
feat: automatically recreate azure bastion vm with latest version #167

Open

timtalbot wants to merge 1 commit into main from azure-bastion-updates

Conversation

@timtalbot
Contributor

Description

This change implements automatic recreation of Azure Bastion jumpbox VMs when a new Ubuntu image version becomes available. Previously, the jumpbox VM used version="latest" which would only apply the latest image on initial creation, but would not update existing VMs when new images were released. This change fetches the actual latest version number at Pulumi runtime and configures the VM resource to be automatically recreated when that version changes.

Code Flow

1. Image Version Discovery (azure_sdk.py)

The new get_latest_vm_image_version() function queries the Azure Compute Management API to retrieve all available versions for a given image (publisher/offer/SKU combination), then sorts them to find the latest:

This replaces the use of the magic "latest" string with a concrete version number that Pulumi can track for changes.

2. Bastion VM Configuration (azure_bastion.py)

The AzureBastion component now:

  • Accepts an image_version parameter instead of hardcoding "latest"
  • Tags the VM with the image version for visibility
  • Configures critical Pulumi resource options:
    • replace_on_changes=["storageProfile.imageReference.version"] triggers VM recreation when the image version changes
    • delete_before_replace=True ensures the old VM is deleted before creating the new one (avoiding name conflicts)
    • protect=False explicitly allows the VM to be replaced
    • delete_option="Delete" on the OS disk to ensure cleanup when the VM is replaced
    • Enables automatic platform patching configuration for the VM OS, to provide updates in between Pulumi runs

3. Integration (azure_workload_persistent.py)

The _define_bastion() method:

  1. Calls get_latest_vm_image_version() with the subscription ID and region from the workload config
  2. Handles any errors during the fetch operation
  3. Passes the concrete version to the AzureBastion constructor

Category of change

  • Bug fix (non-breaking change which fixes an issue)
  • Version upgrade (upgrading the version of a service or product)
  • New feature (non-breaking change which adds functionality)
  • Build: a code change that affects the build system or external dependencies
  • Performance: a code change that improves performance
  • Refactor: a code change that neither fixes a bug nor adds a feature
  • Documentation: documentation changes
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have reviewed my own diff and added inline comments on lines I want reviewers to focus on or that I am uncertain about
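As an added example (not code from this PR or the project's azure_sdk.py), this is one way to implement the version discovery step described under "Code Flow" so that the sort is numeric rather than lexicographic and an empty or malformed result fails loudly instead of picking a junk entry. The signature of get_latest_vm_image_version with an injected client, the parse/select helpers and the sample version list are assumptions.

```python
"""Pick the newest Azure Marketplace image version for a publisher/offer/SKU.

Versions look like "major.minor.build" (e.g. "22.04.202502140"). Comparing
them as plain strings is wrong when component widths differ: as strings
"22.04.2025010" sorts above "22.04.20241231", numerically it is older.
"""
import re

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(name: str) -> tuple:
    """Turn '22.04.202502140' into (22, 4, 202502140); raise on non-numeric names."""
    if not _VERSION_RE.match(name):
        raise ValueError(f"not a numeric image version: {name!r}")
    return tuple(int(part) for part in name.split("."))


def latest_image_version(names) -> str:
    """Return the highest version among the given image names.

    Non-numeric entries are skipped rather than allowed to mis-sort;
    an empty result raises so a failed lookup never silently yields nothing.
    """
    parsed = []
    for name in names:
        try:
            parsed.append((parse_version(name), name))
        except ValueError:
            continue
    if not parsed:
        raise LookupError("no numeric image versions found")
    return max(parsed)[1]


def get_latest_vm_image_version(client, location, publisher, offer, sku) -> str:
    """client is assumed to be an azure.mgmt.compute.ComputeManagementClient;
    virtual_machine_images.list() yields resources whose .name is the version."""
    images = client.virtual_machine_images.list(location, publisher, offer, sku)
    return latest_image_version(img.name for img in images)


# Constructed sample of what the API might return (not real data).
SAMPLE_VERSIONS = ["22.04.202410010", "22.04.202502140", "22.04.202412310", "preview"]

if __name__ == "__main__":
    print(latest_image_version(SAMPLE_VERSIONS))
```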

@timtalbot timtalbot requested a review from a team as a code owner March 6, 2026 17:30
@timtalbot timtalbot requested a review from amdove March 6, 2026 17:30
opts=pulumi.ResourceOptions(
parent=self,
protect=False, # allow the VM to be recreated on image version updates
replace_on_changes=["storageProfile.imageReference.version"],
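Review bot: because the version is fetched at runtime (per the description) and `replace_on_changes=["storageProfile.imageReference.version"]` is set, any `pulumi up` run after a new image is published will replace the bastion as a side effect of that run, not only when someone intends an image update; consider stating this in the description or the component docs, and offering a config override to pin the version so operators can schedule the replacement.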
Contributor Author

replace_on_changes forces VM recreation when the imageReference version changes; otherwise it would be an update, which doesn't actually update the image running on the VM.

parent=self,
protect=False, # allow the VM to be recreated on image version updates
replace_on_changes=["storageProfile.imageReference.version"],
delete_before_replace=True,
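Review bot: with `delete_before_replace=True` the jumpbox is gone from the moment the old VM is deleted until the new one is provisioned, and if the create step fails (for example an invalid fetched version or a quota error) there is no bastion to fall back to; consider validating the fetched version before the replacement starts, and noting in the description that an image update causes a short access outage rather than a rolling swap.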
Contributor Author

We ensure we delete the old VM first so it cleans up its disks and has no conflicts with the pending new VM.

@timtalbot timtalbot requested a review from stevenolen March 6, 2026 17:36