fix: remove hardcoded VM admin password and update credential docs

Rafi-Microsoft · Copilot · Rafi-Microsoft · commit 9c8071b1f55d · 2026-04-17T18:00:12.000+05:30
- Remove hardcoded default password from vmAdminPassword parameter in
  main.bicepparam to prevent known credentials from being deployed
  unintentionally. The parameter now defaults to an empty string,
  requiring users to set VM_ADMIN_PASSWORD via azd env set.

- Update deployment guide to remove guidance that encouraged committing
  VM credentials to source control. Replaced with security warning
  recommending azd env set, secrets manager, or pipeline secret
  variables.

- Aligned with VM credential patterns used by other Microsoft solution
  accelerators (Content Generation, Code Modernization, DKM, Container
  Migration) which use pure environment variable substitution with no
  hardcoded password defaults.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/docs/deploymentguide.md b/docs/deploymentguide.md
@@ -209,15 +209,10 @@ For network-isolated deployments, set the VM credentials before running `azd up`
 
 ```powershell
 azd env set VM_ADMIN_USERNAME "youradminuser"
-azd env set VM_ADMIN_PASSWORD "Use-A-Strong-Password-Here!"
+azd env set VM_ADMIN_PASSWORD "<your-strong-password>"
 ```
 
-If you prefer source-controlled defaults, set them in [infra/main.bicepparam](../infra/main.bicepparam) instead:
-
-```bicep
-param vmUserName = 'youradminuser'
-param vmAdminPassword = 'Use-A-Strong-Password-Here!'
-```
+> ⚠️ **Security Warning:** Do **not** commit VM passwords to source control. Always use `azd env set`, a secrets manager, or pipeline secret variables for sensitive credentials. The `infra/main.bicepparam` file reads the password from the `VM_ADMIN_PASSWORD` environment variable at deployment time — no default is provided intentionally, so deployment will prompt or fail if the variable is unset.
 
 </details>
 
diff --git a/infra/main.bicepparam b/infra/main.bicepparam
@@ -205,7 +205,7 @@ param containerAppsList = [
 ]
 
 param vmUserName = readEnvironmentVariable('VM_ADMIN_USERNAME', 'testvmuser')
-param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!')
+param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', '')
 param vmSize = 'Standard_D2s_v4'
 
 // ========================================

Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,7 @@ param containerAppsList = [`
`205`	`205`	`]`
`206`	`206`
`207`	`207`	`param vmUserName = readEnvironmentVariable('VM_ADMIN_USERNAME', 'testvmuser')`
`208`		`-param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!')`
	`208`	`+param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', '')`
`209`	`209`	`param vmSize = 'Standard_D2s_v4'`
`210`	`210`
`211`	`211`	`// ========================================`