Configure airlock review VMs to use Nexus proxy for pip and conda #4889

Draft
Copilot wants to merge 2 commits into main from copilot/configure-airlock-review-vms-nexus

Contributor

Copilot AI commented Mar 31, 2026

Resolves #4009

What is being addressed

Airlock import/export review VMs boot without Nexus proxy configuration, so users cannot install packages via pip or conda to inspect specialised file types during review. The regular guacamole VMs already have this configuration.

How is this addressed

Mirrors the Nexus proxy setup from the regular guacamole Windows VM (vm_config.ps1) into both airlock review VM templates:

  • main.tf — Add azurerm.core provider alias (needed to read the app gateway public IP from the core resource group)
  • data.tf — Add data.azurerm_resource_group.core and data.azurerm_public_ip.app_gateway_ip data sources
  • locals.tf — Add nexus_proxy_url local derived from the app gateway FQDN
  • download_review_data.ps1 — Configure pip (pip.ini) and conda channels/alias to route through Nexus before downloading review data
  • windowsvm.tf — Pass nexus_proxy_url and CondaConfig to the script template
  • porter.yaml — Bump import reviewvm 0.4.4 → 0.5.0, export reviewvm 0.3.5 → 0.4.0
  • CHANGELOG.md updated

Copilot AI changed the title from "[WIP] Configure airlock review VMs for Nexus access" to "Configure airlock review VMs to use Nexus proxy for pip and conda" Mar 31, 2026
Copilot AI requested a review from marrobi March 31, 2026 10:44
Member

marrobi commented Mar 31, 2026

@copilot Is there a reason the airlock review VMs can't build on the existing Windows and Linux guacamole VMs, rather than having duplicated content? Like the import workspace builds off the base workspace?

Contributor Author

Copilot AI commented Mar 31, 2026

@copilot Is there a reason the airlock review VMs can't build on the existing Windows and Linux guacamole VMs, rather than having duplicated content? Like the import workspace builds off the base work...

The --build-context inheritance pattern (via porter-build-context.env + COPY --from=base in Dockerfile.tmpl) currently only exists at the workspace level — airlock-import-review and unrestricted inherit from base. No user resource templates use this pattern today.

The review VMs and regular Windows VMs have significant structural differences that make direct inheritance non-trivial:

  • Different providers — review VMs don't use the azuread provider or auth_client_id/auth_client_secret credentials
  • Different parameters — review VMs have airlock_request_sas_url but lack owner_id, admin_username, shared_storage_access, shutdown_schedule, etc.
  • Different Terraform resources — export review VM has NSG rules, both have time_sleep and random_string for username (vs. deriving from Azure AD)
  • Different setup scripts — download_review_data.ps1 vs vm_config.ps1 (which includes shared storage mounts, Docker proxy, R config, etc.)

The shared code added here is specifically the pip/conda Nexus proxy configuration (~15 lines of PowerShell), matching what vm_config.ps1 already had. Introducing the build-context inheritance pattern for user resources would be a larger architectural change — worth exploring as a separate refactoring effort but beyond the scope of this bug fix.
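
The pip and conda routing that the PR description and the reply above refer to, sketched as an added PowerShell example; it is not the PR's download_review_data.ps1 or the project's vm_config.ps1. The function name, the two repository-name parameters and the sample URL are assumptions, and the `/repository/<name>/...` paths follow Nexus's usual repository URL layout.

```powershell
# Added example. Repository names and the sample URL are placeholders, not values from the PR.
function Set-NexusPackageProxy {
    param(
        [Parameter(Mandatory)] [uri]    $NexusProxyUrl,
        [Parameter(Mandatory)] [string] $PipRepo,     # hypothetical Nexus PyPI proxy repository name
        [Parameter(Mandatory)] [string] $CondaRepo,   # hypothetical Nexus conda proxy repository name
        [string] $PipConfigDir = 'C:\ProgramData\pip' # pip's machine-wide config location on Windows
    )

    # Fail closed on anything but HTTPS so package metadata cannot be altered in transit.
    if (-not $NexusProxyUrl.IsAbsoluteUri -or $NexusProxyUrl.Scheme -ne 'https') {
        throw "Nexus proxy URL must be an absolute https:// URL, got '$NexusProxyUrl'"
    }
    $base = $NexusProxyUrl.AbsoluteUri.TrimEnd('/')

    # pip: no trusted-host entry, since that would disable TLS verification for the proxy host.
    New-Item -ItemType Directory -Path $PipConfigDir -Force | Out-Null
    $pipIndex = "$base/repository/$PipRepo/simple"
    Set-Content -Path (Join-Path $PipConfigDir 'pip.ini') -Encoding Ascii -Value @(
        '[global]'
        "index-url = $pipIndex"
    )

    # conda: add the Nexus channel first, then drop the public 'defaults' channel that
    # conda inserts when the channels list is first created.
    $channels = @()
    if (Get-Command conda -ErrorAction SilentlyContinue) {
        conda config --system --add channels "$base/repository/$CondaRepo/main"
        conda config --system --remove channels defaults
        conda config --system --set channel_alias "$base/repository/$CondaRepo/"

        # Read the merged configuration back and reject any channel that is not an
        # explicit Nexus URL (this also catches entries from a user-level .condarc).
        $channels = @((conda config --show channels --json | Out-String | ConvertFrom-Json).channels)
        $bypass = @($channels | Where-Object { -not $_.StartsWith("$base/") })
        if ($bypass.Count -gt 0) { throw "Channels not routed through Nexus: $($bypass -join ', ')" }
    }

    [pscustomobject]@{ PipIndexUrl = $pipIndex; CondaChannels = $channels }
}

# Constructed sample call:
# Set-NexusPackageProxy -NexusProxyUrl 'https://nexus.example.invalid' -PipRepo 'PYPI_REPO' -CondaRepo 'CONDA_REPO'
```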


Successfully merging this pull request may close these issues.

  • Airlock review VMs are not configured to use Nexus
  • Support .jsonc for template_schema files