Add subscription-scoped Bicep demo for Windows VM stack

[Codex]

Provision a demo-friendly Azure VM stack in Sweden Central via Bicep, creating the RG, networking, NSG, NIC, public IP, and Windows Server VM with low-cost defaults and deployment guidance.

• Subscription entrypoint: infra/bicep/main.bicep creates the resource group and calls a resource-group–scoped VM stack module; parameters include location, VM size, image SKU, and secure admin credentials.
• VM stack module: infra/bicep/modules/vmStack.bicep builds VNet/Subnet, NSG, public IP, NIC, and a Standard_B2s Windows Server VM with managed OS disk.
• Parameters & docs: Added infra/bicep/main.bicepparam sample (placeholder password) and expanded infra/bicep/README.md with validate/deploy commands.

Example:

module vmStack 'modules/vmStack.bicep' = {
  name: 'vmStack'
  scope: demoRg
  params: {
    location: location
    adminUsername: adminUsername
    adminPassword: adminPassword
    vmSize: vmSize
    windowsSku: windowsSku
  }
}

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Demo IaC Generator: Azure VM + Network</issue_title>
<issue_description>You are generating demo IaC for Azure for infrastructure engineers/DevOps personas.

Parameters

IaC Language: Bicep

Requirements

• Use Azure Bicep for the IaC
• Create a virtual machine and associated resources:
  • Azure region: Sweden Central
  • Operating System: Windows Server
  • Virtual Network + Subnet: Use default address spaces
  • VM Size: Use a common, low-cost size suitable for demo
  • Network Security Group (NSG) with default rules
  • Network Interface (NIC)
  • Managed OS Disk
  • Public IP (for demo access)
• Keep defaults low-cost and demo-friendly.
• Do not output secrets or keys.
• Assume deployment scope is subscription (include resource group creation).
• Update the README.md in the IaC language folder to document how to deploy the generated IaC code.
• Create a .bicepparam file with example parameter values (no secrets).
• Ensure the IaC is deployable by verifying lint errors are resolved, and validation passes.</issue_description>

Comments on the Issue (you are @codex[agent] in this section)

• Fixes Demo IaC Generator: Azure VM + Network #7

[Copilot]

Pull request overview

Adds a demo Azure VM stack under infra/bicep/ using a subscription-scoped entrypoint that creates a resource group and deploys a resource-group–scoped module to provision networking + a Windows Server VM in Sweden Central.

Changes:

• Added infra/bicep/main.bicep (subscription scope) to create the RG and invoke the VM stack module.
• Added infra/bicep/modules/vmStack.bicep to deploy VNet/Subnet/NSG/Public IP/NIC and a Windows Server VM.
• Added a sample parameter file and deployment documentation (main.bicepparam, README.md).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
infra/bicep/main.bicep	Subscription-scope entrypoint that creates the RG and calls the VM stack module.
infra/bicep/modules/vmStack.bicep	Resource-group module that defines the networking resources and Windows VM.
infra/bicep/main.bicepparam	Sample parameter values to drive the deployment.
infra/bicep/README.md	Local build + Azure validate/deploy instructions for the demo stack.

[Copilot]

osProfile.computerName for Windows VMs must be 15 characters or fewer. vmName is derived from demo${uniqueString(...)}-vm and will exceed that limit, which will cause the deployment to fail. Introduce a separate, shorter computerName value (e.g., a truncated/sanitized version) and keep the Azure resource name as-is if desired.

[Copilot]

The public IP is created as sku: Basic with publicIPAllocationMethod: Dynamic. For new/long-lived demos this is brittle (and in some subscriptions/regions Basic is no longer permitted); Standard + Static is the recommended SKU and avoids unexpected IP changes.

[Copilot]

adminPassword is marked @secure() in main.bicep, but the .bicepparam file still includes an adminPassword entry. Even with a placeholder, this pattern encourages putting secrets into source-controlled param files and can lead to accidental check-ins of real passwords. Prefer removing adminPassword from main.bicepparam and supplying it only via CLI/secure mechanisms (as already shown in the README).

Suggested change

param adminPassword = '<enter-strong-password>'

[Copilot]

The README states main.bicep creates the networking/public IP/NIC/VM, but those resources are actually created in modules/vmStack.bicep (with main.bicep only creating the RG and invoking the module). Updating this description will prevent confusion when readers browse the files.

Suggested change

	- `main.bicep` – subscription-scope deployment that creates the resource group, networking, public IP, NIC, and VM
	- `main.bicep` – subscription-scope deployment that creates the resource group and invokes the `modules/vmStack.bicep` module for the networking, public IP, NIC, and VM