Merge pull request #1169 from NHSDigital/DTOSS-12458-investigate-container-startup-probes-and-credential-chain

[DTOSS-12458] - feat(manage_breast_screening): add managed identity support for Azure Blob Storage and PostgreSQL

Author: josielsouzanordcloud

docs/infrastructure/environment-variables.md

@@ -30,7 +30,7 @@ Description: Private key used to sign JWT and sent to API OAuth2 provider. Used
 
 To rotate: [Generate a new keypair](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication#step-2-generate-a-key-pair) and contact the NHS Notify onboarding team so they can update the public key.
 
-## AZURE_CLIENT_ID
+## AZURE_DB_CLIENT_ID
 
 Client ID of the database managed identity, when using.
 

infrastructure/modules/container-apps/variables.tf

@@ -255,7 +255,7 @@ locals {
   }
 
   azure_db_env = {
-    AZURE_CLIENT_ID = var.deploy_database_as_container ? null : module.db_connect_identity[0].client_id
+    AZURE_DB_CLIENT_ID = var.deploy_database_as_container ? null : module.db_connect_identity[0].client_id
     DATABASE_HOST   = var.deploy_database_as_container ? null : module.postgres[0].host
     DATABASE_NAME   = var.deploy_database_as_container ? null : module.postgres[0].database_names[0]
     DATABASE_USER   = var.deploy_database_as_container ? null : module.db_connect_identity[0].name

manage_breast_screening/config/azure_blob_storage.py

@@ -0,0 +1,19 @@
+from os import environ
+
+from azure.identity import DefaultAzureCredential
+from storages.backends.azure_storage import AzureStorage
+
+
+class ManagedIdentityAzureStorage(AzureStorage):
+    """
+    AzureStorage subclass that instantiates DefaultAzureCredential in __init__
+    rather than at settings import time, avoiding credential chain errors during
+    Django startup before the managed identity is available.
+    """
+
+    def __init__(self, **kwargs):
+        kwargs.setdefault(
+            "token_credential",
+            DefaultAzureCredential(managed_identity_client_id=environ.get("BLOB_MI_CLIENT_ID")),
+        )
+        super().__init__(**kwargs)

manage_breast_screening/config/postgresql/base.py

@@ -1,3 +1,5 @@
+from os import environ
+
 from azure.identity import DefaultAzureCredential
 from django.db.backends.postgresql import base
 
@@ -24,7 +26,9 @@ class DatabaseWrapper(base.DatabaseWrapper):
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        self.azure_credential = DefaultAzureCredential()
+        self.azure_credential = DefaultAzureCredential(
+            managed_identity_client_id=environ.get("AZURE_DB_CLIENT_ID")
+        )
 
     def _get_azure_connection_password(self) -> str:
         # This makes use of in-memory token caching

manage_breast_screening/config/settings.py

@@ -14,7 +14,6 @@
 from os import environ
 from pathlib import Path
 
-from azure.identity import DefaultAzureCredential
 from dotenv import load_dotenv
 from jinja2 import ChainableUndefined
 
@@ -210,13 +209,10 @@ def list_env(key):
             },
         }
 else:
-    # In production, use DefaultAzureCredential for authentication
+    # In production, authenticate to Azure Blob Storage using managed identity.
     dicom_storage_options = {
-        "BACKEND": "storages.backends.azure_storage.AzureStorage",
+        "BACKEND": "manage_breast_screening.config.azure_blob_storage.ManagedIdentityAzureStorage",
         "OPTIONS": {
-            "token_credential": DefaultAzureCredential(
-                managed_identity_client_id=environ.get("BLOB_MI_CLIENT_ID")
-            ),
             "account_name": environ.get("STORAGE_ACCOUNT_NAME"),
             "azure_container": "dicom",
         },