feat(azure-yaml): add enterprise SFTP blob storage example with advan…

[rshade]

…ced security

Summary

Add new Pulumi YAML example demonstrating Azure Blob Storage with SFTP support, featuring enterprise-grade security controls including customer-managed encryption, private network access, and comprehensive audit logging.

Features

• Customer-Managed Encryption: HSM-backed 4096-bit RSA keys in Azure Key Vault Premium
• Infrastructure Encryption: Double encryption layer for maximum data protection
• Private Network Only: Zero public internet access with private endpoints
• Immutable Storage: WORM compliance with version control and change tracking
• Extended Audit Logging: 7-year retention for compliance requirements
• Role-Based Access: Admin and auditor users with granular container permissions
• Latest Azure Native Provider: Uses Azure Native v3.8+ features and 2024 API versions

Technical Implementation

Core Components

• Storage Account: Data Lake Gen2 (hierarchical namespace) with SFTP enabled
• Key Vault Premium: HSM-backed customer-managed encryption keys
• Encryption Scope: Dedicated scope with infrastructure encryption
• Virtual Network: Isolated VNet with subnets for storage and Key Vault
• Private Endpoints: Secure access to storage and Key Vault services
• Managed Identity: Secure Key Vault access without shared keys
• Log Analytics: Comprehensive monitoring with extended retention

Security Posture

Encryption:
  - At Rest: Customer-managed keys (4096-bit RSA-HSM)
  - In Transit: TLS 1.2+ and SSH
  - Infrastructure: Double encryption enabled

Network Security:
  - Public Access: Disabled
  - Private Endpoints: Required
  - Network Rules: Explicit deny all
  - Service Bypass: None

Access Control:
  - Authentication: SSH keys only (passwords disabled)
  - Shared Keys: Disabled
  - Authorization: Azure AD OAuth
  - User Types: Admin (full) and Auditor (read-only)

Data Integrity:
  - Immutable Storage: Enabled on all containers
  - Versioning: Full version control
  - Change Feed: 7-year audit trail
  - Soft Delete: 7-year retention

Documentation

README.md (193 lines)

• Clean technical implementation guide
• Quick start with configuration examples
• Architecture diagram with mermaid
• Troubleshooting and support information
• Minimal length focused on essentials

HIPAA_COMPLIANCE.md (562 lines)

• Healthcare security reference (educational only)
• Comprehensive legal disclaimers
• Technical security patterns for regulated industries
• No compliance guarantees - professional validation required

Total Documentation: 755 lines

• Reduced from initial 3,754 lines (80% reduction)
• Removed excessive operational guides
• Focused on practical implementation

Healthcare & Compliance Notes

While this example implements security controls commonly required by healthcare and financial organizations, it includes prominent disclaimers:

• ⚠️ No guarantee of HIPAA, PHI, or regulatory compliance
• ⚠️ Professional legal and compliance consultation required
• ⚠️ Independent security assessment needed for production use
• ⚠️ Compliance standards evolve - always verify current requirements

Healthcare organizations can reference HIPAA_COMPLIANCE.md for additional security considerations, but must validate with their own compliance teams.

Testing

To test this example:

cd azure-yaml-sftp-blob

# Initialize stack
pulumi stack init dev

# Configure
pulumi config set azure-native:location "East US 2"
pulumi config set storageAccountName "testsftpstorage$(date +%s)"
pulumi config set userPublicKey "$(cat ~/.ssh/id_rsa.pub)"

# Preview (validate syntax)
pulumi preview

# Deploy (requires Azure credentials and VPN for private network access)
pulumi up

Language Conversion

This YAML example can be converted to other languages:

pulumi convert --language typescript --out ./typescript-version
pulumi convert --language python --out ./python-version
pulumi convert --language go --out ./go-version
pulumi convert --language csharp --out ./csharp-version

Breaking Changes

None - this is a new example.

Related Issues

Closes #XXXX (if applicable)

Checklist

• Code follows repository standards
• Documentation is clear and concise
• Example includes architecture diagram
• Security best practices implemented
• Legal disclaimers for compliance content
• Formatting validated with make format and make check_python_formatting
• Tested deployment with pulumi preview
• Tested full deployment cycle (requires Azure environment)

Notes for Reviewers

1. Legal Review: The HIPAA_COMPLIANCE.md file includes extensive legal disclaimers. Please validate these are sufficient to protect against liability claims.

2. Azure Syntax: Some Pulumi YAML syntax should be validated during review:

   • Managed identity property structure (line 150)
   • getClientConfig function syntax (lines 60, 108)
   • Subnet array indexing (lines 393, 414)
   • BlobService versioning property name (line 212)

3. Security Configuration: All security features use latest Azure Native provider capabilities. Review that:

   • Customer-managed keys are properly configured
   • Infrastructure encryption is enabled at all layers
   • Private network access is enforced correctly
   • Audit logging captures all required events

4. Documentation Scope: Intentionally kept documentation minimal (755 lines total) to avoid overwhelming users. More detailed operational guides were removed as they were too extensive for an example.

Additional Context

This example was created in response to requests for:

• Modern SFTP support in Azure with latest security features
• Customer-managed encryption implementation patterns
• Healthcare/compliance-ready infrastructure examples (with appropriate disclaimers)
• Pulumi YAML examples demonstrating complex Azure architectures

[dirien]

@rshade you could rebranch and I approve this.