Improve credential logging and choice

[jemrobinson]

✅ Checklist

• You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
• You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
• Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

🚦 Depends on

n/a

⤴️ Summary

Currently credential confirmation is written to the logs in unnecessary places (e.g. in the Pulumi output) and the user is not given a chance to check that the credentials are correct.

This adds:

• a confirmation prompt the first time a set of credentials are used
• suppresses credential information
  • after approval has been given
  • inside Pulumi (which is run as a separate process, so the previous class-variable solution was not working)

🌂 Related issues

n/a

🔬 Tests

Tested on a fresh SRE deployment and on update

[github-actions]

Coverage report

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
data_safe_haven/external/api
azure_sdk.py
credentials.py
Project Total

This report was generated by python-coverage-comment-action

[JimMadge]

We recently removed the prompt for users to confirm the credentials, was that because it was difficult to keep in restructuring or because we decided it wasn't a good idea?

[craddm]

Was maybe because it was super annoying to have to reconfirm every time? Doing it the first time makes sense

[jemrobinson]

Because it was prompting during non-interactive sessions (i.e. during Pulumi calls) which caused lock-ups. With this PR we can set the skip_confirmation flag in the Pulumi code which should mean that the prompt (and associated messages) only happen in the interactive part of the code.

[JimMadge]

Looks good but I think we should make sure to test the confirmation behaviour.