Support for deployment in Azure Government Cloud (Leonardo)

[bennettn4]

Part of large effort to add support for services to run in Azure Government cloud.

Two parts:

1. Support for government cloud curls

• Added environment variable for AZURE_ENVIRONMENT
• Updated azure-vm-init script to support gov suffix

2. Fixes for running Leo in Azure. The user pet token is unavailable in Azure so calls which used it for Leo->WSM were replaced with the Leo service account token, and appropriate permissions to the workspace were given to the Leo service account.

https://broadworkbench.atlassian.net/browse/TOAZ-372
See related pull requests here:
workbench-libs sam bpm wsm cromwell terra-helmfile

[codecov]

Codecov Report

Attention: Patch coverage is 78.43137% with 11 lines in your changes missing coverage. Please review.

Project coverage is 74.77%. Comparing base (109a9a7) to head (9f228c7).

Files with missing lines	Patch %	Lines
...bench/leonardo/config/AzureHostingModeConfig.scala	60.00%	6 Missing ⚠️
...sde/workbench/leonardo/monitor/MonitorAtBoot.scala	54.54%	5 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #4813      +/-   ##
===========================================
- Coverage    74.77%   74.77%   -0.01%     
===========================================
  Files          165      165              
  Lines        14954    14955       +1     
  Branches      1187     1234      +47     
===========================================
  Hits         11182    11182              
- Misses        3772     3773       +1     

Files with missing lines	Coverage Δ
...de/workbench/leonardo/app/CromwellAppInstall.scala	71.42% <100.00%> (+2.46%)	⬆️
...kbench/leonardo/app/CromwellRunnerAppInstall.scala	87.80% <100.00%> (+2.09%)	⬆️
...e/workbench/leonardo/app/HailBatchAppInstall.scala	62.50% <ø> (ø)
...te/dsde/workbench/leonardo/app/WdsAppInstall.scala	87.50% <100.00%> (+5.14%)	⬆️
...e/workbench/leonardo/app/WorkflowsAppInstall.scala	70.83% <100.00%> (+2.83%)	⬆️
...rkbench/leonardo/http/AppDependenciesBuilder.scala	97.91% <100.00%> (+0.02%)	⬆️
...ch/leonardo/http/service/LeoAppServiceInterp.scala	87.44% <100.00%> (+0.07%)	⬆️
.../dsde/workbench/leonardo/util/AKSInterpreter.scala	88.66% <100.00%> (-0.13%)	⬇️
...e/workbench/leonardo/util/AzurePubsubHandler.scala	84.56% <100.00%> (-0.11%)	⬇️
...workbench/leonardo/util/BuildHelmChartValues.scala	97.18% <ø> (ø)
... and 2 more

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 109a9a7...9f228c7. Read the comment docs.

[LizBaldo]

Were you able to test this? The Azure integration tests have been removed a few months ago unfortunately 🤔

This looks good, but I have a few comments around preserving the pre-existing behavior for GCP as much as possible.

[LizBaldo]

It would be good to differentiate between the azure case that does not require the token, and a true failure in the GCP case where the token is not found. Without the error message it is going to be trickier for us to debug potential user issues

[LizBaldo]

Same comment as above, it would be good to preserve the error message in case of a true failure on the GCP side

[LizBaldo]

Could you link the PR? if it is the terra helmfile one you should be good to merge I think

[LizBaldo]

Same comment re preserving the error message

[LizBaldo]

Same comment re preserving the error message

[LizBaldo]

It would be good to leave a comment here explaining what the leoEmail will be used for. I am assuming that the answer is in the sam client, but would be good to isolate the GCP from the Azure case, even in a small comment

[LizBaldo]

Why the change here for both GCP and Azure case? I would like to keep using the cached token wherever possible.

[jsaun]

Were you able to test this? The Azure integration tests have been removed a few months ago unfortunately 🤔

Yeah, we've been running this branch in our dev environment for a while, it will need some final validation as I don't think we've tested the most recent commits though.

This looks good, but I have a few comments around preserving the pre-existing behavior for GCP as much as possible.

Yep, makes sense. I was trying to avoid the branching logic if possible to keep it consistent/simpler but I will try to update shortly for those cases you pointed out.