1.1 Prerequisites
Outcome
You have an Azure subscription, the right access, the required local tooling, and a clear sizing estimate before any infrastructure is provisioned.
Prerequisites
This is the very first step — there are none.
Azure subscription
- Dedicated Azure subscription for the RCM platform (do not share it with unrelated workloads).
- Owner role on the subscription for the identity that runs the initial Bicep/Terraform deploys. Owner is the broadest built-in role: grant it only to that bootstrap identity, and remove or downgrade it once the initial deploy is done rather than leaving it on day-to-day operator accounts.
- Cost alerts configured at $250 / $500 / $1000 per month for the bootstrap environment.
Region selection
Pick a primary region close to your customer base. Each tenant is later assigned to a
db_server row in master, and db_server rows are pinned to a region. Tenant traffic
should land in the same region as its DB server.
| Region role | Typical choice |
|---|---|
| Primary | eastus2 (Virginia) for east-coast / national customers |
| Secondary (DR) | centralus (Iowa) — required for DR drills |
| Optional add-on | westus3 (Phoenix) for west-coast customers |
The platform was built to support multi-region; see
Tenant Sharding + Rebalancing (mining target — currently in
OPERATIONS_RUNBOOK.md §17).
Sizing — initial environment
For a bootstrap environment expecting ≤ 10 tenants in year one:
| Resource | Initial size | Notes |
|---|---|---|
| Master DB (Postgres flexible server) | Burstable B2ms, 64 GB storage | Low traffic; reads dominate. Not in the data path of every claim. |
| First tenant DB server (Postgres flexible) | GP_Standard_D2s_v3, 128 GB | One server hosts multiple tenants until row counts justify a split. |
| Service Bus namespace | Standard tier | Premium upgrade only when tenant count > 50. |
| Azure Storage (with SFTP) | Standard LRS | Geo-redundancy added at enterprise tier. |
| Azure Key Vault | Standard | One vault per environment. |
| Static Web Apps | Standard | One per docs site + one per app subdomain. |
Local tooling
Install on the workstation that will run the bootstrap commands:
| Tool | Minimum version | Purpose |
|---|---|---|
| Node.js | 20 LTS | Run the pnpm workspace and provisioning CLIs. |
| pnpm | 9.x | Package manager for the monorepo. |
| Docker | 24+ | Local Postgres for verification + integration tests. |
| Azure CLI (`az`) | 2.60+ | Provision Azure resources. |
| `psql` | 14+ | Run migrations and verify master/tenant DBs. |
| `gh` | latest | Trigger and monitor GitHub Actions deploys. |

```bash
node --version          # v20.x or higher
pnpm --version          # 9.x
az --version | head -1  # azure-cli >= 2.60
psql --version          # >= 14
docker --version        # 24+
gh --version
```
Access checklist
- Azure subscription Owner
- DNS zone admin for `medsuite.com` (or whichever apex you're using)
- GitHub admin access to the deploy repo (to add secrets and approve workflow runs)
- PagerDuty / on-call platform admin (for go-live alerting setup)
- Email/Teams channel for `#rcm-ops` notifications
- Approved certificate provider (or Azure-managed cert) for `*.rcm.medsuite.com`
Validation
```bash
az account show --query "{name:name, id:id, state:state}" -o table
gh auth status
node --version && pnpm --version
```
If every command returns without error, you're ready for 1.2 — Infrastructure.
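The validation commands above confirm that you are logged in and which subscription is selected, but `az account show` does not prove you hold Owner on it, and eyeballing six version strings is error-prone. The script below is an added example for this page, not code from the RCM repo: it parses each tool's `--version` output against the minimums in the tooling table and, when `az` is installed and logged in, counts Owner assignments for the signed-in user on the selected subscription. The tool names and minimums come from this page; the output formats it parses and the `az` queries it runs are assumptions about the current CLIs.

```shell
#!/bin/sh
# preflight.sh: check the bootstrap workstation against the minimums in the tooling table.
# Added example for this page, not code from the RCM repo. The version-output formats it
# parses and the az queries it runs are assumptions about the current CLIs.

# extract_version LINE: first dotted number in LINE ("v20.11.1" -> "20.11.1"; empty if none).
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)*' | head -n 1
}

# version_ge HAVE WANT: succeeds when HAVE >= WANT, comparing up to three numeric fields.
# Both sides are padded with ".0.0" so that "20" and "20.0.0" compare equal.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
    b=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
    [ "${a:-0}" -gt "${b:-0}" ] && return 0
    [ "${a:-0}" -lt "${b:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# check_tool LABEL MIN CMD ARGS...: print one status line; succeed only if CMD is on PATH
# and the version it reports is >= MIN.
check_tool() {
  label=$1; min=$2; shift 2
  if ! command -v "$1" >/dev/null 2>&1; then
    printf 'MISSING  %s (need >= %s)\n' "$label" "$min"; return 1
  fi
  have=$(extract_version "$("$@" 2>/dev/null | head -n 1)")
  if [ -z "$have" ]; then
    printf 'UNKNOWN  %s: could not parse version output\n' "$label"; return 1
  elif version_ge "$have" "$min"; then
    printf 'OK       %s %s\n' "$label" "$have"; return 0
  else
    printf 'TOO OLD  %s %s (need >= %s)\n' "$label" "$have" "$min"; return 1
  fi
}

# check_owner: needs an existing az login. Succeeds when the signed-in user has at least one
# Owner assignment on the selected subscription (direct, or inherited from a management group).
# Assumption: Owner granted through group membership may not appear here; if this reports
# NO OWNER but you expect Owner, confirm in the portal's IAM blade before continuing.
check_owner() {
  sub=$(az account show --query id -o tsv 2>/dev/null) || return 1
  me=$(az ad signed-in-user show --query id -o tsv 2>/dev/null) || return 1
  n=$(az role assignment list --assignee "$me" --scope "/subscriptions/$sub" \
        --include-inherited --query "[?roleDefinitionName=='Owner'] | length(@)" \
        -o tsv 2>/dev/null)
  [ "${n:-0}" -ge 1 ]
}

# run_preflight: run every check, count failures, succeed only when all pass.
run_preflight() {
  fails=0
  check_tool "Node.js"   20   node   --version || fails=$((fails + 1))
  check_tool "pnpm"      9    pnpm   --version || fails=$((fails + 1))
  check_tool "Docker"    24   docker --version || fails=$((fails + 1))
  check_tool "Azure CLI" 2.60 az     --version || fails=$((fails + 1))
  check_tool "psql"      14   psql   --version || fails=$((fails + 1))
  check_tool "gh"        0    gh     --version || fails=$((fails + 1))  # "latest": presence only
  if command -v az >/dev/null 2>&1; then
    if check_owner; then
      echo "OK       Owner role on the selected subscription"
    else
      echo "NO OWNER (or not logged in) on the selected subscription"; fails=$((fails + 1))
    fi
  fi
  [ "$fails" -eq 0 ]
}

if run_preflight; then
  echo "preflight: all checks passed; continue with 1.2 - Infrastructure"
else
  echo "preflight: fix the items marked MISSING / TOO OLD / NO OWNER before provisioning"
fi
```

Run it once on the bootstrap workstation after `az login` and `gh auth login`; a `MISSING` or `TOO OLD` line maps directly onto a row of the tooling table, and `NO OWNER` means the first Bicep/Terraform deploy would fail on role assignments even though `az account show` looked fine.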
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| `az login` opens browser but never completes | Conditional access policy | Run `az login --use-device-code` |
| `pnpm install` fails on workspace symlinks | Old pnpm | Upgrade to pnpm 9 (`npm i -g pnpm@9`) |
| `gh auth status` shows expired token | SSO expired | `gh auth refresh -h github.com -s repo,workflow` |