Objectives

Before you begin

  • You must have an active Google Cloud account. More information here.

Create a Managed PostgreSQL Database

  1. Log in to the Google Cloud Console, go to the SQL service, and create a new Cloud SQL instance.

     (Screenshot: Google Cloud Console SQL Service page with Create Instance button)

  2. Choose PostgreSQL as the database engine.

     (Screenshot: Database engine selection screen showing PostgreSQL option)

  3. Choose the Enterprise Cloud SQL edition and the "Sandbox" edition preset.

     (Screenshot: Cloud SQL edition selection showing Enterprise with Sandbox preset)

  4. Enter the required parameters.

     (Screenshot: Cloud SQL instance configuration page with instance ID and password fields)

  5. Configure private IP access to the database instance.

Restricting database access at the network level is a recommended security best practice. In this tutorial, we take a simple approach by allowing access from the default VPC network and configuring Cloud Run to use the same network for outbound connections. For production environments, we strongly encourage implementing more granular and restrictive network policies tailored to your security needs.

In the "Customize your Instance -> Connections" section, enable the "Private IP" option and disable the "Public IP" option.

(Screenshot: Network connections configuration showing Private IP enabled and Public IP disabled)


6. Click the "Create Instance" button and wait until the instance is created.

(Screenshot: Cloud SQL instance overview showing the instance is ready and running)

Create a database and a user for the Aidbox service

  1. Open Cloud SQL Studio.

     (Screenshot: Cloud SQL Studio button in the instance overview page)

  2. Connect to the postgres database with the username postgres and the password you chose when you created the instance.

     (Screenshot: Cloud SQL Studio connection dialog with database and credentials fields)

  3. Create the database and the user for Aidbox.

     Run the following statements one by one in the Cloud SQL Studio editor:

     ```sql
     -- 1. Create the user (and a role) for Aidbox
     CREATE USER aidbox WITH PASSWORD '<your password for aidbox user>';
     -- 2. Grant the role aidbox to postgres, because postgres is not a superuser
     --    in Google Cloud SQL. This membership is required to execute the
     --    following CREATE DATABASE ... OWNER statement.
     GRANT aidbox TO postgres;
     -- 3. Create the database for Aidbox, owned by the aidbox user
     CREATE DATABASE aidbox OWNER aidbox;
     ```

During initialization, Aidbox creates certain database extensions. You can find more details here. If you prefer not to grant the Aidbox user the permissions required for this, you can pre-create the necessary extensions using a privileged user and disable automatic extension creation via settings. This is the approach we follow in the current tutorial.

  4. Connect to the aidbox database you have just created, as the user postgres, and create the extensions:

     ```sql
     CREATE EXTENSION pg_stat_statements;
     CREATE EXTENSION unaccent;
     ```
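To confirm the least-privilege setup before deploying Aidbox, here is an added verification script that is not part of the original tutorial; it assumes the role, database and extension names used above and is run in Cloud SQL Studio while connected to the aidbox database as postgres.

```sql
-- Added verification script (not from the original tutorial). Run it in
-- Cloud SQL Studio, connected to database "aidbox" as user "postgres",
-- after the CREATE USER / CREATE DATABASE / CREATE EXTENSION steps above.

-- 1. The application role must be a plain login role: no SUPERUSER,
--    CREATEROLE or CREATEDB flags. CREATE USER grants LOGIN only, so the
--    expected row for aidbox is: f | f | f | t
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolcanlogin
FROM pg_roles
WHERE rolname IN ('aidbox', 'postgres')
ORDER BY rolname;

-- 2. The aidbox database must be owned by the aidbox role, so Aidbox can
--    manage its own schema without any wider privilege.
SELECT d.datname, pg_get_userbyid(d.datdba) AS owner
FROM pg_database d
WHERE d.datname = 'aidbox';

-- 3. Both extensions Aidbox expects must already be installed here, because
--    the deployment sets BOX_DB_INSTALL_PG_EXTENSIONS=false and Aidbox will
--    not create them itself. Expect exactly two rows.
SELECT extname, extversion
FROM pg_extension
WHERE extname IN ('pg_stat_statements', 'unaccent')
ORDER BY extname;

-- 4. Optional hardening: membership of postgres in the aidbox role was only
--    needed for CREATE DATABASE ... OWNER aidbox. Once the database and the
--    extensions are in place it can be revoked so that the administrative
--    account no longer inherits the application role.
REVOKE aidbox FROM postgres;
```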

Create the service for Aidbox in Cloud Run

  1. Navigate to the "Cloud Run" section in the Google Cloud Console and create a new service from a container.

     (Screenshot: Cloud Run create service page with Deploy container option)

  2. Enter healthsamurai/aidboxone:edge as the container image URL and add a service name.

     (Screenshot: Container image URL field with healthsamurai/aidboxone:edge and service name)

  3. Disable authentication.

     (Screenshot: Authentication settings with Allow unauthenticated invocations selected)

  4. Select "Instance-based" billing, set Auto scaling to 1 and leave the other properties at their defaults.

     (Screenshot: Instance-based billing configuration with auto scaling set to 1)

  5. Configure the memory and CPU limits.

     (Screenshot: Memory and CPU limits configuration settings)

  6. Enable the "Second generation" execution environment for better performance.

     (Screenshot: Execution environment settings with Second generation selected)

  7. In the container properties, add environment variables.

     (Screenshot: Container environment variables configuration interface)

     Add the following environment variables:

     ```yaml
     # Cloud Run environment variable values are strings. Booleans, numbers and
     # the value starting with "#" are quoted so that a YAML parser does not
     # read them as a boolean, a number or a comment.
     - name: BOX_SECURITY_AUDIT_LOG_ENABLED
       value: "true"
     - name: BOX_FHIR_SCHEMA_VALIDATION
       value: "true"
     - name: BOX_DB_PORT
       value: "5432"
     - name: BOX_WEB_PORT
       value: "8080"
     - name: BOX_SECURITY_DEV_MODE
       value: "true"
     - name: BOX_BOOTSTRAP_FHIR_PACKAGES
       value: "hl7.fhir.r4.core#4.0.1"
     - name: BOX_DB_DATABASE
       value: aidbox
     - name: BOX_FHIR_CREATEDAT_URL
       value: https://aidbox.app/ex/createdAt
     - name: BOX_ROOT_CLIENT_SECRET
       value: <put the default API client secret here>
     - name: BOX_FHIR_CORRECT_AIDBOX_FORMAT
       value: "true"
     - name: BOX_SETTINGS_MODE
       value: read-write
     - name: BOX_DB_USER
       value: aidbox
     - name: BOX_FHIR_COMPLIANT_MODE
       value: "true"
     - name: BOX_FHIR_SEARCH_COMPARISONS
       value: "true"
     - name: BOX_COMPATIBILITY_VALIDATION_JSON__SCHEMA_REGEX
       value: "#{:fhir-datetime}"
     - name: BOX_FHIR_TERMINOLOGY_SERVICE_BASE_URL
       value: https://tx.health-samurai.io/fhir
     - name: BOX_DB_HOST
       value: <put your PostgreSQL internal IP here>
     - name: BOX_FHIR_SEARCH_AUTHORIZE_INLINE_REQUESTS
       value: "true"
     # See https://cloud.google.com/run/docs/triggering/https-request#deterministic
     # for more info about deterministic URLs
     - name: BOX_WEB_BASE_URL
       value: <put your deterministic URL here>
     - name: BOX_DB_PASSWORD
       value: <put the password of aidbox database user here>
     - name: BOX_ADMIN_PASSWORD
       value: <put the password of aidbox built-in admin user here>
     - name: BOX_SEARCH_INCLUDE_CONFORMANT
       value: "true"
     - name: BOX_DB_INSTALL_PG_EXTENSIONS
       value: "false"
     - name: BOX_DB_MAINTENANCE_DATABASE
       value: aidbox
     - name: JAVA_OPTS
       value: "-XX:MaxRAMPercentage=75 -XshowSettings:vm"
     ```


     See more about recommended Aidbox environment variables here.

  8. On the Networking tab, configure the outbound traffic to go to the default subnet.

     (Screenshot: Networking tab with VPC connector settings; outbound traffic configuration set to use the default VPC network)

  9. Click the "Create" button and wait for the service to deploy successfully.

     (Screenshot: Cloud Run service successfully deployed with status indicator)

  10. Access the service via its URL.

      (Screenshot: Cloud Run service URL displayed in the overview page)

  11. Activate the Aidbox instance.

What's next

See more about different options for running Aidbox: