fix: Infra reliability & security improvements — reduce quota demand, add Bicep guard, remove hardcoded VM credentials#901
Open
Roopan-Microsoft wants to merge 2 commits intodev-v4from
Conversation
…ardcoded VM credentials - Reduce model capacities: gpt4_1 150->80, gptModel 50->30, reasoning 50->30 (total 250->140 TPM) - Add bicep >= 0.33.0 to requiredVersions in azure.yaml - Remove hardcoded VM password fallback (OWASP A07:2021) - Add @minValue(1) constraints to capacity parameters - Improve VM credential parameter descriptions
Roopan-Microsoft
requested review from
Avijit-Microsoft,
Fr4nc3,
Prajwal-Microsoft,
Vinay-Microsoft,
aniaroramsft,
dgp10801,
marktayl1,
nchandhi and
toherman-msft
as code owners
Roopan-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
- PR #3: Add enablePurgeProtection: false to Key Vault (fixes FlagMustBeSetForRestore - 68 occurrences, 21 machines) - PR #4: Separate model deployments from AI Services account creation with @batchsize(1) via ai-services-deployments.bicep (fixes ETag conflicts - 152 occurrences, 27+ machines) - PR #6: Restrict AI service regions to eastus2, swedencentral, westus and update usageName to match reduced capacities (fixes InvalidResourceLocation - 61 occurrences, 12 machines) - PR #7: Re-enable Search Service private endpoints and publicNetworkAccess toggle for WAF deployments (closes security gap) - PR #8: Enable MCP Server authentication by default (ENABLE_AUTH: true)
Roopan-Microsoft
temporarily deployed
to
production
GitHub Actions
Inactive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses 3 high-impact findings from MACAE error analysis (telemetry: 2025-12-01 to 2026-04-06). Template has 30.3% success rate (2,247 failures / 3,228 provisions).
Changes
1. Reduce default model capacities (addresses 20.2% of failures)
Error: \InsufficientQuota\ + \SubscriptionIsOverQuotaForSku\ — 453 occurrences, 84 machines
2. Add Bicep version guard (addresses 45.8% of failures)
Error: \InvalidTemplate\ + \ ool.bicep.failed\ — 1,030 occurrences, 131+ machines
equiredVersions\ in \�zure.yaml\
3. Remove hardcoded VM credentials (SECURITY)
Issue: OWASP A07:2021 — hardcoded password visible in public repo
Files Changed
Impact