feat(azure-yaml): add enterprise SFTP blob storage example with advanced security

Add new Pulumi YAML example demonstrating Azure Blob Storage with SFTP support, featuring enterprise-grade security controls including customer-managed encryption, private network access, and comprehensive audit logging.

- **Customer-Managed Encryption**: HSM-backed 4096-bit RSA keys in Azure Key Vault Premium
- **Infrastructure Encryption**: Double encryption layer for maximum data protection
- **Private Network Only**: Zero public internet access with private endpoints
- **Immutable Storage**: WORM compliance with version control and change tracking
- **Extended Audit Logging**: 7-year retention for compliance requirements
- **Role-Based Access**: Admin and auditor users with granular container permissions
- **Latest Azure Native Provider**: Uses Azure Native v3.8+ features and 2024 API versions

- **Storage Account**: Data Lake Gen2 (hierarchical namespace) with SFTP enabled
- **Key Vault Premium**: HSM-backed customer-managed encryption keys
- **Encryption Scope**: Dedicated scope with infrastructure encryption
- **Virtual Network**: Isolated VNet with subnets for storage and Key Vault
- **Private Endpoints**: Secure access to storage and Key Vault services
- **Managed Identity**: Secure Key Vault access without shared keys
- **Log Analytics**: Comprehensive monitoring with extended retention

```yaml
Encryption:
  - At Rest: Customer-managed keys (4096-bit RSA-HSM)
  - In Transit: TLS 1.2+ and SSH
  - Infrastructure: Double encryption enabled

Network Security:
  - Public Access: Disabled
  - Private Endpoints: Required
  - Network Rules: Explicit deny all
  - Service Bypass: None

Access Control:
  - Authentication: SSH keys only (passwords disabled)
  - Shared Keys: Disabled
  - Authorization: Azure AD OAuth
  - User Types: Admin (full) and Auditor (read-only)

Data Integrity:
  - Immutable Storage: Enabled on all containers
  - Versioning: Full version control
  - Change Feed: 7-year audit trail
  - Soft Delete: 7-year retention
```

- Clean technical implementation guide
- Quick start with configuration examples
- Architecture diagram with mermaid
- Troubleshooting and support information
- Minimal length focused on essentials

- Healthcare security reference (educational only)
- Comprehensive legal disclaimers
- Technical security patterns for regulated industries
- No compliance guarantees - professional validation required

- Reduced from initial 3,754 lines (80% reduction)
- Removed excessive operational guides
- Focused on practical implementation

While this example implements security controls commonly required by healthcare and financial organizations, it includes prominent disclaimers:

- ⚠️ No guarantee of HIPAA, PHI, or regulatory compliance
- ⚠️ Professional legal and compliance consultation required
- ⚠️ Independent security assessment needed for production use
- ⚠️ Compliance standards evolve - always verify current requirements

Healthcare organizations can reference `HIPAA_COMPLIANCE.md` for additional security considerations, but must validate with their own compliance teams.

To test this example:

```bash
cd azure-yaml-sftp-blob

pulumi stack init dev

pulumi config set azure-native:location "East US 2"
pulumi config set storageAccountName "testsftpstorage$(date +%s)"
pulumi config set userPublicKey "$(cat ~/.ssh/id_rsa.pub)"

pulumi preview

pulumi up
```

This YAML example can be converted to other languages:

```bash
pulumi convert --language typescript --out ./typescript-version
pulumi convert --language python --out ./python-version
pulumi convert --language go --out ./go-version
pulumi convert --language csharp --out ./csharp-version
```

None - this is a new example.

Closes #XXXX (if applicable)

- [x] Code follows repository standards
- [x] Documentation is clear and concise
- [x] Example includes architecture diagram
- [x] Security best practices implemented
- [x] Legal disclaimers for compliance content
- [x] Formatting validated with `make format` and `make check_python_formatting`
- [ ] Tested deployment with `pulumi preview`
- [ ] Tested full deployment cycle (requires Azure environment)

1. **Legal Review**: The HIPAA_COMPLIANCE.md file includes extensive legal disclaimers. Please validate these are sufficient to protect against liability claims.

2. **Azure Syntax**: Some Pulumi YAML syntax should be validated during review:
   - Managed identity property structure (line 150)
   - `getClientConfig` function syntax (lines 60, 108)
   - Subnet array indexing (lines 393, 414)
   - BlobService versioning property name (line 212)

3. **Security Configuration**: All security features use latest Azure Native provider capabilities. Review that:
   - Customer-managed keys are properly configured
   - Infrastructure encryption is enabled at all layers
   - Private network access is enforced correctly
   - Audit logging captures all required events

4. **Documentation Scope**: Intentionally kept documentation minimal (755 lines total) to avoid overwhelming users. More detailed operational guides were removed as they were too extensive for an example.

This example was created in response to requests for:
- Modern SFTP support in Azure with latest security features
- Customer-managed encryption implementation patterns
- Healthcare/compliance-ready infrastructure examples (with appropriate disclaimers)
- Pulumi YAML examples demonstrating complex Azure architectures

Author: rshade

.gitignore

@@ -31,3 +31,4 @@ Gopkg.lock
 target/
 *-test/
 .claude/settings.local.json
+PR_MESSAGE.md

CLAUDE.md

@@ -0,0 +1,295 @@
+# Pulumi Examples Repository - Development Guide
+
+This repository contains hundreds of Infrastructure as Code (IaC) examples using Pulumi across multiple cloud providers and programming languages.
+
+## Repository Architecture
+
+### High-Level Structure
+This is a monorepo containing **300+ examples** organized by cloud provider and programming language:
+
+```
+{cloud}-{language}-{example-type}/
+├── aws-{go|py|ts|js|cs|fs}-{feature}/
+├── azure-{go|py|ts|js|cs|fs}-{feature}/
+├── gcp-{go|py|ts|js|cs|fs}-{feature}/
+├── kubernetes-{go|py|ts|js|cs|fs}-{feature}/
+└── testing-{integration|unit}-{language}/
+```
+
+**Supported Languages:**
+- **TypeScript/JavaScript** (`ts`/`js`) - Most comprehensive coverage
+- **Python** (`py`) - Second-most coverage
+- **Go** (`go`) - Growing coverage, especially for AWS
+- **C#** (`cs`) - .NET examples
+- **F#** (`fs`) - Functional .NET examples
+
+**Cloud Providers:**
+- AWS (largest coverage)
+- Azure (comprehensive)
+- Google Cloud Platform (GCP)
+- Kubernetes
+- DigitalOcean, Equinix Metal, Linode, OVHCloud
+
+### Project Structure Patterns
+
+Each example follows a consistent structure:
+```
+example-name/
+├── Pulumi.yaml           # Project definition
+├── main.{go|py|ts|js}   # Infrastructure code
+├── go.mod               # Go modules (Go projects)
+├── package.json         # Node dependencies (TS/JS)
+├── requirements.txt     # Python dependencies
+├── README.md           # Usage documentation
+├── app/                # Application code (if containerized)
+└── .gitignore
+```
+
+### Core Architectural Patterns
+
+1. **Infrastructure Components**: Reusable modules for common patterns
+   - VPC/Network setup with public/private subnets
+   - Load balancers with target groups
+   - ECS/Fargate containers with ECR repositories
+   - IAM roles and policies
+   - Security groups with ingress/egress rules
+
+2. **Multi-Tier Applications**: Complete application stacks
+   - Web servers with databases
+   - Container orchestration (ECS, EKS, AKS, GKE)
+   - Serverless functions with API gateways
+   - Static websites with CDNs
+
+3. **Testing Patterns**: Comprehensive testing strategies
+   - Unit tests with mocking
+   - Integration tests with real deployments
+   - Policy-as-Code validation
+
+## Development Commands
+
+### Essential Commands for Daily Development
+
+#### Working with Individual Examples
+```bash
+# Navigate to an example and preview changes
+cd aws-typescript-eks && pulumi preview
+
+# Deploy an example
+cd aws-typescript-eks && pulumi up
+
+# Clean up resources
+cd aws-typescript-eks && pulumi destroy
+
+# Check stack outputs
+cd aws-typescript-eks && pulumi stack output
+```
+
+#### Building and Testing
+```bash
+# Quick validation of code formatting and linting
+make format && make lint
+
+# Run all integration tests (4-hour timeout)
+make only_test
+
+# Run tests for specific cloud/language combination
+make specific_test_set TestSet=AwsGo
+
+# Run tests with specific tags
+make specific_tag_set TagSet=aws TestSet=Go
+
+# Test a single example
+make test_example.TestAccAwsPyS3Folder
+
+# Preview changes in PR mode (tests only changed examples)
+make pr_preview
+```
+
+#### Language-Specific Linting and Formatting
+```bash
+# Repository-wide linting and formatting
+make lint                      # Run all linting across languages
+make format                    # Format all code (Python with Black)
+
+# Python-specific
+make check_python_formatting   # Validate Python formatting
+make setup_python              # Setup Python virtual environment
+
+# TypeScript linting (repository-wide)
+tslint -c tslint.json **/*.ts
+
+# Go formatting (per-project)
+cd aws-go-fargate && go fmt ./...
+cd aws-go-fargate && go mod tidy
+
+# C#/.NET (per-project)
+cd aws-cs-webserver && dotnet format
+```
+
+#### Testing Infrastructure
+```bash
+# Setup test dependencies
+make ensure
+
+# Go unit tests (specific project)
+cd testing-unit-go && go test
+
+# Python unit tests
+cd testing-unit-py && python -m pytest
+
+# TypeScript unit tests
+cd testing-unit-ts/mocha && npm test
+```
+
+### CI/CD Workflows
+
+The repository uses GitHub Actions with several specialized workflows:
+
+#### Main Test Workflow (`test-examples.yml`)
+- **TypeScript Linting**: `tslint` validation across all TS files
+- **Unit Tests**: Language-specific unit test execution
+- **Python Formatting**: Black code formatting validation
+- **Integration Tests**: Matrix testing across cloud providers and languages
+  - Platforms: AWS, Azure, GCP, DigitalOcean, Equinix Metal
+  - Languages: Go, Python, TypeScript, JavaScript, C#, F#
+- **Kubernetes Tests**: Specialized K8s testing with Minikube
+
+#### PR Preview Workflow
+- Detects changed examples vs base branch
+- Automatically seeds missing configuration with safe placeholders
+- Runs `pulumi preview` on changed examples only
+- Supports multiple runtime detection (Node.js, Python, Go, .NET, YAML)
+
+### Testing Architecture
+
+#### Integration Testing Framework
+Located in `misc/test/`, the testing system:
+
+1. **Test Definitions**: Structured test configuration in `definitions/`
+   - Tagged by language and cloud provider
+   - Uses Pulumi's `integration.ProgramTestOptions`
+   - Supports parallel execution (40 parallel tests)
+
+2. **Test Execution**:
+   - Go-based test runner with `gotestfmt` formatting
+   - 4-hour timeout for full test suite
+   - Comprehensive cloud provider authentication
+
+3. **Test Categories**:
+   - **Unit Tests**: Mock-based testing with `pulumi.WithMocks()`
+   - **Integration Tests**: Deploy-check-destroy lifecycle
+   - **Policy Tests**: Policy-as-Code validation
+
+#### Example Unit Test Pattern (Go)
+```go
+// Mock resource creation
+func (mocks) NewResource(args pulumi.MockResourceArgs) (string, resource.PropertyMap, error) {
+    outputs := args.Inputs.Mappable()
+    if args.TypeToken == "aws:ec2/instance:Instance" {
+        outputs["publicIp"] = "203.0.113.12"
+    }
+    return args.Name + "_id", resource.NewPropertyMapFromMap(outputs), nil
+}
+
+// Test infrastructure properties
+func TestInfrastructure(t *testing.T) {
+    err := pulumi.RunErr(func(ctx *pulumi.Context) error {
+        infra, err := createInfrastructure(ctx)
+        // Assert expected properties
+        pulumi.All(infra.server.Tags).ApplyT(func(tags interface{}) error {
+            assert.Contains(t, tags, "Name")
+            return nil
+        })
+        return err
+    }, pulumi.WithMocks("project", "stack", mocks(0)))
+    assert.NoError(t, err)
+}
+```
+
+### Development Workflow
+
+#### Before Working on Examples
+1. **Prerequisites Setup**:
+   - Configure cloud provider credentials (AWS CLI, Azure CLI, gcloud)
+   - Install language-specific tools (Node.js, Python, Go, .NET)
+   - Run `pulumi login` to authenticate with Pulumi
+
+2. **Working with Existing Examples**:
+   - Navigate to example directory: `cd aws-typescript-eks`
+   - Install dependencies: `npm install` (or language equivalent)
+   - Configure stack: `pulumi config set aws:region us-west-2`
+   - Preview: `pulumi preview`
+   - Deploy: `pulumi up`
+   - Clean up: `pulumi destroy`
+
+#### Adding New Examples
+1. **Naming and Structure**:
+   - Follow `{cloud}-{language}-{feature}` naming convention
+   - Create directory with standard structure (see Project Structure Patterns above)
+   - Include comprehensive README with deployment steps
+
+2. **Testing Integration**:
+   - Add test definitions to `misc/test/definitions/`
+   - Tag appropriately for CI matrix execution
+   - Test locally before submitting PR
+
+3. **Code Quality**:
+   - Run language-specific linting and formatting
+   - Ensure example works with `pulumi preview` and `pulumi up`
+   - Include proper resource tagging and cleanup
+
+#### PR Workflow
+- Run `make pr_preview` to test only changed examples
+- Automatic linting and formatting validation
+- Integration tests run on maintainer approval
+- Use `make format && make lint` before committing
+
+## Key Dependencies and Tools
+
+### Core Infrastructure
+- **Pulumi SDK**: v3.x across all languages
+- **Cloud Provider SDKs**: AWS SDK v7, Azure SDK, GCP SDK
+- **Docker**: For containerized examples
+
+### Testing and CI
+- **gotestfmt**: Go test output formatting
+- **pytest**: Python testing framework
+- **Mocha**: TypeScript/JavaScript testing
+- **tslint**: TypeScript linting
+- **Black**: Python code formatting
+
+### Development Tools
+- **Node.js 20**: TypeScript/JavaScript runtime
+- **Python 3.9+**: Python runtime
+- **Go 1.21+**: Go runtime
+- **Helm**: Kubernetes package management
+- **kubectl**: Kubernetes CLI
+
+## Common Development Issues
+
+### Authentication Problems
+- **Cloud Provider Credentials**: Ensure AWS CLI, Azure CLI, or gcloud is configured
+- **Pulumi Backend**: Run `pulumi login` to authenticate with Pulumi service
+- **Permission Errors**: Check IAM roles have sufficient permissions for resource creation
+
+### Resource Conflicts
+- **Stack State**: Use unique stack names to avoid conflicts: `pulumi stack select dev-yourname`
+- **Resource Names**: Many examples use randomized names to avoid conflicts
+- **Region Conflicts**: Configure appropriate regions: `pulumi config set aws:region us-west-2`
+
+### Testing Issues
+- **Long Test Times**: Full integration tests take up to 4 hours - use `make pr_preview` for quick validation
+- **Parallel Test Failures**: Tests run 40 in parallel - occasional timeouts are expected
+- **Resource Cleanup**: Always run `pulumi destroy` after testing to avoid costs
+
+## Architecture Insights
+
+This repository demonstrates several key IaC architectural patterns:
+
+1. **Multi-Cloud Abstraction**: Examples show similar patterns across cloud providers
+2. **Language Polyglot**: Same infrastructure patterns implemented across multiple programming languages
+3. **Component Reusability**: Higher-level components built from cloud primitives
+4. **Testing Strategy**: Comprehensive unit, integration, and policy testing
+5. **CI/CD Integration**: Automated testing and validation at scale
+
+The testing infrastructure alone processes hundreds of examples across multiple cloud providers, languages, and test types, making it one of the most comprehensive IaC testing frameworks available.