In order to review import and export Airlock requests, reviewers will create VMs in Review Workspace for import and Research Workspaces to be able to look at imported / exported data.
These VMs are relatively short lived, and can be cleaned up after the data review is complete. Note: This proposal assumes no reuse of the VM between different requests.
A possible implementation would be to create a shared service, e.g. airlock-review-vm-cleanup, that would contain e.g. an Azure Function (using a Terraform data block, the Airlock processor Function App can be reused for this).
The function will be triggered by the Event Grid events from the topic , which would contain the request ID of the Airlock request that was either approved or rejected.
The function will then proceed to clean up the VMs that aren't needed.
There are two ways to do that:
A quicker but less clean way would be to just delete the VM that is tagged with a request ID (note: for this, when review VMs are created, they must be tagged with a request ID, possibly accepted as a bundle parameter in the user resource template). This should be possible to do from outside the Workspace, even though the VM is created within the Workspace network, because this is a Management Plane operation.
A nicer way would be to issue an API request to delete the VM. For this, an identity will need to be created that has permissions to do this.
See a simplified diagram below:
Had a chat with @marrobi and we think that it would actually make more sense for the cleanup mechanism to be part of the API, as we are also planning to add an endpoint for creating the review VMs, too.
To find which VMs to clean up, we will need to query Cosmos for VMs that have the corresponding Airlock Request ID (as part of their properties, perhaps).
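A sketch of the selection step both messages above rely on, added here as an example and not code from the project: it picks only VMs whose tag equals the request ID carried by an approved or rejected event. The event fields (`request_id`, `status`), the tag key `airlock_request_id`, the status strings and the sample inventory are assumptions constructed for illustration.

```python
import uuid
from typing import Optional

# Assumed names, not from the issue: event fields, tag key, status strings.
TERMINAL_STATUSES = {"approved", "rejected"}
VM_TYPE = "microsoft.compute/virtualmachines"
TAG_KEY = "airlock_request_id"

def finished_request_id(event: dict) -> Optional[str]:
    """Canonical request ID if the event marks a finished review, else None."""
    data = event.get("data") or {}
    if str(data.get("status", "")).lower() not in TERMINAL_STATUSES:
        return None  # review still open: its VMs must stay
    try:
        return str(uuid.UUID(str(data.get("request_id"))))
    except ValueError:
        return None  # malformed ID never reaches a tag filter or query

def select_vms_for_cleanup(event: dict, resources: list) -> list:
    """IDs of VMs tagged with the event's request ID (empty if none qualify)."""
    request_id = finished_request_id(event)
    if request_id is None:
        return []
    selected = []
    for res in resources:
        if str(res.get("type", "")).lower() != VM_TYPE:
            continue  # a matching tag on a non-VM resource is ignored
        tags = res.get("tags") or {}
        if str(tags.get(TAG_KEY, "")).lower() == request_id:
            selected.append(res["id"])
    return selected

# Constructed sample data for illustration.
REQ_A = "3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b"
REQ_B = "9a8b7c6d-1e2f-4a3b-8c4d-5e6f7a8b9c0d"
INVENTORY = [
    {"id": "vm-review-a", "type": "Microsoft.Compute/virtualMachines", "tags": {TAG_KEY: REQ_A}},
    {"id": "vm-review-b", "type": "Microsoft.Compute/virtualMachines", "tags": {TAG_KEY: REQ_B}},
    {"id": "storage-a", "type": "Microsoft.Storage/storageAccounts", "tags": {TAG_KEY: REQ_A}},
    {"id": "vm-untagged", "type": "Microsoft.Compute/virtualMachines", "tags": None},
]

if __name__ == "__main__":
    event = {"data": {"request_id": REQ_A, "status": "approved"}}
    print(select_vms_for_cleanup(event, INVENTORY))
```

The same guard applies if the lookup moves to Cosmos: the validated, canonical ID is what goes into a parameterized query, never the raw event value.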