Merge pull request #52 from metriport/626-fix-cicd

626 Reenable CICD for FHIR Server

.github/workflows/deploy-production.yml

@@ -1,13 +1,13 @@
-name: Deploy - Production
+name: Deploy - PRODUCTION
 
 on:
-  # push: # a commit to the specified branches, if any
-  #   branches:
-  #     - master
+  push: # a commit to the specified branches, if any
+    branches:
+      - master
   workflow_dispatch: # manually executed by a user
 
 jobs:
-  deploy:
+  deploy-prod:
     uses: ./.github/workflows/_reusable_deploy.yml
     with:
       deploy_env: "production"
@@ -16,3 +16,14 @@ jobs:
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       AWS_REGION: ${{ secrets.REGION_PRODUCTION }}
       INFRA_CONFIG: ${{ secrets.INFRA_CONFIG_PRODUCTION }}
+
+  deploy-sandbox:
+    uses: ./.github/workflows/_reusable_deploy.yml
+    needs: [deploy-prod]
+    with:
+      deploy_env: "sandbox"
+    secrets:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_REGION: ${{ secrets.REGION_SANDBOX }}
+      INFRA_CONFIG: ${{ secrets.INFRA_CONFIG_SANDBOX }}

.github/workflows/deploy-staging.yml

@@ -1,9 +1,9 @@
 name: Deploy - Staging
 
 on:
-  # push: # a commit to the specified branches, if any
-  #   branches:
-  #     - develop
+  push: # a commit to the specified branches, if any
+    branches:
+      - develop
   workflow_dispatch: # manually executed by a user
 
 jobs:

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=linux/arm64/v8 maven:3.9-eclipse-temurin-17 as build-fhir
+FROM --platform=linux/amd64 maven:3.9-eclipse-temurin-17 as build-fhir
 WORKDIR /tmp/hapi-fhir-jpaserver-starter
 
 ARG OPENTELEMETRY_JAVA_AGENT_VERSION=1.17.0

Dockerfile.dev

@@ -0,0 +1,29 @@
+FROM --platform=linux/arm64/v8 maven:3.9-eclipse-temurin-17 as build-fhir
+WORKDIR /tmp/hapi-fhir-jpaserver-starter
+
+ARG OPENTELEMETRY_JAVA_AGENT_VERSION=1.17.0
+RUN curl -LSsO https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v${OPENTELEMETRY_JAVA_AGENT_VERSION}/opentelemetry-javaagent.jar
+
+COPY pom.xml .
+COPY server.xml .
+RUN mvn -ntp dependency:go-offline
+
+COPY src/ ./src/
+RUN mvn clean install -DskipTests -Djdk.lang.Process.launchMechanism=vfork
+
+FROM build-fhir AS build-distroless
+RUN mvn package spring-boot:repackage -Pboot
+RUN mkdir /app && cp ./target/ROOT.war /app/main.war
+
+########### distroless brings focus on security and runs on plain spring boot - this is the default image
+FROM gcr.io/distroless/java17-debian11:nonroot as default
+# 65532 is the nonroot user's uid
+# used here instead of the name to allow Kubernetes to easily detect that the container
+# is running as a non-root (uid != 0) user.
+USER 65532:65532
+WORKDIR /app
+
+COPY --chown=nonroot:nonroot --from=build-distroless /app /app
+COPY --chown=nonroot:nonroot --from=build-fhir /tmp/hapi-fhir-jpaserver-starter/opentelemetry-javaagent.jar /app
+
+ENTRYPOINT ["java", "--class-path", "/app/main.war", "-Dloader.path=main.war!/WEB-INF/classes/,main.war!/WEB-INF/,/app/extra-classes", "org.springframework.boot.loader.PropertiesLauncher", "app/main.war"]

docker-compose.yml

@@ -1,7 +1,9 @@
 version: "3"
 services:
   fhir-server:
-    build: .
+    build:
+      context: ./
+      dockerfile: ./Dockerfile.dev
     container_name: fhir-server
     depends_on:
       fhir-postgres:

infra/README.md

@@ -14,3 +14,18 @@ Run these commands on the terminal from the `./infra` folder of this repository:
 $ cdk bootstrap -c env=<env> # only needs to be run once
 $ ./deploy.sh
 ```
+
+### Updating the configuration
+
+Currently, the configuration is Base64 encoded and stored on GH secrets.
+
+```shell
+$ base64 -i infra/config/staging.ts
+$ base64 -i infra/config/production.ts
+$ base64 -i infra/config/sandbox.ts
+```
+
+Copy the resulting strings and update the respective secrets:
+- `INFRA_CONFIG_STAGING`
+- `INFRA_CONFIG_PRODUCTION`
+- `INFRA_CONFIG_SANDBOX`