Add optional preserveResources flag to skip cleanup of resources and custom role definition

[Copilot]

This PR adds a new global --preserveResources flag that allows users to preserve resources created during MPF execution, including the custom role definition, instead of automatically cleaning them up.

Problem

Previously, MPF would always clean up all resources at the end of execution:

• Terraform resources via terraform destroy
• Custom role definitions
• Role assignments
• Auto-created resource groups

This made it difficult for users to:

• Investigate deployed resources for debugging
• Reuse discovered custom roles with minimal permissions
• Control cleanup timing for expensive resources
• Build incrementally on previous permission discoveries

Solution

Added a new global flag --preserveResources (environment variable: MPF_PRESERVERESOURCES) that:

• Skips terraform destroy when finding permissions for Terraform deployments
• Preserves custom role definition with discovered minimal permissions
• Keeps role assignments attached to the service principal
• Preserves auto-created resource groups (for ARM/Bicep deployments)
• Shows preservation info including custom role name and ID for manual cleanup

Usage Examples

# Using command line flag
azmpf terraform --preserveResources --tfPath terraform --workingDir ./config

# Using environment variable  
export MPF_PRESERVERESOURCES=true
azmpf terraform --tfPath terraform --workingDir ./config

# Works with all deployment types
azmpf arm --preserveResources --templateFilePath template.json --parametersFilePath params.json
azmpf bicep --preserveResources --bicepFilePath main.bicep --parametersFilePath params.json

Implementation Details

• Added PreserveResources field to domain.MPFConfig to pass flag through the system
• Modified MPFService.CleanUpResources() to conditionally skip cleanup operations
• Updated all deployment authorization checkers (Terraform, ARM, Bicep) to respect the flag
• Maintained full backward compatibility - default behavior unchanged
• Added comprehensive logging to inform users what resources are preserved

Testing

• ✅ All existing unit tests pass
• ✅ Code compiles successfully
• ✅ Flag appears correctly in CLI help
• ✅ Environment variable binding works
• ✅ Functional testing confirms both default and preserve behaviors work correctly

Fixes #84.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[maniSbindra]

this flag is only needed for terraform

[Copilot]

You're absolutely right. I've removed the preserveResources flag from the ARM command. It now uses false instead of flgPreserveResources since ARM deployments don't perform expensive infrastructure destruction like terraform destroy. The flag remains available in the CLI for consistency but has no effect for ARM commands. Fixed in commit a38b73c.

[maniSbindra]

this flag is only needed for terraform

[Copilot]

Agreed. I've removed the preserveResources flag from the Bicep command as well. It now uses false instead of flgPreserveResources since Bicep deployments, like ARM, don't have the same infrastructure destruction semantics as Terraform. The flag has no effect for Bicep commands. Fixed in commit a38b73c.