fix: remove hardcoded VM password, secure credential docs, and eliminate eval in quota script

[Rafi-Microsoft]

Purpose

Addresses security and code quality concerns identified by GitHub Copilot code reviews on PR #131. This PR makes three targeted fixes:

1. Remove hardcoded VM password default (infra/main.bicepparam): The vmAdminPassword parameter previously used readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!') - a known credential deployed by default. Changed the fallback to an empty string so deployment requires explicit credential configuration via azd env set.

2. Update deployment guide security guidance (docs/deploymentguide.md): Removed documentation that encouraged committing VM passwords to source control via main.bicepparam. Replaced with a security warning recommending azd env set, secrets managers, or pipeline secret variables.

3. Replace unsafe eval with associative array (scripts/quota_check.sh): Replaced eval-based dynamic variable names with a declare -A associative array keyed by region:index. This eliminates potential code-injection risks and improves script maintainability. Tested and verified the script runs correctly with the new approach.

Cross-repo alignment: All other Microsoft solution accelerators (Content Generation, Code Modernization, DKM, Container Migration, RTI, BYOCC, etc.) use pure environment variable substitution with no hardcoded password defaults for VM credentials. This fix aligns Deploy-Your-AI-Application-In-Production with that established security pattern.

Does this introduce a breaking change?

• Yes
• No

Existing deployments that already set VM_ADMIN_PASSWORD via azd env set are unaffected. Deployments relying on the hardcoded default will now need to explicitly set the password - this is the intended behavior to prevent insecure defaults. The quota check script behavior is unchanged - only internal variable storage mechanism was refactored.

Golden Path Validation

• I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Quota check script tested with --regions eastus,westus --verbose and confirmed correct quota retrieval, summary table rendering, and pass/fail reporting.

Deployment Validation

• I have validated the deployment process successfully and all services are running as expected with this change.

Infrastructure parameter and documentation change. Quota check script is a pre-deployment utility and does not affect runtime services.

What to Check

Verify that the following are valid:

• azd env set VM_ADMIN_PASSWORD "<strong-password>" followed by azd up deploys the Jump VM successfully
• Deployment without setting VM_ADMIN_PASSWORD prompts or fails gracefully (no hardcoded password deployed)
• Documentation in docs/deploymentguide.md renders correctly with the security warning
• ./scripts/quota_check.sh --regions eastus,westus --verbose runs correctly and displays quota summary table

Other Information

• Related to Copilot review findings on chore: dev to main merge #131:
  • Hardcoded password in main.bicepparam (line 208)
  • Insecure documentation guidance in deploymentguide.md (line 219)
  • Unsafe eval usage in quota_check.sh (lines 191, 216, 226, 294)
• Follows VM credential patterns from peer accelerators: Content Generation, Code Modernization, DKM, Container Migration