Create groups for AAD app reg roles

[marrobi]

Resolves #2480

What is being addressed

• Adds groups to AAD terraform
• Set workspace owner as owner of the groups.
• Adds boolean to create groups to porter.yaml
• Updates aad schema to provide group boolean.
• Add environment variable to enable the feature
• Update app reg scripts to grant required permissions to app registration
• Update changelog

[github-actions]

Unit Test Results

503 tests  +486   501 ✔️ +484   15s ⏱️ +8s
    1 suites ±    0       2 💤 +    2 
    1 files   ±    0       0 ❌ ±    0 

Results for commit c890c1e. ± Comparison against base commit 03a3aab.

This pull request removes 17 and adds 503 tests. Note that renamed tests count towards both.

test_provisioned_health_api ‑ test_health
test_shared_service_templates ‑ test_get_shared_service_template[tre-shared-service-firewall]
test_shared_service_templates ‑ test_get_shared_service_template[tre-shared-service-gitea]
test_shared_service_templates ‑ test_get_shared_service_templates[tre-shared-service-firewall]
test_shared_service_templates ‑ test_get_shared_service_templates[tre-shared-service-gitea]
test_ui ‑ test_ui
test_workspace_service_templates ‑ test_create_workspace_service_templates
test_workspace_service_templates ‑ test_get_workspace_service_template[tre-service-azureml]
test_workspace_service_templates ‑ test_get_workspace_service_template[tre-service-guacamole]
test_workspace_service_templates ‑ test_get_workspace_service_template[tre-service-innereye]
…

tests_ma.test_api.test_errors.test_422_error ‑ test_frw_validation_error_format
tests_ma.test_api.test_errors.test_error ‑ test_frw_validation_error_format
tests_ma.test_api.test_routes.test_airlock.TestAirlockRoutesThatRequireAirlockManagerRights ‑ test_post_create_airlock_review_approves_airlock_request_returns_200
tests_ma.test_api.test_routes.test_airlock.TestAirlockRoutesThatRequireAirlockManagerRights ‑ test_post_create_airlock_review_input_is_malformed_returns_400
tests_ma.test_api.test_routes.test_airlock.TestAirlockRoutesThatRequireAirlockManagerRights ‑ test_post_create_airlock_review_with_event_grid_not_responding_returns_503
tests_ma.test_api.test_routes.test_airlock.TestAirlockRoutesThatRequireAirlockManagerRights ‑ test_post_create_airlock_review_with_illegal_status_change_returns_400
tests_ma.test_api.test_routes.test_airlock.TestAirlockRoutesThatRequireOwnerOrResearcherRights ‑ test_get_airlock_container_link_cancelled_request_returns_400
tests_ma.test_api.test_routes.test_airlock.TestAirlockRoutesThatRequireOwnerOrResearcherRights ‑ test_get_airlock_container_link_in_progress_request_returns_400
tests_ma.test_api.test_routes.test_airlock.TestAirlockRoutesThatRequireOwnerOrResearcherRights ‑ test_get_airlock_container_link_no_airlock_request_found_returns_404
tests_ma.test_api.test_routes.test_airlock.TestAirlockRoutesThatRequireOwnerOrResearcherRights ‑ test_get_airlock_container_link_no_workspace_request_found_returns_404
…

♻️ This comment has been updated with latest results.

[tamirkamara]

What about adding the groups to their respective roles in the workspace app?

[marrobi]

@tamirkamara became a bit more involved than I expected. Appreciate feedback, and if someone has time to test it. I have and got desired result:

[marrobi]

Might need to output the group IDs too, then can link to a URI such as:

https://account.activedirectory.windowsazure.com/r#/manageMembership?objectType=Group&objectId=xxxx

To manage group members.

[tamirkamara]

Looks good with a couple of small comments.

[marrobi]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/2999673697 (with refid 9f314729)

(in response to this comment from @marrobi)

[marrobi]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3007192495 (with refid 9f314729)

(in response to this comment from @marrobi)

[marrobi]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3009145901 (with refid 9f314729)

(in response to this comment from @marrobi)

[marrobi]

/test-destroy-env

[github-actions]

Destroying PR test environment (RG: rg-tre9f314729)... (run: https://github.com/microsoft/AzureTRE/actions/runs/3009327735)

[github-actions]

PR test environment destroy complete (RG: rg-tre9f314729)

[marrobi]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3009450629 (with refid 9f314729)

(in response to this comment from @marrobi)

[marrobi]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3013623377 (with refid 9f314729)

(in response to this comment from @marrobi)

[marrobi]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3021309456 (with refid 9f314729)

(in response to this comment from @marrobi)

[marrobi]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3047996550 (with refid 9f314729)

(in response to this comment from @marrobi)

[tamirkamara]

/test

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3050648354 (with refid 9f314729)

(in response to this comment from @tamirkamara)

[marrobi]

/test-force-approve (passed in https://github.com/microsoft/AzureTRE/actions/runs/3050648354)

[github-actions]

🤖 pr-bot 🤖

✅ Marking tests as complete (for commit c890c1e)

(in response to this comment from @marrobi)