1.3 Deploy services

Outcome

The four runtime services — rcm-core, rcm-app, edi-gateway, edi-app — are running in Azure, configured to talk to master DB, Key Vault, and Service Bus.

Prerequisites

1.2 Infrastructure complete.

Service map

Steps

Configure GitHub Actions secrets

In the repo's GitHub Actions secrets, add:

Secret	Value
`AZURE_CREDENTIALS`	Output of `az ad sp create-for-rbac --name sp-rcm-deploy --role Contributor --scopes /subscriptions/$(az account show --query id -o tsv) --sdk-auth`
`AZURE_RG`	`rg-rcm-prod-eastus2`
`KEY_VAULT_NAME`	`kv-rcm-prod-eastus2`
`MASTER_DB_HOST`	`pg-rcm-master-prod.postgres.database.azure.com`
`SERVICE_BUS_NAMESPACE`	`sb-rcm-prod-eastus2`
`STORAGE_ACCOUNT`	`strcmprodeastus2`

Trigger the deploy workflow
```
gh workflow run deploy-prod.yml -f environment=prod
gh run watch
```
The pipeline:
1. Builds all four apps with pnpm turbo build.
2. Pushes container images for rcm-core and edi-gateway to acrrcmprod.
3. Deploys those container images to Azure Container Apps with managed identity.
4. Deploys rcm-app and edi-app static bundles to their Static Web Apps.
5. Health-checks each service before marking the run green.

Bind managed identities to Key Vault

The container apps need read access to the Key Vault secrets they'll consume at runtime:

for app in rcm-core edi-gateway; do
  PRINCIPAL_ID=$(az containerapp identity show \
    --resource-group rg-rcm-prod-eastus2 \
    --name "ca-$app-prod" \
    --query principalId -o tsv)
  az role assignment create \
    --assignee "$PRINCIPAL_ID" \
    --role "Key Vault Secrets User" \
    --scope $(az keyvault show -n kv-rcm-prod-eastus2 --query id -o tsv)
done

Verify each service is up

curl -fsSL https://rcm-core.medsuite.com/health
curl -fsSL https://edi-gateway.medsuite.com/health

Both should return {"status":"ok"}.

Validation

Check	Expected
`gh run list --workflow deploy-prod.yml --limit 1`	latest run is `completed/success`
`curl rcm-core.medsuite.com/health`	200 + `{"status":"ok"}`
`curl edi-gateway.medsuite.com/health`	200 + `{"status":"ok"}`
`curl rcm-core.medsuite.com/metrics`	200 (Prometheus exposition)

Troubleshooting

Symptom	Likely cause	Fix
`/health` returns 503	Service can't reach master DB	Check the container app's outbound networking + firewall rule on the master DB.
`Cannot find secret` in container app logs	Managed identity missing role assignment	Re-run step 3 for the affected app.
Build fails with `turbo daemon` errors in CI	Stale Turbo cache	Clear `.turbo` cache in the workflow with `pnpm turbo prune --scope=…` or pin the Turbo version.

1.4 — Master DB initialization

Outcome​

Prerequisites​

Service map​

Steps​

Validation​

Troubleshooting​

Next​