In this article, we’ll explore the key components of an EHR infrastructure, including servers, databases, and networking, and discuss best practices for designing and implementing a scalable, secure, and reliable system.

🚧 Draft / Work in Progress

This page is currently a draft and a work in progress. Please check back soon for updates (and/or connect with me on LinkedIn)!

Infrastructure is the backbone of any software system, and an Electronic Health Record (EHR) is no exception.

GitHub Integration

# Resolve the project number and derive the Cloud Build service agent address
PROJECT_ID=ehr-system-426323
PN=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)")
CLOUD_BUILD_SERVICE_AGENT="service-${PN}@gcp-sa-cloudbuild.iam.gserviceaccount.com"

# IAM condition: the binding stops applying once request.time passes this timestamp
CONDITION_EXPRESSION="request.time < timestamp('2028-01-01T00:00:00.000Z')"
CONDITION_TITLE="cloudbuild-connection-setup"
CONDITION_DESCRIPTION="Temporary access for Cloud Build setup"

# Grant the service agent Secret Manager admin, limited by the condition above
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="serviceAccount:${CLOUD_BUILD_SERVICE_AGENT}" \
  --role="roles/secretmanager.admin" \
  --condition=expression="${CONDITION_EXPRESSION}",title="${CONDITION_TITLE}",description="${CONDITION_DESCRIPTION}"

Test the Cloud Run service

Test your private service

Use the following script to properly decode the JWT token payload:

# Generate the Token
TOKEN=$(gcloud auth print-identity-token --audiences=https://appointment-scheduler-xtxfjdrdea-uc.a.run.app)

# Extract the Payload Part
PAYLOAD=$(echo "$TOKEN" | cut -d '.' -f 2)

# Restore the Standard Alphabet and Add Necessary Padding:
# The JWT payload is base64url-encoded: it uses '-' and '_' in place of
# '+' and '/' and drops the trailing '='. Map the alphabet back, then
# check the length of the payload and add the appropriate padding:
PAYLOAD=$(echo "$PAYLOAD" | tr '_-' '/+')
MOD=$((${#PAYLOAD} % 4))
if [ "$MOD" -eq 2 ]; then
  PAYLOAD="$PAYLOAD"'=='
elif [ "$MOD" -eq 3 ]; then
  PAYLOAD="$PAYLOAD"'='
fi

# Decode and Pretty Print with jq
echo "$PAYLOAD" | base64 --decode | jq

# Validate the Token
curl -H "Authorization: Bearer $TOKEN" "https://oauth2.googleapis.com/tokeninfo?id_token=$TOKEN"

# Call the Cloud Run Service
curl -H "Authorization: Bearer $TOKEN" https://appointment-scheduler-xtxfjdrdea-uc.a.run.app

# Same call as a one-liner, fetching a fresh token inline
curl -H "Authorization: Bearer $(gcloud auth print-identity-token --audiences=https://appointment-scheduler-xtxfjdrdea-uc.a.run.app)" https://appointment-scheduler-xtxfjdrdea-uc.a.run.app
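
The decode step above as reusable functions, with a local check of the aud and exp claims before the service is called. This is an added example, not part of the original script: the function names, the sample audience and the sample token are constructed for illustration, and the check only reads claims; it does not verify the token signature.

```bash
# Encode stdin as unpadded base64url (used here only to build the sample token).
b64url_encode() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode one base64url segment: map '-' and '_' back to '+' and '/', restore padding.
b64url_decode() {
  local seg="$1"
  seg=$(printf '%s' "$seg" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
    1) return 1 ;;   # a length of 4n+1 can never be valid base64
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the payload JSON of a compact JWT (header.payload.signature).
jwt_payload() {
  case "$1" in *.*.*.*) return 1 ;; *.*.*) ;; *) return 1 ;; esac
  b64url_decode "$(printf '%s' "$1" | cut -d '.' -f 2)"
}

# check_id_token TOKEN EXPECTED_AUD NOW_EPOCH
# Returns 0 = ok, 1 = malformed, 2 = wrong audience, 3 = expired.
# The sed extraction only handles flat string/number claims; use jq where available.
check_id_token() {
  local payload aud exp
  payload=$(jwt_payload "$1") || return 1
  aud=$(printf '%s' "$payload" | sed -n 's/.*"aud"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  exp=$(printf '%s' "$payload" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$aud" ] && [ -n "$exp" ] || return 1
  [ "$aud" = "$2" ] || return 2
  [ "$exp" -gt "$3" ] || return 3
}

# Constructed sample: hypothetical audience, fixed expiry, placeholder signature segment.
SAMPLE_AUD="https://my-service.example.com"
SAMPLE_PAYLOAD="{\"aud\":\"$SAMPLE_AUD\",\"exp\":1900000000}"
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256"}' | b64url_encode).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode).c2ln"

# Show the decoded claims, then the result of the local check against the current time.
jwt_payload "$SAMPLE_TOKEN"; echo
check_id_token "$SAMPLE_TOKEN" "$SAMPLE_AUD" "$(date +%s)" && echo "claims ok" || echo "rejected ($?)"
```

With a real token, pass the Cloud Run service URL as the expected audience; a mismatch there is the usual cause of a 401 from a private service.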