Miscellaneous fixes from TRESA testing

[jemrobinson]

:white_check_mark: Checklist

• [x] You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
• [x] You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
• [x] Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

:vertical_traffic_light: Depends on

n/a

:arrow_heading_up: Summary

Miscellaneous fixes from TRESA testing. Mostly documentation, but the following code changes:

• add an explicit list of Azure locations that will work at the command line
• replace any separators in the SHM name with - when constructing the Pulumi stack name (which is used for resource naming).
• relax restrictions on Azure subscription naming which were preventing the use of subscriptions that already exist

:closed_umbrella: Related issues

Closes #2063 Closes #2066

:microscope: Tests

Tested through TRESA deployment

:thought_balloon: Thoughts

• Is a hardcoded list of Azure locations a good idea?
  • We can't check it programmatically because we do the validation before signing in to the CLI.
  • However, leaving it without validation (as was done previously) leaves us open to quite opaque errors when e.g. "UK South" is provided instead of "uksouth".
  • Another option might be to maintain a dict/enum/data structure of allowed options which map onto the short names
• Is there an authoritative list of which characters are allowed in Azure subscriptions? The Microsoft guidance says that e.g. "[" is not allowed at the beginning of a name, which is provably false.

[github-actions[bot]]

Coverage report

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
data_safe_haven/external/api
graph_api.py					440
data_safe_haven/infrastructure/programs
declarative_sre.py
data_safe_haven/validators
validators.py
Project Total

This report was generated by python-coverage-comment-action

[jemrobinson]

Thoughts on the hard-coded list of allowed locations @JimMadge @craddm ?

[JimMadge]

Thoughts on the hard-coded list of allowed locations @JimMadge @craddm ?

I almost commented on that. I think it is a sensible compromise.

We could use az CLI to get the list, but that would require signing in, be difficult to test in CI, and slow down the code.

[craddm]

Thoughts on the hard-coded list of allowed locations @JimMadge @craddm ?

I almost commented on that. I think it is a sensible compromise.

We could use az CLI to get the list, but that would require signing in, be difficult to test in CI, and slow down the code.

Same, I had a look if you could get a list using the Python SDK and couldn't see an obvious one, and only one mentioned on stackoverflow that would require logging in

[jemrobinson]

We have a function for this in our AzureSDK here: https://github.com/alan-turing-institute/data-safe-haven/blob/78ba7b77270ddb680203f818874fc1c5ceb092ee/data_safe_haven/external/api/azure_sdk.py#L677-L696

However, this means you'd need to log in to the Azure CLI before being able to validate location and I wasn't sure whether this was a good idea or not.