+      }
+    }
+  }
+}
+
+@description('The resource ID of the maintenance configuration.')
+output maintenanceConfigurationResourceId string = maintenanceConfiguration.id
@@ -0,0 +1,65 @@
+targetScope = 'subscription'
+
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters. This instance uses filters to define a dynamic scope and assign it to the input maintenance configuration. The dynamic scope will be resolved at run time. '
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The location for all resources.')
+param resourceLocation string = deployment().location
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg'
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'mcamin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  params: {
+    maintenanceConfigurationName: 'dep-${namePrefix}-mc-${serviceShort}'
+    location: resourceLocation
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+  for iteration in ['init', 'idem']: {
+    scope: resourceGroup
+    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    params: {
+      name: '${namePrefix}${serviceShort}001'
+      maintenanceConfigurationResourceId: nestedDependencies.outputs.maintenanceConfigurationResourceId
+      filter: {
+        osTypes: [
+          'Linux'
+          'Windows'
+        ]
+        resourceTypes: [
+          'Virtual Machines'
+        ]
+      }
+    }
+  }
+]
@@ -0,0 +1,155 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Maintenance Configuration to create.')
+param maintenanceConfigurationName string
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Virtual Machine to create.')
+param virtualMachineName string
+
+@description('Required. The username to leverage for the VM login.')
+@secure()
+param adminUsername string
+
+@description('Optional. The password to leverage for the VM login.')
+@secure()
+param password string = newGuid()
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+  name: virtualNetworkName
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        addressPrefix
+      ]
+    }
+    subnets: [
+      {
+        name: 'defaultSubnet'
+        properties: {
+          addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+        }
+      }
+    ]
+  }
+}
+
+resource networkInterface 'Microsoft.Network/networkInterfaces@2023-04-01' = {
+  name: '${virtualMachineName}-nic'
+  location: location
+  properties: {
+    ipConfigurations: [
+      {
+        name: 'ipconfig01'
+        properties: {
+          subnet: {
+            id: virtualNetwork.properties.subnets[0].id
+          }
+        }
+      }
+    ]
+  }
+}
+
+resource maintenanceConfiguration 'Microsoft.Maintenance/maintenanceConfigurations@2023-10-01-preview' = {
+  name: maintenanceConfigurationName
+  location: location
+  properties: {
+    extensionProperties: {
+      InGuestPatchMode: 'User'
+    }
+    maintenanceScope: 'InGuestPatch'
+    maintenanceWindow: {
+      startDateTime: '2025-01-09 00:00'
+      expirationDateTime: '2026-01-08 00:00'
+      duration: '03:00'
+      timeZone: 'UTC'
+      recurEvery: 'Week'
+    }
+    visibility: 'Custom'
+    installPatches: {
+      rebootSetting: 'AlwaysReboot'
+      windowsParameters: {
+        kbNumbersToExclude: [
+          'KB123456'
+          'KB3654321'
+        ]
+        kbNumbersToInclude: [
+          'KB111111'
+          'KB222222'
+        ]
+        classificationsToInclude: [
+          'Critical'
+          'Security'
+        ]
+      }
+      linuxParameters: {
+        classificationsToInclude: [
+          'Critical'
+          'Security'
+        ]
+      }
+    }
+  }
+}
+
+resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-07-01' = {
+  name: virtualMachineName
+  location: location
+  properties: {
+    networkProfile: {
+      networkInterfaces: [
+        {
+          id: networkInterface.id
+          properties: {
+            deleteOption: 'Delete'
+            primary: true
+          }
+        }
+      ]
+    }
+    storageProfile: {
+      imageReference: {
+        publisher: 'Canonical'
+        offer: '0001-com-ubuntu-server-jammy'
+        sku: '22_04-lts-gen2'
+        version: 'latest'
+      }
+      osDisk: {
+        deleteOption: 'Delete'
+        createOption: 'FromImage'
+      }
+    }
+    hardwareProfile: {
+      vmSize: 'Standard_B1ms'
+    }
+    osProfile: {
+      adminUsername: adminUsername
+      adminPassword: password
+      computerName: virtualMachineName
+      linuxConfiguration: {
+        disablePasswordAuthentication: false
+        patchSettings: {
+          assessmentMode: 'AutomaticByPlatform'
+          automaticByPlatformSettings: {
+            rebootSetting: 'IfRequired'
+            bypassPlatformSafetyChecksOnUserSchedule: true
+          }
+          patchMode: 'AutomaticByPlatform'
+        }
+      }
+    }
+  }
+}
+
+@description('The resource ID of the maintenance configuration.')
+output maintenanceConfigurationResourceId string = maintenanceConfiguration.id
+
+@description('The resource ID of the created Virtual Machine.')
+output virtualMachineResourceId string = virtualMachine.id
@@ -0,0 +1,60 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. This instance assigns an existing Linux virtual machine to the input maintenance configuration.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg'
+
+@description('Optional. The location for all resources.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'mcawaf'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+  params: {
+    virtualMachineName: 'dep-${namePrefix}-vm-${serviceShort}'
+    adminUsername: 'localAdminUser'
+    virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+    maintenanceConfigurationName: 'dep-${namePrefix}-mc-${serviceShort}'
+    location: resourceLocation
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+  for iteration in ['init', 'idem']: {
+    scope: resourceGroup
+    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    params: {
+      name: '${namePrefix}${serviceShort}001'
+      maintenanceConfigurationResourceId: nestedDependencies.outputs.maintenanceConfigurationResourceId
+      resourceId: nestedDependencies.outputs.virtualMachineResourceId
+    }
+  }
+]
@@ -0,0 +1,50 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Maintenance Configuration to create.')
+param maintenanceConfigurationName string
+
+resource maintenanceConfiguration 'Microsoft.Maintenance/maintenanceConfigurations@2023-10-01-preview' = {
+  name: maintenanceConfigurationName
+  location: location
+  properties: {
+    extensionProperties: {
+      InGuestPatchMode: 'User'
+    }
+    maintenanceScope: 'InGuestPatch'
+    maintenanceWindow: {
+      startDateTime: '2025-01-09 00:00'
+      expirationDateTime: '2026-01-08 00:00'
+      duration: '03:00'
+      timeZone: 'UTC'
+      recurEvery: 'Week'
+    }
+    visibility: 'Custom'
+    installPatches: {
+      rebootSetting: 'AlwaysReboot'
+      windowsParameters: {
+        kbNumbersToExclude: [
+          'KB123456'
+          'KB3654321'
+        ]
+        kbNumbersToInclude: [
+          'KB111111'
+          'KB222222'
+        ]
+        classificationsToInclude: [
+          'Critical'
+          'Security'
+        ]
+      }
+      linuxParameters: {
+        classificationsToInclude: [
+          'Critical'
+          'Security'
+        ]
+      }
+    }
+  }
+}
+
+@description('The resource ID of the maintenance configuration.')
+output maintenanceConfigurationResourceId string = maintenanceConfiguration.id
@@ -0,0 +1,111 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Virtual Machine to create.')
+param virtualMachineName string
+
+@description('Required. The name of the Virtual Machine to create.')
+@maxLength(15)
+param computerName string
+
+@description('Optional. The password to leverage for the VM login.')
+@secure()
+param password string = newGuid()
+
+@description('Required. The username to leverage for the VM login.')
+@secure()
+param adminUsername string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+  name: virtualNetworkName
+  location: location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        addressPrefix
+      ]
+    }
+    subnets: [
+      {
+        name: 'defaultSubnet'
+        properties: {
+          addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+        }
+      }
+    ]
+  }
+}
+
+resource networkInterface 'Microsoft.Network/networkInterfaces@2023-04-01' = {
+  name: '${virtualMachineName}-nic'
+  location: location
+  properties: {
+    ipConfigurations: [
+      {
+        name: 'ipconfig01'
+        properties: {
+          subnet: {
+            id: virtualNetwork.properties.subnets[0].id
+          }
+        }
+      }
+    ]
+  }
+}
+
+resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-07-01' = {
+  name: virtualMachineName
+  location: location
+  properties: {
+    networkProfile: {
+      networkInterfaces: [
+        {
+          id: networkInterface.id
+          properties: {
+            deleteOption: 'Delete'
+            primary: true
+          }
+        }
+      ]
+    }
+    storageProfile: {
+      imageReference: {
+        publisher: 'MicrosoftWindowsServer'
+        offer: 'WindowsServer'
+        sku: '2022-datacenter-azure-edition'
+        version: 'latest'
+      }
+      osDisk: {
+        deleteOption: 'Delete'
+        createOption: 'FromImage'
+      }
+    }
+    hardwareProfile: {
+      vmSize: 'Standard_B1ms'
+    }
+    osProfile: {
+      adminUsername: adminUsername
+      adminPassword: password
+      computerName: computerName
+      windowsConfiguration: {
+        enableAutomaticUpdates: true
+        patchSettings: {
+          assessmentMode: 'AutomaticByPlatform'
+          automaticByPlatformSettings: {
+            rebootSetting: 'IfRequired'
+            bypassPlatformSafetyChecksOnUserSchedule: true
+          }
+          patchMode: 'AutomaticByPlatform'
+        }
+      }
+    }
+  }
+}
+
+@description('The resource ID of the created Virtual Machine.')
+output virtualMachineResourceId string = virtualMachine.id
@@ -0,0 +1,74 @@
+targetScope = 'subscription'
+
+metadata name = 'Multi resource group'
+metadata description = 'This instance deploys the module leveraging virtual machine and maintenance configuration dependencies from two different resource groups. This instance assigns an existing Windows virtual machine to the input maintenance configuration.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg'
+
+@description('Optional. The location for all resources.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'mcamrg'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup_vm 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: resourceLocation
+}
+
+resource resourceGroup_mc 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: '${take(resourceGroupName, 87)}-mc' // Ensure the resource group name is within the 90 character limit
+  location: resourceLocation
+}
+
+module nestedDependencies_vm 'dependencies_vm.bicep' = {
+  scope: resourceGroup_vm
+  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies_vm'
+  params: {
+    virtualMachineName: 'dep-${namePrefix}-vm-${serviceShort}'
+    computerName: 'dep${namePrefix}${serviceShort}'
+    adminUsername: 'localAdminUser'
+    virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+    location: resourceLocation
+  }
+}
+
+module nestedDependencies_mc 'dependencies_mc.bicep' = {
+  scope: resourceGroup_mc
+  name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies_mc'
+  params: {
+    maintenanceConfigurationName: 'dep-${namePrefix}-mc-${serviceShort}'
+    location: resourceLocation
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+  for iteration in ['init', 'idem']: {
+    scope: resourceGroup_vm
+    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    params: {
+      name: '${namePrefix}${serviceShort}001'
+      maintenanceConfigurationResourceId: nestedDependencies_mc.outputs.maintenanceConfigurationResourceId
+      resourceId: nestedDependencies_vm.outputs.virtualMachineResourceId
+    }
+  }
+]
@@ -0,0 +1,7 @@
+{
+  "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+  "version": "0.1",
+  "pathFilters": [
+    "./main.json"
+  ]
+}