Document secure output

Author: mumian

articles/azure-resource-manager/bicep/data-types.md

@@ -423,7 +423,7 @@ You can use the union type syntax in [user-defined data types](./user-defined-da
 
 Secure strings use the same format as string, and secure objects use the same format as object. With Bicep, you add the `@secure()` [decorator](./parameters.md#use-decorators) to a string or object.
 
-When you set a parameter to a secure string or secure object, the value of the parameter isn't saved to the deployment history or logged. If you set that secure value to a property that isn't expecting a secure value, the value isn't protected. For example, if you set a secure string to a tag, that value is stored as plain text. Use secure strings for passwords and secrets.
+When you set a parameter (or an output) to a secure string or secure object, the value of the parameter (or the output) isn't saved to the deployment history or logged. If you set that secure value to a property that isn't expecting a secure value, the value isn't protected. For example, if you set a secure string to a tag, that value is stored as plain text. Use secure strings for passwords and secrets.
 
 The following example shows two secure parameters:
 
@@ -435,6 +435,8 @@ param password string
 param configValues object
 ```
 
+For more information, see [Secure parameters](./parameters.md#secure-parameters) and [Secure outputs](./outputs.md#secure-outputs).
+
 ## Data type assignability
 
 In Bicep, you can assign a value of one type (source type) to another type (target type). The following table shows which source type (listed horizontally) you can or can't assign to which target type (listed vertically). In the table, _X_ means assignable, an empty space means not assignable, and _?_ means only if the types are compatible.

articles/azure-resource-manager/bicep/outputs.md

@@ -68,6 +68,7 @@ Decorators are written in the format `@expression` and are placed above output d
 | [minLength](#length-constraints) | array, string | int | This provides the minimum length for string and array outputs, and the value is inclusive. |
 | [minValue](#integer-constraints) | int | int | This provides the minimum value for the integer output, and the value is inclusive. |
 | [sealed](#sealed) | object | none | Elevate [BCP089](./diagnostics/bcp089.md) from a warning to an error when a property name of a use-define data type is likely a typo. For more information, see [Elevate error level](./user-defined-data-types.md#elevate-error-level). |
+| [secure](#secure-outputs) | string, object | none | Marks the output as secure. The value for a secure output isn't saved to the deployment history and isn't logged. For more information, see [Secure strings and objects](data-types.md#secure-strings-and-objects). |
 
 Decorators are in the [`sys` namespace](bicep-functions.md#namespaces-for-functions). If you need to differentiate a decorator from another item with the same name, preface the decorator with `sys`. For example, if your Bicep file includes a parameter named `description`, you must add the `sys` namespace when using the **description** decorator.
 
@@ -150,6 +151,22 @@ When you provide a `@metadata()` decorator with a property that conflicts with a
 
 See [Elevate error level](./user-defined-data-types.md#elevate-error-level).
 
+### Secure outputs
+
+With Bicep version 0.35.1 and later, you can mark string or object outputs as secure. The value of a secure output isn't saved to the deployment history and isn't logged.
+
+```bicep
+@secure()
+output demoPassword string
+
+@secure()
+output demoSecretObject object
+```
+
+There are several linter rules related to this decorator: [Secure parameter default](./linter-rule-secure-parameter-default.md), [Secure parameters in nested deployments](./linter-rule-secure-params-in-nested-deploy.md), [Secure secrets in parameters](./linter-rule-secure-secrets-in-parameters.md).
+
+
+
 ## Conditional output
 
 When the value to return depends on a condition in the deployment, use the `?` operator.