Configuration options
The configuration file is stored in JSON format in config.json.
How configuration options are determined
Fire Arrow specifies defaults for most configuration options. Defaults have the lowest priority. When starting up, Fire Arrow initializes its configuration from defaults. It will then load config.json and override any configuration with values found in that file. Last but not least Fire Arrow will inspect the environment and give precedence to values found in the environment.
This behavior enables building Docker containers with standardized configuration for a certain application without having to ship secrets in those containers. Any secret can then be supplied via environment variables.
Overriding configuration options via environment variables
Any configuration option can be overridden by supplying a value through an environment variable. Environment values always take predence over defaults and over values specified in the configuration file.
The name of the environment variable is always the full JSON path of the configuration option.
Examples:
enable_playgroundcan be overriden viaENABLE_PLAYGROUNDfhir.base_urlcan be overriden viaFHIR_BASE_URLstorage.azure_blob.connection_stringcan be overriden viaSTORAGE_AZURE_BLOB_CONNECTION_STRING
Reference of configuration options
General
General options are supplied at the root of config.json.
| Option | Required | Default | Description |
|---|---|---|---|
server_identifier | null | Server identifier which is returned in the response headers. By default Fire Arrow will not reveal any information. | |
server_version | null | Server version which is returned in the response headers. By default Fire Arrow will not reveal any information. | |
server_port | 8080 | Port to bind to. | |
enable_graphql_playground | false | Enables the GraphQL playground at /playground. Should only be enabled for development purposes. | |
enable_schema_introspection | false | Enables schema introspection queries. Should only be enabled for development purposes. | |
enable_schema_download | false | Enables downloading the GraphQL schema in SDL format. Should only be enabled for development purposes. | |
enable_proxied_azure_cli_credential | false | Allows running Fire Arrow in local Docker containers by querying Azure Identity tokens through a proxy service. | |
auto_create_search_parameters | false | Automatically creates required search parameters on the server. Search parameters are currently required for Fire Arrow's custom OrganizationCompartment. This setting should be turned on if the FHIR backend is primarily used for Fire Arrow and/or adding additional search parameters is no concern. | |
auto_reindex_server | false | If auto_create_search_parameters is turned on and Fire Arrow creates a search parameter, Fire Arrow can automatically trigger a reindex operation to activate the search parameter. Should be turned on if the FHIR backend is primarily used for Fire Arrow and/or running reindex operations is no concern. |
FHIR backend
Options are supplied in the section fhir.
| Option | Required | Default | Description |
|---|---|---|---|
base_url | yes | none | Base url to the backend FHIR server. |
External storage
Options are supplied in the section storage.
| Option | Required | Default | Description |
|---|---|---|---|
enabled | false | Turns the external storage system on. If this value is true, at least one storage subsystem must be properly configured or Fire Arrow won't start. | |
backend | none | Specifies which storage subsystem to use. Possible values are azure_blob or s3. | |
link_expiration_seconds | none | Number of seconds for which a link to a file in external storage is valid. Should be from about 30 seconds to a few minutes at most. Fire Arrow will automatically generate pre-signed URLs to any file stored in external storage. Pre-signed URLs allow the use of these URLs in standard browser requests (to enable PDF viewers, diagrams embedded in websites, etc.). These URLs automatically timeout so that an accidental leak of the URL doesn't compromise confidential data. |
External storage - S3
Options are supplied in the section storage.s3.
| Option | Required | Default | Description |
|---|---|---|---|
endpoint | none | S3 storage endpoint | |
secret_key | none | S3 storage secret key | |
region | auto | Storage region | |
bucket | none | S3 bucket name |
External storage - Azure Blob Storage
Options are supplied in the section storage.azure_blob.
| Option | Required | Default | Description |
|---|---|---|---|
connection_string | none | Connection string to blob storage | |
container | none | Container name | |
block_size | 3999999 | Block size |
Authentication settings
Options are supplied in the section auth.
| Option | Required | Default | Description |
|---|---|---|---|
systems | [] | List of authentication systems that can be used to authenticate requests. | |
auto_create_entity | false | When set to true, automatically creates a client's entity in the FHIR database if it doesn't exist. Enables client self-registration which is often used in self-sign-up patient apps or similar settings. Fire Arrow will create an entity on the client's behalf. This makes it possible to grant clients to modify their own entity (which will always exist) but while at the same time preventing them from creating arbitrary user entities in the FHIR backend. |
An authentication system is always configured with the same format:
| Option | Required | Default | Description |
|---|---|---|---|
type | yes | none | Type of the authentication system to be configured. Valid options are azure_identity and oauth. |
parameters | yes | {} | A list of system-specific configuration parameters. |
Configuration parameters valid for Azure Identity:
| Option | Required | Default | Description |
|---|---|---|---|
tenant_id | yes | none | ID of the tenant for which Azure Identity tokens are accepted. |
Configuration parameters valid for OAuth:
| Option | Required | Default | Description |
| oidc_url | | none | OpenID Connect well-known URL for auto-configuration. If this value is supplied, issuer and jwks_uri are not required. |
| jwks_uri | | none | URL at which the JWT key store can be downloaded. Value can be retrieved from the OAuth server's configuration. Only needed if oidc_url is not set. |
| issuer | | none | Expected issuer in the auth token. Only needed if oidc_url is not set. |
| entity_type_claim | yes | none | Name of claim in which a client's entity type (and thus the client's role) is recorded. |
| entity_id_claim | yes | none | Name of claim in which a client's entity ID is recorded. |
Validator specific options
Options are supplied in the section validators.
| Option | Required | Default | Description |
|---|---|---|---|
legitimate_interest.role_inheritance_levels | 0 | Number of levels to inherit roles. The legitimate interest validator supports inheritance of roles from any organization to its child organizations. The value of this setting specifies how many levels down roles are inherited. 0 means that roles are only valid for the organization to which they are directly related. 1 will inherit the role to direct children of that organization, 2 to direct children and their children, etc. |
Role based access control
Options are supplied in the section rbac.
| Option | Required | Default | Description |
|---|---|---|---|
default_access | Forbidden | Default validator to use for requests that don't match any validation rule. Should almost always be set to Forbidden. | |
validation_rules | [] | List of request validation rules. |
Plan Definition apply options
Options are supplied in the section plan_definition_apply.
| Option | Required | Default | Description |
|---|---|---|---|
allow_client_to_apply_submitted_plandefinition | false | Controls if clients are allowed to submit PlanDefinition objects instead of referring to an object on the server. | |
remove_plan_definition_actions_without_definitions | false | Removes empty actions from PlanDefinition(actions that neither contain definitionCanonical nor definitionUri) during PlanDefinitionApply |
|