
fix: Reduce quota demand, add Bicep version guard, remove hardcoded VM credentials#396

Open
Roopan-Microsoft wants to merge 1 commit intodevfrom
fix/infra-reliability-and-security-improvements

Conversation

@Roopan-Microsoft
Contributor

Summary

Addresses 3 high-impact findings from the Modernize-your-code error analysis (telemetry: 2025-12-01 to 2026-04-06). The template currently has a 61.1% success rate (229 failures / 588 provisions).


Changes

1. Add Bicep version guard (P1 - addresses 43.2% of failures)

Error: `InvalidTemplate` — 99 occurrences, 35 machines. The #1 error category.

  • Added `bicep: '>= 0.33.0'` to `requiredVersions` in both `azure.yaml` and `azure_custom.yaml`
  • Why: Template uses Bicep 0.33+ features (`deployer()`, `resourceInput<>`, null-forgiving `!`) but only guarded the azd version. Users with older Bicep get cryptic compile errors. Now azd fails fast with a clear message.

2. Reduce default model capacity (P1 - addresses 2.2% of failures)

Error: `InsufficientQuota` — 5 occurrences, 2 machines

  • `gptModelCapacity`: 150 -> 30 TPM (80% reduction)
  • Added `@minValue(1)` constraint
  • Why: 150 TPM is excessive for a single-model template. Many subscriptions lack this quota. Template remains fully functional at 30 TPM.

3. Remove hardcoded VM credentials (SECURITY - OWASP A07:2021)

Issue: Hardcoded password `JumpboxAdminP@ssw0rd1234!` visible in public repository

  • Removed fallback defaults from `main.bicep`, `main_custom.bicep`, and `main.json`
  • VM credentials now required when `enablePrivateNetworking = true` (fails fast if not provided)
  • Updated `docs/DeploymentGuide.md` and `docs/CustomizingAzdParameters.md` accordingly

Files Changed (7 files)

| File | Changes |
| --- | --- |
| `azure.yaml` | Added Bicep version requirement |
| `azure_custom.yaml` | Added Bicep version requirement |
| `infra/main.bicep` | Reduced capacity, removed hardcoded creds, improved param descriptions |
| `infra/main_custom.bicep` | Same fixes as main.bicep |
| `infra/main.json` | Compiled ARM template updated to match |
| `docs/CustomizingAzdParameters.md` | Updated defaults and descriptions |
| `docs/DeploymentGuide.md` | VM creds now required, not optional |

Impact

  • Projected success rate: 61.1% -> ~75-80%
  • Security vulnerabilities fixed: 1 critical (hardcoded credentials)
  • Zero breaking changes for non-WAF deployments

…ardcoded VM credentials

- Reduce gptModelCapacity default from 150 to 30 TPM (addresses InsufficientQuota errors - 2.2% of failures)
- Add bicep >= 0.33.0 to requiredVersions in azure.yaml and azure_custom.yaml (addresses InvalidTemplate errors - 43.2% of failures)
- Remove hardcoded VM password fallback from main.bicep, main_custom.bicep, and main.json (OWASP A07:2021)
- Add @minValue(1) constraint to gptModelCapacity parameter
- Update docs to reflect new required VM credentials and reduced capacity default
- Applied consistently across main.bicep, main_custom.bicep, main.json, and documentation
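To keep the section 3 finding (a credential default compiled into `main.json`) from regressing, here is an added example that is not part of this PR or the project: a small Python audit of an ARM template's `parameters` block that flags credential-like parameters shipping a default or lacking a secure type. The `BEFORE`/`AFTER` fragments are constructed to mirror the description; the password value is a placeholder, not the real one.

```python
import json
import re

# Parameter names that usually carry a credential, whatever type is declared.
SECRET_NAME_RE = re.compile(r"password|passwd|secret|apikey|api_key|token", re.IGNORECASE)
# ARM parameter types that Bicep's @secure() decorator compiles to.
SECURE_TYPES = {"securestring", "secureobject"}


def find_hardcoded_credentials(arm_template: dict) -> list[dict]:
    """Audit the 'parameters' section of a compiled ARM template.

    Returns one finding per parameter that either (a) is credential-like (secure
    type or secret-sounding name) and ships a non-empty defaultValue, i.e. a
    secret committed to the repo, or (b) is secret-sounding but not declared
    secure, so its value would be logged in plain text in deployment history.
    """
    findings = []
    for name, spec in arm_template.get("parameters", {}).items():
        ptype = str(spec.get("type", "")).lower()
        default = spec.get("defaultValue")
        secret_name = bool(SECRET_NAME_RE.search(name))
        if (ptype in SECURE_TYPES or secret_name) and default not in (None, ""):
            findings.append({"parameter": name, "reason": "committed default on credential parameter"})
        if secret_name and ptype not in SECURE_TYPES:
            findings.append({"parameter": name, "reason": "credential parameter not declared secure"})
    return findings


def audit_template_text(text: str) -> list[dict]:
    """Audit a main.json-style template given as JSON text."""
    return find_hardcoded_credentials(json.loads(text))


# Constructed before/after fragments modelled on the PR description (not the
# project's real main.json); the password value is a placeholder.
BEFORE = json.dumps({"parameters": {
    "vmAdminUsername": {"type": "string", "defaultValue": "jumpboxadmin"},
    "vmAdminPassword": {"type": "secureString", "defaultValue": "<PLACEHOLDER-PASSWORD>"},
    "gptModelCapacity": {"type": "int", "defaultValue": 150},
}})
AFTER = json.dumps({"parameters": {
    "vmAdminUsername": {"type": "string", "defaultValue": ""},
    "vmAdminPassword": {"type": "secureString"},
    "gptModelCapacity": {"type": "int", "defaultValue": 30, "minValue": 1},
}})

if __name__ == "__main__":
    for label, template in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_template_text(template))
```

Run it against the real `infra/main.json` in CI so a reintroduced `defaultValue` on a `secureString` parameter fails the build.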
