by jesdynf 3105 days ago
I wrote a reference implementation of OpenEMR, the "OpenEMR Full Stack", that's taking aim at facility-grade loads. It's deployed from Amazon CloudFormation, and the highlights include multi-AZ redundancy, an Elastic Beanstalk deployment fronted with a load balancer running parallel OpenEMR instances in multiple AZs, an internal Route53 domain protected with SSL between nodes, redundant document stores for patient records, and enterprise-grade backup and recovery structures all wrapped up in CloudTrail and Amazon's Key Management System.

https://github.com/openemr/openemr-devops/tree/master/packag...

2 comments

I just spoke with someone today who argued that HIPAA requires TLS termination on an instance, not the ELB. Can’t confirm or deny, as I’m in financial services, thought I’d mention it for those under such compliance/regulations.
Yeah, you won't believe the work I had to put in over it. As part of the stack creation process, I have to create a backend CA and hand certificates out to a bunch of services, and then make other services use 'em. Getting Elastic Beanstalk to use an arbitrary certificate for the backhaul is both possible and documented, but not as well as I would've liked.
Let me know what would’ve made it easier on the AWS side and I’ll try to get it implemented with our TAM.
It was CloudFormation that made it difficult -- I had to work out exactly how to get the certificate all the way down to the load balancer's configuration details, starting from CloudFormation's interface into provisioning Elastic Beanstalk.

However, the format ELB would accept a certificate in was really frustrating, too -- I ended up having to create a Lambda function that would load a certificate file from S3 and then parse it and then return the results as a resource CFN could later refer to. If I could've simply provided an S3 URI that the CA lived in, and had the ELB load it up during initial config, I could've used many fewer layers.

The CFN syntax for actually setting those critical ELB details was also unclear, too. It took some experimentation and off-Amazon examples before I finally understood how the rule groupings worked together.

If you're curious about what the final results were, the tail-end of https://github.com/openemr/openemr-devops/blob/master/packag.... covers a lot of that ground. Thanks!

wow, very nice
Thanks!
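
A sketch of the Lambda-backed custom resource pattern described in the thread above, as an added example (not the openemr-devops code). It assumes the format wanted is the certificate's base64 body with the PEM armor removed; `fetch`, the `Bucket`/`Key` properties and the `Body` attribute are hypothetical names.

```python
import base64
import re

# Matches one PEM-armored certificate and captures its base64 body.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: a tiny DER SEQUENCE in PEM armor, not a real certificate.
SAMPLE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_BODY}\n-----END CERTIFICATE-----\n"

def pem_body(pem_text):
    """Return the single-line base64 body of exactly one PEM certificate."""
    blocks = PEM_CERT.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = "".join(blocks[0].split())
    der = base64.b64decode(body, validate=True)  # raises on non-base64 input
    if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
        raise ValueError("decoded data is not a DER SEQUENCE")
    return body

def handle(event, fetch):
    """Build the response document CloudFormation expects from a custom resource.

    `fetch(bucket, key)` is a hypothetical callable returning the object's
    text; inside Lambda it would wrap an S3 GetObject call.
    """
    response = {
        "Status": "SUCCESS",
        "PhysicalResourceId": event.get("PhysicalResourceId", "ca-cert-body"),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }
    if event["RequestType"] == "Delete":
        return response  # nothing was created, so nothing to clean up
    try:
        props = event["ResourceProperties"]
        response["Data"] = {"Body": pem_body(fetch(props["Bucket"], props["Key"]))}
    except Exception as exc:  # report failure rather than leave the stack waiting
        response.update(Status="FAILED", Reason=str(exc))
    return response
```

The returned document is what the function would PUT to the event's `ResponseURL`; the template can then read the value with `Fn::GetAtt` on the custom resource's `Body` attribute.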