Deployment

Local development

docker compose up    # starts all four services

Production — AWS Lightsail

The recommended production topology uses AWS Lightsail:

Lightsail Instance (8 GB RAM, $40/month)
├── docker-compose.yml
│   ├── hapi-fhir (hapiproject/hapi:v7.4.0)
│   └── auth-server (your ECR image)
└── nginx (reverse proxy + Let's Encrypt SSL)

RDS PostgreSQL (db.t4g.small, $25/month)
├── database: smartfhir   (auth server)
└── database: hapifhir    (HAPI)

Subdomains:
  fhir.demo.ajsmart.com  → HAPI :8080
  auth.demo.ajsmart.com  → Auth server :9000

See the production deployment guide for step-by-step instructions.

CI/CD — GitHub Actions

Three jobs run on every push to main:

Test — runs all tests (mvn test)
Build + push — Docker image → Amazon ECR
Deploy — Lightsail container service updated

GitHub Secrets required: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DB_URL, DB_USER, DB_PASSWORD, FHIR_BASE_URL, ISSUER_URL

RSA key persistence

Without a keystore, a new RSA key is generated on every restart — all tokens become invalid.

keytool -genkeypair -alias smart-fhir-server \
  -keyalg RSA -keysize 2048 -storetype PKCS12 \
  -keystore ./keystore/smart-fhir-server.p12 -validity 3650

Set KEYSTORE_PATH and KEYSTORE_PASSWORD in .env.

Deployment

Local development​

Production — AWS Lightsail​

CI/CD — GitHub Actions​

RSA key persistence​

Local development

Production — AWS Lightsail

CI/CD — GitHub Actions

RSA key persistence