Merge pull request #138 from Rafi-Microsoft/fix/vm-credential-security

Roopan-Microsoft · web-flow · commit cecacb392c7b · 2026-04-23T22:15:30.000+05:30
fix: Remove hardcoded VM admin password and improve credential security
diff --git a/docs/deploymentguide.md b/docs/deploymentguide.md
@@ -245,15 +245,10 @@ For network-isolated deployments, set the VM credentials before running `azd up`
 
 ```powershell
 azd env set VM_ADMIN_USERNAME "youradminuser"
-azd env set VM_ADMIN_PASSWORD "Use-A-Strong-Password-Here!"
+azd env set VM_ADMIN_PASSWORD "<your-strong-password>"
 ```
 
-If you prefer source-controlled defaults, set them in [infra/main.bicepparam](../infra/main.bicepparam) instead:
-
-```bicep
-param vmUserName = 'youradminuser'
-param vmAdminPassword = 'Use-A-Strong-Password-Here!'
-```
+> ⚠️ **Security Warning:** Do **not** commit VM passwords to source control. Always use `azd env set`, a secrets manager, or pipeline secret variables for sensitive credentials. The `infra/main.bicepparam` file reads the password from the `VM_ADMIN_PASSWORD` environment variable at deployment time — no default is provided intentionally, so deployment will prompt or fail if the variable is unset.
 
 </details>
 
diff --git a/infra/main.bicepparam b/infra/main.bicepparam
@@ -205,7 +205,7 @@ param containerAppsList = [
 ]
 
 param vmUserName = readEnvironmentVariable('VM_ADMIN_USERNAME', 'testvmuser')
-param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!')
+param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', '')
 param vmSize = 'Standard_D2s_v4'
 
 // ========================================
diff --git a/scripts/quota_check.sh b/scripts/quota_check.sh
@@ -180,6 +180,7 @@ MODEL_COUNT=${#MODEL_NAMES[@]}
 
 # ---- Results tracking ----
 declare -A REGION_STATUS
+declare -A RESULTS
 VALID_REGIONS=()
 
 # ---- Main quota check loop ----
@@ -213,7 +214,7 @@ for REGION in "${REGIONS[@]}"; do
                 echo "      (Looked for: $primary_key${alt_key:+, $alt_key})"
             fi
             ALL_PASS=false
-            eval "RESULT_${safe_region}_${i}=N_A"
+            RESULTS["${safe_region}:${i}"]="N_A"
             continue
         fi
 
@@ -223,7 +224,7 @@ for REGION in "${REGIONS[@]}"; do
         LIMIT=${LIMIT%%.*}
         AVAILABLE=$((LIMIT - CURRENT))
 
-        eval "RESULT_${safe_region}_${i}=${AVAILABLE}_${LIMIT}"
+        RESULTS["${safe_region}:${i}"]="${AVAILABLE}_${LIMIT}"
 
         if [[ "$AVAILABLE" -lt "$mcap" ]]; then
             echo "   ❌ $display | Used: $CURRENT | Limit: $LIMIT | Available: $AVAILABLE | Need: $mcap"
@@ -291,7 +292,7 @@ for REGION in "${REGIONS[@]}"; do
 
     for ((i=0; i<MODEL_COUNT; i++)); do
         mcap="${MODEL_CAPS[$i]}"
-        eval "val=\${RESULT_${safe_region}_${i}:-N_A}"
+        val="${RESULTS["${safe_region}:${i}"]:-N_A}"
 
         if [[ "$val" == "N_A" ]]; then
             printf "%-30s" "⚠️  N/A"

Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,7 @@ param containerAppsList = [`
`205`	`205`	`]`
`206`	`206`
`207`	`207`	`param vmUserName = readEnvironmentVariable('VM_ADMIN_USERNAME', 'testvmuser')`
`208`		`-param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!')`
	`208`	`+param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', '')`
`209`	`209`	`param vmSize = 'Standard_D2s_v4'`
`210`	`210`
`211`	`211`	`// ========================================`