Fix GPU node count parity, add Bicep RG outputs, update docs accuracy

- Fix GPU node pool initial count: Bicep 1->0 to match TF (avoid surprise cost)
- Add resource group name outputs to Bicep main (parity with TF outputs)
- Add @description to all Bicep root outputs
- Fix docs/networking.md: add port 5432 (PostgreSQL) to data subnet NSG rules
- Fix docs/security.md: Defender for Key Vault enabled on both subs, not prod only

Author: ricmmartins

docs/networking.md

@@ -92,8 +92,8 @@ No inbound rules needed — VNet integration is outbound only.
 
 **For data subnet:**
 ```
-110  Inbound  Allow  snet-aks    snet-data  1433,6380,443  (SQL, Redis, Storage)
-120  Inbound  Allow  snet-app    snet-data  1433,6380,443
+110  Inbound  Allow  snet-aks    snet-data  1433,5432,6380,443  (SQL, PostgreSQL, Redis, Storage)
+120  Inbound  Allow  snet-app    snet-data  1433,5432,6380,443
 ```
 
 **For shared subnet:**

docs/security.md

@@ -12,7 +12,7 @@ Security that protects you without slowing you down. Every recommendation here i
 | Defender for Servers P2 | Prod only | ~$15/server/month | EDR via Defender for Endpoint, vulnerability assessment, JIT VM access, adaptive application controls. |
 | Defender for Containers | If running AKS | ~$7/vCPU/month | Runtime threat detection, image vulnerability scanning, Kubernetes audit log monitoring. |
 | Defender for Databases | Prod only | Varies | SQL/Postgres threat detection — alerts on SQL injection, anomalous access, brute force. |
-| Defender for Key Vault | Prod only | ~$0.02/10k transactions | Alerts on unusual access patterns to secrets. Cheap insurance. |
+| Defender for Key Vault | Both subs | ~$0.02/10k transactions | Alerts on unusual access patterns to secrets. Cheap insurance. Always enabled by default. |
 | Defender for ARM | Both subs | ~$4/sub/month | Detects suspicious control-plane operations (mass deletions, privilege escalation). Always enabled by this landing zone. |
 | Defender for Storage | No | ~$10/month per account | Malware scanning. Skip unless you accept user file uploads. |
 | Defender for App Service | No | ~$15/month per instance | Limited value compared to other plans. Revisit later. |

examples/ai-startup/main.bicep

@@ -118,7 +118,7 @@ resource gpuNodePool 'Microsoft.ContainerService/managedClusters/agentPools@2024
   name: 'gpu'
   properties: {
     mode: 'User'
-    count: 1
+    count: 0
     minCount: 0
     maxCount: 3
     enableAutoScaling: true

infra/bicep/main.bicep

@@ -174,7 +174,15 @@ module policies 'modules/policy-assignments.bicep' = {
 // Outputs
 // ============================================================================
 
+@description('Monitoring resource group name')
+output resourceGroupMonitoring string = rgMonitoring
+@description('Networking resource group name')
+output resourceGroupNetworking string = deployNetworking ? rgNetworking : ''
+@description('Log Analytics workspace resource ID')
 output logAnalyticsWorkspaceId string = logAnalytics.outputs.workspaceId
+@description('Log Analytics workspace name')
 output logAnalyticsWorkspaceName string = logAnalytics.outputs.workspaceName
+@description('Virtual network resource ID')
 output vnetId string = deployNetworking ? networking.outputs.vnetId : ''
+@description('Virtual network name')
 output vnetName string = deployNetworking ? networking.outputs.vnetName : ''