
[DCJ-357] Add TDR managed offers to sam.conf #1436

Merged: 3 commits, May 21, 2024

Conversation


@okotsopoulos okotsopoulos commented May 17, 2024

Ticket: https://broadworkbench.atlassian.net/browse/DCJ-357

What:

Using #1303 as a guide, added TDR's private managed application offers to Sam configuration.

Why:

This will enable TDR to call Sam's createManagedResourceGroup endpoint when creating new billing profiles. This Sam endpoint does the following:

  • Checks that the calling user is authorized to use the MRG for billing profile creation
  • Associates the billing profile ID with the MRG's coordinates

Right now, TDR performs its own access checks on the TDR MRG. I'm not sure yet if we'll be able to remove them, though.

All of this is a prerequisite for TDR to use Sam's createActionManagedIdentity endpoint to mint new UAMIs for TDR MRGs.

How:

Besides this configuration change, we also had to publish a new version of the tdr-dev managed app offer which makes the terra-workspace-dev Azure group an Owner of the offer. This was needed so that Sam's service principals are allowed to operate in TDR MRGs. Slack

Unfortunately, offer changes are not retroactive to already deployed apps, so I had to deploy a new TDR managed application in order to test this out on my BEE. I documented that process through step 5 here: https://broadworkbench.atlassian.net/wiki/spaces/DCJ/pages/3165519875/20240521+Manual+POC+accessing+a+private+storage+account+within+TDR+MRG

Notable is that I was able to manually link a TDR billing profile to its MRG coords through this endpoint, and then subsequently use Sam to create a UAMI off of it!

PR checklist

  • I've followed the instructions if I've made any changes to the API, especially if they're breaking changes
  • I've filled out the Security Risk Assessment (requires Broad Internal network access) and attached the result to the JIRA ticket


SonarCloud: Quality Gate passed

Issues: 0 new issues, 0 accepted issues

Measures: 0 Security Hotspots; no data about Coverage; no data about Duplication

See analysis details on SonarCloud

@okotsopoulos okotsopoulos marked this pull request as ready for review May 21, 2024 14:06
@okotsopoulos okotsopoulos requested review from rtitle and rushtong May 21, 2024 14:06

@rushtong rushtong left a comment


👍🏽

@okotsopoulos okotsopoulos merged commit 6bbac37 into develop May 21, 2024
22 checks passed
@okotsopoulos okotsopoulos deleted the okotsopo-DCJ-357-tdr-managed-offers-to-config branch May 21, 2024 15:56