Filter deleted resources in get_by_id repository methods

[Copilot]

What is being addressed

The get_*_by_id methods in repository classes return deleted resources, while list methods filter them out. This allows accessing deleted workspaces, workspace services, user resources, and shared services via direct URL after deletion.

How is this addressed

Added deploymentStatus != Status.Deleted filter to all get_by_id queries:

• WorkspaceRepository.get_workspace_by_id()
• WorkspaceServiceRepository.get_workspace_service_by_id()
• UserResourceRepository.get_user_resource_by_id()
• SharedServiceRepository.get_shared_service_by_id()

Query pattern:

query += ' AND c.deploymentStatus != @deletedStatus'
parameters.append({'name': '@deletedStatus', 'value': Status.Deleted})

Updated E2E tests to support the filtering changes:

• Modified check_deployment() in e2e_tests/resources/deployment.py to treat 404 status as a valid deleted state
• When a resource is deleted, the operations endpoint returns 404 (since deleted resources are filtered out), which is now correctly interpreted as successful deletion

Updated unit tests to verify deleted resources raise EntityDoesNotExist.

Updated CHANGELOG.md with bug fix entry.

Incremented API version to 0.25.12 in api_app/_version.py.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Deleted workspaces are still accessible via URL</issue_title>
<issue_description>Describe the bug
workspaces are still accessible via their URL after they are deleted
See also #4307 as this functionality may be required

Steps to reproduce

1. Create a workspace
2. copy the url
3. delete the workspace
4. re-visit the url

Azure TRE release version (e.g. v0.14.0 or main):
main
Deployed Azure TRE components - click the (i) in the UI:

Azure TRE
UI Version:
0.8.17
API Version:
0.25.2</issue_description>

Comments on the Issue (you are @copilot in this section)

@marrobi Ok, it looks like the get `X_by_id` methods are not filtering deleted out, but the list methods are.

Entity Type	List Endpoint (filters deleted?)	Get-by-ID (filters deleted?)
Workspace	Yes	No
Workspace Service	Yes	No
User Resource	Yes	No
Shared Service	Yes	No

So need something like:

async def get_workspace_by_id(self, workspace_id: str) -> Workspace:
    query = 'SELECT * FROM c WHERE c.resourceType = @resourceType AND c.id = @workspaceId AND c.deploymentStatus != @deletedStatus'
    parameters = [
        {'name': '@resourceType', 'value': ResourceType.Workspace},
        {'name': '@workspaceId', 'value': str(workspace_id)},
        {'name': '@deletedStatus', 'value': Status.Deleted}
    ]
    workspaces = await self.query(query=query, parameters=parameters)
    if not workspaces:
        raise EntityDoesNotExist
    return parse_obj_as(Workspace, workspaces[0])

There should also be unit tests to verify this.

@tamirkamara @jonnyry welcome your view on this, I don't think these endpoints should return deleted resources?

@jonnyry @marrobi Hmm I can't think of a reason why the current codebase would need Get-by-ID methods to return deleted entities.

There might be some possible use cases in future, perhaps an audit trail or those outlined in #4307, but for those cases you could an additional optional parameter to include deleted resources (with a default of false).</comment_new>

• Fixes Deleted workspaces are still accessible via URL #4755

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

Unit Test Results

668 tests   668 ✅  7s ⏱️
  1 suites    0 💤
  1 files      0 ❌

Results for commit f73fac4.

♻️ This comment has been updated with latest results.

[marrobi]

@copilot update the API version

[Copilot]

@copilot update the API version

Updated API version to 0.25.7 in commit 2e4d7e8

[JC-wk]

api version will need upping again

[JC-wk]

I have tested this and deleted workspaces are no longer visible @marrobi

[marrobi]

@tamirkamara are you able to look at this one? Thanks.

[tamirkamara]

@marrobi I believe something not right here as the E2E consistently fail to delete workspaces.

[marrobi]

Ah, I know what it is. The operation is giving 404 as the service no longer exists. The tests need updating to accept a 404 as its been deleted.

I thought had fixed this. Maybe not pushed.

[marrobi]

@copilot The e2e tests in this pr fail as the operations endpoint returns 404. Once the workspace services and user resource are deleted it cannot be accessed. 404 should be a valid response that the resource has been deleted. Please fix this.

[Copilot]

@copilot The e2e tests in this pr fail as the operations endpoint returns 404. Once the workspace services and user resource are deleted it cannot be accessed. 404 should be a valid response that the ...

Fixed in commit ba01e4a. The check_deployment function in e2e_tests now treats 404 responses as a valid deleted state, since deleted resources are filtered out by the get_by_id methods and their operations endpoints will return 404.

api version will need upping again

Updated API version to 0.25.12 in commit ba01e4a

[marrobi]

/test-extended ba01e4a

[github-actions]

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/21144706377 (with refid 95c03b79)

(in response to this comment from @marrobi)

[marrobi]

@tamirkamara can you take another look?

[tamirkamara]

/test-force-approve
my comments were about the changelog file and previous tests were successful

[github-actions]

🤖 pr-bot 🤖

✅ Marking tests as complete (for commit f73fac4)

(in response to this comment from @tamirkamara)