Miscellaneous fixes from TRESA testing

[jemrobinson]

✅ Checklist

• You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
• You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
• Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

🚦 Depends on

n/a

⤴️ Summary

Miscellaneous fixes from TRESA testing. Mostly documentation, but the following code changes:

• add an explicit list of Azure locations that will work at the command line
• replace any separators in the SHM name with - when constructing the Pulumi stack name (which is used for resource naming).
• relax restrictions on Azure subscription naming which were preventing the use of subscriptions that already exist

🌂 Related issues

Closes #2063
Closes #2066

🔬 Tests

Tested through TRESA deployment

💭 Thoughts

• Is a hardcoded list of Azure locations a good idea?
  • We can't check it programmatically because we do the validation before signing in to the CLI.
  • However, leaving it without validation (as was done previously) leaves us open to quite opaque errors when e.g. "UK South" is provided instead of "uksouth".
  • Another option might be to maintain a dict/enum/data structure of allowed options which map onto the short names
• Is there an authoritative list of which characters are allowed in Azure subscriptions? The Microsoft guidance says that e.g. "[" is not allowed at the beginning of a name, which is provably false.

[github-actions]

Coverage report

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
data_safe_haven/external/api
graph_api.py					440
data_safe_haven/infrastructure/programs
declarative_sre.py
data_safe_haven/validators
validators.py
Project Total

This report was generated by python-coverage-comment-action

[craddm]

LGTM

[jemrobinson]

Thoughts on the hard-coded list of allowed locations @JimMadge @craddm ?

[JimMadge]

Thoughts on the hard-coded list of allowed locations @JimMadge @craddm ?

I almost commented on that. I think it is a sensible compromise.

We could use az CLI to get the list, but that would require signing in, be difficult to test in CI, and slow down the code.

[craddm]

Thoughts on the hard-coded list of allowed locations @JimMadge @craddm ?

I almost commented on that. I think it is a sensible compromise.

We could use az CLI to get the list, but that would require signing in, be difficult to test in CI, and slow down the code.

Same, I had a look if you could get a list using the Python SDK and couldn't see an obvious one, and only one mentioned on stackoverflow that would require logging in

[jemrobinson]

We have a function for this in our AzureSDK here:

data-safe-haven/data_safe_haven/external/api/azure_sdk.py

Lines 677 to 696 in 78ba7b7

	def get_locations(self) -> list[str]:
	"""Retrieve list of Azure locations
	Returns:
	List[str]: Names of Azure locations
	"""
	try:
	subscription_client = SubscriptionClient(self.credential())
	return [
	str(location.name)
	for location in cast(
	list[Location],
	subscription_client.subscriptions.list_locations(
	subscription_id=self.subscription_id
	),
	)
	]
	except AzureError as exc:
	msg = "Azure locations could not be loaded."
	raise DataSafeHavenAzureError(msg) from exc

However, this means you'd need to log in to the Azure CLI before being able to validate location and I wasn't sure whether this was a good idea or not.