Merge pull request #427 from aurelianware/copilot/deploy-fhir-api-documentation

Deploy FHIR API docs (Swagger UI) and HAPI FHIR sandbox infrastructure

Author: aurelianware

.github/workflows/deploy-api-docs.yml

@@ -0,0 +1,81 @@
+name: Deploy API Docs
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - 'src/api-docs/**'
+      - 'api/openapi/**'
+      - 'containers/api-docs/**'
+      - '.github/workflows/deploy-api-docs.yml'
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  IMAGE_NAME: api-docs
+  ACA_NAME: api-docs
+  ACA_ENV: cho-aca-env
+  RESOURCE_GROUP: rg-cloudhealthoffice-prod
+
+jobs:
+  deploy:
+    name: Build & Deploy API Docs to Azure Container Apps
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Azure login via OIDC
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Log in to Azure Container Registry
+        run: az acr login --name ${{ vars.ACR_NAME }}
+
+      - name: Build and push Docker image
+        run: |
+          IMAGE_TAG="${{ vars.ACR_LOGIN_SERVER }}/${{ env.IMAGE_NAME }}:${{ github.sha }}"
+          IMAGE_LATEST="${{ vars.ACR_LOGIN_SERVER }}/${{ env.IMAGE_NAME }}:latest"
+          docker build -f containers/api-docs/Dockerfile . -t "${IMAGE_TAG}" -t "${IMAGE_LATEST}"
+          docker push "${IMAGE_TAG}"
+          docker push "${IMAGE_LATEST}"
+
+      - name: Deploy to Azure Container Apps
+        run: |
+          IMAGE_TAG="${{ vars.ACR_LOGIN_SERVER }}/${{ env.IMAGE_NAME }}:${{ github.sha }}"
+          az containerapp create \
+            --name "${{ env.ACA_NAME }}" \
+            --resource-group "${{ env.RESOURCE_GROUP }}" \
+            --environment "${{ env.ACA_ENV }}" \
+            --image "${IMAGE_TAG}" \
+            --ingress external \
+            --target-port 80 \
+            --min-replicas 1 \
+            --max-replicas 3 \
+            --cpu 0.25 \
+            --memory 0.5Gi \
+            --registry-server "${{ vars.ACR_LOGIN_SERVER }}" 2>/dev/null || \
+          az containerapp update \
+            --name "${{ env.ACA_NAME }}" \
+            --resource-group "${{ env.RESOURCE_GROUP }}" \
+            --image "${IMAGE_TAG}"
+
+      - name: Verify health endpoint
+        run: |
+          echo "Waiting for container app to start..."
+          sleep 30
+          FQDN=$(az containerapp show \
+            --name "${{ env.ACA_NAME }}" \
+            --resource-group "${{ env.RESOURCE_GROUP }}" \
+            --query "properties.configuration.ingress.fqdn" -o tsv)
+          echo "Container App FQDN: ${FQDN}"
+          curl -sf "https://${FQDN}/" -o /dev/null && \
+            echo "✅ API Docs is healthy" || \
+            echo "⚠️  Health check failed — container may still be warming up"

.github/workflows/deploy-sandbox.yml

@@ -0,0 +1,83 @@
+name: Deploy HAPI FHIR Sandbox
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - 'containers/hapi-fhir-sandbox/**'
+      - '.github/workflows/deploy-sandbox.yml'
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  ACR_REGISTRY: choacrhy6h2vdulfru6.azurecr.io
+  IMAGE_NAME: hapi-fhir-sandbox
+  ACA_NAME: hapi-fhir-sandbox
+  ACA_ENV: cho-aca-env
+  RESOURCE_GROUP: rg-cloudhealthoffice-prod
+
+jobs:
+  build-and-deploy:
+    name: Build & Deploy HAPI FHIR Sandbox
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Azure login via OIDC
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Log in to Azure Container Registry
+        run: az acr login --name ${{ vars.ACR_NAME }}
+
+      - name: Build and push Docker image
+        run: |
+          IMAGE_TAG="${{ env.ACR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}"
+          IMAGE_LATEST="${{ env.ACR_REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+          docker build containers/hapi-fhir-sandbox -t "${IMAGE_TAG}" -t "${IMAGE_LATEST}"
+          docker push "${IMAGE_TAG}"
+          docker push "${IMAGE_LATEST}"
+
+      - name: Deploy to Azure Container Apps
+        run: |
+          IMAGE_TAG="${{ env.ACR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}"
+
+          # Scale-to-zero (min-replicas 0) for cost control.
+          # Note: HAPI FHIR cold-start takes ~60-90s on first request after idle scale-down.
+          az containerapp create \
+            --name "${{ env.ACA_NAME }}" \
+            --resource-group "${{ env.RESOURCE_GROUP }}" \
+            --environment "${{ env.ACA_ENV }}" \
+            --image "${IMAGE_TAG}" \
+            --ingress external \
+            --target-port 8080 \
+            --min-replicas 0 \
+            --max-replicas 2 \
+            --cpu 0.5 \
+            --memory 1Gi \
+            --registry-server "${{ env.ACR_REGISTRY }}" 2>/dev/null || \
+          az containerapp update \
+            --name "${{ env.ACA_NAME }}" \
+            --resource-group "${{ env.RESOURCE_GROUP }}" \
+            --image "${IMAGE_TAG}"
+
+      - name: Verify health endpoint
+        run: |
+          echo "Waiting for container app to start..."
+          sleep 30
+          FQDN=$(az containerapp show \
+            --name "${{ env.ACA_NAME }}" \
+            --resource-group "${{ env.RESOURCE_GROUP }}" \
+            --query "properties.configuration.ingress.fqdn" -o tsv)
+          echo "Container App FQDN: ${FQDN}"
+          curl -sf "https://${FQDN}/fhir/r4/metadata" -o /dev/null && \
+            echo "✅ HAPI FHIR sandbox is healthy" || \
+            echo "⚠️  Health check failed — container may still be warming up"

containers/api-docs/Dockerfile

@@ -0,0 +1,15 @@
+FROM nginx:1.27-alpine
+
+# Add YAML MIME type (not included in nginx defaults)
+RUN sed -i 's|text/plain\s*txt;|text/plain  txt;\n    text/yaml   yaml yml;|' /etc/nginx/mime.types
+
+# Custom nginx configuration
+COPY containers/api-docs/nginx.conf /etc/nginx/conf.d/default.conf
+
+# Swagger UI HTML
+COPY src/api-docs/index.html /usr/share/nginx/html/index.html
+
+# OpenAPI YAML specs
+COPY api/openapi/ /usr/share/nginx/html/specs/
+
+EXPOSE 80

containers/api-docs/nginx.conf

@@ -0,0 +1,25 @@
+server {
+    listen 80;
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Security headers
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Access-Control-Allow-Origin "https://portal.cloudhealthoffice.com" always;
+
+    # Redirect /fhir/r4 paths to the Swagger UI patient-access spec
+    location = /fhir/r4 {
+        return 302 /?spec=patient-access;
+    }
+
+    location /fhir/r4/ {
+        return 302 /?spec=patient-access;
+    }
+
+    # Serve static files; fall back to index.html for client-side routing
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}

containers/hapi-fhir-sandbox/Dockerfile

@@ -0,0 +1,15 @@
+FROM hapiproject/hapi:v7.4.0
+
+# Copy configuration
+COPY application.yaml /app/config/application.yaml
+
+# Copy synthetic data loader script
+COPY load-synthea.sh /app/load-synthea.sh
+RUN chmod +x /app/load-synthea.sh
+
+ENV SPRING_CONFIG_LOCATION=file:///app/config/application.yaml
+ENV HAPI_FHIR_ALLOW_EXTERNAL_REFERENCES=true
+
+EXPOSE 8080
+
+ENTRYPOINT ["/app/load-synthea.sh"]

containers/hapi-fhir-sandbox/application.yaml

@@ -0,0 +1,31 @@
+spring:
+  datasource:
+    url: ${SPRING_DATASOURCE_URL:jdbc:h2:mem:hapi-fhir;DB_CLOSE_DELAY=-1;MODE=MySQL}
+    username: sa
+    password: ""
+    driverClassName: org.h2.Driver
+  jpa:
+    properties:
+      hibernate.dialect: ca.uhn.fhir.jpa.model.dialect.HapiFhirH2Dialect
+    hibernate:
+      ddl-auto: update
+
+hapi:
+  fhir:
+    fhir_version: R4
+    server_address: https://sandbox.cloudhealthoffice.com/fhir/r4
+    default_encoding: JSON
+    default_pretty_print: true
+    allow_multiple_delete: false
+    allow_external_references: true
+    expunge_enabled: false
+    # Sandbox safety: limit destructive operations (no multiple delete, no expunge, no narratives)
+    # Note: standard FHIR write operations (create/update/patch) remain enabled; full read-only must be enforced elsewhere
+    narrative_enabled: false
+    cors:
+      allow_Credentials: false
+      allowed_origin:
+        - "*"
+    validation:
+      requests_enabled: false
+      responses_enabled: false

containers/hapi-fhir-sandbox/load-synthea.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# load-synthea.sh — Starts HAPI FHIR server and loads Synthea bundles on first boot.
+# The data-loaded flag file prevents re-loading on subsequent restarts.
+
+set -euo pipefail
+
+DATA_DIR="/data/synthea"
+LOADED_FLAG="/data/.synthea-loaded"
+HAPI_BASE_URL="http://localhost:8080/fhir"
+MAX_WAIT=120  # seconds to wait for HAPI to become ready
+
+# ── Start HAPI in background ──────────────────────────────────────────────────
+echo "[load-synthea] Starting HAPI FHIR server..."
+/usr/local/bin/entrypoint.sh &
+HAPI_PID=$!
+
+# ── Wait for HAPI to be ready ─────────────────────────────────────────────────
+echo "[load-synthea] Waiting for HAPI FHIR to be ready (up to ${MAX_WAIT}s)..."
+elapsed=0
+until curl -sf "${HAPI_BASE_URL}/metadata" -o /dev/null; do
+  if [ $elapsed -ge $MAX_WAIT ]; then
+    echo "[load-synthea] ERROR: HAPI FHIR did not start within ${MAX_WAIT} seconds."
+    exit 1
+  fi
+  sleep 5
+  elapsed=$((elapsed + 5))
+  echo "[load-synthea] Still waiting... (${elapsed}s)"
+done
+echo "[load-synthea] HAPI FHIR is ready."
+
+# ── Load Synthea bundles (once only) ─────────────────────────────────────────
+if [ -f "${LOADED_FLAG}" ]; then
+  echo "[load-synthea] Synthetic data already loaded. Skipping."
+else
+  if [ -d "${DATA_DIR}" ] && compgen -G "${DATA_DIR}/*.json" > /dev/null 2>&1; then
+    echo "[load-synthea] Loading Synthea FHIR bundles from ${DATA_DIR}..."
+    failed_bundles=0
+    for bundle in "${DATA_DIR}"/*.json; do
+      echo "[load-synthea]   POST ${bundle}"
+      if ! curl -sf \
+        -X POST "${HAPI_BASE_URL}" \
+        -H "Content-Type: application/fhir+json" \
+        --data-binary "@${bundle}" \
+        -o /dev/null; then
+        echo "[load-synthea]   ERROR: Failed to POST bundle ${bundle}"
+        failed_bundles=$((failed_bundles + 1))
+      fi
+    done
+    if [ "${failed_bundles}" -gt 0 ]; then
+      echo "[load-synthea] Synthetic data load completed with ${failed_bundles} bundle error(s). Flag not set — will retry on next start."
+    else
+      touch "${LOADED_FLAG}"
+      echo "[load-synthea] Synthetic data loaded successfully."
+    fi
+  else
+    echo "[load-synthea] No Synthea bundles found in ${DATA_DIR}. Skipping data load (flag not set; will retry on next start)."
+  fi
+fi
+
+# ── Hand off to HAPI foreground process ───────────────────────────────────────
+echo "[load-synthea] Handing off to HAPI FHIR (PID ${HAPI_PID})..."
+wait "${HAPI_PID}"