refactor: improve health checks for Azure services

Transition health checks to use less-privileged roles, enhancing security by reducing permission requirements in Azure Key Vault, Blob Storage, Queue Storage, SQL Server, and Redis.

Author: winromulus

src/ES.FX.Ignite.Azure.Security.KeyVault.Secrets/HealthChecks/SimpleKeyVaultSecretsHealthCheck.cs

@@ -1,3 +1,4 @@
+using Azure;
 using Azure.Security.KeyVault.Secrets;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 
@@ -6,22 +7,31 @@ namespace ES.FX.Ignite.Azure.Security.KeyVault.Secrets.HealthChecks;
 /// <summary>
 ///     Azure Key Vault secrets health check.
 /// </summary>
+/// <remarks>
+///     Probes the vault by issuing <see cref="SecretClient.GetSecretAsync(string, string, CancellationToken)" />
+///     against a sentinel secret name. The check only requires "Get" permission on that one secret name
+///     (no List permission needed). A 404 response is treated as healthy because the connection succeeded —
+///     the absence of the sentinel secret is intentional and does not require it to exist.
+/// </remarks>
 internal sealed class SimpleKeyVaultSecretsHealthCheck(SecretClient secretClient) : IHealthCheck
 {
+    private const string ProbeSecretName = "AzureKeyVaultSecretsHealthCheck";
+
     /// <inheritdoc />
     public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context,
         CancellationToken cancellationToken = default)
     {
         try
         {
-            await secretClient
-                .GetPropertiesOfSecretsAsync(cancellationToken)
-                .GetAsyncEnumerator(cancellationToken)
-                .MoveNextAsync()
+            await secretClient.GetSecretAsync(ProbeSecretName, cancellationToken: cancellationToken)
                 .ConfigureAwait(false);
 
             return HealthCheckResult.Healthy();
         }
+        catch (RequestFailedException ex) when (ex.Status == 404)
+        {
+            return HealthCheckResult.Healthy();
+        }
         catch (Exception ex)
         {
             return new HealthCheckResult(context.Registration.FailureStatus, exception: ex);

src/ES.FX.Ignite.Azure.Storage.Blobs/HealthChecks/SimpleBlobServiceHealthCheck.cs

@@ -6,6 +6,11 @@ namespace ES.FX.Ignite.Azure.Storage.Blobs.HealthChecks;
 /// <summary>
 ///     Azure Blob Storage health check.
 /// </summary>
+/// <remarks>
+///     Uses a page-list probe (page size 1) instead of <c>BlobServiceClient.GetPropertiesAsync</c> so the check
+///     works with the least-privileged role assignment ("Storage Blob Data Reader" at storage account level).
+///     <c>GetPropertiesAsync</c> requires elevated permissions that "Storage Blob Data Contributor" does not grant.
+/// </remarks>
 internal sealed class SimpleBlobServiceHealthCheck(BlobServiceClient blobServiceClient) : IHealthCheck
 {
     /// <inheritdoc />
@@ -14,7 +19,13 @@ public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context
     {
         try
         {
-            await blobServiceClient.GetPropertiesAsync(cancellationToken).ConfigureAwait(false);
+            await blobServiceClient
+                .GetBlobContainersAsync(cancellationToken: cancellationToken)
+                .AsPages(pageSizeHint: 1)
+                .GetAsyncEnumerator(cancellationToken)
+                .MoveNextAsync()
+                .ConfigureAwait(false);
+
             return HealthCheckResult.Healthy();
         }
         catch (Exception ex)

src/ES.FX.Ignite.Azure.Storage.Queues/HealthChecks/SimpleQueueServiceHealthCheck.cs

@@ -6,6 +6,11 @@ namespace ES.FX.Ignite.Azure.Storage.Queues.HealthChecks;
 /// <summary>
 ///     Azure Queue Storage health check.
 /// </summary>
+/// <remarks>
+///     Uses a page-list probe (page size 1) instead of <c>QueueServiceClient.GetPropertiesAsync</c> so the check
+///     works with the least-privileged role assignment ("Storage Queue Data Reader" at storage account level).
+///     <c>GetPropertiesAsync</c> requires elevated permissions that "Storage Queue Data Contributor" does not grant.
+/// </remarks>
 internal sealed class SimpleQueueServiceHealthCheck(QueueServiceClient queueServiceClient) : IHealthCheck
 {
     /// <inheritdoc />
@@ -14,7 +19,13 @@ public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context
     {
         try
         {
-            await queueServiceClient.GetPropertiesAsync(cancellationToken).ConfigureAwait(false);
+            await queueServiceClient
+                .GetQueuesAsync(cancellationToken: cancellationToken)
+                .AsPages(pageSizeHint: 1)
+                .GetAsyncEnumerator(cancellationToken)
+                .MoveNextAsync()
+                .ConfigureAwait(false);
+
             return HealthCheckResult.Healthy();
         }
         catch (Exception ex)

src/ES.FX.Ignite.Microsoft.Data.SqlClient/HealthChecks/SimpleSqlServerHealthCheck.cs

@@ -4,20 +4,23 @@
 namespace ES.FX.Ignite.Microsoft.Data.SqlClient.HealthChecks;
 
 /// <summary>
-///     SQL Server health check that opens a connection and executes a simple query.
+///     SQL Server health check that opens a connection and executes a probe query.
 /// </summary>
 internal sealed class SimpleSqlServerHealthCheck(string connectionString) : IHealthCheck
 {
+    private const string HealthQuery = "SELECT 1;";
+
     /// <inheritdoc />
     public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context,
         CancellationToken cancellationToken = default)
     {
         try
         {
-            await using var connection = new SqlConnection(connectionString);
+            using var connection = new SqlConnection(connectionString);
             await connection.OpenAsync(cancellationToken).ConfigureAwait(false);
-            await using var command = connection.CreateCommand();
-            command.CommandText = "SELECT 1;";
+
+            using var command = connection.CreateCommand();
+            command.CommandText = HealthQuery;
             await command.ExecuteScalarAsync(cancellationToken).ConfigureAwait(false);
 
             return HealthCheckResult.Healthy();

src/ES.FX.Ignite.StackExchange.Redis/HealthChecks/SimpleRedisHealthCheck.cs

@@ -4,8 +4,13 @@
 namespace ES.FX.Ignite.StackExchange.Redis.HealthChecks;
 
 /// <summary>
-///     Redis health check that pings the connection multiplexer.
+///     Redis health check.
 /// </summary>
+/// <remarks>
+///     Iterates every configured endpoint on the multiplexer. For non-cluster servers, both the database
+///     and the server endpoint are pinged. For cluster nodes, <c>CLUSTER INFO</c> is executed and the
+///     response is inspected for <c>cluster_state:ok</c>.
+/// </remarks>
 internal sealed class SimpleRedisHealthCheck(IConnectionMultiplexer connectionMultiplexer) : IHealthCheck
 {
     /// <inheritdoc />
@@ -14,8 +19,30 @@ public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context
     {
         try
         {
-            cancellationToken.ThrowIfCancellationRequested();
-            await connectionMultiplexer.GetDatabase().PingAsync().ConfigureAwait(false);
+            foreach (var endPoint in connectionMultiplexer.GetEndPoints(configuredOnly: true))
+            {
+                cancellationToken.ThrowIfCancellationRequested();
+
+                var server = connectionMultiplexer.GetServer(endPoint);
+
+                if (server.ServerType != ServerType.Cluster)
+                {
+                    await connectionMultiplexer.GetDatabase().PingAsync().ConfigureAwait(false);
+                    await server.PingAsync().ConfigureAwait(false);
+                    continue;
+                }
+
+                var clusterInfo = await server.ExecuteAsync("CLUSTER", "INFO").ConfigureAwait(false);
+
+                if (clusterInfo.IsNull)
+                    return new HealthCheckResult(context.Registration.FailureStatus,
+                        $"INFO CLUSTER is null or can't be read for endpoint {endPoint}");
+
+                if (!clusterInfo.ToString()!.Contains("cluster_state:ok"))
+                    return new HealthCheckResult(context.Registration.FailureStatus,
+                        $"INFO CLUSTER is not on OK state for endpoint {endPoint}");
+            }
+
             return HealthCheckResult.Healthy();
         }
         catch (Exception ex)