From 9c8071b1f55dcb9960d433a3c8b067af23c1d9b2 Mon Sep 17 00:00:00 2001
From: Rafi-Microsoft
Date: Fri, 17 Apr 2026 18:00:12 +0530
Subject: [PATCH 1/2] fix: remove hardcoded VM admin password and update credential docs
- Remove hardcoded default password from vmAdminPassword parameter in main.bicepparam to prevent known credentials from being deployed unintentionally. The parameter now defaults to an empty string, requiring users to set VM_ADMIN_PASSWORD via azd env set.
- Update deployment guide to remove guidance that encouraged committing VM credentials to source control. Replaced with security warning recommending azd env set, secrets manager, or pipeline secret variables.
- Aligned with VM credential patterns used by other Microsoft solution accelerators (Content Generation, Code Modernization, DKM, Container Migration) which use pure environment variable substitution with no hardcoded password defaults.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
docs/deploymentguide.md | 9 ++-------
infra/main.bicepparam | 2 +-
2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/docs/deploymentguide.md b/docs/deploymentguide.md
index ca930a2..936c0a0 100644
--- a/docs/deploymentguide.md
+++ b/docs/deploymentguide.md
@@ -209,15 +209,10 @@ For network-isolated deployments, set the VM credentials before running `azd up`
 ```powershell
 azd env set VM_ADMIN_USERNAME "youradminuser"
-azd env set VM_ADMIN_PASSWORD "Use-A-Strong-Password-Here!"
+azd env set VM_ADMIN_PASSWORD ""
 ```
-If you prefer source-controlled defaults, set them in [infra/main.bicepparam](../infra/main.bicepparam) instead:
-
-```bicep
-param vmUserName = 'youradminuser'
-param vmAdminPassword = 'Use-A-Strong-Password-Here!'
-```
+> ⚠️ **Security Warning:** Do **not** commit VM passwords to source control. Always use `azd env set`, a secrets manager, or pipeline secret variables for sensitive credentials. The `infra/main.bicepparam` file reads the password from the `VM_ADMIN_PASSWORD` environment variable at deployment time — no default is provided intentionally, so deployment will prompt or fail if the variable is unset.
diff --git a/infra/main.bicepparam b/infra/main.bicepparam
index a3342c0..82c63f5 100644
--- a/infra/main.bicepparam
+++ b/infra/main.bicepparam
@@ -205,7 +205,7 @@ param containerAppsList = [
 ]
 param vmUserName = readEnvironmentVariable('VM_ADMIN_USERNAME', 'testvmuser')
-param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!')
+param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', '')
 param vmSize = 'Standard_D2s_v4'
 // ========================================
From 376107e3a7800932a2c8f037408d2eab71ef75b4 Mon Sep 17 00:00:00 2001
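Review bot: The new default `''` in `readEnvironmentVariable('VM_ADMIN_PASSWORD', '')` means an unset variable silently yields an empty password that is handed on to the VM resource, so the mistake surfaces only if the platform rejects the value, not at parameter evaluation; the guide text added in the first hunk promises the deployment will "prompt or fail", which this default does not ensure. Omitting the default, `param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD')`, makes Bicep report the missing variable when the parameter file is evaluated. The username on the preceding context line still falls back to the predictable `'testvmuser'`; removing that default as well would make both VM credentials explicit. The first hunk of the guide also shows `azd env set VM_ADMIN_PASSWORD ""` as the example command, which literally sets an empty value; a placeholder such as `"<your-strong-password>"` would avoid readers copying it verbatim.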
From: Rafi-Microsoft
Date: Mon, 20 Apr 2026 14:36:36 +0530
Subject: [PATCH 2/2] fix: replace eval with associative array in quota_check.sh
Replace unsafe eval-based dynamic variable names with a declare -A associative array keyed by 'region:index'. This eliminates potential code-injection risks from eval and improves script maintainability.
Addresses Copilot review comments on PR #131 (lines 191, 216, 226, 294 of scripts/quota_check.sh).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
scripts/quota_check.sh | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/scripts/quota_check.sh b/scripts/quota_check.sh
index a481534..53b6885 100644
--- a/scripts/quota_check.sh
+++ b/scripts/quota_check.sh
@@ -180,6 +180,7 @@ MODEL_COUNT=${#MODEL_NAMES[@]}
 # ---- Results tracking ----
 declare -A REGION_STATUS
+declare -A RESULTS
 VALID_REGIONS=()
 # ---- Main quota check loop ----
@@ -213,7 +214,7 @@ for REGION in "${REGIONS[@]}"; do
 echo " (Looked for: $primary_key${alt_key:+, $alt_key})"
 fi
 ALL_PASS=false
- eval "RESULT_${safe_region}_${i}=N_A"
+ RESULTS["${safe_region}:${i}"]="N_A"
 continue
 fi
@@ -223,7 +224,7 @@ for REGION in "${REGIONS[@]}"; do
 LIMIT=${LIMIT%%.*}
 AVAILABLE=$((LIMIT - CURRENT))
- eval "RESULT_${safe_region}_${i}=${AVAILABLE}_${LIMIT}"
+ RESULTS["${safe_region}:${i}"]="${AVAILABLE}_${LIMIT}"
 if [[ "$AVAILABLE" -lt "$mcap" ]]; then
 echo " ❌ $display | Used: $CURRENT | Limit: $LIMIT | Available: $AVAILABLE | Need: $mcap"
@@ -291,7 +292,7 @@ for REGION in "${REGIONS[@]}"; do
 for ((i=0; i
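Review bot: `declare -A RESULTS` is added without a comment describing the key and value layout that later code has to parse; the two writers in this patch store `"${AVAILABLE}_${LIMIT}"` or the sentinel `N_A` under the key `"${safe_region}:${i}"`. A one-line comment above the declaration, `# RESULTS["<region>:<model index>"] = "<available>_<limit>", or "N_A" when no quota key matched`, would let a reader of the consumer loop (the hunk at line 291, cut off in this view) know the format without locating the writers. The exact condition under which `N_A` is stored is only partly visible here (the hunk at line 213 shows the `Looked for:` message just before it), so adjust the wording to match the surrounding branch.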
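Review bot: The sentinel `N_A` stored at `RESULTS["${safe_region}:${i}"]="N_A"` uses the same `_` that separates the two fields of the normal value `"${AVAILABLE}_${LIMIT}"` written in the hunk at line 223, so a consumer that splits on `_` sees `N` and `A` instead of a missing result; the read-back loop at line 291 is cut off in this view, so I cannot confirm whether it guards against that. The ambiguity predates this patch, but with an associative array it is cheap to avoid: leave the entry unset for a missing model and have the reader test `[[ -n "${RESULTS[$key]:-}" ]]` before splitting. Separately, `safe_region` presumably existed only to produce a valid identifier for `eval`; with string keys, `RESULTS["${REGION}:${i}"]` works directly, unless `safe_region` is still used by the consumer. If it is not, both assignment lines can use `${REGION}` and the sanitising step can be dropped.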