Send Docker image with CI build (#924)

Creates Docker images on PR and CI builds and pushes them to a Azure Container Repository.

Co-authored-by: Brendan Kowitz <bkowitz@microsoft.com>

build/.vsts-ci.yml

@@ -3,7 +3,7 @@
 
 name: $(SourceBranchName)-$(Date:yyyyMMdd)$(Rev:-r)
 variables:
-  buildConfiguration: 'Release'
+- template: build-variables.yml
 jobs:
 - job: Windows
   pool:
@@ -13,8 +13,12 @@ jobs:
 
 - job: Linux
   pool:
-    vmImage: 'ubuntu-16.04'
+    vmImage: 'ubuntu-latest'
   steps:
   - template: build.yml
     parameters:
-      packageArtifacts: false
+      packageArtifacts: false
+
+- template: docker-build-all.yml
+  parameters: 
+    tag: $(SourceBranchName) 

build/.vsts-pr.yml

@@ -3,7 +3,7 @@
 
 name: pr$(system.pullRequest.pullRequestNumber)-$(Date:yyyyMMdd)$(Rev:-r)
 variables:
-  buildConfiguration: 'Release'
+- template: build-variables.yml
 jobs:
 - job: Windows
   pool:
@@ -13,8 +13,12 @@ jobs:
 
 - job: Linux
   pool:
-    vmImage: 'ubuntu-16.04'
+    vmImage: 'ubuntu-latest'
   steps:
   - template: build.yml
     parameters:
       packageArtifacts: false
+            
+- template: docker-build-all.yml
+  parameters: 
+    tag: pr$(system.pullRequest.pullRequestNumber)

build/build-variables.yml

@@ -0,0 +1,8 @@
+# DESCRIPTION: 
+# Variables used during builds.
+
+variables:
+  buildConfiguration: 'Release' 
+  azureSubscriptionEndpoint: 'docker-build'
+  azureContainerRegistry: 'healthplatformregistry.azurecr.io'
+  composeLocation: 'build/docker/docker-compose.yaml'

build/docker-build-all.yml

@@ -0,0 +1,22 @@
+# DESCRIPTION: 
+# Builds and pushes images for all supported FHIR versions
+
+parameters:
+- name: tag
+  type: string
+
+jobs:            
+- template: docker-build-push.yml
+  parameters: 
+    version: "R4"
+    tag: ${{parameters.tag}}
+
+- template: docker-build-push.yml
+  parameters: 
+    version: "Stu3"
+    tag: ${{parameters.tag}}
+
+- template: docker-build-push.yml
+  parameters: 
+    version: "R5"
+    tag: ${{parameters.tag}}

build/docker-build-push.yml

@@ -0,0 +1,34 @@
+# DESCRIPTION: 
+# Builds and pushes a docker image for a given FHIR version
+
+parameters:
+- name: version
+  type: string
+- name: tag
+  type: string
+
+jobs:
+- job: '${{parameters.version}}_Docker'
+  pool:
+    vmImage: 'ubuntu-latest'
+  steps:
+  - task: DockerCompose@0
+    displayName: 'Build FHIR ${{parameters.version}} Server Image'
+    inputs:
+      action: Build services
+      azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
+      azureContainerRegistry: $(azureContainerRegistry)
+      dockerComposeFile: $(composeLocation)
+      dockerComposeFileArgs: FHIR_VERSION = ${{parameters.version}}
+      projectName: ${{parameters.version}}
+      additionalImageTags: ${{parameters.tag}}
+
+  - task: DockerCompose@0
+    displayName: 'Push FHIR ${{parameters.version}} Server Image'
+    inputs:
+      action: Push services
+      azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
+      azureContainerRegistry: $(azureContainerRegistry)
+      dockerComposeFile: $(composeLocation)
+      projectName: ${{parameters.version}}
+      additionalImageTags: ${{parameters.tag}}

build/docker/Dockerfile

@@ -2,7 +2,7 @@ FROM mcr.microsoft.com/dotnet/core/sdk:3.1.100-bionic AS build
 
 ARG FHIR_VERSION=R4
 
-WORKDIR /build
+WORKDIR ./build
 
 COPY ./ ./
 
@@ -22,4 +22,4 @@ COPY --from=build /build .
 
 RUN ln -s "Microsoft.Health.Fhir.${FHIR_VERSION}.Web.dll" "Microsoft.Health.Fhir.Web.dll"
 
-ENTRYPOINT ["dotnet", "Microsoft.Health.Fhir.Web.dll"]
+ENTRYPOINT ["dotnet", "Microsoft.Health.Fhir.Web.dll"]

build/docker/docker-compose.yaml

@@ -0,0 +1,6 @@
+version: "3"
+services:
+  fhir-server:
+    build: 
+      context: ./../../
+      dockerfile: ./build/docker/Dockerfile

release/docker-compose.yaml

@@ -0,0 +1,25 @@
+version: "3"
+services:
+  fhir-api:
+    image: "healthplatformregistry.azurecr.io/r4_fhir-server"
+    restart: on-failure
+    environment:
+      FHIRServer__Security__Enabled: "false"
+      SqlServer__ConnectionString: "Server=tcp:sql,1433;Initial Catalog=FHIR;Persist Security Info=False;User ID=sa;Password=${SAPASSWORD};MultipleActiveResultSets=False;Connection Timeout=30;"
+      SqlServer__AllowDatabaseCreation: "true"
+      SqlServer__Initialize: "true"
+      DataStore: "SqlServer"
+    ports:     
+      - "80:80"
+    depends_on:
+      - sql
+  sql:
+    image: "mcr.microsoft.com/mssql/server"
+    environment:
+      SA_PASSWORD: ${SAPASSWORD}
+      ACCEPT_EULA: "Y"
+    healthcheck:
+        test: ["CMD", "/opt/mssql-tools/bin/sqlcmd","-U sa -P ${SAPASSWORD} -Q 'SELECT * FROM INFORMATION_SCHEMA.TABLES'"]
+        interval: 10s
+        timeout: 10s
+        retries: 6

release/scripts/PowerShell/ConvertTo-FlattenedConfigurationHashtable.ps1

@@ -25,7 +25,7 @@ function Flatten ($Prefix, $Object) {
 
     if ($Object -is [System.Management.Automation.PSCustomObject]) {
         $Object.psobject.properties | ForEach-Object {
-            Flatten -Prefix "$Prefix$(if ($Prefix) { ":" })$($_.Name)" -Object $_.Value
+            Flatten -Prefix "$Prefix$(if ($Prefix) { "__" })$($_.Name)" -Object $_.Value
         }
 
         return
@@ -33,7 +33,7 @@ function Flatten ($Prefix, $Object) {
 
     if ($Object -is [object[]]) {
         for ($i = 0; $i -lt $Object.Length; $i++) {
-            Flatten -Prefix "$Prefix$(if ($Prefix) { ":" })$i" -Object $Object[$i]
+            Flatten -Prefix "$Prefix$(if ($Prefix) { "__" })$i" -Object $Object[$i]
         }
 
         return
@@ -42,4 +42,4 @@ function Flatten ($Prefix, $Object) {
     @{$Prefix = $Object}
 }
 
-@(Flatten -Prefix $PathPrefix -Object $InputObject) | ForEach-Object { $hash = @{} } { $hash += $_ } { $hash }
+@(Flatten -Prefix $PathPrefix -Object $InputObject) | ForEach-Object { $hash = @{} } { $hash += $_ } { $hash }

samples/docker/README.md

@@ -1,12 +1,52 @@
 # Running Azure FHIR Server with Docker
 
-*IMPORTANT:* This sample has been created to enable Dev/Test scenarios and is not suitable for production scenarios. Passwords are contained in deployment files, the SQL server connection is not encrypted and authentication on the FHIR Server has been disabled.
+*IMPORTANT:* This sample has been created to enable Dev/Test scenarios and is not suitable for production scenarios. Passwords are contained in deployment files, the SQL server connection is not encrypted, authentication on the FHIR Server has been disabled, and data is not persisted between container restarts.
 
 The following instructions detail how to build and run the FHIR Server in Docker on Linux.
 
+## Use CI image
+
+If it is not desirable to clone this repository and build locally an image of the most recent CI build is available from the Azure Container Repository HealthPlatformRegistry. Both of the following methods will generate a R4 server, but a STU3 or R5 server can be created by changing which image is pulled.
+
+Using docker-compose this image can be started with the following steps:
+1. Open a terminal window.
+2. Set the enviornment variable SAPASSWORD to what you want the SQL access password to be. Be sure to follow the [SQL server password complexity requirements](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-ver15#password-complexity).
+3. Copy & save a local version of the docker-compose file from the release directory of the fhir-server project.
+4. Run the command: 
+
+```bash
+docker-compose up -d .
+```
+
+5. After giving the container a minute to start up it should be accessable at http://localhost/metadata.
+
+
+Using just docker this image can be started with the following steps. Replace the `<SA_PASSWORD>` below with your chosen SQL connection password, following the complexity rules linked above.
+1. Open a terminal window.
+2. Run the command: 
+
+```bash
+docker network create fhir_network
+```
+
+3. Run the command: 
+
+```bash
+docker run --net fhir_network --name fhir_sql -e SA_PASSWORD=<SA_PASSWORD> -e ACCEPT_EULA="Y" -d mcr.microsoft.com/mssql/server
+```
+
+4. Give the SQL server a minute to start up.
+5. Run the command: 
+
+```bash
+docker run --net fhir_network -e FhirServer__Security__Enabled="false" -e SqlServer__ConnectionString="Server=tcp:fhir_sql,1433;Initial Catalog=FHIR;Persist Security Info=False;User ID=sa;Password=<SA_PASSWORD>;MultipleActiveResultSets=False;Connection Timeout=30;" -e SqlServer__AllowDatabaseCreation="true" -e SqlServer__Initialize="true" -e DataStore="SqlServer" -p 80:80 -d healthplatformregistry.azurecr.io/r4_fhir-server azure-fhir-api
+```
+
+6. After giving the container a minute to start up it should be accessible at http://localhost/metadata.
+
 ## Build and run with SQL Server using Docker Compose
 
-The quickest way to get the Azure FHIR Server up and running on Docker is to build and run the Azure FHIR Server with a SQL server container using docker compose. Run the following command, replacing `<SA_PASSWORD>` with your chosen password (be sure to follow the [SQL server password complexity requirements](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-ver15#password-complexity)), from the root of the `microsoft/fhir-server` repository:
+Another way to get the Azure FHIR Server up and running on Docker is to build and run the Azure FHIR Server with a SQL server container using docker compose. Run the following command, replacing `<SA_PASSWORD>` with your chosen password (be sure to follow the [SQL server password complexity requirements](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-ver15#password-complexity)), from the root of the `microsoft/fhir-server` repository:
 
 ```bash
 env SAPASSWORD='<SA_PASSWORD>' docker-compose -f samples/docker/docker-compose.yaml up -d

samples/docker/docker-compose.yaml

@@ -3,9 +3,9 @@ services:
   fhir-api:
     build: 
       context: ./../../
-      dockerfile: ./samples/docker/Dockerfile
+      dockerfile: ./build/docker/Dockerfile
       args:
-        FHIR_VERSION: Stu3
+        FHIR_VERSION: R4
     restart: on-failure
     environment:
       FHIRServer__Security__Enabled: "false"
@@ -26,4 +26,4 @@ services:
         test: ["CMD", "/opt/mssql-tools/bin/sqlcmd","-U sa -P ${SAPASSWORD} -Q 'SELECT * FROM INFORMATION_SCHEMA.TABLES'"]
         interval: 10s
         timeout: 10s
-        retries: 6
+        retries: 6

samples/templates/default-azuredeploy-sql.json

@@ -129,7 +129,7 @@
                 "description": "Only applies when MsdeployPackageUrl is not specified."
             }
         },
-        "enableExport" : {
+        "enableExport": {
             "type": "bool",
             "defaultValue": false,
             "metadata": {
@@ -150,7 +150,7 @@
         "deployAppInsights": "[and(parameters('deployApplicationInsights'),not(variables('isMAG')))]",
         "appInsightsName": "[concat('AppInsights-', variables('serviceName'))]",
         "storageBlobDataContributerRoleId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
-        "blobStorageUri" : "[if(variables('isMAG'), '.blob.core.usgovcloudapi.net', '.blob.core.windows.net')]",
+        "blobStorageUri": "[if(variables('isMAG'), '.blob.core.usgovcloudapi.net', '.blob.core.windows.net')]",
         "staticFhirServerConfigProperties": {
             "APPINSIGHTS_PORTALINFO": "ASP.NETCORE",
             "APPINSIGHTS_PROFILERFEATURE_VERSION": "1.0.0",
@@ -279,7 +279,7 @@
                         "name": "Standard",
                         "tier": "Standard",
                         "capacity": 20
-                      },
+                    },
                     "type": "databases"
                 },
                 {
@@ -336,7 +336,7 @@
             "apiVersion": "2015-06-01",
             "properties": {
                 "contentType": "text/plain",
-                "value":  "[concat('Server=tcp:', reference(variables('computedSqlServerReference'), '2015-05-01-preview').fullyQualifiedDomainName,',1433;Initial Catalog=FHIR;Persist Security Info=False;User ID=', reference(variables('computedSqlServerReference'), '2015-05-01-preview').administratorLogin,';Password=',parameters('sqlAdminPassword'),';MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;')]"
+                "value": "[concat('Server=tcp:', reference(variables('computedSqlServerReference'), '2015-05-01-preview').fullyQualifiedDomainName,',1433;Initial Catalog=FHIR;Persist Security Info=False;User ID=', reference(variables('computedSqlServerReference'), '2015-05-01-preview').administratorLogin,';Password=',parameters('sqlAdminPassword'),';MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;')]"
             },
             "dependsOn": [
                 "[resourceId('Microsoft.KeyVault/vaults', variables('serviceName'))]",

samples/templates/default-azuredeploy.json

@@ -125,7 +125,7 @@
                 "description": "Only applies when MsdeployPackageUrl is not specified."
             }
         },
-        "enableExport" : {
+        "enableExport": {
             "type": "bool",
             "defaultValue": false,
             "metadata": {
@@ -133,38 +133,38 @@
             }
         }
     },
-  "variables": {
-    "defaultMsdeployPackageUrl": "[concat('https://fhirserverforazure.blob.core.windows.net/builds/ci/Microsoft.Health.Fhir.', parameters('fhirVersion'),'.Web.zip')]",
-    "isMAG": "[or(contains(resourceGroup().location,'usgov'),contains(resourceGroup().location,'usdod'))]",
-    "serviceName": "[toLower(parameters('serviceName'))]",
-    "keyvaultEndpoint": "[if(variables('isMAG'), concat('https://', variables('serviceName'), '.vault.usgovcloudapi.net/'), concat('https://', variables('serviceName'), '.vault.azure.net/'))]",
-    "appServicePlanResourceGroup": "[if(empty(parameters('appServicePlanResourceGroup')), resourceGroup().name, parameters('appServicePlanResourceGroup'))]",
-    "appServicePlanName": "[if(empty(parameters('appServicePlanName')),concat(variables('serviceName'),'-asp'),parameters('appServicePlanName'))]",
-    "appServiceResourceId": "[resourceId('Microsoft.Web/sites', variables('serviceName'))]",
-    "securityAuthenticationEnabled": "[and(not(empty(parameters('securityAuthenticationAuthority'))),not(empty(parameters('securityAuthenticationAudience'))))]",
-    "msdeployPackageUrlToUse": "[if(empty(parameters('msdeployPackageUrl')),variables('defaultMsdeployPackageUrl'),parameters('msdeployPackageUrl'))]",
-    "deployAppInsights": "[and(parameters('deployApplicationInsights'),not(variables('isMAG')))]",
-    "appInsightsName": "[concat('AppInsights-', variables('serviceName'))]",
-    "storageBlobDataContributerRoleId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
-    "blobStorageUri" : "[if(variables('isMAG'), '.blob.core.usgovcloudapi.net', '.blob.core.windows.net')]",
-    "staticFhirServerConfigProperties": {
-      "APPINSIGHTS_PORTALINFO": "ASP.NETCORE",
-      "APPINSIGHTS_PROFILERFEATURE_VERSION": "1.0.0",
-      "APPINSIGHTS_SNAPSHOTFEATURE_VERSION": "1.0.0",
-      "WEBSITE_NODE_DEFAULT_VERSION": "6.9.4",
-      "KeyVault:Endpoint": "[variables('keyvaultEndpoint')]",
-      "FhirServer:Security:Enabled": "[variables('securityAuthenticationEnabled')]",
-      "FhirServer:Security:EnableAadSmartOnFhirProxy": "[parameters('enableAadSmartOnFhirProxy')]",
-      "FhirServer:Security:Authentication:Authority": "[parameters('securityAuthenticationAuthority')]",
-      "FhirServer:Security:Authentication:Audience": "[parameters('securityAuthenticationAudience')]",
-      "CosmosDb:ContinuationTokenSizeLimitInKb": "1",
-      "DataStore": "CosmosDb",
-      "FhirServer:Operations:Export:Enabled": "[parameters('enableExport')]",
-      "FhirServer:Operations:Export:StorageAccountUri": "[if(parameters('enableExport'), concat('https://', variables('storageAccountName'), variables('blobStorageUri')), 'null')]"
+    "variables": {
+        "defaultMsdeployPackageUrl": "[concat('https://fhirserverforazure.blob.core.windows.net/builds/ci/Microsoft.Health.Fhir.', parameters('fhirVersion'),'.Web.zip')]",
+        "isMAG": "[or(contains(resourceGroup().location,'usgov'),contains(resourceGroup().location,'usdod'))]",
+        "serviceName": "[toLower(parameters('serviceName'))]",
+        "keyvaultEndpoint": "[if(variables('isMAG'), concat('https://', variables('serviceName'), '.vault.usgovcloudapi.net/'), concat('https://', variables('serviceName'), '.vault.azure.net/'))]",
+        "appServicePlanResourceGroup": "[if(empty(parameters('appServicePlanResourceGroup')), resourceGroup().name, parameters('appServicePlanResourceGroup'))]",
+        "appServicePlanName": "[if(empty(parameters('appServicePlanName')),concat(variables('serviceName'),'-asp'),parameters('appServicePlanName'))]",
+        "appServiceResourceId": "[resourceId('Microsoft.Web/sites', variables('serviceName'))]",
+        "securityAuthenticationEnabled": "[and(not(empty(parameters('securityAuthenticationAuthority'))),not(empty(parameters('securityAuthenticationAudience'))))]",
+        "msdeployPackageUrlToUse": "[if(empty(parameters('msdeployPackageUrl')),variables('defaultMsdeployPackageUrl'),parameters('msdeployPackageUrl'))]",
+        "deployAppInsights": "[and(parameters('deployApplicationInsights'),not(variables('isMAG')))]",
+        "appInsightsName": "[concat('AppInsights-', variables('serviceName'))]",
+        "storageBlobDataContributerRoleId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+        "blobStorageUri": "[if(variables('isMAG'), '.blob.core.usgovcloudapi.net', '.blob.core.windows.net')]",
+        "staticFhirServerConfigProperties": {
+            "APPINSIGHTS_PORTALINFO": "ASP.NETCORE",
+            "APPINSIGHTS_PROFILERFEATURE_VERSION": "1.0.0",
+            "APPINSIGHTS_SNAPSHOTFEATURE_VERSION": "1.0.0",
+            "WEBSITE_NODE_DEFAULT_VERSION": "6.9.4",
+            "KeyVault:Endpoint": "[variables('keyvaultEndpoint')]",
+            "FhirServer:Security:Enabled": "[variables('securityAuthenticationEnabled')]",
+            "FhirServer:Security:EnableAadSmartOnFhirProxy": "[parameters('enableAadSmartOnFhirProxy')]",
+            "FhirServer:Security:Authentication:Authority": "[parameters('securityAuthenticationAuthority')]",
+            "FhirServer:Security:Authentication:Audience": "[parameters('securityAuthenticationAudience')]",
+            "CosmosDb:ContinuationTokenSizeLimitInKb": "1",
+            "DataStore": "CosmosDb",
+            "FhirServer:Operations:Export:Enabled": "[parameters('enableExport')]",
+            "FhirServer:Operations:Export:StorageAccountUri": "[if(parameters('enableExport'), concat('https://', variables('storageAccountName'), variables('blobStorageUri')), 'null')]"
+        },
+        "combinedFhirServerConfigProperties": "[union(variables('staticFhirServerConfigProperties'), parameters('additionalFhirServerConfigProperties'))]",
+        "storageAccountName": "[concat(substring(replace(variables('serviceName'), '-', ''), 0, min(11, length(variables('serviceName')))), uniquestring(resourceGroup().id, variables('serviceName')))]"
     },
-    "combinedFhirServerConfigProperties": "[union(variables('staticFhirServerConfigProperties'), parameters('additionalFhirServerConfigProperties'))]",
-    "storageAccountName": "[concat(substring(replace(variables('serviceName'), '-', ''), 0, min(11, length(variables('serviceName')))), uniquestring(resourceGroup().id, variables('serviceName')))]"
-  },
     "resources": [
         {
             "condition": "[empty(parameters('appServicePlanResourceGroup'))]",