diff --git a/README.md b/README.md
index c3b412e..76e3617 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,7 @@ The following resources are used by this module:
- [azapi_resource.bing_grounding](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/resource) (resource)
- [azapi_resource_action.purge_ai_foundry](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/resource_action) (resource)
+- [azurerm_network_security_rule.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) (resource)
- [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
- [azurerm_role_assignment.deployment_user_kv_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
- [azurerm_virtual_hub_connection.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_connection) (resource)
@@ -70,12 +71,40 @@ Description: Configuration object for the Virtual Network (VNet) to be deployed.
- `vnet_resource_id` - Resource ID of the existing Virtual Network to use.
- `firewall_ip_address` - (Optional) IP address of the firewall if a firewall is deployed for use by the BYO vnet. This IP address wlll be used to configure the route table for the subnets when provided. If using a BYO Vnet, the firewall is assumed to be deployed and configured outside of this module.
- `address_space` - (Optional) The address space for the Virtual Network in CIDR notation. Defaults to 192.168.0.0/20 if none provided. Not used when `existing_byo_vnet` is configured.
+- `ipam_pools` - (Optional) List of IPAM pools to associate with the VNet. If present, the address\_space will be ignored and IPAM pools will be used for address allocation.
+ - `id` - The ID of the IPAM pool.
+ - `prefix_length` - The prefix length to request from the IPAM pool.
- `ddos_protection_plan_resource_id` - (Optional) Resource ID of the DDoS Protection Plan to associate with the VNet. This is not used for BYO VNet configurations as that is assumed to be handled outside the module.
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the VNet. If you set a configuration then all diagnostic preset configuration included in the module will be ignored. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `dns_servers` - (Optional) Set of custom DNS server IP addresses for the VNet.
+- `role_assignments` - (Optional) Map of role assignments to create on the VNet. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `role_definition_id_or_name` - The role definition ID or name to assign.
+ - `principal_id` - The principal ID to assign the role to.
+ - `description` - (Optional) Description of the role assignment.
+ - `skip_service_principal_aad_check` - (Optional) Whether to skip AAD check for service principal.
+ - `condition` - (Optional) Condition for the role assignment.
+ - `condition_version` - (Optional) Version of the condition.
+ - `delegated_managed_identity_resource_id` - (Optional) Resource ID of the delegated managed identity.
+ - `principal_type` - (Optional) Type of the principal (User, Group, ServicePrincipal).
- `subnets` - (Optional) Map of subnet configurations that can be used to override the default subnet configurations. The map key must match the desired subnet usage to override the default configuration.
- `enabled` - (Optional) Whether the subnet is enabled. Default is true.
- `name` - (Optional) The name of the subnet. If not provided, a name will be generated.
- `address_prefix` - (Optional) The address prefix for the subnet in CIDR notation.
+ - `ipam_pools` - (Optional) List of IPAM pools to associate with the subnet. If present, the address\_prefix will be ignored and IPAM pools will be used for address allocation.
+ - `pool_id` - The ID of the IPAM pool.
+ - `prefix_length` - The prefix length to request from the IPAM pool.
+- `tags` - (Optional) Map of tags to assign to the VNet.
- `vnet_peering_configuration` - (Optional) Configuration for VNet peering. This is not used for BYO VNet configurations as that is assumed to be handled outside the module.
- `peer_vnet_resource_id` - (Optional) Resource ID of the peer VNet.
- `name` - (Optional) Name of the peering connection.
@@ -102,15 +131,47 @@ object({
firewall_ip_address = optional(string)
}
)), {})
- address_space = optional(string, "192.168.0.0/20")
+ address_space = optional(list(string), ["192.168.0.0/20"])
+ ipam_pools = optional(list(object({
+ id = string
+ prefix_length = string
+ })))
ddos_protection_plan_resource_id = optional(string)
- dns_servers = optional(set(string), [])
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
+ dns_servers = optional(set(string), [])
+ role_assignments = optional(map(object({
+ role_definition_id_or_name = string
+ principal_id = string
+ description = optional(string, null)
+ skip_service_principal_aad_check = optional(bool, false)
+ condition = optional(string, null)
+ condition_version = optional(string, null)
+ delegated_managed_identity_resource_id = optional(string, null)
+ principal_type = optional(string, null)
+ })), {})
subnets = optional(map(object({
enabled = optional(bool, true)
name = optional(string)
address_prefix = optional(string)
+ ipam_pools = optional(list(object({
+ pool_id = string
+ prefix_length = string
+ })))
}
)), {})
+ tags = optional(map(string), {})
vnet_peering_configuration = optional(object({
peer_vnet_resource_id = optional(string)
name = optional(string)
@@ -142,10 +203,21 @@ Description: Configuration object for the Azure AI Foundry deployment (hub, proj
- `create_byor` - (Optional) Whether to create BYOR resources managed by this module. Default is true.
- `purge_on_destroy` - (Optional) Whether to purge soft-delete–capable resources on destroy. Default is false.
-
- `ai_foundry` - (Optional) Azure AI Foundry hub settings.
- `name` - (Optional) Name of the hub. If not provided, a name will be generated.
- `disable_local_auth` - (Optional) Whether to disable local authentication. Default is false.
+ - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the main foundry module and resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `allow_project_management` - (Optional) Whether project management is allowed from the hub. Default is true.
- `create_ai_agent_service` - (Optional) Whether to create the AI Agent service in the hub. Default is false.
- `private_dns_zone_resource_ids` - (Optional) List of private DNS zone resource IDs for hub endpoints. Default is [].
@@ -199,7 +271,18 @@ Description: Configuration object for the Azure AI Foundry deployment (hub, proj
- `existing_resource_id` - (Optional) Resource ID of an existing service to reuse.
- `name` - (Optional) Name of the service if creating new.
- `private_dns_zone_resource_id` - (Optional) Private DNS zone resource ID for the service.
- - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `private_endpoints_manage_dns_zone_group` - (Optional) Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the main foundry module's byor ai\_search resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `sku` - (Optional) Service SKU. Default is "standard".
- `local_authentication_enabled` - (Optional) Whether local auth is enabled. Default is true.
- `partition_count` - (Optional) Number of partitions. Default is 1.
@@ -222,7 +305,18 @@ Description: Configuration object for the Azure AI Foundry deployment (hub, proj
- `cosmosdb_definition` - (Optional) Map defining one or more Azure Cosmos DB accounts.
- `existing_resource_id` - (Optional) Resource ID of an existing account to reuse.
- `private_dns_zone_resource_id` - (Optional) Private DNS zone resource ID.
- - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `private_endpoints_manage_dns_zone_group` - (Optional) Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the foundry module's byor cosmos resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `name` - (Optional) Name of the account if creating new.
- `secondary_regions` - (Optional) List of secondary regions for geo-replication. Default is [].
- `location` - Azure region name for the secondary location.
@@ -271,7 +365,18 @@ Description: Configuration object for the Azure AI Foundry deployment (hub, proj
- `existing_resource_id` - (Optional) Resource ID of an existing vault to reuse.
- `name` - (Optional) Name of the vault if creating new.
- `private_dns_zone_resource_id` - (Optional) Private DNS zone resource ID.
- - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `private_endpoints_manage_dns_zone_group` - (Optional) Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the foundry module's byor key vault resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `sku` - (Optional) Vault SKU. Default is "standard".
- `tenant_id` - (Optional) Tenant ID for the Key Vault.
- `role_assignments` - (Optional) Map of role assignments on the vault.
@@ -285,16 +390,19 @@ Description: Configuration object for the Azure AI Foundry deployment (hub, proj
- `principal_type` - (Optional) Type of the principal (User, Group, ServicePrincipal).
- `tags` - (Optional) Map of tags for the vault.
- - `law_definition` - (Optional) Map defining one or more Log Analytics Workspaces.
- - `existing_resource_id` - (Optional) Resource ID of an existing workspace to reuse.
- - `name` - (Optional) Name of the workspace if creating new.
- - `retention` - (Optional) Data retention in days. Default is 30.
- - `sku` - (Optional) Workspace SKU. Default is "PerGB2018".
- - `tags` - (Optional) Map of tags for the workspace.
-
- `storage_account_definition` - (Optional) Map defining one or more Storage Accounts.
- `existing_resource_id` - (Optional) Resource ID of an existing account to reuse.
- - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the foundry module's byor storage account resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `name` - (Optional) Name of the account if creating new.
- `account_kind` - (Optional) Storage account kind. Default is "StorageV2".
- `account_tier` - (Optional) Storage account tier. Default is "Standard".
@@ -303,6 +411,7 @@ Description: Configuration object for the Azure AI Foundry deployment (hub, proj
- map key - Endpoint name (e.g., `blob`).
- `type` - Endpoint type (e.g., "blob").
- `private_dns_zone_resource_id` - (Optional) Private DNS zone resource ID for the endpoint.
+ - `private_endpoints_manage_dns_zone_group` - (Optional) Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy. Default is true.
- `access_tier` - (Optional) Access tier for the account. Default is "Hot".
- `shared_access_key_enabled` - (Optional) Whether shared access keys are enabled. Default is false.
- `role_assignments` - (Optional) Map of role assignments on the storage account.
@@ -326,8 +435,21 @@ object({
create_byor = optional(bool, true)
purge_on_destroy = optional(bool, false)
ai_foundry = optional(object({
- name = optional(string, null)
- disable_local_auth = optional(bool, false)
+ name = optional(string, null)
+ disable_local_auth = optional(bool, false)
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
allow_project_management = optional(bool, true)
create_ai_agent_service = optional(bool, false)
#network_injections is statically set to vnet/subnet created in the module.
@@ -389,10 +511,22 @@ object({
# Bring Your Own Resources (BYOR) Configuration
# One or more AI search installations.
ai_search_definition = optional(map(object({
- existing_resource_id = optional(string, null)
- name = optional(string)
- private_dns_zone_resource_id = optional(string, null)
- enable_diagnostic_settings = optional(bool, true)
+ existing_resource_id = optional(string, null)
+ name = optional(string)
+ private_dns_zone_resource_id = optional(string, null)
+ private_endpoints_manage_dns_zone_group = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
sku = optional(string, "standard")
local_authentication_enabled = optional(bool, true)
partition_count = optional(number, 1)
@@ -415,10 +549,22 @@ object({
})), {})
cosmosdb_definition = optional(map(object({
- existing_resource_id = optional(string, null)
- private_dns_zone_resource_id = optional(string, null)
- enable_diagnostic_settings = optional(bool, true)
- name = optional(string)
+ existing_resource_id = optional(string, null)
+ private_dns_zone_resource_id = optional(string, null)
+ private_endpoints_manage_dns_zone_group = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
+ name = optional(string)
secondary_regions = optional(list(object({
location = string
zone_redundant = optional(bool, true)
@@ -472,12 +618,24 @@ object({
})), {})
key_vault_definition = optional(map(object({
- existing_resource_id = optional(string, null)
- name = optional(string)
- private_dns_zone_resource_id = optional(string, null)
- enable_diagnostic_settings = optional(bool, true)
- sku = optional(string, "standard")
- tenant_id = optional(string)
+ existing_resource_id = optional(string, null)
+ name = optional(string)
+ private_dns_zone_resource_id = optional(string, null)
+ private_endpoints_manage_dns_zone_group = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
+ sku = optional(string, "standard")
+ tenant_id = optional(string)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
@@ -491,24 +649,28 @@ object({
tags = optional(map(string), {})
})), {})
- law_definition = optional(map(object({
- existing_resource_id = optional(string)
- name = optional(string)
- retention = optional(number, 30)
- sku = optional(string, "PerGB2018")
- tags = optional(map(string), {})
- })), {})
-
storage_account_definition = optional(map(object({
- existing_resource_id = optional(string, null)
- enable_diagnostic_settings = optional(bool, true)
- name = optional(string, null)
- account_kind = optional(string, "StorageV2")
- account_tier = optional(string, "Standard")
- account_replication_type = optional(string, "ZRS")
+ existing_resource_id = optional(string, null)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
+ name = optional(string, null)
+ account_kind = optional(string, "StorageV2")
+ account_tier = optional(string, "Standard")
+ account_replication_type = optional(string, "ZRS")
endpoints = optional(map(object({
- type = string
- private_dns_zone_resource_id = optional(string, null)
+ type = string
+ private_dns_zone_resource_id = optional(string, null)
+ private_endpoints_manage_dns_zone_group = optional(bool, true)
})), {
blob = {
type = "blob"
@@ -554,6 +716,18 @@ Description: Configuration object for the Azure API Management service to be dep
- `store_name` - The certificate store name (e.g., "CertificateAuthority", "Root").
- `certificate_password` - (Optional) The password for the certificate.
- `client_certificate_enabled` - (Optional) Whether client certificate authentication is enabled. Default is false.
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the API Management service. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `hostname_configuration` - (Optional) Hostname configuration for different endpoints.
- `management` - (Optional) List of custom hostnames for the management endpoint.
- `portal` - (Optional) List of custom hostnames for the developer portal endpoint.
@@ -568,6 +742,9 @@ Description: Configuration object for the Azure API Management service to be dep
- `negotiate_client_certificate` - (Optional) Whether to negotiate client certificates.
- `ssl_keyvault_identity_client_id` - (Optional) Client ID of the user-assigned managed identity for Key Vault access.
- `default_ssl_binding` - (Optional, proxy only) Whether this is the default SSL binding.
+- `managed_identities` - (Optional) Managed identities configuration.
+ - `system_assigned` - (Optional) Whether to enable system-assigned managed identity. Default is false.
+ - `user_assigned_resource_ids` - (Optional) Set of user-assigned managed identity resource IDs.
- `min_api_version` - (Optional) The minimum API version that the API Management service will accept.
- `notification_sender_email` - (Optional) Email address from which notifications will be sent.
- `protocols` - (Optional) Protocol configuration.
@@ -619,6 +796,19 @@ object({
certificate_password = optional(string, null)
})), [])
client_certificate_enabled = optional(bool, false)
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
hostname_configuration = optional(object({
management = optional(list(object({
host_name = string
@@ -662,6 +852,10 @@ object({
ssl_keyvault_identity_client_id = optional(string, null)
})), [])
}), null)
+ managed_identities = optional(object({
+ system_assigned = optional(bool, false)
+ user_assigned_resource_ids = optional(set(string), [])
+ }))
min_api_version = optional(string)
notification_sender_email = optional(string, null)
protocols = optional(object({
@@ -819,6 +1013,18 @@ Description: Configuration object for the Azure Application Gateway to be deploy
- `default_backend_address_pool_name` - (Optional) Default backend address pool name.
- `path_rules` - Map of path-based routing rules.
- `tags` - (Optional) Map of tags to assign to the Application Gateway.
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the Application Gateway. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `role_assignments` - (Optional) Map of role assignments to create on the Application Gateway. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- `role_definition_id_or_name` - The role definition ID or name to assign.
- `principal_id` - The principal ID to assign the role to.
@@ -1020,7 +1226,20 @@ object({
}))
})), null)
- tags = optional(map(string), {})
+ tags = optional(map(string), {})
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
@@ -1093,6 +1312,17 @@ Description: Configuration object for the Container App Environment to be create
- `deploy` - (Optional) Whether to deploy the Container App Environment. Default is true.
- `name` - (Optional) The name of the Container App Environment. If not provided, a name will be generated.
- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the Container App Environment. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `tags` - (Optional) Map of tags to assign to the Container App Environment.
- `internal_load_balancer_enabled` - (Optional) Whether the load balancer is internal. Default is true.
- `log_analytics_workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace for logging.
@@ -1120,9 +1350,21 @@ Type:
```hcl
object({
- deploy = optional(bool, true)
- name = optional(string)
- enable_diagnostic_settings = optional(bool, true)
+ deploy = optional(bool, true)
+ name = optional(string)
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
tags = optional(map(string), {})
internal_load_balancer_enabled = optional(bool, true)
log_analytics_workspace_resource_id = optional(string)
@@ -1177,6 +1419,27 @@ Description: Configuration object for the Azure Firewall to be deployed.
- `sku` - (Optional) The SKU of the Azure Firewall. Default is "AZFW\_VNet".
- `tier` - (Optional) The tier of the Azure Firewall. Default is "Standard".
- `zones` - (Optional) List of availability zones for the Azure Firewall. Default is ["1", "2", "3"].
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the Azure Firewall. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
+- `role_assignments` - (Optional) Map of role assignments to create on the Azure Firewall. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `role_definition_id_or_name` - The role definition ID or name to assign.
+ - `principal_id` - The principal ID to assign the role to.
+ - `description` - (Optional) Description of the role assignment.
+ - `skip_service_principal_aad_check` - (Optional) Whether to skip AAD check for service principal.
+ - `condition` - (Optional) Condition for the role assignment.
+ - `condition_version` - (Optional) Version of the condition.
+ - `delegated_managed_identity_resource_id` - (Optional) Resource ID of the delegated managed identity.
+ - `principal_type` - (Optional) Type of the principal (User, Group, ServicePrincipal).
- `tags` - (Optional) Map of tags to assign to the Azure Firewall.
- `resource_group_name` - (Optional) The name of the resource group to deploy the Azure Firewall into. If not provided, the module's resource group will be used.
@@ -1184,11 +1447,34 @@ Type:
```hcl
object({
- deploy = optional(bool, true)
- name = optional(string)
- sku = optional(string, "AZFW_VNet")
- tier = optional(string, "Standard")
- zones = optional(list(string), ["1", "2", "3"])
+ deploy = optional(bool, true)
+ name = optional(string)
+ sku = optional(string, "AZFW_VNet")
+ tier = optional(string, "Standard")
+ zones = optional(list(string), ["1", "2", "3"])
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
+ role_assignments = optional(map(object({
+ role_definition_id_or_name = string
+ principal_id = string
+ description = optional(string, null)
+ skip_service_principal_aad_check = optional(bool, false)
+ condition = optional(string, null)
+ condition_version = optional(string, null)
+ delegated_managed_identity_resource_id = optional(string, null)
+ principal_type = optional(string, null)
+ })), {})
tags = optional(map(string), {})
resource_group_name = optional(string)
})
@@ -1264,6 +1550,18 @@ Description: Configuration object for the Azure App Configuration service to be
- `condition_version` - (Optional) Version of the condition.
- `delegated_managed_identity_resource_id` - (Optional) Resource ID of the delegated managed identity.
- `principal_type` - (Optional) Type of the principal (User, Group, ServicePrincipal).
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the App Configuration store. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
Type:
@@ -1290,6 +1588,19 @@ object({
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
})
```
@@ -1304,6 +1615,18 @@ Description: Configuration object for the Azure Container Registry to be created
- `sku` - (Optional) The SKU of the Container Registry. Default is "Premium".
- `zone_redundancy_enabled` - (Optional) Whether zone redundancy is enabled. Default is true.
- `public_network_access_enabled` - (Optional) Whether public network access is enabled. Default is false.
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the Container Registry. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `tags` - (Optional) Map of tags to assign to the Container Registry.
- `role_assignments` - (Optional) Map of role assignments to create on the Container Registry. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- `role_definition_id_or_name` - The role definition ID or name to assign.
@@ -1325,7 +1648,19 @@ object({
zone_redundancy_enabled = optional(bool, true)
public_network_access_enabled = optional(bool, false)
enable_diagnostic_settings = optional(bool, true)
- tags = optional(map(string), {})
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
+ tags = optional(map(string), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
@@ -1347,13 +1682,25 @@ Description: Configuration object for the Azure Cosmos DB account to be created
- `deploy` - (Optional) Whether to deploy the Cosmos DB account. Default is true.
- `name` - (Optional) The name of the Cosmos DB account. If not provided, a name will be generated.
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the Cosmos DB account. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `secondary_regions` - (Optional) List of secondary regions for geo-replication.
- `location` - The Azure region for the secondary location.
- `zone_redundant` - (Optional) Whether zone redundancy is enabled for the secondary region. Default is true.
- `failover_priority` - (Optional) The failover priority for the secondary region. Default is 0.
- `public_network_access_enabled` - (Optional) Whether public network access is enabled. Default is false.
- `analytical_storage_enabled` - (Optional) Whether analytical storage is enabled. Default is true.
-- `automatic_failover_enabled` - (Optional) Whether automatic failover is enabled. Default is false.
+- `automatic_failover_enabled` - (Optional) Whether automatic failover is enabled. Default is true.
- `local_authentication_disabled` - (Optional) Whether local authentication is disabled. Default is true.
- `partition_merge_enabled` - (Optional) Whether partition merge is enabled. Default is false.
- `multiple_write_locations_enabled` - (Optional) Whether multiple write locations are enabled. Default is false.
@@ -1387,6 +1734,18 @@ object({
deploy = optional(bool, true)
name = optional(string)
enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
secondary_regions = optional(list(object({
location = string
zone_redundant = optional(bool, true)
@@ -1444,6 +1803,18 @@ Description: Configuration object for the Azure Key Vault to be created for GenA
- `public_network_access_enabled` - (Optional) Whether public network access is enabled. Default is false.
- `sku` - (Optional) The SKU of the Key Vault. Default is "standard".
- `tenant_id` - (Optional) The tenant ID for the Key Vault. If not provided, the current tenant will be used.
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `role_assignments` - (Optional) Map of role assignments to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- `role_definition_id_or_name` - The role definition ID or name to assign.
- `principal_id` - The principal ID to assign the role to.
@@ -1469,6 +1840,19 @@ object({
public_network_access_enabled = optional(bool, false)
sku = optional(string, "standard")
tenant_id = optional(string)
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
@@ -1491,6 +1875,18 @@ Description: Configuration object for the Azure Storage Account to be created fo
- `deploy` - (Optional) Whether to deploy the Storage Account. Default is true.
- `name` - (Optional) The name of the Storage Account. If not provided, a name will be generated.
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the Storage Account. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `account_kind` - (Optional) The kind of storage account. Default is "StorageV2".
- `account_tier` - (Optional) The performance tier of the storage account. Default is "Standard".
- `account_replication_type` - (Optional) The replication type for the storage account. Default is "GRS".
@@ -1513,9 +1909,21 @@ Type:
```hcl
object({
- deploy = optional(bool, true)
- name = optional(string)
- enable_diagnostic_settings = optional(bool, true)
+ deploy = optional(bool, true)
+ name = optional(string)
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
account_kind = optional(string, "StorageV2")
account_tier = optional(string, "Standard")
account_replication_type = optional(string, "GRS")
@@ -1546,6 +1954,7 @@ Default: `{}`
Description: Configuration object for the Jump VM to be created for managing the implementation services.
+- `deploy` - (Optional) Whether to deploy the Jump VM. Default is true.
- `name` - (Optional) The name of the Jump VM. If not provided, a name will be generated.
- `sku` - (Optional) The VM size/SKU for the Jump VM. Default is "Standard\_B2s".
- `tags` - (Optional) Map of tags to assign to the Jump VM.
@@ -1571,6 +1980,18 @@ Description: Configuration object for the Azure AI Search service to be created
- `deploy` - (Optional) Deploy the AI Search service. Default is true.
- `name` - (Optional) The name of the AI Search service. If not provided, a name will be generated.
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the AI Search service. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `sku` - (Optional) The SKU of the AI Search service. Default is "standard".
- `local_authentication_enabled` - (Optional) Whether local authentication is enabled. Default is true.
- `partition_count` - (Optional) The number of partitions for the search service. Default is 1.
@@ -1593,9 +2014,21 @@ Type:
```hcl
object({
- deploy = optional(bool, true)
- name = optional(string)
- enable_diagnostic_settings = optional(bool, true)
+ deploy = optional(bool, true)
+ name = optional(string)
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
sku = optional(string, "standard")
local_authentication_enabled = optional(bool, true)
partition_count = optional(number, 1)
@@ -1643,8 +2076,8 @@ Default: `{}`
### [law\_definition](#input\_law\_definition)
-Description: Configuration object for the Log Analytics Workspace to be created for monitoring and logging.
-
+Description: Configuration object for the Log Analytics Workspace to be created for monitoring and logging. If no resource\_id is provided, and deploy is set to false, then each resource will default to not including diagnostic settings unless an explicit diagnostic\_setting value is provided for that resource. Explicitly set resource diagnostic\_settings values will always be preferred.
+- `deploy` - (Optional) Boolean to indicate whether to deploy a new Log Analytics Workspace if no resource\_id is provided. Default is true.
- `resource_id` - (Optional) The resource ID of an existing Log Analytics Workspace to use. If provided, the workspace will not be created and the other inputs will be ignored.
- `name` - (Optional) The name of the Log Analytics Workspace. If not provided, a name will be generated.
- `retention` - (Optional) The data retention period in days for the workspace. Default is 30.
@@ -1655,6 +2088,7 @@ Type:
```hcl
object({
+ deploy = optional(bool, true)
resource_id = optional(string)
name = optional(string)
retention = optional(number, 30)
@@ -1743,6 +2177,7 @@ Default: `{}`
Description: Configuration object for Private DNS Zones and their network links.
+- `azure_policy_pe_zone_linking_enabled` - (Optional) Whether Azure Policy is used to enable private endpoint dns zone linking when using a platform landing zone (platform landing zone flag = true). Default is true.
- `existing_zones_resource_group_resource_id` - (Optional) Resource group resource id where existing Private DNS Zones are located.
- `allow_internet_resolution_fallback` - (Optional) Whether to allow fallback to internet resolution for Private DNS Zone network links. Default is false.
- `network_links` - (Optional) Map of network links to create for Private DNS Zones. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
@@ -1754,6 +2189,7 @@ Type:
```hcl
object({
+ azure_policy_pe_zone_linking_enabled = optional(bool, true)
existing_zones_resource_group_resource_id = optional(string)
allow_internet_resolution_fallback = optional(bool, false)
network_links = optional(map(object({
@@ -1885,6 +2321,10 @@ Default: `{}`
The following outputs are exported:
+### [log\_analytics\_workspace\_id](#output\_log\_analytics\_workspace\_id)
+
+Description: The ID of the Log Analytics Workspace used for monitoring.
+
### [resource\_id](#output\_resource\_id)
Description: Future resource ID output for the LZA.
@@ -1893,6 +2333,10 @@ Description: Future resource ID output for the LZA.
Description: A map of the deployed subnets in the AI PTN LZA.
+### [virtual\_network](#output\_virtual\_network)
+
+Description: The deployed virtual network in the AI PTN LZA.
+
## Modules
The following Modules are called:
@@ -1901,7 +2345,7 @@ The following Modules are called:
Source: Azure/avm-res-network-virtualnetwork/azurerm
-Version: =0.16.0
+Version: 0.16.0
### [apim](#module\_apim)
@@ -2003,7 +2447,7 @@ Version: 0.4.1
Source: Azure/avm-ptn-aiml-ai-foundry/azurerm
-Version: 0.8.0
+Version: 0.10.0
### [fw\_pip](#module\_fw\_pip)
diff --git a/avm b/avm
index 5764643..567d8df 100755
--- a/avm
+++ b/avm
@@ -48,6 +48,15 @@ if [ -d "${AZURE_CONFIG_DIR}" ]; then
AZURE_CONFIG_MOUNT="-v ${AZURE_CONFIG_DIR}:/home/runtimeuser/.azure"
fi
+# Check if AVM_TMP_DIR is set, if so mount it to /tmp
+if [ -z "${AVM_TMP_DIR}" ] && [ -n "${RUNNER_TEMP}" ]; then
+ AVM_TMP_DIR="${RUNNER_TEMP}"
+fi
+
+if [ -n "${AVM_TMP_DIR}" ]; then
+ TMP_MOUNT="-v ${AVM_TMP_DIR}:/tmp"
+fi
+
# If the host Docker socket exists, mount it into the container so the container can talk to the host docker daemon
if [ -S /var/run/docker.sock ]; then
DOCKER_SOCK_MOUNT="-v /var/run/docker.sock:/var/run/docker.sock"
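Review bot: `AVM_TMP_DIR` is bind-mounted on the `if [ -n "${AVM_TMP_DIR}" ]` line without checking that the path exists, unlike the `[ -d "${AZURE_CONFIG_DIR}" ]` guard this hunk sits under; with the `-v host:container` form Docker creates a missing host path itself (root-owned), so a mistyped or stale `RUNNER_TEMP` is never noticed. Making the condition `if [ -n "${AVM_TMP_DIR}" ] && [ -d "${AVM_TMP_DIR}" ]; then` keeps it consistent with the other mounts. Since the mount replaces the container's whole `/tmp`, everything the tooling writes to its temp directory now persists on the host (on a CI runner, inside `RUNNER_TEMP`) after the run; a comment such as `# NOTE: the container's /tmp is backed by the host directory, so temp files outlive the container` would make that visible to operators, and mounting a dedicated subdirectory instead of the runner's whole temp tree would narrow what is shared if the consumers only need a scratch path.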
@@ -87,6 +96,19 @@ if [ -n "${AVM_PORCH_BASE_URL}" ]; then
PORCH_BASE_URL_MAKE_ADD="PORCH_BASE_URL=${AVM_PORCH_BASE_URL}"
fi
+# Get the repo specific environment variables from avm.config if it exists
+LOCAL_ENVIRONMENT_VARIABLES=""
+if [ -f "avm.config.json" ]; then
+ declare -A variables
+ eval "$(cat "avm.config.json" | jq -r 'to_entries[] | @sh "variables[\(.key|tostring)]=\(.value|tostring)"')"
+
+ for key in "${!variables[@]}"; do
+ export "$key"="${variables[$key]}"
+ LOCAL_ENVIRONMENT_VARIABLES="${LOCAL_ENVIRONMENT_VARIABLES}-e $key "
+ echo "Set environment variable: $key"="${variables[$key]}"
+ done
+fi
+
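Review bot: Keys read from `avm.config.json` are handed to `export "$key"=…` and appended to the unquoted `-e $key` list without being validated as environment-variable names, so a key such as `PATH` silently rewrites the wrapper's own environment, and a key containing whitespace or `=` yields a malformed `-e` argument once `${LOCAL_ENVIRONMENT_VARIABLES}` is word-split at the docker invocation in the later hunk. jq's `@sh` quoting does protect the values that go through `eval`, so the gap is what gets exported, not shell injection. The `echo` on the last loop line also prints every value to stdout, which lands in CI logs if the file ever carries anything sensitive; logging the name is enough. `declare -A` requires bash 4 or newer, which the script does not check (macOS still ships 3.2), so a comment or an explicit `BASH_VERSINFO` guard above the block would save a confusing failure. A validated loop that logs only the name:
```shell
  for key in "${!variables[@]}"; do
    # Accept only valid identifier names so a bad key cannot clobber PATH-like
    # variables or break the "-e $key" list that is word-split at the docker call.
    if ! [[ "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
      echo "avm.config.json: skipping invalid environment variable name '$key'" >&2
      continue
    fi
    export "$key=${variables[$key]}"
    LOCAL_ENVIRONMENT_VARIABLES="${LOCAL_ENVIRONMENT_VARIABLES}-e $key "
    # Log the name only; values may be sensitive and end up in CI output.
    echo "Set environment variable: $key"
  done
```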
# Check if we are running in a container
# If we are then just run make directly
if [ -z "${AVM_IN_CONTAINER}" ]; then
@@ -99,6 +121,7 @@ if [ -z "${AVM_IN_CONTAINER}" ]; then
${AZURE_CONFIG_MOUNT:-} \
${DOCKER_SOCK_MOUNT:-} \
${SSL_CERT_MOUNTS:-} \
+ ${TMP_MOUNT:-} \
-e ARM_CLIENT_ID \
-e ARM_OIDC_REQUEST_TOKEN \
-e ARM_OIDC_REQUEST_URL \
@@ -110,11 +133,13 @@ if [ -z "${AVM_IN_CONTAINER}" ]; then
-e NO_COLOR \
-e PORCH_LOG_LEVEL \
-e TF_IN_AUTOMATION=1 \
+ ${LOCAL_ENVIRONMENT_VARIABLES} \
--env-file <(env | grep '^TF_VAR_') \
--env-file <(env | grep '^AVM_') \
"${CONTAINER_IMAGE}" \
make \
TUI="${TUI}" \
+ AVM_PORCH_STDOUT="${AVM_PORCH_STDOUT}" \
AVM_MAKEFILE_REF="${AVM_MAKEFILE_REF}" \
"${PORCH_BASE_URL_MAKE_ADD}" \
AVM_PORCH_REF="${AVM_PORCH_REF}" \
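Review bot: `AVM_PORCH_STDOUT="${AVM_PORCH_STDOUT}"` is passed to `make` unconditionally, so when the variable is unset the container receives an empty command-line override, and a make command-line variable takes precedence over any default the Makefile assigns; the avm.ps1 counterpart (its later hunk) only appends the argument when `$env:AVM_PORCH_STDOUT` is set, so the two wrappers behave differently. Following the style already used for `${TMP_MOUNT:-}`, `${AVM_PORCH_STDOUT:+AVM_PORCH_STDOUT=${AVM_PORCH_STDOUT}} \` passes the override only when a value exists. The variable is also forwarded by `--env-file <(env | grep '^AVM_')` two lines above, so the explicit make argument appears only necessary if the Makefile reads it as a make variable rather than from the environment — worth a one-line comment either way. The enclosing `if [ -z "${AVM_IN_CONTAINER}" ]` block starts and ends outside this hunk.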
diff --git a/avm.ps1 b/avm.ps1
index 91a2a87..f51ae27 100644
--- a/avm.ps1
+++ b/avm.ps1
@@ -130,6 +130,7 @@ if (-not $env:AVM_IN_CONTAINER) {
"MPTF_URL",
"NO_COLOR",
"PORCH_LOG_LEVEL",
+ "AVM_PORCH_STDOUT",
"TEST_TYPE",
"TFLINT_CONFIG_URL"
)
@@ -154,6 +155,16 @@ if (-not $env:AVM_IN_CONTAINER) {
$dockerArgs += @("-e", "$($_.Name)=$($_.Value)")
}
+ # Add local environment variables from avm.config.json
+ if (Test-Path "avm.config.json") {
+ $jsonContent = Get-Content "avm.config.json" -Raw | ConvertFrom-Json -AsHashtable
+
+ foreach ($key in $jsonContent.Keys) {
+ [System.Environment]::SetEnvironmentVariable($key, $jsonContent[$key])
+ $dockerArgs += @("-e", "$key")
+ }
+ }
+
$dockerArgs += $CONTAINER_IMAGE
$dockerArgs += "make"
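Review bot: The `foreach ($key in $jsonContent.Keys)` loop sets and forwards every key from `avm.config.json` without validating it as an environment-variable name, the same gap as in the bash wrapper's corresponding hunk; adding `if ($key -notmatch '^[A-Za-z_][A-Za-z0-9_]*$') { Write-Warning "avm.config.json: skipping invalid variable name '$key'"; continue }` before the `SetEnvironmentVariable` call keeps the two wrappers consistent. `ConvertFrom-Json -AsHashtable` only exists in PowerShell 6+, so the block fails on Windows PowerShell 5.1; a `#Requires -Version 7` or a comment at the top of the script would make that expectation explicit. `SetEnvironmentVariable` expects a string and removes the variable when the value is `$null`, so a JSON `null`, nested object or non-string value is presumably not what the author intends — worth either stringifying deliberately (`[string]$jsonContent[$key]`) or documenting that values must be strings. The enclosing `if (-not $env:AVM_IN_CONTAINER)` block starts and ends outside this hunk.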
@@ -161,6 +172,10 @@ if (-not $env:AVM_IN_CONTAINER) {
$dockerArgs += "TUI=$TUI"
}
+ if($env:AVM_PORCH_STDOUT) {
+ $dockerArgs += "AVM_PORCH_STDOUT=$($env:AVM_PORCH_STDOUT)"
+ }
+
$dockerArgs += "MAKEFILE_REF=$MAKEFILE_REF"
if ($PORCH_BASE_URL_MAKE_ADD) {
diff --git a/examples/default-byo-vnet/README.md b/examples/default-byo-vnet/README.md
index d167319..e07fbbd 100644
--- a/examples/default-byo-vnet/README.md
+++ b/examples/default-byo-vnet/README.md
@@ -140,7 +140,8 @@ module "test" {
ai_foundry_definition = {
purge_on_destroy = true
ai_foundry = {
- create_ai_agent_service = true
+ create_ai_agent_service = true
+ enable_diagnostic_settings = false
}
ai_model_deployments = {
"gpt-4o" = {
@@ -175,25 +176,21 @@ module "test" {
}
ai_search_definition = {
this = {
- enable_diagnostic_settings = false
}
}
cosmosdb_definition = {
this = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+ consistency_level = "Session"
}
}
key_vault_definition = {
this = {
- enable_diagnostic_settings = false
}
}
storage_account_definition = {
this = {
- enable_diagnostic_settings = false
- shared_access_key_enabled = true #configured for testing
+ shared_access_key_enabled = true #configured for testing
endpoints = {
blob = {
type = "blob"
@@ -249,11 +246,14 @@ module "test" {
}
enable_telemetry = var.enable_telemetry
flag_platform_landing_zone = false
+ genai_app_configuration_definition = {
+ enable_diagnostic_settings = false
+ }
genai_container_registry_definition = {
enable_diagnostic_settings = false
}
genai_cosmosdb_definition = {
- enable_diagnostic_settings = false
+ consistency_level = "Session"
}
genai_key_vault_definition = {
#this is for AVM testing purposes only. Doing this as we don't have an easy for the test runner to be privately connected for testing.
@@ -264,7 +264,6 @@ module "test" {
}
}
genai_storage_account_definition = {
- enable_diagnostic_settings = false
}
ks_ai_search_definition = {
enable_diagnostic_settings = false
diff --git a/examples/default-byo-vnet/main.tf b/examples/default-byo-vnet/main.tf
index e2ab4bf..ec78a0d 100644
--- a/examples/default-byo-vnet/main.tf
+++ b/examples/default-byo-vnet/main.tf
@@ -133,7 +133,8 @@ module "test" {
ai_foundry_definition = {
purge_on_destroy = true
ai_foundry = {
- create_ai_agent_service = true
+ create_ai_agent_service = true
+ enable_diagnostic_settings = false
}
ai_model_deployments = {
"gpt-4o" = {
@@ -168,25 +169,21 @@ module "test" {
}
ai_search_definition = {
this = {
- enable_diagnostic_settings = false
}
}
cosmosdb_definition = {
this = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+ consistency_level = "Session"
}
}
key_vault_definition = {
this = {
- enable_diagnostic_settings = false
}
}
storage_account_definition = {
this = {
- enable_diagnostic_settings = false
- shared_access_key_enabled = true #configured for testing
+ shared_access_key_enabled = true #configured for testing
endpoints = {
blob = {
type = "blob"
@@ -242,11 +239,14 @@ module "test" {
}
enable_telemetry = var.enable_telemetry
flag_platform_landing_zone = false
+ genai_app_configuration_definition = {
+ enable_diagnostic_settings = false
+ }
genai_container_registry_definition = {
enable_diagnostic_settings = false
}
genai_cosmosdb_definition = {
- enable_diagnostic_settings = false
+ consistency_level = "Session"
}
genai_key_vault_definition = {
#this is for AVM testing purposes only. Doing this as we don't have an easy for the test runner to be privately connected for testing.
@@ -257,7 +257,6 @@ module "test" {
}
}
genai_storage_account_definition = {
- enable_diagnostic_settings = false
}
ks_ai_search_definition = {
enable_diagnostic_settings = false
diff --git a/examples/default/README.md b/examples/default/README.md
index dc8607f..0e7fa0c 100644
--- a/examples/default/README.md
+++ b/examples/default/README.md
@@ -94,7 +94,7 @@ module "test" {
resource_group_name = "ai-lz-rg-default-${substr(module.naming.unique-seed, 0, 5)}"
vnet_definition = {
name = "ai-lz-vnet-default"
- address_space = "192.168.0.0/23" # has to be out of 192.168.0.0/16 currently. Other RFC1918 not supported for foundry capabilityHost injection.
+ address_space = ["192.168.0.0/23"] # has to be out of 192.168.0.0/16 currently. Other RFC1918 not supported for foundry capabilityHost injection.
dns_servers = [for key, value in module.example_hub.dns_resolver_inbound_ip_addresses : value] # Use the DNS resolver IPs from the example hub
hub_vnet_peering_definition = {
peer_vnet_resource_id = module.example_hub.virtual_network_resource_id
@@ -104,7 +104,8 @@ module "test" {
ai_foundry_definition = {
purge_on_destroy = true
ai_foundry = {
- create_ai_agent_service = true
+ create_ai_agent_service = true
+ enable_diagnostic_settings = false
}
ai_model_deployments = {
"gpt-4o" = {
@@ -139,25 +140,21 @@ module "test" {
}
ai_search_definition = {
this = {
- enable_diagnostic_settings = false
}
}
cosmosdb_definition = {
this = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+ consistency_level = "Session"
}
}
key_vault_definition = {
this = {
- enable_diagnostic_settings = false
}
}
storage_account_definition = {
this = {
- enable_diagnostic_settings = false
- shared_access_key_enabled = true #configured for testing
+ shared_access_key_enabled = true #configured for testing
endpoints = {
blob = {
type = "blob"
@@ -207,21 +204,22 @@ module "test" {
}
}
bastion_definition = {
+
}
container_app_environment_definition = {
enable_diagnostic_settings = false
}
enable_telemetry = var.enable_telemetry
flag_platform_landing_zone = false
- # Note: When flag_platform_landing_zone = true, you can enable direct internet routing
- # for Azure Application Gateway v2 compatibility by setting:
- # use_internet_routing = true
+ genai_app_configuration_definition = {
+ enable_diagnostic_settings = false
+ }
genai_container_registry_definition = {
enable_diagnostic_settings = false
}
genai_cosmosdb_definition = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+
+ consistency_level = "Session"
}
genai_key_vault_definition = {
public_network_access_enabled = true # configured for testing
@@ -231,16 +229,15 @@ module "test" {
}
}
genai_storage_account_definition = {
- enable_diagnostic_settings = false
}
ks_ai_search_definition = {
enable_diagnostic_settings = false
}
private_dns_zones = {
+ azure_policy_pe_zone_linking_enabled = true
existing_zones_resource_group_resource_id = module.example_hub.resource_group_resource_id
}
}
-
```
diff --git a/examples/default/main.tf b/examples/default/main.tf
index ed827ee..8b04e12 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -87,7 +87,7 @@ module "test" {
resource_group_name = "ai-lz-rg-default-${substr(module.naming.unique-seed, 0, 5)}"
vnet_definition = {
name = "ai-lz-vnet-default"
- address_space = "192.168.0.0/23" # has to be out of 192.168.0.0/16 currently. Other RFC1918 not supported for foundry capabilityHost injection.
+ address_space = ["192.168.0.0/23"] # has to be out of 192.168.0.0/16 currently. Other RFC1918 not supported for foundry capabilityHost injection.
dns_servers = [for key, value in module.example_hub.dns_resolver_inbound_ip_addresses : value] # Use the DNS resolver IPs from the example hub
hub_vnet_peering_definition = {
peer_vnet_resource_id = module.example_hub.virtual_network_resource_id
@@ -97,7 +97,8 @@ module "test" {
ai_foundry_definition = {
purge_on_destroy = true
ai_foundry = {
- create_ai_agent_service = true
+ create_ai_agent_service = true
+ enable_diagnostic_settings = false
}
ai_model_deployments = {
"gpt-4o" = {
@@ -132,25 +133,21 @@ module "test" {
}
ai_search_definition = {
this = {
- enable_diagnostic_settings = false
}
}
cosmosdb_definition = {
this = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+ consistency_level = "Session"
}
}
key_vault_definition = {
this = {
- enable_diagnostic_settings = false
}
}
storage_account_definition = {
this = {
- enable_diagnostic_settings = false
- shared_access_key_enabled = true #configured for testing
+ shared_access_key_enabled = true #configured for testing
endpoints = {
blob = {
type = "blob"
@@ -200,21 +197,22 @@ module "test" {
}
}
bastion_definition = {
+
}
container_app_environment_definition = {
enable_diagnostic_settings = false
}
enable_telemetry = var.enable_telemetry
flag_platform_landing_zone = false
- # Note: When flag_platform_landing_zone = true, you can enable direct internet routing
- # for Azure Application Gateway v2 compatibility by setting:
- # use_internet_routing = true
+ genai_app_configuration_definition = {
+ enable_diagnostic_settings = false
+ }
genai_container_registry_definition = {
enable_diagnostic_settings = false
}
genai_cosmosdb_definition = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+
+ consistency_level = "Session"
}
genai_key_vault_definition = {
public_network_access_enabled = true # configured for testing
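Review bot: The rewritten `bastion_definition = {` and `genai_cosmosdb_definition = {` blocks now each contain a stray blank line (the added empty `+` lines), which reads as an unfinished edit; `bastion_definition = {}` and dropping the empty line before `consistency_level` would be tidier. The hunk also deletes the comment documenting `use_internet_routing`, and the same two edits appear in the standalone example further down; if that input still exists on the module, this example loses its only mention of it, and if it was removed, a short note in the changelog would help readers who copied the old snippet. The `module "test"` block starts and ends outside this hunk.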
@@ -224,13 +222,12 @@ module "test" {
}
}
genai_storage_account_definition = {
- enable_diagnostic_settings = false
}
ks_ai_search_definition = {
enable_diagnostic_settings = false
}
private_dns_zones = {
+ azure_policy_pe_zone_linking_enabled = true
existing_zones_resource_group_resource_id = module.example_hub.resource_group_resource_id
}
}
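Review bot: `azure_policy_pe_zone_linking_enabled = true` is added to the example without any explanation, yet per the locals changes in this commit it drops the private DNS zone group from every private endpoint and leaves registration to an Azure Policy assignment that must already exist in the subscription running the example. Without that policy the endpoints resolve to their public addresses, and since this example also sets `public_network_access_enabled = true` on the Key Vault, traffic would leave the private path silently. An inline comment such as `azure_policy_pe_zone_linking_enabled = true # zone groups are not created here; relies on the subscription's policy that links private endpoints to the existing zones` documents the prerequisite. The enclosing `module "test"` block starts outside this hunk.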
-
diff --git a/examples/standalone-byo-vnet/README.md b/examples/standalone-byo-vnet/README.md
index 9576235..6458deb 100644
--- a/examples/standalone-byo-vnet/README.md
+++ b/examples/standalone-byo-vnet/README.md
@@ -112,7 +112,8 @@ module "test" {
ai_foundry_definition = {
purge_on_destroy = true
ai_foundry = {
- create_ai_agent_service = true
+ create_ai_agent_service = true
+ enable_diagnostic_settings = false
}
ai_model_deployments = {
"gpt-4o" = {
@@ -147,25 +148,21 @@ module "test" {
}
ai_search_definition = {
this = {
- enable_diagnostic_settings = false
}
}
cosmosdb_definition = {
this = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+ consistency_level = "Session"
}
}
key_vault_definition = {
this = {
- enable_diagnostic_settings = false
}
}
storage_account_definition = {
this = {
- enable_diagnostic_settings = false
- shared_access_key_enabled = true #configured for testing
+ shared_access_key_enabled = true #configured for testing
endpoints = {
blob = {
type = "blob"
@@ -221,11 +218,14 @@ module "test" {
}
enable_telemetry = var.enable_telemetry
flag_platform_landing_zone = true
+ genai_app_configuration_definition = {
+ enable_diagnostic_settings = false
+ }
genai_container_registry_definition = {
enable_diagnostic_settings = false
}
genai_cosmosdb_definition = {
- enable_diagnostic_settings = false
+ consistency_level = "Session"
}
genai_key_vault_definition = {
#this is for AVM testing purposes only. Doing this as we don't have an easy for the test runner to be privately connected for testing.
@@ -236,7 +236,6 @@ module "test" {
}
}
genai_storage_account_definition = {
- enable_diagnostic_settings = false
}
ks_ai_search_definition = {
enable_diagnostic_settings = false
diff --git a/examples/standalone-byo-vnet/main.tf b/examples/standalone-byo-vnet/main.tf
index adfd6a9..0011728 100644
--- a/examples/standalone-byo-vnet/main.tf
+++ b/examples/standalone-byo-vnet/main.tf
@@ -105,7 +105,8 @@ module "test" {
ai_foundry_definition = {
purge_on_destroy = true
ai_foundry = {
- create_ai_agent_service = true
+ create_ai_agent_service = true
+ enable_diagnostic_settings = false
}
ai_model_deployments = {
"gpt-4o" = {
@@ -140,25 +141,21 @@ module "test" {
}
ai_search_definition = {
this = {
- enable_diagnostic_settings = false
}
}
cosmosdb_definition = {
this = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+ consistency_level = "Session"
}
}
key_vault_definition = {
this = {
- enable_diagnostic_settings = false
}
}
storage_account_definition = {
this = {
- enable_diagnostic_settings = false
- shared_access_key_enabled = true #configured for testing
+ shared_access_key_enabled = true #configured for testing
endpoints = {
blob = {
type = "blob"
@@ -214,11 +211,14 @@ module "test" {
}
enable_telemetry = var.enable_telemetry
flag_platform_landing_zone = true
+ genai_app_configuration_definition = {
+ enable_diagnostic_settings = false
+ }
genai_container_registry_definition = {
enable_diagnostic_settings = false
}
genai_cosmosdb_definition = {
- enable_diagnostic_settings = false
+ consistency_level = "Session"
}
genai_key_vault_definition = {
#this is for AVM testing purposes only. Doing this as we don't have an easy for the test runner to be privately connected for testing.
@@ -229,7 +229,6 @@ module "test" {
}
}
genai_storage_account_definition = {
- enable_diagnostic_settings = false
}
ks_ai_search_definition = {
enable_diagnostic_settings = false
diff --git a/examples/standalone/README.md b/examples/standalone/README.md
index 70826ed..1d46d28 100644
--- a/examples/standalone/README.md
+++ b/examples/standalone/README.md
@@ -102,12 +102,13 @@ module "test" {
resource_group_name = "ai-lz-rg-standalone-${substr(module.naming.unique-seed, 0, 5)}"
vnet_definition = {
name = "ai-lz-vnet-standalone"
- address_space = "192.168.0.0/20" # has to be out of 192.168.0.0/16 currently. Other RFC1918 not supported for foundry capabilityHost injection.
+ address_space = ["192.168.0.0/20"] # has to be out of 192.168.0.0/16 currently. Other RFC1918 not supported for foundry capabilityHost injection.
}
ai_foundry_definition = {
purge_on_destroy = true
ai_foundry = {
- create_ai_agent_service = true
+ create_ai_agent_service = true
+ enable_diagnostic_settings = false
}
ai_model_deployments = {
"gpt-4o" = {
@@ -144,7 +145,6 @@ module "test" {
ai_search_definition = {
this = {
- enable_diagnostic_settings = false
}
}
@@ -154,21 +154,18 @@ module "test" {
cosmosdb_definition = {
this = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+ consistency_level = "Session"
}
}
key_vault_definition = {
this = {
- enable_diagnostic_settings = false
}
}
storage_account_definition = {
this = {
- enable_diagnostic_settings = false
- shared_access_key_enabled = true #configured for testing
+ shared_access_key_enabled = true #configured for testing
endpoints = {
blob = {
type = "blob"
@@ -224,14 +221,14 @@ module "test" {
}
enable_telemetry = var.enable_telemetry
flag_platform_landing_zone = true
- # Uncomment the following line to enable direct internet routing instead of firewall routing
- # This is useful for Azure Application Gateway v2 deployments that require direct internet connectivity
- # use_internet_routing = true
+ genai_app_configuration_definition = {
+ enable_diagnostic_settings = false
+ }
genai_container_registry_definition = {
enable_diagnostic_settings = false
}
genai_cosmosdb_definition = {
- enable_diagnostic_settings = false
+ consistency_level = "Session"
}
genai_key_vault_definition = {
#this is for AVM testing purposes only. Doing this as we don't have an easy for the test runner to be privately connected for testing.
@@ -242,7 +239,6 @@ module "test" {
}
}
genai_storage_account_definition = {
- enable_diagnostic_settings = false
}
ks_ai_search_definition = {
enable_diagnostic_settings = false
diff --git a/examples/standalone/main.tf b/examples/standalone/main.tf
index 88afd20..dbf3e44 100644
--- a/examples/standalone/main.tf
+++ b/examples/standalone/main.tf
@@ -95,12 +95,13 @@ module "test" {
resource_group_name = "ai-lz-rg-standalone-${substr(module.naming.unique-seed, 0, 5)}"
vnet_definition = {
name = "ai-lz-vnet-standalone"
- address_space = "192.168.0.0/20" # has to be out of 192.168.0.0/16 currently. Other RFC1918 not supported for foundry capabilityHost injection.
+ address_space = ["192.168.0.0/20"] # has to be out of 192.168.0.0/16 currently. Other RFC1918 not supported for foundry capabilityHost injection.
}
ai_foundry_definition = {
purge_on_destroy = true
ai_foundry = {
- create_ai_agent_service = true
+ create_ai_agent_service = true
+ enable_diagnostic_settings = false
}
ai_model_deployments = {
"gpt-4o" = {
@@ -137,7 +138,6 @@ module "test" {
ai_search_definition = {
this = {
- enable_diagnostic_settings = false
}
}
@@ -147,21 +147,18 @@ module "test" {
cosmosdb_definition = {
this = {
- enable_diagnostic_settings = false
- consistency_level = "Session"
+ consistency_level = "Session"
}
}
key_vault_definition = {
this = {
- enable_diagnostic_settings = false
}
}
storage_account_definition = {
this = {
- enable_diagnostic_settings = false
- shared_access_key_enabled = true #configured for testing
+ shared_access_key_enabled = true #configured for testing
endpoints = {
blob = {
type = "blob"
@@ -217,14 +214,14 @@ module "test" {
}
enable_telemetry = var.enable_telemetry
flag_platform_landing_zone = true
- # Uncomment the following line to enable direct internet routing instead of firewall routing
- # This is useful for Azure Application Gateway v2 deployments that require direct internet connectivity
- # use_internet_routing = true
+ genai_app_configuration_definition = {
+ enable_diagnostic_settings = false
+ }
genai_container_registry_definition = {
enable_diagnostic_settings = false
}
genai_cosmosdb_definition = {
- enable_diagnostic_settings = false
+ consistency_level = "Session"
}
genai_key_vault_definition = {
#this is for AVM testing purposes only. Doing this as we don't have an easy for the test runner to be privately connected for testing.
@@ -235,7 +232,6 @@ module "test" {
}
}
genai_storage_account_definition = {
- enable_diagnostic_settings = false
}
ks_ai_search_definition = {
enable_diagnostic_settings = false
diff --git a/locals.apim.tf b/locals.apim.tf
index f2c1af6..ba7f534 100644
--- a/locals.apim.tf
+++ b/locals.apim.tf
@@ -1,8 +1,19 @@
locals {
- apim_default_role_assignments = {}
- apim_name = try(var.apim_definition.name, null) != null ? var.apim_definition.name : (var.name_prefix != null ? "${var.name_prefix}-apim-${random_string.name_suffix.result}" : "ai-alz-apim-${random_string.name_suffix.result}")
- apim_role_assignments = merge(
- local.apim_default_role_assignments,
- try(var.apim_definition.role_assignments, {})
- )
+ apim_diagnostic_settings = var.apim_definition.enable_diagnostic_settings ? (length(var.apim_definition.diagnostic_settings) > 0 ? var.apim_definition.diagnostic_settings : local.apim_diagnostic_settings_inner) : {}
+ apim_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-apim-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = "Dedicated"
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
+ apim_name = try(var.apim_definition.name, null) != null ? var.apim_definition.name : (var.name_prefix != null ? "${var.name_prefix}-apim-${random_string.name_suffix.result}" : "ai-alz-apim-${random_string.name_suffix.result}")
+ apim_role_assignments = try(var.apim_definition.role_assignments, {})
}
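Review bot: `apim_diagnostic_settings_inner` evaluates to `{}` whenever `law_definition.deploy` is not true, so a caller that sets `enable_diagnostic_settings = true` without an explicit `diagnostic_settings` map and without deploying the workspace gets no diagnostics at all and no plan-time signal that logging was dropped. The same silent fallback is repeated in the `cae_`, `foundry_`, `genai_app_configuration_`, `genai_container_registry_`, `genai_cosmosdb_`, `genai_key_vault_` and `genai_storage_account_` variants in the later hunks. At minimum a comment on each inner local, e.g. `# yields {} (no diagnostics) when the module does not deploy the Log Analytics workspace and no explicit diagnostic_settings were supplied`, makes the behaviour discoverable; a variable validation rejecting that combination would be stronger but lives outside this diff. Separately, `log_analytics_destination_type` is `"Dedicated"` here and in the genai locals but `null` for the container app environment, foundry and container registry, which may be intentional per resource type but is worth a one-line comment where it differs.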
diff --git a/locals.compute.tf b/locals.compute.tf
index cd2a830..feb1b88 100644
--- a/locals.compute.tf
+++ b/locals.compute.tf
@@ -1,7 +1,30 @@
locals {
- cae_log_analytics_workspace_resource_id = var.container_app_environment_definition.log_analytics_workspace_resource_id != null ? var.container_app_environment_definition.log_analytics_workspace_resource_id : module.log_analytics_workspace[0].resource_id
+ cae_diagnostic_settings = var.container_app_environment_definition.enable_diagnostic_settings ? (length(var.container_app_environment_definition.diagnostic_settings) > 0 ? var.container_app_environment_definition.diagnostic_settings : local.cae_diagnostic_settings_inner) : {}
+ cae_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-cae-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = null
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
+ cae_log_analytics_workspace_resource_id = (
+ var.container_app_environment_definition.log_analytics_workspace_resource_id != null ?
+ var.container_app_environment_definition.log_analytics_workspace_resource_id :
+ local.log_analytics_workspace_id
+ )
container_app_environment_default_role_assignments = {}
- container_app_environment_name = try(var.container_app_environment_definition.name, null) != null ? var.container_app_environment_definition.name : (var.name_prefix != null ? "${var.name_prefix}-container-app-env" : "ai-alz-container-app-env-${random_string.name_suffix.result}")
+ container_app_environment_name = (
+ try(var.container_app_environment_definition.name, null) != null ?
+ var.container_app_environment_definition.name :
+ (var.name_prefix != null ? "${var.name_prefix}-container-app-env" : "ai-alz-container-app-env-${random_string.name_suffix.result}")
+ )
container_app_environment_role_assignments = merge(
local.container_app_environment_default_role_assignments,
var.container_app_environment_definition.role_assignments
diff --git a/locals.foundry.tf b/locals.foundry.tf
index 630f077..15d7d90 100644
--- a/locals.foundry.tf
+++ b/locals.foundry.tf
@@ -8,26 +8,45 @@ locals {
subnetArmId = local.subnet_ids["AIFoundrySubnet"]
useMicrosoftManagedNetwork = false
}]
- private_dns_zone_resource_ids = [
+ private_dns_zone_resource_ids = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : [
(var.flag_platform_landing_zone ? module.private_dns_zones.ai_foundry_openai_zone.resource_id : local.private_dns_zones_existing.ai_foundry_openai_zone.resource_id),
(var.flag_platform_landing_zone ? module.private_dns_zones.ai_foundry_ai_services_zone.resource_id : local.private_dns_zones_existing.ai_foundry_ai_services_zone.resource_id),
(var.flag_platform_landing_zone ? module.private_dns_zones.ai_foundry_cognitive_services_zone.resource_id : local.private_dns_zones_existing.ai_foundry_cognitive_services_zone.resource_id)
]
+ private_endpoints_manage_dns_zone_group = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? false : var.ai_foundry_definition.ai_foundry.private_endpoints_manage_dns_zone_group
}
)
foundry_ai_search_definition = { for key, value in var.ai_foundry_definition.ai_search_definition : key => merge(
var.ai_foundry_definition.ai_search_definition[key], {
- private_dns_zone_resource_id = var.flag_platform_landing_zone ? module.private_dns_zones.ai_search_zone.resource_id : local.private_dns_zones_existing.ai_search_zone.resource_id
+ private_dns_zone_resource_id = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? module.private_dns_zones.ai_search_zone.resource_id : local.private_dns_zones_existing.ai_search_zone.resource_id)
+ private_endpoints_manage_dns_zone_group = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? false : var.ai_foundry_definition.ai_search_definition[key].private_endpoints_manage_dns_zone_group
}
) }
foundry_cosmosdb_definition = { for key, value in var.ai_foundry_definition.cosmosdb_definition : key => merge(
var.ai_foundry_definition.cosmosdb_definition[key], {
- private_dns_zone_resource_id = var.flag_platform_landing_zone ? module.private_dns_zones.cosmos_sql_zone.resource_id : local.private_dns_zones_existing.cosmos_sql_zone.resource_id
+ private_dns_zone_resource_id = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? module.private_dns_zones.cosmos_sql_zone.resource_id : local.private_dns_zones_existing.cosmos_sql_zone.resource_id)
+ private_endpoints_manage_dns_zone_group = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? false : var.ai_foundry_definition.cosmosdb_definition[key].private_endpoints_manage_dns_zone_group
}
) }
+ foundry_diagnostic_settings = var.ai_foundry_definition.ai_foundry.enable_diagnostic_settings ? (length(var.ai_foundry_definition.ai_foundry.diagnostic_settings) > 0 ? var.ai_foundry_definition.ai_foundry.diagnostic_settings : local.foundry_diagnostic_settings_inner) : {}
+ foundry_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-foundry-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = null
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
foundry_key_vault_definition = { for key, value in var.ai_foundry_definition.key_vault_definition : key => merge(
var.ai_foundry_definition.key_vault_definition[key], {
- private_dns_zone_resource_id = var.flag_platform_landing_zone ? module.private_dns_zones.key_vault_zone.resource_id : local.private_dns_zones_existing.key_vault_zone.resource_id
+ private_dns_zone_resource_id = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? module.private_dns_zones.key_vault_zone.resource_id : local.private_dns_zones_existing.key_vault_zone.resource_id)
+ private_endpoints_manage_dns_zone_group = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? false : var.ai_foundry_definition.key_vault_definition[key].private_endpoints_manage_dns_zone_group
}
) }
foundry_storage_account_definition = { for key, value in var.ai_foundry_definition.storage_account_definition : key => merge(
@@ -35,8 +54,9 @@ locals {
endpoints = {
for ek, ev in value.endpoints :
ek => {
- private_dns_zone_resource_id = var.flag_platform_landing_zone ? module.private_dns_zones["storage_${lower(ek)}_zone"].resource_id : local.private_dns_zones_existing["storage_${lower(ek)}_zone"].resource_id
- type = lower(ek)
+ private_dns_zone_resource_id = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? module.private_dns_zones["storage_${lower(ek)}_zone"].resource_id : local.private_dns_zones_existing["storage_${lower(ek)}_zone"].resource_id)
+ private_endpoints_manage_dns_zone_group = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? false : var.ai_foundry_definition.storage_account_definition[key].endpoints[ek].private_endpoints_manage_dns_zone_group
+ type = lower(ek)
}
}
}
diff --git a/locals.genai_services.tf b/locals.genai_services.tf
index 161dbef..6cb2411 100644
--- a/locals.genai_services.tf
+++ b/locals.genai_services.tf
@@ -1,16 +1,61 @@
locals {
genai_app_configuration_default_role_assignments = {}
- genai_app_configuration_name = try(var.genai_app_configuration_definition.name, null) != null ? var.genai_app_configuration_definition.name : (var.name_prefix != null ? "${var.name_prefix}-genai-appconfig-${random_string.name_suffix.result}" : "genai-appconfig-${random_string.name_suffix.result}")
+ genai_app_configuration_diagnostic_settings = var.genai_app_configuration_definition.enable_diagnostic_settings ? (length(var.genai_app_configuration_definition.diagnostic_settings) > 0 ? var.genai_app_configuration_definition.diagnostic_settings : local.genai_app_configuration_diagnostic_settings_inner) : {}
+ genai_app_configuration_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-genai-appconfig-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = "Dedicated"
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
+ genai_app_configuration_name = try(var.genai_app_configuration_definition.name, null) != null ? var.genai_app_configuration_definition.name : (var.name_prefix != null ? "${var.name_prefix}-genai-appconfig-${random_string.name_suffix.result}" : "genai-appconfig-${random_string.name_suffix.result}")
genai_app_configuration_role_assignments = merge(
local.genai_app_configuration_default_role_assignments,
var.genai_app_configuration_definition.role_assignments
)
genai_container_registry_default_role_assignments = {}
- genai_container_registry_name = try(var.genai_container_registry_definition.name, null) != null ? var.genai_container_registry_definition.name : (var.name_prefix != null ? "${var.name_prefix}genaicr${random_string.name_suffix.result}" : "genaicr${random_string.name_suffix.result}")
+ genai_container_registry_diagnostic_settings = var.genai_container_registry_definition.enable_diagnostic_settings ? (length(var.genai_container_registry_definition.diagnostic_settings) > 0 ? var.genai_container_registry_definition.diagnostic_settings : local.genai_container_registry_diagnostic_settings_inner) : {}
+ genai_container_registry_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-genai-acr-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = null
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
+ genai_container_registry_name = try(var.genai_container_registry_definition.name, null) != null ? var.genai_container_registry_definition.name : (var.name_prefix != null ? "${var.name_prefix}genaicr${random_string.name_suffix.result}" : "genaicr${random_string.name_suffix.result}")
genai_container_registry_role_assignments = merge(
local.genai_container_registry_default_role_assignments,
var.genai_container_registry_definition.role_assignments
)
+ genai_cosmosdb_diagnostic_settings = var.genai_cosmosdb_definition.enable_diagnostic_settings ? (length(var.genai_cosmosdb_definition.diagnostic_settings) > 0 ? var.genai_cosmosdb_definition.diagnostic_settings : local.genai_cosmosdb_diagnostic_settings_inner) : {}
+ genai_cosmosdb_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-genai-cosmosdb-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = "Dedicated"
+ log_groups = ["allLogs"]
+ metric_categories = ["SLI", "Requests"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
genai_cosmosdb_name = try(var.genai_cosmosdb_definition.name, null) != null ? var.genai_cosmosdb_definition.name : (var.name_prefix != null ? "${var.name_prefix}-genai-cosmosdb-${random_string.name_suffix.result}" : "genai-cosmosdb-${random_string.name_suffix.result}")
# Handle secondary regions logic:
# - If null, set to empty list
@@ -32,6 +77,21 @@ locals {
)
genai_key_vault_default_role_assignments = {
}
+ genai_key_vault_diagnostic_settings = var.genai_key_vault_definition.enable_diagnostic_settings ? (length(var.genai_key_vault_definition.diagnostic_settings) > 0 ? var.genai_key_vault_definition.diagnostic_settings : local.genai_key_vault_diagnostic_settings_inner) : {}
+ genai_key_vault_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-genai-kv-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = "Dedicated"
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
genai_key_vault_name = try(var.genai_key_vault_definition.name, null) != null ? var.genai_key_vault_definition.name : (var.name_prefix != null ? "${var.name_prefix}-genai-kv-${random_string.name_suffix.result}" : "genai-kv-${random_string.name_suffix.result}")
genai_key_vault_role_assignments = merge(
local.genai_key_vault_default_role_assignments,
@@ -39,6 +99,21 @@ locals {
)
genai_storage_account_default_role_assignments = {
}
+ genai_storage_account_diagnostic_settings = var.genai_storage_account_definition.enable_diagnostic_settings ? (length(var.genai_storage_account_definition.diagnostic_settings) > 0 ? var.genai_storage_account_definition.diagnostic_settings : local.genai_storage_account_diagnostic_settings_inner) : {}
+ genai_storage_account_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-genai-sa-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = "Dedicated"
+ log_groups = ["allLogs"]
+ metric_categories = ["Capacity", "Transaction"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
genai_storage_account_name = try(var.genai_storage_account_definition.name, null) != null ? var.genai_storage_account_definition.name : (var.name_prefix != null ? "${var.name_prefix}genaisa${random_string.name_suffix.result}" : "genaisa${random_string.name_suffix.result}")
genai_storage_account_role_assignments = merge(
local.genai_storage_account_default_role_assignments,
diff --git a/locals.knowledge_sources.tf b/locals.knowledge_sources.tf
index fb32127..9d35873 100644
--- a/locals.knowledge_sources.tf
+++ b/locals.knowledge_sources.tf
@@ -1,4 +1,21 @@
locals {
- ks_ai_search_name = try(var.ks_ai_search_definition.name, null) != null ? var.ks_ai_search_definition.name : (var.name_prefix != null ? "${var.name_prefix}-ks-ai-search" : "ai-alz-ks-ai-search-${random_string.name_suffix.result}")
- ks_bing_grounding_name = try(var.ks_bing_grounding_definition.name, null) != null ? var.ks_bing_grounding_definition.name : (var.name_prefix != null ? "${var.name_prefix}-ks-bing-grounding" : "ai-alz-ks-bing-grounding-${random_string.name_suffix.result}")
+ ks_ai_search_diagnostic_settings = var.ks_ai_search_definition.enable_diagnostic_settings ? (length(var.ks_ai_search_definition.diagnostic_settings) > 0 ? var.ks_ai_search_definition.diagnostic_settings : local.ks_ai_search_diagnostic_settings_inner) : {}
+ ks_ai_search_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-ks-ai-search-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = "Dedicated"
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
+ ks_ai_search_name = try(var.ks_ai_search_definition.name, null) != null ? var.ks_ai_search_definition.name : (var.name_prefix != null ? "${var.name_prefix}-ks-ai-search" : "ai-alz-ks-ai-search-${random_string.name_suffix.result}")
+ ks_ai_search_role_assignments = try(var.ks_ai_search_definition.role_assignments, {})
+ ks_bing_grounding_name = try(var.ks_bing_grounding_definition.name, null) != null ? var.ks_bing_grounding_definition.name : (var.name_prefix != null ? "${var.name_prefix}-ks-bing-grounding" : "ai-alz-ks-bing-grounding-${random_string.name_suffix.result}")
}
+
diff --git a/locals.monitoring.tf b/locals.monitoring.tf
index 7d40ec6..3486e15 100644
--- a/locals.monitoring.tf
+++ b/locals.monitoring.tf
@@ -1,4 +1,6 @@
locals {
+ #deploy_diagnostics_settings = var.law_definition.resource_id != null || length(module.log_analytics_workspace) > 0 #TODO - remove this after we update the diags logic
+ log_analytics_workspace_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : (length(module.log_analytics_workspace) > 0 ? module.log_analytics_workspace[0].resource_id : null)
log_analytics_workspace_name = try(var.law_definition.name, null) != null ? var.law_definition.name : (var.name_prefix != null ? "${var.name_prefix}-law" : "ai-alz-law")
}
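Review bot: The commented-out `#deploy_diagnostics_settings … #TODO` line is dead code shipping an open question; delete it or track it in an issue rather than leaving it at the top of the locals block. The new `log_analytics_workspace_id` deserves a why-comment since every diagnostic setting in this diff now depends on it, e.g. `# Workspace used for all diagnostic settings: a caller-supplied resource_id wins over the module-deployed workspace; null when neither exists.`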
diff --git a/locals.networking.nsgs.tf b/locals.networking.nsgs.tf
index 2bfba2a..2eb0a9b 100644
--- a/locals.networking.nsgs.tf
+++ b/locals.networking.nsgs.tf
@@ -26,7 +26,7 @@ locals {
"appgw_rule02" = {
name = "Allow-AppGW_Web"
access = "Allow"
- destination_address_prefixes = try(local.subnets["AppGatewaySubnet"].address_prefix, null) != null ? [local.subnets["AppGatewaySubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 4, 5)]
+ destination_address_prefixes = length(var.vnet_definition.existing_byo_vnet) > 0 ? module.byo_subnets["AppGatewaySubnet"].address_prefixes : module.ai_lz_vnet[0].subnets["AppGatewaySubnet"].address_prefixes
destination_port_ranges = ["80", "443"]
direction = "Inbound"
priority = 120
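Review bot: The new `destination_address_prefixes` indexes `module.byo_subnets["AppGatewaySubnet"]` directly, so a bring-your-own VNet whose subnet map omits that key now fails the plan with an index error where the old expression fell back to a computed CIDR; decide whether an AppGatewaySubnet is mandatory for BYO VNets and either validate `var.vnet_definition` accordingly or make this rule conditional on the subnet's existence. The rule now also depends on subnet module outputs, which matters if these NSGs are ever attached to the same subnets from inside the VNet module (the `network_security_group` block in locals.networking.tf is still commented out, possibly for this reason) — a comment such as `# reads subnet outputs; attaching this NSG inside the VNet module would create a cycle` would save the next maintainer the discovery. The same expression is repeated for `appgw_rule03` in the next hunk.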
@@ -37,7 +37,7 @@ locals {
"appgw_rule03" = {
name = "Allow-AppGW_LoadBalancer"
access = "Allow"
- destination_address_prefixes = try(local.subnets["AppGatewaySubnet"].address_prefix, null) != null ? [local.subnets["AppGatewaySubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 4, 5)]
+ destination_address_prefixes = length(var.vnet_definition.existing_byo_vnet) > 0 ? module.byo_subnets["AppGatewaySubnet"].address_prefixes : module.ai_lz_vnet[0].subnets["AppGatewaySubnet"].address_prefixes
destination_port_range = "*"
direction = "Inbound"
priority = 4000
diff --git a/locals.networking.tf b/locals.networking.tf
index 7642d80..67aa65c 100644
--- a/locals.networking.tf
+++ b/locals.networking.tf
@@ -1,11 +1,37 @@
locals {
- application_gateway_name = try(var.app_gateway_definition.name, null) != null ? var.app_gateway_definition.name : (var.name_prefix != null ? "${var.name_prefix}-appgw" : "ai-alz-appgw")
- application_gateway_role_assignments = merge(
- local.application_gateway_role_assignments_base,
- try(var.app_gateway_definition.role_assignments, {})
- )
- application_gateway_role_assignments_base = {}
- bastion_name = try(var.bastion_definition.name, null) != null ? var.bastion_definition.name : (var.name_prefix != null ? "${var.name_prefix}-bastion" : "ai-alz-bastion")
+ app_gw_diagnostic_settings = var.app_gateway_definition.enable_diagnostic_settings ? (length(var.app_gateway_definition.diagnostic_settings) > 0 ? var.app_gateway_definition.diagnostic_settings : local.app_gw_diagnostic_settings_inner) : {}
+ app_gw_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-appgw-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = "Dedicated"
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
+ application_gateway_name = try(var.app_gateway_definition.name, null) != null ? var.app_gateway_definition.name : (var.name_prefix != null ? "${var.name_prefix}-appgw" : "ai-alz-appgw")
+ application_gateway_role_assignments = try(var.app_gateway_definition.role_assignments, {}) #TODO - do we need this or can we just point it at the var?
+ az_fw_diagnostic_settings = var.firewall_definition.enable_diagnostic_settings ? (length(var.firewall_definition.diagnostic_settings) > 0 ? var.firewall_definition.diagnostic_settings : local.az_fw_diagnostic_settings_inner) : {}
+ az_fw_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-azfw-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = "Dedicated"
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
+ bastion_name = try(var.bastion_definition.name, null) != null ? var.bastion_definition.name : (var.name_prefix != null ? "${var.name_prefix}-bastion" : "ai-alz-bastion")
default_virtual_network_link = {
alz_vnet_link = {
vnetlinkname = "${local.vnet_name}-link"
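Review bot: `application_gateway_role_assignments` carries an inline `#TODO - do we need this or can we just point it at the var?`; a question to the reviewer should be settled in the PR, not committed as code commentary. Given that the former `_base` merge map was empty and has been removed, the local adds nothing over `var.app_gateway_definition.role_assignments` and can either be dropped or kept with a comment stating why an indirection is wanted, e.g. `# kept as a local so default assignments can be merged in later`.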
@@ -91,24 +117,60 @@ locals {
subnet_ids = length(var.vnet_definition.existing_byo_vnet) > 0 ? { for key, m in module.byo_subnets : key => try(m.resource_id, m.id) } : { for key, s in module.ai_lz_vnet[0].subnets : key => s.resource_id }
subnets = {
AzureBastionSubnet = {
- enabled = var.flag_platform_landing_zone == true ? try(local.subnets_definition["AzureBastionSubnet"].enabled, true) : try(local.subnets_definition["AzureBastionSubnet"].enabled, false)
- name = "AzureBastionSubnet"
- address_prefixes = try(local.subnets_definition["AzureBastionSubnet"].address_prefix, null) != null ? [local.subnets_definition["AzureBastionSubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 3, 5)]
- route_table = null
+ enabled = var.flag_platform_landing_zone == true ? try(local.subnets_definition["AzureBastionSubnet"].enabled, true) : try(local.subnets_definition["AzureBastionSubnet"].enabled, false)
+ name = "AzureBastionSubnet"
+ address_prefixes = (var.vnet_definition.ipam_pools == null ?
+ try(local.subnets_definition["AzureBastionSubnet"].address_prefix, null) != null ?
+ [local.subnets_definition["AzureBastionSubnet"].address_prefix] :
+ [cidrsubnet(local.vnet_address_space, 3, 5)]
+ : null)
+ ipam_pools = (var.vnet_definition.ipam_pools != null ?
+ try(local.subnets_definition["AzureBastionSubnet"].ipam_pools, null) != null ?
+ local.subnets_definition["AzureBastionSubnet"].ipam_pools :
+ [{
+ pool_id = var.vnet_definition.ipam_pools[0].id
+ prefix_length = var.vnet_definition.ipam_pools[0].prefix_length + 3
+ }]
+ : null)
+ route_table = null
#network_security_group = {
# id = module.nsgs.resource_id
#}
}
AzureFirewallSubnet = {
- enabled = var.flag_platform_landing_zone == true ? try(local.subnets_definition["AzureFirewallSubnet"].enabled, true) : try(local.subnets_definition["AzureFirewallSubnet"].enabled, false)
- name = "AzureFirewallSubnet"
- address_prefixes = try(local.subnets_definition["AzureFirewallSubnet"].address_prefix, null) != null ? [local.subnets_definition["AzureFirewallSubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 3, 4)]
- route_table = null
+ enabled = var.flag_platform_landing_zone == true ? try(local.subnets_definition["AzureFirewallSubnet"].enabled, true) : try(local.subnets_definition["AzureFirewallSubnet"].enabled, false)
+ name = "AzureFirewallSubnet"
+ address_prefixes = (var.vnet_definition.ipam_pools == null ?
+ try(local.subnets_definition["AzureFirewallSubnet"].address_prefix, null) != null ?
+ [local.subnets_definition["AzureFirewallSubnet"].address_prefix] :
+ [cidrsubnet(local.vnet_address_space, 3, 4)]
+ : null)
+ ipam_pools = (var.vnet_definition.ipam_pools != null ?
+ try(local.subnets_definition["AzureFirewallSubnet"].ipam_pools, null) != null ?
+ local.subnets_definition["AzureFirewallSubnet"].ipam_pools :
+ [{
+ pool_id = var.vnet_definition.ipam_pools[0].id
+ prefix_length = var.vnet_definition.ipam_pools[0].prefix_length + 3
+ }]
+ : null)
+ route_table = null
}
JumpboxSubnet = {
- enabled = var.flag_platform_landing_zone == true ? try(local.subnets_definition["JumpboxSubnet"].enabled, true) : try(local.subnets_definition["JumpboxSubnet"].enabled, false)
- name = try(local.subnets_definition["JumpboxSubnet"].name, null) != null ? local.subnets_definition["JumpboxSubnet"].name : "JumpboxSubnet"
- address_prefixes = try(local.subnets_definition["JumpboxSubnet"].address_prefix, null) != null ? [local.subnets_definition["JumpboxSubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 4, 6)]
+ enabled = var.flag_platform_landing_zone == true ? try(local.subnets_definition["JumpboxSubnet"].enabled, true) : try(local.subnets_definition["JumpboxSubnet"].enabled, false)
+ name = try(local.subnets_definition["JumpboxSubnet"].name, null) != null ? local.subnets_definition["JumpboxSubnet"].name : "JumpboxSubnet"
+ address_prefixes = (var.vnet_definition.ipam_pools == null ?
+ try(local.subnets_definition["JumpboxSubnet"].address_prefix, null) != null ?
+ [local.subnets_definition["JumpboxSubnet"].address_prefix] :
+ [cidrsubnet(local.vnet_address_space, 4, 6)]
+ : null)
+ ipam_pools = (var.vnet_definition.ipam_pools != null ?
+ try(local.subnets_definition["JumpboxSubnet"].ipam_pools, null) != null ?
+ local.subnets_definition["JumpboxSubnet"].ipam_pools :
+ [{
+ pool_id = var.vnet_definition.ipam_pools[0].id
+ prefix_length = var.vnet_definition.ipam_pools[0].prefix_length + 4
+ }]
+ : null)
route_table = ((var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) == 0) ||
(var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) > 0 && try(values(var.vnet_definition.existing_byo_vnet)[0].firewall_ip_address, null) != null)) ? {
id = module.firewall_route_table[0].resource_id
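Review bot: `var.vnet_definition.ipam_pools != null` admits an empty list, and the fallback then evaluates `var.vnet_definition.ipam_pools[0]`, which fails with an index error at plan time; the README describes the attribute as a list, so `[]` is a plausible input. Test for a non-empty list instead, e.g. `ipam_pools = (try(length(var.vnet_definition.ipam_pools), 0) > 0 ?` with the `address_prefixes` branch using `try(length(var.vnet_definition.ipam_pools), 0) == 0 ?`, or add a `validation` block on the variable. Only `ipam_pools[0]` is ever consulted, so either document that additional pools are ignored or reject lists longer than one, and the `+ 3` / `+ 4` offsets deserve a why-comment such as `# request a prefix 3 bits longer than the VNet allocation, mirroring cidrsubnet(…, 3, 5)`. The same construction is repeated for every subnet in the following hunks of this file (AppGatewaySubnet, APIMSubnet, AIFoundrySubnet, DevOpsBuildSubnet, ContainerAppEnvironmentSubnet, PrivateEndpointSubnet).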
@@ -118,9 +180,21 @@ locals {
}
}
AppGatewaySubnet = {
- enabled = true
- name = try(local.subnets_definition["AppGatewaySubnet"].name, null) != null ? local.subnets_definition["AppGatewaySubnet"].name : "AppGatewaySubnet"
- address_prefixes = try(local.subnets_definition["AppGatewaySubnet"].address_prefix, null) != null ? [local.subnets_definition["AppGatewaySubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 4, 5)]
+ enabled = true
+ name = try(local.subnets_definition["AppGatewaySubnet"].name, null) != null ? local.subnets_definition["AppGatewaySubnet"].name : "AppGatewaySubnet"
+ address_prefixes = (var.vnet_definition.ipam_pools == null ?
+ try(local.subnets_definition["AppGatewaySubnet"].address_prefix, null) != null ?
+ [local.subnets_definition["AppGatewaySubnet"].address_prefix] :
+ [cidrsubnet(local.vnet_address_space, 4, 5)]
+ : null)
+ ipam_pools = (var.vnet_definition.ipam_pools != null ?
+ try(local.subnets_definition["AppGatewaySubnet"].ipam_pools, null) != null ?
+ local.subnets_definition["AppGatewaySubnet"].ipam_pools :
+ [{
+ pool_id = var.vnet_definition.ipam_pools[0].id
+ prefix_length = var.vnet_definition.ipam_pools[0].prefix_length + 4
+ }]
+ : null)
route_table = ((var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) == 0) ||
(var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) > 0 && try(values(var.vnet_definition.existing_byo_vnet)[0].firewall_ip_address, null) != null)) ? {
id = module.firewall_route_table[0].resource_id
@@ -136,9 +210,21 @@ locals {
}]
}
APIMSubnet = {
- enabled = true
- name = try(local.subnets_definition["APIMSubnet"].name, null) != null ? local.subnets_definition["APIMSubnet"].name : "APIMSubnet"
- address_prefixes = try(local.subnets_definition["APIMSubnet"].address_prefix, null) != null ? [local.subnets_definition["APIMSubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 4, 4)]
+ enabled = true
+ name = try(local.subnets_definition["APIMSubnet"].name, null) != null ? local.subnets_definition["APIMSubnet"].name : "APIMSubnet"
+ address_prefixes = (var.vnet_definition.ipam_pools == null ?
+ try(local.subnets_definition["APIMSubnet"].address_prefix, null) != null ?
+ [local.subnets_definition["APIMSubnet"].address_prefix] :
+ [cidrsubnet(local.vnet_address_space, 4, 4)]
+ : null)
+ ipam_pools = (var.vnet_definition.ipam_pools != null ?
+ try(local.subnets_definition["APIMSubnet"].ipam_pools, null) != null ?
+ local.subnets_definition["APIMSubnet"].ipam_pools :
+ [{
+ pool_id = var.vnet_definition.ipam_pools[0].id
+ prefix_length = var.vnet_definition.ipam_pools[0].prefix_length + 4
+ }]
+ : null)
route_table = ((var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) == 0) ||
(var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) > 0 && try(values(var.vnet_definition.existing_byo_vnet)[0].firewall_ip_address, null) != null)) ? {
id = module.firewall_route_table[0].resource_id
@@ -148,9 +234,21 @@ locals {
}
}
AIFoundrySubnet = {
- enabled = true
- name = try(local.subnets_definition["AIFoundrySubnet"].name, null) != null ? local.subnets_definition["AIFoundrySubnet"].name : "AIFoundrySubnet"
- address_prefixes = try(local.subnets_definition["AIFoundrySubnet"].address_prefix, null) != null ? [local.subnets_definition["AIFoundrySubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 4, 3)]
+ enabled = true
+ name = try(local.subnets_definition["AIFoundrySubnet"].name, null) != null ? local.subnets_definition["AIFoundrySubnet"].name : "AIFoundrySubnet"
+ address_prefixes = (var.vnet_definition.ipam_pools == null ?
+ try(local.subnets_definition["AIFoundrySubnet"].address_prefix, null) != null ?
+ [local.subnets_definition["AIFoundrySubnet"].address_prefix] :
+ [cidrsubnet(local.vnet_address_space, 4, 3)]
+ : null)
+ ipam_pools = (var.vnet_definition.ipam_pools != null ?
+ try(local.subnets_definition["AIFoundrySubnet"].ipam_pools, null) != null ?
+ local.subnets_definition["AIFoundrySubnet"].ipam_pools :
+ [{
+ pool_id = var.vnet_definition.ipam_pools[0].id
+ prefix_length = var.vnet_definition.ipam_pools[0].prefix_length + 4
+ }]
+ : null)
route_table = ((var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) == 0) ||
(var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) > 0 && try(values(var.vnet_definition.existing_byo_vnet)[0].firewall_ip_address, null) != null)) ? {
id = module.firewall_route_table[0].resource_id
@@ -167,9 +265,21 @@ locals {
}]
}
DevOpsBuildSubnet = {
- enabled = true
- name = try(local.subnets_definition["DevOpsBuildSubnet"].name, null) != null ? local.subnets_definition["DevOpsBuildSubnet"].name : "DevOpsBuildSubnet"
- address_prefixes = try(local.subnets_definition["DevOpsBuildSubnet"].address_prefix, null) != null ? [local.subnets_definition["DevOpsBuildSubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 4, 2)]
+ enabled = true
+ name = try(local.subnets_definition["DevOpsBuildSubnet"].name, null) != null ? local.subnets_definition["DevOpsBuildSubnet"].name : "DevOpsBuildSubnet"
+ address_prefixes = (var.vnet_definition.ipam_pools == null ?
+ try(local.subnets_definition["DevOpsBuildSubnet"].address_prefix, null) != null ?
+ [local.subnets_definition["DevOpsBuildSubnet"].address_prefix] :
+ [cidrsubnet(local.vnet_address_space, 4, 2)]
+ : null)
+ ipam_pools = (var.vnet_definition.ipam_pools != null ?
+ try(local.subnets_definition["DevOpsBuildSubnet"].ipam_pools, null) != null ?
+ local.subnets_definition["DevOpsBuildSubnet"].ipam_pools :
+ [{
+ pool_id = var.vnet_definition.ipam_pools[0].id
+ prefix_length = var.vnet_definition.ipam_pools[0].prefix_length + 4
+ }]
+ : null)
route_table = ((var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) == 0) ||
(var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) > 0 && try(values(var.vnet_definition.existing_byo_vnet)[0].firewall_ip_address, null) != null)) ? {
id = module.firewall_route_table[0].resource_id
@@ -185,18 +295,42 @@ locals {
name = "Microsoft.App/environments"
}
}]
- enabled = true
- name = try(local.subnets_definition["ContainerAppEnvironmentSubnet"].name, null) != null ? local.subnets_definition["ContainerAppEnvironmentSubnet"].name : "ContainerAppEnvironmentSubnet"
- address_prefixes = try(local.subnets_definition["ContainerAppEnvironmentSubnet"].address_prefix, null) != null ? [local.subnets_definition["ContainerAppEnvironmentSubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 4, 1)]
+ enabled = true
+ name = try(local.subnets_definition["ContainerAppEnvironmentSubnet"].name, null) != null ? local.subnets_definition["ContainerAppEnvironmentSubnet"].name : "ContainerAppEnvironmentSubnet"
+ address_prefixes = (var.vnet_definition.ipam_pools == null ?
+ try(local.subnets_definition["ContainerAppEnvironmentSubnet"].address_prefix, null) != null ?
+ [local.subnets_definition["ContainerAppEnvironmentSubnet"].address_prefix] :
+ [cidrsubnet(local.vnet_address_space, 4, 1)]
+ : null)
+ ipam_pools = (var.vnet_definition.ipam_pools != null ?
+ try(local.subnets_definition["ContainerAppEnvironmentSubnet"].ipam_pools, null) != null ?
+ local.subnets_definition["ContainerAppEnvironmentSubnet"].ipam_pools :
+ [{
+ pool_id = var.vnet_definition.ipam_pools[0].id
+ prefix_length = var.vnet_definition.ipam_pools[0].prefix_length + 4
+ }]
+ : null)
route_table = ((var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) == 0) ||
(var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) > 0 && try(values(var.vnet_definition.existing_byo_vnet)[0].firewall_ip_address, null) != null)) ? {
id = module.firewall_route_table[0].resource_id
} : null
}
PrivateEndpointSubnet = {
- enabled = true
- name = try(local.subnets_definition["PrivateEndpointSubnet"].name, null) != null ? local.subnets_definition["PrivateEndpointSubnet"].name : "PrivateEndpointSubnet"
- address_prefixes = try(local.subnets_definition["PrivateEndpointSubnet"].address_prefix, null) != null ? [local.subnets_definition["PrivateEndpointSubnet"].address_prefix] : [cidrsubnet(local.vnet_address_space, 4, 0)]
+ enabled = true
+ name = try(local.subnets_definition["PrivateEndpointSubnet"].name, null) != null ? local.subnets_definition["PrivateEndpointSubnet"].name : "PrivateEndpointSubnet"
+ address_prefixes = (var.vnet_definition.ipam_pools == null ?
+ try(local.subnets_definition["PrivateEndpointSubnet"].address_prefix, null) != null ?
+ [local.subnets_definition["PrivateEndpointSubnet"].address_prefix] :
+ [cidrsubnet(local.vnet_address_space, 4, 0)]
+ : null)
+ ipam_pools = (var.vnet_definition.ipam_pools != null ?
+ try(local.subnets_definition["PrivateEndpointSubnet"].ipam_pools, null) != null ?
+ local.subnets_definition["PrivateEndpointSubnet"].ipam_pools :
+ [{
+ pool_id = var.vnet_definition.ipam_pools[0].id
+ prefix_length = var.vnet_definition.ipam_pools[0].prefix_length + 4
+ }]
+ : null)
route_table = ((var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) == 0) ||
(var.flag_platform_landing_zone && length(var.vnet_definition.existing_byo_vnet) > 0 && try(values(var.vnet_definition.existing_byo_vnet)[0].firewall_ip_address, null) != null)) ? {
id = module.firewall_route_table[0].resource_id
@@ -206,11 +340,26 @@ locals {
}
}
}
- subnets_definition = var.vnet_definition.subnets
- virtual_network_links = merge(local.default_virtual_network_link, var.private_dns_zones.network_links)
- vnet_address_space = length(var.vnet_definition.existing_byo_vnet) > 0 ? data.azurerm_virtual_network.ai_lz_vnet[0].address_space[0] : var.vnet_definition.address_space
- vnet_name = length(var.vnet_definition.existing_byo_vnet) > 0 ? try(basename(values(var.vnet_definition.existing_byo_vnet)[0].vnet_resource_id), null) : (try(var.vnet_definition.name, null) != null ? var.vnet_definition.name : (var.name_prefix != null ? "${var.name_prefix}-vnet" : "ai-alz-vnet"))
- vnet_resource_id = length(var.vnet_definition.existing_byo_vnet) > 0 ? data.azurerm_virtual_network.ai_lz_vnet[0].id : module.ai_lz_vnet[0].resource_id
+ subnets_definition = var.vnet_definition.subnets
+ virtual_network_links = merge(local.default_virtual_network_link, var.private_dns_zones.network_links)
+ vnet_address_space = length(var.vnet_definition.existing_byo_vnet) > 0 ? data.azurerm_virtual_network.ai_lz_vnet[0].address_space[0] : var.vnet_definition.address_space[0]
+ vnet_diagnostic_settings = var.vnet_definition.enable_diagnostic_settings ? (length(var.vnet_definition.diagnostic_settings) > 0 ? var.vnet_definition.diagnostic_settings : local.vnet_diagnostic_settings_inner) : {}
+ vnet_diagnostic_settings_inner = ((try(var.law_definition.deploy, false) == true) ? {
+ sendToLogAnalytics = {
+ name = "sendToLogAnalytics-vnet-${random_string.name_suffix.result}"
+ workspace_resource_id = local.log_analytics_workspace_id
+ log_analytics_destination_type = "Dedicated"
+ log_groups = ["allLogs"]
+ metric_categories = ["AllMetrics"]
+ log_categories = []
+ storage_account_resource_id = null
+ event_hub_authorization_rule_resource_id = null
+ event_hub_name = null
+ marketplace_partner_resource_id = null
+ }
+ } : {})
+ vnet_name = length(var.vnet_definition.existing_byo_vnet) > 0 ? try(basename(values(var.vnet_definition.existing_byo_vnet)[0].vnet_resource_id), null) : (try(var.vnet_definition.name, null) != null ? var.vnet_definition.name : (var.name_prefix != null ? "${var.name_prefix}-vnet" : "ai-alz-vnet"))
+ vnet_resource_id = length(var.vnet_definition.existing_byo_vnet) > 0 ? data.azurerm_virtual_network.ai_lz_vnet[0].id : module.ai_lz_vnet[0].resource_id
#web_application_firewall_managed_rules = var.waf_policy_definition.managed_rules == null ? {
# managed_rule_set = tomap({
# owasp = {
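Review bot: `vnet_address_space` now reads `var.vnet_definition.address_space[0]`, so any additional prefixes are dropped from the base used by every `cidrsubnet` call, and since locals are evaluated regardless of which conditional branch later selects them, a null `address_space` (plausible when `ipam_pools` is supplied, which the README says makes the address space ignored) would error on the index unless the variable keeps its default — confirm the default survived the change to a list type. If null is reachable, `try(var.vnet_definition.address_space[0], null)` keeps the local evaluable while the IPAM branch is in use.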
diff --git a/main.apim.tf b/main.apim.tf
index 3f3e539..ca4b9c5 100644
--- a/main.apim.tf
+++ b/main.apim.tf
@@ -12,19 +12,15 @@ module "apim" {
additional_location = var.apim_definition.additional_locations
certificate = var.apim_definition.certificate
client_certificate_enabled = var.apim_definition.client_certificate_enabled
- diagnostic_settings = {
- storage = {
- name = "sendToLogAnalytics-apim-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- }
- }
- enable_telemetry = var.enable_telemetry
- hostname_configuration = var.apim_definition.hostname_configuration
- min_api_version = var.apim_definition.min_api_version
- notification_sender_email = var.apim_definition.notification_sender_email
+ diagnostic_settings = local.apim_diagnostic_settings
+ enable_telemetry = var.enable_telemetry
+ hostname_configuration = var.apim_definition.hostname_configuration
+ managed_identities = var.apim_definition.managed_identities
+ min_api_version = var.apim_definition.min_api_version
+ notification_sender_email = var.apim_definition.notification_sender_email
private_endpoints = {
endpoint1 = {
- private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.apim_zone.resource_id] : [local.private_dns_zones_existing.apim_zone.resource_id]
+ private_dns_zone_resource_ids = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? [module.private_dns_zones.apim_zone.resource_id] : [local.private_dns_zones_existing.apim_zone.resource_id])
subnet_resource_id = local.subnet_ids["PrivateEndpointSubnet"]
}
}
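Review bot: `private_dns_zone_resource_ids` becomes `null` whenever `var.private_dns_zones.azure_policy_pe_zone_linking_enabled` is true, which delegates DNS registration for the private endpoint to a deployIfNotExists policy assignment that this module neither creates nor checks. If that assignment is absent or scoped elsewhere, the endpoint is created without a record in the private zone and clients keep resolving the public FQDN, so the private path is bypassed without any plan-time signal. At minimum document the precondition next to the variable, e.g. `# When true no zone is linked here: a DINE policy assignment in the target scope must create the private DNS record; verify it exists before enabling.`, and consider a `validation` that ties the flag to `flag_platform_landing_zone` or an explicit acknowledgement. The same expression is applied to the Key Vault, Cosmos DB `sql` and storage account private endpoints later in this diff.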
diff --git a/main.compute.tf b/main.compute.tf
index 8c72cce..239e709 100644
--- a/main.compute.tf
+++ b/main.compute.tf
@@ -3,16 +3,10 @@ module "container_apps_managed_environment" {
version = "0.3.0"
count = var.container_app_environment_definition.deploy ? 1 : 0
- location = azurerm_resource_group.this.location
- name = local.container_app_environment_name
- resource_group_name = azurerm_resource_group.this.name
- diagnostic_settings = var.container_app_environment_definition.enable_diagnostic_settings ? {
- to_law = {
- name = "sendToLogAnalytics-cae-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- log_analytics_destination_type = "AzureDiagnostics"
- }
- } : {}
+ location = azurerm_resource_group.this.location
+ name = local.container_app_environment_name
+ resource_group_name = azurerm_resource_group.this.name
+ diagnostic_settings = local.cae_diagnostic_settings
enable_telemetry = var.enable_telemetry
infrastructure_resource_group_name = "rg-managed-${azurerm_resource_group.this.name}"
infrastructure_subnet_id = local.subnet_ids["ContainerAppEnvironmentSubnet"]
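Review bot: The removed block pinned `log_analytics_destination_type = "AzureDiagnostics"` for the Container Apps environment, while `local.cae_diagnostic_settings` is defined outside the visible hunks; if it follows the `"Dedicated"` pattern every other `_inner` local in this change uses, logs move from the `AzureDiagnostics` table to resource-specific tables and existing workbooks, alerts or detection queries written against `AzureDiagnostics` for this resource stop matching. Either keep `"AzureDiagnostics"` for this resource or call the table change out in the changelog, and add a comment at the local such as `# destination table changed from AzureDiagnostics to resource-specific; existing queries must be updated`.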
diff --git a/main.foundry.tf b/main.foundry.tf
index 2ff1c21..2bae7d9 100644
--- a/main.foundry.tf
+++ b/main.foundry.tf
@@ -1,6 +1,6 @@
module "foundry_ptn" {
source = "Azure/avm-ptn-aiml-ai-foundry/azurerm"
- version = "0.8.0"
+ version = "0.10.0"
#configure the base resource
base_name = coalesce(var.name_prefix, "foundry")
@@ -14,9 +14,9 @@ module "foundry_ptn" {
cosmosdb_definition = local.foundry_cosmosdb_definition
create_byor = var.ai_foundry_definition.create_byor
create_private_endpoints = true
+ diagnostic_settings = local.foundry_diagnostic_settings
enable_telemetry = var.enable_telemetry
key_vault_definition = local.foundry_key_vault_definition
- law_definition = var.ai_foundry_definition.law_definition
private_endpoint_subnet_resource_id = local.subnet_ids["PrivateEndpointSubnet"]
storage_account_definition = local.foundry_storage_account_definition
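Review bot: `law_definition = var.ai_foundry_definition.law_definition` is removed, but nothing in this diff removes or deprecates the `law_definition` attribute of `var.ai_foundry_definition`; if it is still in the variable schema, callers can set it and silently get no effect. Either drop it from the variable (a breaking change worth recording next to the `0.8.0` → `0.10.0` bump) or mark it in the variable description as ignored now that diagnostics flow through `local.foundry_diagnostic_settings`.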
diff --git a/main.genai_services.tf b/main.genai_services.tf
index bd02eab..8cf04d6 100644
--- a/main.genai_services.tf
+++ b/main.genai_services.tf
@@ -2,23 +2,18 @@ module "avm_res_keyvault_vault" {
source = "Azure/avm-res-keyvault-vault/azurerm"
version = "=0.10.2"
- location = azurerm_resource_group.this.location
- name = local.genai_key_vault_name
- resource_group_name = azurerm_resource_group.this.name
- tenant_id = var.genai_key_vault_definition.tenant_id != null ? var.genai_key_vault_definition.tenant_id : data.azurerm_client_config.current.tenant_id
- diagnostic_settings = {
- to_law = {
- name = "sendToLogAnalytics-kv-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- }
- }
+ location = azurerm_resource_group.this.location
+ name = local.genai_key_vault_name
+ resource_group_name = azurerm_resource_group.this.name
+ tenant_id = var.genai_key_vault_definition.tenant_id != null ? var.genai_key_vault_definition.tenant_id : data.azurerm_client_config.current.tenant_id
+ diagnostic_settings = local.genai_key_vault_diagnostic_settings
enabled_for_deployment = true
enabled_for_disk_encryption = true
enabled_for_template_deployment = true
network_acls = var.genai_key_vault_definition.network_acls
private_endpoints = {
primary = {
- private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.key_vault_zone.resource_id] : [local.private_dns_zones_existing.key_vault_zone.resource_id]
+ private_dns_zone_resource_ids = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? [module.private_dns_zones.key_vault_zone.resource_id] : [local.private_dns_zones_existing.key_vault_zone.resource_id])
subnet_resource_id = local.subnet_ids["PrivateEndpointSubnet"]
}
}
@@ -65,15 +60,10 @@ module "cosmosdb" {
max_interval_in_seconds = var.genai_cosmosdb_definition.consistency_policy.max_interval_in_seconds
max_staleness_prefix = var.genai_cosmosdb_definition.consistency_policy.max_staleness_prefix
}
- cors_rule = var.genai_cosmosdb_definition.cors_rule
- diagnostic_settings = var.genai_cosmosdb_definition.enable_diagnostic_settings ? {
- to_law = {
- name = "sendToLogAnalytics-cosmosdb-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- }
- } : {}
- enable_telemetry = var.enable_telemetry
- geo_locations = local.genai_cosmosdb_secondary_regions
+ cors_rule = var.genai_cosmosdb_definition.cors_rule
+ diagnostic_settings = local.genai_cosmosdb_diagnostic_settings
+ enable_telemetry = var.enable_telemetry
+ geo_locations = local.genai_cosmosdb_secondary_regions
ip_range_filter = [
"168.125.123.255",
"170.0.0.0/24", #TODO: check 0.0.0.0 for validity
@@ -88,7 +78,7 @@ module "cosmosdb" {
"sql" = {
subnet_resource_id = local.subnet_ids["PrivateEndpointSubnet"]
subresource_name = "sql"
- private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.cosmos_sql_zone.resource_id] : [local.private_dns_zones_existing.cosmos_sql_zone.resource_id]
+ private_dns_zone_resource_ids = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? [module.private_dns_zones.cosmos_sql_zone.resource_id] : [local.private_dns_zones_existing.cosmos_sql_zone.resource_id])
}
}
public_network_access_enabled = var.genai_cosmosdb_definition.public_network_access_enabled
@@ -106,26 +96,21 @@ module "storage_account" {
version = "0.6.6"
count = var.genai_storage_account_definition.deploy ? 1 : 0
- location = azurerm_resource_group.this.location
- name = local.genai_storage_account_name
- resource_group_name = azurerm_resource_group.this.name
- access_tier = var.genai_storage_account_definition.access_tier
- account_kind = var.genai_storage_account_definition.account_kind
- account_replication_type = var.genai_storage_account_definition.account_replication_type
- account_tier = var.genai_storage_account_definition.account_tier
- diagnostic_settings_storage_account = var.genai_storage_account_definition.enable_diagnostic_settings ? {
- storage = {
- name = "sendToLogAnalytics-sa-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- }
- } : {}
- enable_telemetry = var.enable_telemetry
- local_user_enabled = false
+ location = azurerm_resource_group.this.location
+ name = local.genai_storage_account_name
+ resource_group_name = azurerm_resource_group.this.name
+ access_tier = var.genai_storage_account_definition.access_tier
+ account_kind = var.genai_storage_account_definition.account_kind
+ account_replication_type = var.genai_storage_account_definition.account_replication_type
+ account_tier = var.genai_storage_account_definition.account_tier
+ diagnostic_settings_storage_account = local.genai_storage_account_diagnostic_settings
+ enable_telemetry = var.enable_telemetry
+ local_user_enabled = false
private_endpoints = {
for endpoint in var.genai_storage_account_definition.endpoint_types :
endpoint => {
name = "${local.genai_storage_account_name}-${endpoint}-pe"
- private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones["storage_${lower(endpoint)}_zone"].resource_id] : [local.private_dns_zones_existing["storage_${lower(endpoint)}_zone"].resource_id]
+ private_dns_zone_resource_ids = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? [module.private_dns_zones["storage_${lower(endpoint)}_zone"].resource_id] : [local.private_dns_zones_existing["storage_${lower(endpoint)}_zone"].resource_id])
subnet_resource_id = local.subnet_ids["PrivateEndpointSubnet"]
subresource_name = endpoint
}
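Review bot: Each per-endpoint private endpoint here gets `private_dns_zone_resource_ids = null` under policy linking, but the loop sets nothing that stops the storage module from creating its own zone group, so the policy-managed group and the module-managed one would target the same endpoint. If the storage module (0.6.6) supports it, add `private_endpoints_manage_dns_zone_group = !var.private_dns_zones.azure_policy_pe_zone_linking_enabled` alongside `private_endpoints`, or confirm that passing an empty zone list already suppresses group creation. `module "storage_account"` starts outside this hunk.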
@@ -147,16 +132,11 @@ module "containerregistry" {
location = azurerm_resource_group.this.location
name = local.genai_container_registry_name
resource_group_name = azurerm_resource_group.this.name
- diagnostic_settings = var.genai_container_registry_definition.enable_diagnostic_settings ? {
- storage = {
- name = "sendToLogAnalytics-acr-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- }
- } : {}
- enable_telemetry = var.enable_telemetry
+ diagnostic_settings = local.genai_container_registry_diagnostic_settings
+ enable_telemetry = var.enable_telemetry
private_endpoints = {
container_registry = {
- private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.container_registry_zone.resource_id] : [local.private_dns_zones_existing.container_registry_zone.resource_id]
+ private_dns_zone_resource_ids = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? [module.private_dns_zones.container_registry_zone.resource_id] : [local.private_dns_zones_existing.container_registry_zone.resource_id])
subnet_resource_id = local.subnet_ids["PrivateEndpointSubnet"]
}
}
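Review bot: The same gap applies to the container registry endpoint: the zone list is nulled out under policy linking, but no flag tells the module to stop managing the DNS zone group, which is the part Azure Policy takes over. Consider `private_endpoints_manage_dns_zone_group = !var.private_dns_zones.azure_policy_pe_zone_linking_enabled` next to `private_endpoints`, if the ACR module exposes it. `module "containerregistry"` starts outside the hunk.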
@@ -177,11 +157,12 @@ module "app_configuration" {
name = local.genai_app_configuration_name
resource_group_resource_id = azurerm_resource_group.this.id
azapi_schema_validation_enabled = false
+ diagnostic_settings = local.genai_app_configuration_diagnostic_settings
enable_telemetry = var.enable_telemetry
local_auth_enabled = var.genai_app_configuration_definition.local_auth_enabled
private_endpoints = {
app_configuration = {
- private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.app_configuration_zone.resource_id] : [local.private_dns_zones_existing.app_configuration_zone.resource_id]
+ private_dns_zone_resource_ids = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? [module.private_dns_zones.app_configuration_zone.resource_id] : [local.private_dns_zones_existing.app_configuration_zone.resource_id])
subnet_resource_id = local.subnet_ids["PrivateEndpointSubnet"]
}
}
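Review bot: For App Configuration the policy-linking branch again yields `private_dns_zone_resource_ids = null` with no accompanying change to who owns the zone group; please verify the module does not emit an empty zone group in that case, or set `private_endpoints_manage_dns_zone_group = !var.private_dns_zones.azure_policy_pe_zone_linking_enabled` explicitly. Unrelated to the change but visible on the context lines, `azapi_schema_validation_enabled = false` deserves a one-line comment saying why validation is off. `module "app_configuration"` starts outside the hunk.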
diff --git a/main.knowledge_sources.tf b/main.knowledge_sources.tf
index e9140da..7baf9ea 100644
--- a/main.knowledge_sources.tf
+++ b/main.knowledge_sources.tf
@@ -3,28 +3,25 @@ module "search_service" {
version = "0.2.0"
count = var.ks_ai_search_definition.deploy ? 1 : 0
- location = azurerm_resource_group.this.location
- name = local.ks_ai_search_name
- resource_group_name = azurerm_resource_group.this.name
- diagnostic_settings = var.ks_ai_search_definition.enable_diagnostic_settings ? {
- search = {
- name = "sendToLogAnalytics-search-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- }
- } : {}
+ location = azurerm_resource_group.this.location
+ name = local.ks_ai_search_name
+ resource_group_name = azurerm_resource_group.this.name
+ diagnostic_settings = local.ks_ai_search_diagnostic_settings
enable_telemetry = var.enable_telemetry # see variables.tf
local_authentication_enabled = var.ks_ai_search_definition.local_authentication_enabled
partition_count = var.ks_ai_search_definition.partition_count
private_endpoints = {
primary = {
- private_dns_zone_resource_ids = var.flag_platform_landing_zone ? [module.private_dns_zones.ai_search_zone.resource_id] : [local.private_dns_zones_existing.ai_search_zone.resource_id]
+ private_dns_zone_resource_ids = var.private_dns_zones.azure_policy_pe_zone_linking_enabled ? null : (var.flag_platform_landing_zone ? [module.private_dns_zones.ai_search_zone.resource_id] : [local.private_dns_zones_existing.ai_search_zone.resource_id])
subnet_resource_id = local.subnet_ids["PrivateEndpointSubnet"]
}
}
public_network_access_enabled = var.ks_ai_search_definition.public_network_access_enabled
replica_count = var.ks_ai_search_definition.replica_count
+ role_assignments = local.ks_ai_search_role_assignments
semantic_search_sku = var.ks_ai_search_definition.semantic_search_sku
sku = var.ks_ai_search_definition.sku
+ tags = var.ks_ai_search_definition.tags
depends_on = [module.private_dns_zones, module.hub_vnet_peering]
}
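Review bot: The search service's `primary` private endpoint follows the same null-zone-list pattern as the GenAI resources, so the same question applies: with `azure_policy_pe_zone_linking_enabled` true, does the search module still create a zone group of its own? If it does, set `private_endpoints_manage_dns_zone_group = !var.private_dns_zones.azure_policy_pe_zone_linking_enabled` here as well; and since the zones are no longer referenced in that mode, the `depends_on = [module.private_dns_zones, ...]` is worth a comment explaining why it is still wanted. The newly added `role_assignments = local.ks_ai_search_role_assignments` references a local not in this view, so I cannot check what roles it grants.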
diff --git a/main.monitoring.tf b/main.monitoring.tf
index b63d902..434a484 100644
--- a/main.monitoring.tf
+++ b/main.monitoring.tf
@@ -1,7 +1,7 @@
module "log_analytics_workspace" {
source = "Azure/avm-res-operationalinsights-workspace/azurerm"
version = "0.4.2"
- count = var.law_definition.resource_id == null ? 1 : 0
+ count = var.law_definition.resource_id == null && var.law_definition.deploy ? 1 : 0
location = azurerm_resource_group.this.location
name = local.log_analytics_workspace_name
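Review bot: With the new `count`, `law_definition.deploy = false` combined with a null `resource_id` creates no workspace at all, yet the diagnostic-settings locals introduced by this commit presumably still need a destination; the likely outcome is that diagnostics for the firewall, VNet, storage and data services are silently dropped rather than the plan failing. Add a guard such as `condition = var.law_definition.deploy || var.law_definition.resource_id != null` as a `validation` on `variable "law_definition"` (or a `lifecycle { precondition }` here) with an error message stating that a workspace must be deployed or supplied while any `enable_diagnostic_settings` is true. The `variable "law_definition"` declaration is outside this hunk.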
diff --git a/main.networking.tf b/main.networking.tf
index 48b7dbe..c21c1eb 100644
--- a/main.networking.tf
+++ b/main.networking.tf
@@ -2,29 +2,26 @@
module "ai_lz_vnet" {
source = "Azure/avm-res-network-virtualnetwork/azurerm"
- version = "=0.16.0"
+ version = "0.16.0"
count = length(var.vnet_definition.existing_byo_vnet) > 0 ? 0 : 1
location = azurerm_resource_group.this.location
parent_id = azurerm_resource_group.this.id
- address_space = [var.vnet_definition.address_space]
+ address_space = var.vnet_definition.ipam_pools == null ? var.vnet_definition.address_space : null
ddos_protection_plan = var.vnet_definition.ddos_protection_plan_resource_id != null ? {
id = var.vnet_definition.ddos_protection_plan_resource_id
enable = true
} : null
- diagnostic_settings = {
- sendToLogAnalytics = {
- name = "sendToLogAnalytics-vnet-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- log_analytics_destination_type = "Dedicated"
- }
- }
+ diagnostic_settings = local.vnet_diagnostic_settings
dns_servers = {
dns_servers = var.vnet_definition.dns_servers
}
enable_telemetry = var.enable_telemetry
+ ipam_pools = var.vnet_definition.ipam_pools
name = local.vnet_name
+ role_assignments = var.vnet_definition.role_assignments
subnets = local.deployed_subnets
+ tags = var.vnet_definition.tags
}
data "azurerm_virtual_network" "ai_lz_vnet" {
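Review bot: `address_space` is now passed as `var.vnet_definition.address_space` without the `[ ... ]` wrap the removed line had, so unless the variable's type was changed to `list(string)` in a hunk outside this view the VNet module will now receive a single CIDR string where it previously received a list. If the variable is unchanged, keep `address_space = var.vnet_definition.ipam_pools == null ? [var.vnet_definition.address_space] : null`. Separately, a caller who sets both `ipam_pools` and `address_space` silently loses the explicit address space; a variable validation rejecting both being set would make that explicit rather than relying on the README wording.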
@@ -41,8 +38,9 @@ module "byo_subnets" {
# Direct VNet resource id (module not instantiated when BYO is null due to empty for_each)
parent_id = values(var.vnet_definition.existing_byo_vnet)[0].vnet_resource_id
- address_prefixes = each.value.address_prefixes
+ address_prefixes = each.value.ipam_pools == null ? each.value.address_prefixes : null
delegations = try(each.value.delegations, try(each.value.delegation, null), null)
+ ipam_pools = each.value.ipam_pools
name = each.value.name
network_security_group = try(each.value.network_security_group, null)
route_table = try(each.value.route_table, null)
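Review bot: `each.value.ipam_pools` is dereferenced directly on both new lines while the neighbouring optional attributes (`delegations`, `network_security_group`, `route_table`) are wrapped in `try()`, so a BYO subnet object without an `ipam_pools` attribute fails at plan time instead of falling back to `address_prefixes` — unless the variable type already declares `ipam_pools` as `optional(...)`, which I cannot see. For consistency with the surrounding lines use `address_prefixes = try(each.value.ipam_pools, null) == null ? each.value.address_prefixes : null` and `ipam_pools = try(each.value.ipam_pools, null)`. The `module "byo_subnets"` header and its `for_each` are outside the hunk.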
@@ -55,9 +53,43 @@ module "nsgs" {
location = azurerm_resource_group.this.location
name = local.nsg_name
resource_group_name = var.nsgs_definition.resource_group_name != null ? var.nsgs_definition.resource_group_name : azurerm_resource_group.this.name
- security_rules = local.nsg_rules
}
+# NSGs are required during subnet creation but rules use cidrs which are not known until after vnet creation.
+# Therefore, NSG rules are created in a separate resource after the VNet and subnets are created.
+resource "azurerm_network_security_rule" "this" {
+ for_each = local.nsg_rules
+
+ access = each.value.access
+ direction = each.value.direction
+ name = each.value.name
+ network_security_group_name = module.nsgs.resource.name
+ priority = each.value.priority
+ protocol = each.value.protocol
+ resource_group_name = module.nsgs.resource.resource_group_name
+ description = try(each.value.description, null)
+ destination_address_prefix = try(each.value.destination_address_prefix, null)
+ destination_address_prefixes = try(each.value.destination_address_prefixes, null)
+ destination_application_security_group_ids = try(each.value.destination_application_security_group_ids, null)
+ destination_port_range = try(each.value.destination_port_range, null)
+ destination_port_ranges = try(each.value.destination_port_ranges, null)
+ source_address_prefix = try(each.value.source_address_prefix, null)
+ source_address_prefixes = try(each.value.source_address_prefixes, null)
+ source_application_security_group_ids = try(each.value.source_application_security_group_ids, null)
+ source_port_range = try(each.value.source_port_range, null)
+ source_port_ranges = try(each.value.source_port_ranges, null)
+
+ dynamic "timeouts" {
+ for_each = try(each.value.timeouts, null) == null ? [] : [each.value.timeouts]
+
+ content {
+ create = timeouts.value.create
+ delete = timeouts.value.delete
+ read = timeouts.value.read
+ update = timeouts.value.update
+ }
+ }
+}
#TODO: Add the platform landing zone flag as a secondary decision point for the hub vnet peering?
module "hub_vnet_peering" {
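Review bot: Moving the rules out of `module "nsgs"` into `azurerm_network_security_rule.this` means the subnets are attached to an NSG that carries only Azure's default rules until this resource is applied (and again whenever a rule is replaced), and the leading comment explains the dependency but not that residual exposure; extend it with something like `# Until these rules apply the NSG enforces only the Azure default rules, so the subnets are briefly without the custom allow/deny set.` The `for_each = local.nsg_rules` also requires every map key to be known at plan time even though the comment says the CIDRs are not — fine as long as keys are static rule names and only the values carry addresses, which is worth stating in the same comment since a key derived from a CIDR would break the plan. `local.nsg_rules` and the `module "nsgs"` header are outside this hunk.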
@@ -138,15 +170,8 @@ module "firewall" {
location = azurerm_resource_group.this.location
name = local.firewall_name
resource_group_name = var.firewall_definition.resource_group_name != null ? var.firewall_definition.resource_group_name : azurerm_resource_group.this.name
- diagnostic_settings = {
- to_law = {
- name = "sendToLogAnalytics-fwpip-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- log_groups = ["allLogs"]
- metric_categories = ["AllMetrics"]
- }
- }
- enable_telemetry = var.enable_telemetry
+ diagnostic_settings = local.az_fw_diagnostic_settings
+ enable_telemetry = var.enable_telemetry
firewall_ip_configuration = [
{
name = "${local.firewall_name}-ipconfig1"
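Review bot: The removed inline block pinned the firewall diagnostics to `log_groups = ["allLogs"]` and `metric_categories = ["AllMetrics"]`; the replacement `local.az_fw_diagnostic_settings` is not visible here, so the hunk no longer shows that the firewall's rule-hit logs — the primary record of what egress was allowed or denied — are still collected, and if that local is gated on a toggle that defaults to off the firewall could run unlogged. Please confirm the local keeps the full log set, and consider a short comment on this line such as `# diagnostic settings for the firewall itself; must retain rule logs (see locals)`. `module "firewall"` continues past the hunk.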
@@ -154,7 +179,9 @@ module "firewall" {
public_ip_address_id = module.fw_pip[0].resource_id
}
]
- firewall_zones = var.firewall_definition.zones
+ firewall_zones = var.firewall_definition.zones
+ role_assignments = var.firewall_definition.role_assignments
+ tags = var.firewall_definition.tags
}
module "firewall_policy" {
@@ -243,29 +270,26 @@ module "application_gateway" {
app_gateway_waf_policy_resource_id = module.app_gateway_waf_policy.resource_id
authentication_certificate = var.app_gateway_definition.authentication_certificate
autoscale_configuration = var.app_gateway_definition.autoscale_configuration
- diagnostic_settings = {
- to_law = {
- name = "sendToLogAnalytics-appgw-${random_string.name_suffix.result}"
- workspace_resource_id = var.law_definition.resource_id != null ? var.law_definition.resource_id : module.log_analytics_workspace[0].resource_id
- log_groups = ["allLogs"]
- metric_categories = ["AllMetrics"]
- }
- }
- enable_telemetry = var.enable_telemetry
- http2_enable = var.app_gateway_definition.http2_enable
- probe_configurations = var.app_gateway_definition.probe_configurations
- public_ip_name = "${local.application_gateway_name}-pip"
- redirect_configuration = var.app_gateway_definition.redirect_configuration
- rewrite_rule_set = var.app_gateway_definition.rewrite_rule_set
- role_assignments = local.application_gateway_role_assignments
- sku = var.app_gateway_definition.sku
- ssl_certificates = var.app_gateway_definition.ssl_certificates
- ssl_policy = var.app_gateway_definition.ssl_policy
- ssl_profile = var.app_gateway_definition.ssl_profile
- tags = var.app_gateway_definition.tags
- trusted_client_certificate = var.app_gateway_definition.trusted_client_certificate
- trusted_root_certificate = var.app_gateway_definition.trusted_root_certificate
- url_path_map_configurations = var.app_gateway_definition.url_path_map_configurations
- zones = local.region_zones
+ diagnostic_settings = local.app_gw_diagnostic_settings
+ enable_telemetry = var.enable_telemetry
+ http2_enable = var.app_gateway_definition.http2_enable
+ probe_configurations = var.app_gateway_definition.probe_configurations
+ public_ip_name = "${local.application_gateway_name}-pip"
+ redirect_configuration = var.app_gateway_definition.redirect_configuration
+ rewrite_rule_set = var.app_gateway_definition.rewrite_rule_set
+ role_assignments = local.application_gateway_role_assignments
+ sku = var.app_gateway_definition.sku
+ ssl_certificates = var.app_gateway_definition.ssl_certificates
+ ssl_policy = var.app_gateway_definition.ssl_policy
+ ssl_profile = var.app_gateway_definition.ssl_profile
+ tags = var.app_gateway_definition.tags
+ trusted_client_certificate = var.app_gateway_definition.trusted_client_certificate
+ trusted_root_certificate = var.app_gateway_definition.trusted_root_certificate
+ url_path_map_configurations = var.app_gateway_definition.url_path_map_configurations
+ zones = local.region_zones
+
+ depends_on = [
+ azurerm_network_security_rule.this
+ ]
}
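Review bot: A module-level `depends_on` makes every resource and data source inside `module "application_gateway"` dependent on all of `azurerm_network_security_rule.this`, so any NSG rule edit re-plans the gateway with values shown as `(known after apply)` and can cause churn on unrelated changes. The ordering is presumably required because the gateway subnet must permit the control-plane traffic before provisioning, but nothing says so; add `# Gateway provisioning needs the subnet NSG rules in place first (see azurerm_network_security_rule.this)` above the `depends_on`, and if the module exposes an argument that can reference the rule outputs, an implicit dependency through that argument would be narrower. The `module "application_gateway"` header is outside the hunk.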
diff --git a/outputs.monitoring.tf b/outputs.monitoring.tf
new file mode 100644
index 0000000..6166760
--- /dev/null
+++ b/outputs.monitoring.tf
@@ -0,0 +1,4 @@
+output "log_analytics_workspace_id" {
+ description = "The ID of the Log Analytics Workspace used for monitoring."
+ value = local.log_analytics_workspace_id
+}
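Review bot: The description should say what this output resolves to when no workspace is created or supplied, because the new `count` in `main.monitoring.tf` now allows `law_definition.deploy = false` with no `resource_id`, and consumers wiring diagnostic settings to this value would otherwise receive a null silently. If `local.log_analytics_workspace_id` behaves as its name suggests, something like `description = "The ID of the Log Analytics Workspace used for monitoring: the module-created workspace, or law_definition.resource_id when supplied. Null when law_definition.deploy is false and no resource_id is given."` — confirm against the local, which is not in this view.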
diff --git a/outputs.networking.tf b/outputs.networking.tf
index e245015..f8ea909 100644
--- a/outputs.networking.tf
+++ b/outputs.networking.tf
@@ -1,4 +1,14 @@
output "subnets" {
description = "A map of the deployed subnets in the AI PTN LZA."
- value = local.deployed_subnets
+ value = { for key, value in local.deployed_subnets : key => merge(
+ value,
+ {
+ address_prefixes = length(var.vnet_definition.existing_byo_vnet) > 0 ? module.byo_subnets[key].address_prefixes : module.ai_lz_vnet[0].subnets[key].address_prefixes
+ }
+ ) }
+}
+
+output "virtual_network" {
+ description = "The deployed virtual network in the AI PTN LZA."
+ value = length(var.vnet_definition.existing_byo_vnet) == 0 ? module.ai_lz_vnet[0] : null
}
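Review bot: `virtual_network` returns the entire `module.ai_lz_vnet[0]` object and is `null` on the BYO path, but its description states neither; suggest `description = "The full output object of the VNet module for the module-created virtual network. Null when vnet_definition.existing_byo_vnet supplies an existing VNet."`. In the `subnets` output, `module.byo_subnets[key]` assumes `local.deployed_subnets` and `module.byo_subnets` are keyed identically; if that is not guaranteed by the locals (outside this view), `try(module.byo_subnets[key].address_prefixes, null)` avoids a hard plan error on a mismatched key.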
diff --git a/variables.apim.tf b/variables.apim.tf
index 9213162..9fafc2c 100644
--- a/variables.apim.tf
+++ b/variables.apim.tf
@@ -20,6 +20,19 @@ variable "apim_definition" {
certificate_password = optional(string, null)
})), [])
client_certificate_enabled = optional(bool, false)
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
hostname_configuration = optional(object({
management = optional(list(object({
host_name = string
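Review bot: The new `diagnostic_settings` object accepts any string for `log_analytics_destination_type` and allows an entry with no destination at all (all four `*_resource_id` fields default to null), so a typo or an empty setting surfaces only at apply time inside the provider rather than at plan. Add a `validation` block to `variable "apim_definition"` (after `type`, outside this hunk) constraining the destination type, and a second one requiring at least one of `workspace_resource_id`, `storage_account_resource_id`, `event_hub_authorization_rule_resource_id` or `marketplace_partner_resource_id` to be set; the same object shape is repeated in `variables.compute.tf` and `variables.foundry.tf` and would benefit from the same checks.

```hcl
validation {
  condition = alltrue([
    for _, v in var.apim_definition.diagnostic_settings :
    contains(["Dedicated", "AzureDiagnostics"], v.log_analytics_destination_type)
  ])
  error_message = "apim_definition.diagnostic_settings: log_analytics_destination_type must be `Dedicated` or `AzureDiagnostics`."
}
```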
@@ -63,6 +76,10 @@ variable "apim_definition" {
ssl_keyvault_identity_client_id = optional(string, null)
})), [])
}), null)
+ managed_identities = optional(object({
+ system_assigned = optional(bool, false)
+ user_assigned_resource_ids = optional(set(string), [])
+ }))
min_api_version = optional(string)
notification_sender_email = optional(string, null)
protocols = optional(object({
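Review bot: `managed_identities` is declared `optional(object({...}))` with no default, so it is `null` when omitted, whereas the inner `system_assigned`/`user_assigned_resource_ids` defaults only take effect when an object is present; if the APIM module call does not tolerate a null here, omitting the attribute fails at plan. Declaring it `optional(object({ ... }), {})` lets the inner defaults apply, matching how `diagnostic_settings` above defaults to `{}`. The consuming module call is not in this view, so I cannot confirm how null is handled.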
@@ -120,6 +137,18 @@ Configuration object for the Azure API Management service to be deployed.
- `store_name` - The certificate store name (e.g., "CertificateAuthority", "Root").
- `certificate_password` - (Optional) The password for the certificate.
- `client_certificate_enabled` - (Optional) Whether client certificate authentication is enabled. Default is false.
+- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the API Management service. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `hostname_configuration` - (Optional) Hostname configuration for different endpoints.
- `management` - (Optional) List of custom hostnames for the management endpoint.
- `portal` - (Optional) List of custom hostnames for the developer portal endpoint.
@@ -134,6 +163,9 @@ Configuration object for the Azure API Management service to be deployed.
- `negotiate_client_certificate` - (Optional) Whether to negotiate client certificates.
- `ssl_keyvault_identity_client_id` - (Optional) Client ID of the user-assigned managed identity for Key Vault access.
- `default_ssl_binding` - (Optional, proxy only) Whether this is the default SSL binding.
+- `managed_identities` - (Optional) Managed identities configuration.
+ - `system_assigned` - (Optional) Whether to enable system-assigned managed identity. Default is false.
+ - `user_assigned_resource_ids` - (Optional) Set of user-assigned managed identity resource IDs.
- `min_api_version` - (Optional) The minimum API version that the API Management service will accept.
- `notification_sender_email` - (Optional) Email address from which notifications will be sent.
- `protocols` - (Optional) Protocol configuration.
diff --git a/variables.compute.tf b/variables.compute.tf
index ee62ac2..cb62417 100644
--- a/variables.compute.tf
+++ b/variables.compute.tf
@@ -1,8 +1,20 @@
variable "container_app_environment_definition" {
type = object({
- deploy = optional(bool, true)
- name = optional(string)
- enable_diagnostic_settings = optional(bool, true)
+ deploy = optional(bool, true)
+ name = optional(string)
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
tags = optional(map(string), {})
internal_load_balancer_enabled = optional(bool, true)
log_analytics_workspace_resource_id = optional(string)
@@ -41,6 +53,17 @@ Configuration object for the Container App Environment to be created for GenAI s
- `deploy` - (Optional) Whether to deploy the Container App Environment. Default is true.
- `name` - (Optional) The name of the Container App Environment. If not provided, a name will be generated.
- `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+- `diagnostic_settings` - (Optional) Map of diagnostic settings configurations for the Container App Environment. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
+ - `name` - (Optional) The name of the diagnostic setting.
+ - `log_categories` - (Optional) Set of log categories to enable. Default is an empty set.
+ - `log_groups` - (Optional) Set of log groups to enable. Default is ["allLogs"].
+ - `metric_categories` - (Optional) Set of metric categories to enable. Default is ["AllMetrics"].
+ - `log_analytics_destination_type` - (Optional) The destination type for Log Analytics. Default is "Dedicated".
+ - `workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace.
+ - `storage_account_resource_id` - (Optional) Resource ID of the storage account for diagnostics.
+ - `event_hub_authorization_rule_resource_id` - (Optional) Resource ID of the Event Hub authorization rule.
+ - `event_hub_name` - (Optional) Name of the Event Hub.
+ - `marketplace_partner_resource_id` - (Optional) Resource ID of the marketplace partner resource.
- `tags` - (Optional) Map of tags to assign to the Container App Environment.
- `internal_load_balancer_enabled` - (Optional) Whether the load balancer is internal. Default is true.
- `log_analytics_workspace_resource_id` - (Optional) Resource ID of the Log Analytics workspace for logging.
diff --git a/variables.foundry.tf b/variables.foundry.tf
index ddf3914..a34723c 100644
--- a/variables.foundry.tf
+++ b/variables.foundry.tf
@@ -6,8 +6,21 @@ variable "ai_foundry_definition" {
create_byor = optional(bool, true)
purge_on_destroy = optional(bool, false)
ai_foundry = optional(object({
- name = optional(string, null)
- disable_local_auth = optional(bool, false)
+ name = optional(string, null)
+ disable_local_auth = optional(bool, false)
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
allow_project_management = optional(bool, true)
create_ai_agent_service = optional(bool, false)
#network_injections is statically set to vnet/subnet created in the module.
@@ -69,10 +82,22 @@ variable "ai_foundry_definition" {
# Bring Your Own Resources (BYOR) Configuration
# One or more AI search installations.
ai_search_definition = optional(map(object({
- existing_resource_id = optional(string, null)
- name = optional(string)
- private_dns_zone_resource_id = optional(string, null)
- enable_diagnostic_settings = optional(bool, true)
+ existing_resource_id = optional(string, null)
+ name = optional(string)
+ private_dns_zone_resource_id = optional(string, null)
+ private_endpoints_manage_dns_zone_group = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
sku = optional(string, "standard")
local_authentication_enabled = optional(bool, true)
partition_count = optional(number, 1)
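Review bot: `enable_diagnostic_settings` is dropped from `ai_search_definition` (and, further down, from the cosmosdb, key_vault and storage objects) while the `ai_foundry` object in this same commit keeps `enable_diagnostic_settings = optional(bool, true)` alongside the new map, so the two halves of `ai_foundry_definition` now use different toggles and any existing caller passing `enable_diagnostic_settings = false` on a BYOR object gets an unsupported-attribute error. Either retain the boolean on the BYOR objects for compatibility or document the breaking change in the variable description. The `variable "ai_foundry_definition"` block extends beyond this hunk in both directions.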
@@ -95,10 +120,22 @@ variable "ai_foundry_definition" {
})), {})
cosmosdb_definition = optional(map(object({
- existing_resource_id = optional(string, null)
- private_dns_zone_resource_id = optional(string, null)
- enable_diagnostic_settings = optional(bool, true)
- name = optional(string)
+ existing_resource_id = optional(string, null)
+ private_dns_zone_resource_id = optional(string, null)
+ private_endpoints_manage_dns_zone_group = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
+ name = optional(string)
secondary_regions = optional(list(object({
location = string
zone_redundant = optional(bool, true)
@@ -152,12 +189,24 @@ variable "ai_foundry_definition" {
})), {})
key_vault_definition = optional(map(object({
- existing_resource_id = optional(string, null)
- name = optional(string)
- private_dns_zone_resource_id = optional(string, null)
- enable_diagnostic_settings = optional(bool, true)
- sku = optional(string, "standard")
- tenant_id = optional(string)
+ existing_resource_id = optional(string, null)
+ name = optional(string)
+ private_dns_zone_resource_id = optional(string, null)
+ private_endpoints_manage_dns_zone_group = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
+ sku = optional(string, "standard")
+ tenant_id = optional(string)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
@@ -171,24 +220,28 @@ variable "ai_foundry_definition" {
tags = optional(map(string), {})
})), {})
- law_definition = optional(map(object({
- existing_resource_id = optional(string)
- name = optional(string)
- retention = optional(number, 30)
- sku = optional(string, "PerGB2018")
- tags = optional(map(string), {})
- })), {})
-
storage_account_definition = optional(map(object({
- existing_resource_id = optional(string, null)
- enable_diagnostic_settings = optional(bool, true)
- name = optional(string, null)
- account_kind = optional(string, "StorageV2")
- account_tier = optional(string, "Standard")
- account_replication_type = optional(string, "ZRS")
+ existing_resource_id = optional(string, null)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
+ name = optional(string, null)
+ account_kind = optional(string, "StorageV2")
+ account_tier = optional(string, "Standard")
+ account_replication_type = optional(string, "ZRS")
endpoints = optional(map(object({
- type = string
- private_dns_zone_resource_id = optional(string, null)
+ type = string
+ private_dns_zone_resource_id = optional(string, null)
+ private_endpoints_manage_dns_zone_group = optional(bool, true)
})), {
blob = {
type = "blob"
@@ -215,10 +268,21 @@ Configuration object for the Azure AI Foundry deployment (hub, projects, and Bri
- `create_byor` - (Optional) Whether to create BYOR resources managed by this module. Default is true.
- `purge_on_destroy` - (Optional) Whether to purge soft-delete–capable resources on destroy. Default is false.
-
- `ai_foundry` - (Optional) Azure AI Foundry hub settings.
- `name` - (Optional) Name of the hub. If not provided, a name will be generated.
- `disable_local_auth` - (Optional) Whether to disable local authentication. Default is false.
+ - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the main foundry module and resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `allow_project_management` - (Optional) Whether project management is allowed from the hub. Default is true.
- `create_ai_agent_service` - (Optional) Whether to create the AI Agent service in the hub. Default is false.
- `private_dns_zone_resource_ids` - (Optional) List of private DNS zone resource IDs for hub endpoints. Default is [].
@@ -272,7 +336,18 @@ Configuration object for the Azure AI Foundry deployment (hub, projects, and Bri
- `existing_resource_id` - (Optional) Resource ID of an existing service to reuse.
- `name` - (Optional) Name of the service if creating new.
- `private_dns_zone_resource_id` - (Optional) Private DNS zone resource ID for the service.
- - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `private_endpoints_manage_dns_zone_group` - (Optional) Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the main foundry module's byor ai_search resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `sku` - (Optional) Service SKU. Default is "standard".
- `local_authentication_enabled` - (Optional) Whether local auth is enabled. Default is true.
- `partition_count` - (Optional) Number of partitions. Default is 1.
@@ -295,7 +370,18 @@ Configuration object for the Azure AI Foundry deployment (hub, projects, and Bri
- `cosmosdb_definition` - (Optional) Map defining one or more Azure Cosmos DB accounts.
- `existing_resource_id` - (Optional) Resource ID of an existing account to reuse.
- `private_dns_zone_resource_id` - (Optional) Private DNS zone resource ID.
- - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `private_endpoints_manage_dns_zone_group` - (Optional) Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the foundry module's byor cosmos resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `name` - (Optional) Name of the account if creating new.
- `secondary_regions` - (Optional) List of secondary regions for geo-replication. Default is [].
- `location` - Azure region name for the secondary location.
@@ -344,7 +430,18 @@ Configuration object for the Azure AI Foundry deployment (hub, projects, and Bri
- `existing_resource_id` - (Optional) Resource ID of an existing vault to reuse.
- `name` - (Optional) Name of the vault if creating new.
- `private_dns_zone_resource_id` - (Optional) Private DNS zone resource ID.
- - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `private_endpoints_manage_dns_zone_group` - (Optional) Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the foundry module's byor key vault resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `sku` - (Optional) Vault SKU. Default is "standard".
- `tenant_id` - (Optional) Tenant ID for the Key Vault.
- `role_assignments` - (Optional) Map of role assignments on the vault.
@@ -358,16 +455,19 @@ Configuration object for the Azure AI Foundry deployment (hub, projects, and Bri
- `principal_type` - (Optional) Type of the principal (User, Group, ServicePrincipal).
- `tags` - (Optional) Map of tags for the vault.
- - `law_definition` - (Optional) Map defining one or more Log Analytics Workspaces.
- - `existing_resource_id` - (Optional) Resource ID of an existing workspace to reuse.
- - `name` - (Optional) Name of the workspace if creating new.
- - `retention` - (Optional) Data retention in days. Default is 30.
- - `sku` - (Optional) Workspace SKU. Default is "PerGB2018".
- - `tags` - (Optional) Map of tags for the workspace.
-
- `storage_account_definition` - (Optional) Map defining one or more Storage Accounts.
- `existing_resource_id` - (Optional) Resource ID of an existing account to reuse.
- - `enable_diagnostic_settings` - (Optional) Whether diagnostic settings are enabled. Default is true.
+ - `diagnostic_settings` - (Optional) - map of diagnostic settings for the foundry module's byor storage account resource
+ - `name` - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
+ - `log_categories` - (Optional) A set of log categories to send to the log analytics workspace. Defaults to `[]`.
+ - `log_groups` - (Optional) A set of log groups to send to the log analytics workspace. Defaults to `["allLogs"]`.
+ - `metric_categories` - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to `["AllMetrics"]`.
+ - `log_analytics_destination_type` - (Optional) The destination type for the diagnostic setting. Possible values are `Dedicated` and `AzureDiagnostics`. Defaults to `Dedicated`.
+ - `workspace_resource_id` - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
+ - `storage_account_resource_id` - (Optional) The resource ID of the storage account to send logs and metrics to.
+ - `event_hub_authorization_rule_resource_id` - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
+ - `event_hub_name` - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
+ - `marketplace_partner_resource_id` - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
- `name` - (Optional) Name of the account if creating new.
- `account_kind` - (Optional) Storage account kind. Default is "StorageV2".
- `account_tier` - (Optional) Storage account tier. Default is "Standard".
@@ -376,6 +476,7 @@ Configuration object for the Azure AI Foundry deployment (hub, projects, and Bri
- map key - Endpoint name (e.g., `blob`).
- `type` - Endpoint type (e.g., "blob").
- `private_dns_zone_resource_id` - (Optional) Private DNS zone resource ID for the endpoint.
+ - `private_endpoints_manage_dns_zone_group` - (Optional) Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy. Default is true.
- `access_tier` - (Optional) Access tier for the account. Default is "Hot".
- `shared_access_key_enabled` - (Optional) Whether shared access keys are enabled. Default is false.
- `role_assignments` - (Optional) Map of role assignments on the storage account.
diff --git a/variables.genai_services.tf b/variables.genai_services.tf
index 6e0fe42..ea52627 100644
--- a/variables.genai_services.tf
+++ b/variables.genai_services.tf
@@ -22,6 +22,19 @@ variable "genai_app_configuration_definition" {
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
+ enable_diagnostic_settings = optional(bool, true)
+ diagnostic_settings = optional(map(object({
+ name = optional(string, null)
+ log_categories = optional(set(string), [])
+ log_groups = optional(set(string), ["allLogs"])
+ metric_categories = optional(set(string), ["AllMetrics"])
+ log_analytics_destination_type = optional(string, "Dedicated")
+ workspace_resource_id = optional(string, null)
+ storage_account_resource_id = optional(string, null)
+ event_hub_authorization_rule_resource_id = optional(string, null)
+ event_hub_name = optional(string, null)
+ marketplace_partner_resource_id = optional(string, null)
+ })), {})
})
default = {}
description = <