Live-smoke automation for the Azure and GCP passwordless deploy paths #212

Description

@fheikens

Summary

The AWS aws_rds_iam deploy path is now validated live (#201 closed — green run, passwordless snapshot against an IAM-auth RDS). The Azure (azure_entra) and GCP (gcp_cloudsql_iam) deploy paths have the same template + runbook (#205) but no live-smoke automation yet.

Port the AWS operator-gated live smoke (.github/workflows/aws-rds-iam-live-smoke.yml) to Azure and GCP:

  • Swap the cloud auth: azure/login (Azure OIDC federated credential) / google-github-actions/auth (GCP Workload Identity Federation) instead of aws-actions/configure-aws-credentials.
  • Swap the verify path: reach the loopback-only API on the VM — Azure via az vm run-command, GCP via gcloud compute ssh/IAP or the OS-login equivalent — instead of SSM.
  • Same shape otherwise: apply → force a collection → assert a passwordless snapshot → always destroy.

Prereqs mirror #201: an IAM-auth-enabled DB (Azure Entra auth on Flexible Server / Cloud SQL IAM auth), the one-time DB principal/grant, and a federated CI identity.

Acceptance criteria

  • A green workflow_dispatch live smoke for each of Azure and GCP, producing a passwordless snapshot and tearing down, with the run attached here.

Post-RC1 (AWS is the RC blocker and is done). Reference: AWS harness in .github/workflows/aws-rds-iam-live-smoke.yml + deploy/aws/LIVE-SMOKE.md.

Labels

  • area:tooling (Developer, CI, release, and automation tooling)
  • effort:M (Medium effort, 8-24 hours)
  • priority:P2 (Nice-to-have / can be deferred)
