Infrastructure | Updated July 3, 2026

VM Deployment Standards

Tags: terraform, vm-deployment, azure, epic, infrastructure, healthcare


Terraform-based virtual machine deployment standards for OHEMR Epic healthcare infrastructure.


🎯 Overview

All virtual machines supporting Epic healthcare systems are deployed through Infrastructure as Code (IaC) using Terraform. This standardized approach ensures consistent security controls, backup strategies, and compliance requirements across all healthcare environments.

Benefits

  • Epic Certification Compliance: Maintains Epic-required infrastructure standards
  • HIPAA Audit Readiness: Consistent security controls and logging
  • Clinical Uptime: Standardized backup and disaster recovery
  • Operational Efficiency: Automated deployment with validation gates

📋 Terraform Configuration Structure

Required Configuration Blocks

All VM deployments must include the following standardized blocks:

Block | Purpose | Healthcare Requirement
tags | Standard resource tagging | HIPAA audit trail and cost tracking
rgs | Resource group configuration | Environment isolation and access control
vnet | Virtual network assignment | Network segmentation for PHI protection
backup | Recovery services vault | Clinical data protection and DR
deployments | VM grouping and configuration | Epic application tier organization

๐Ÿฅ Epic-Specific Deployment Patterns

Epic Production Environment

# Epic Production VDA Deployment
deployments = {
  "epic-prod-vda" = {
    vm_count = 10

    # Epic-specific VM configuration
    vm_size = "Standard_D8s_v3"  # Epic minimum requirements

    tags = {
      SolutionName     = "epic-app"
      epic-app         = "hyperspace"
      epic-stamp       = "production"
      Component        = "Epic VDA"
      DataClassification = "PHI"
    }

    # Epic-required disk configuration
    disks = {
      os_disk = {
        disk_size_gb = 128
        storage_account_type = "Premium_LRS"
        caching = "ReadWrite"
      }
      data_disk_1 = {
        disk_size_gb = 500
        storage_account_type = "Premium_LRS"
        caching = "ReadOnly"
      }
    }

    # Availability configuration for clinical uptime
    vms = {
      availability_zone = ["1", "2", "3"]
      subnet_name = "epic-prod-subnet"
    }
  }
}

Epic Infrastructure Services

# BCA Web Servers for Clinical Decision Support
deployments = {
  "epic-bca-web" = {
    vm_count = 3
    vm_size = "Standard_D4s_v3"

    tags = {
      SolutionName = "epic-app"
      epic-app = "bca"
      Component = "Epic BCA Web"
      epic-stamp = "production"
    }

    # Load balancer configuration for high availability
    load_balancer = {
      enable = true
      type = "internal"
      backend_pool = "epic-bca-pool"
    }
  }
}

Epic Infrastructure Appliances

Epic infrastructure appliances such as Palo Alto, Infoblox and NetScaler are deployed from Azure Marketplace images published in the Private Marketplace.

Code for appliance deployment is in the repo links below.


🔧 Standard Configuration Requirements

1. Resource Tagging Standards

Global Tags (required on all resources):

tags = {
  # Standard organizational tags
  aide-id               = "AIDE_0085665"
  item-assignment-group = "EPIC NATIONAL INSTANCE – SPT"
  Division              = "Optum Health"
  Product               = "Epic EMR"
  environment           = "prd"
  GL_Code               = "44770-01530-USASS800-169950"
  service-tier          = "p1"
  platform-managed      = "true"

  # Compliance and security
  DataClassification    = "PHI"
  DR                    = "Yes"

  # Deployment tracking
  workspace-id          = "ohemr-epic-pro-001"
  working-directory     = "westepicpro/cogitocentralus"
  source-code-repo      = "https://github.com/optum-tech-compute/ohemr-epic-pro-001"
}

The complete list of tags is in the Tagging Strategy for EoA Servers page.

2. Network Configuration

Virtual Network Requirements:

vnet = {
  name                = "vnet-epic-prod-westus3"
  resource_group_name = "rg-epic-network-prod-westus3"

  # Epic network segmentation
  subnets = {
    epic-app-subnet = {
      address_prefixes = ["10.1.1.0/24"]
      nsg_name = "nsg-epic-app-prod"
    }
    epic-data-subnet = {
      address_prefixes = ["10.1.2.0/24"]
      nsg_name = "nsg-epic-data-prod"
    }
  }
}

3. Backup and Recovery Configuration

Recovery Services Vault:

backup = {
  recovery_vault_name         = "rsv-epic-prod-westus3"
  recovery_vault_rg_name      = "rg-epic-backup-prod-westus3"
  backup_policy_name          = "epic-vm-backup-policy"

  # Clinical data protection requirements
  backup_frequency            = "Daily"
  backup_time                 = "22:00"  # After clinical hours
  retention_daily             = 30
  retention_weekly            = 12
  retention_monthly           = 12
  retention_yearly            = 7

  # Geo-redundant for disaster recovery
  storage_mode_type           = "GeoRedundant"
  cross_region_restore_enabled = true
}

4. Scale Set Configuration (Optional)

Epic Training Environment Scale Set:

orchestrated_scale_set = {
  "epic-training-vmss" = {
    instances           = 5
    upgrade_mode        = "Manual"  # Controlled Epic updates
    zones               = ["1", "2", "3"]

    # Epic-specific scaling
    scale_out_capacity  = 20  # Training surge capacity
    scale_in_capacity   = 2   # Minimum for Epic services

    # Maintenance coordination
    max_unhealthy_percent = 20
    max_surge_percent     = 10
  }
}

5. Capacity Reservation Configuration (Optional)

Epic Prod Environment capacity reservation:

"capacity_reservations": {
  "epic-training-crg": {
    "rg": "epic-rg",
    "location": "Central US",
    "zones": ["1", "2", "3"],
    "reservations": {
      "cr-d16asv5-az1-cus-01": {
        "sku_name": "Standard_D16as_v5",
        "capacity": "1",
        "zone": "1"
      }
    }
  }
}

6. Storage Account Configuration (Optional)

Epic storage accounts:

"storage": {
  "staccountname": {
    "shared_access_key_enabled": true,
    "public_network_access_enabled": false,
    "resource_group_name": "ohemr-rg",
    "account_tier": "Standard",
    "account_replication_type": "ZRS",
    "bypass": ["AzureServices"],
    "private_endpoints": {
      "stssiswestcwprowus301-pe": {
        "pe_subnet": "ohemr-snet-west_epic_pe-pro-wus3-001",
        "virtual_network": "ohemr-vnet-west_epic_main-pro-wus3-001",
        "virtual_network_rg": "ohemr-rg-epic_network-pro-wus3-001",
        "psc_name": "stssiswestcwprowus301-psc",
        "subresource_names": ["blob"],
        "private_dns_zones": [
          { "id": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net" }
        ]
      }
    }
  }
}

Note that public_network_access_enabled = false restricts where the account can be reached from, but shared_access_key_enabled = true keeps account-key (and SAS) authentication available over the private endpoint; where the consuming workload supports Entra ID RBAC, set it to false so that PHI in blob storage is not reachable with a leaked key.

๐Ÿ” Validation Requirements

Pre-Deployment Validation

Before deploying VMs, verify:

  1. Epic Requirements: VM sizing meets Epic minimum specifications
  2. Network Security: NSG rules align with Epic security requirements
  3. Backup Policy: Recovery vault configured for clinical data protection
  4. Tagging Compliance: All required tags present with valid values
  5. Availability Zones: Proper distribution for Epic uptime requirements

Terraform Validation Commands

# Initialize and validate Terraform configuration (syntax and provider schema only;
# this does not check Epic sizing, tags or backup policy)
terraform init
terraform validate

# Plan deployment with target resource verification
# (-target scopes the plan to the VM module for verification; do not use it as the
#  routine apply path, because resources outside the target are not reconciled)
terraform plan -target="module.vm_deployment"

# Apply with Epic-specific validation
terraform apply -var="validate_epic_compliance=true"

Code Validation (tfvars/JSON BOM Check)

To validate configuration files (such as tfvars.json) against the Bill of Materials (BOM):

  1. Download the validation Python script. Download the script from the provided URL and save it in a local folder with a .py extension.

  2. Prepare your files. Place the code to be validated (e.g., tfvars.json) in the same folder as the script.

  3. Run the script. Execute it from the terminal:

    python <scriptname>.py
    
  4. Review the output. The script generates a CSV file. Open it in Excel and format the columns according to the provided validation template.

  5. Validate against the BOM. Compare the values against the BOM sheet.

    • If mismatches are found, contact the code owner to correct the values.
    • If the values are correct, you may proceed with deployment.

  6. Documentation. Save all validation files in SharePoint, organized by subscription and region.

    • Template and storage location:
      • Template
      • Location in SharePoint: Epic on Azure -> Documents -> General -> 4 - Delivery -> 2 - Epic -> 1 - Epic Infrastructure -> 4 - Epic Infra Provisioning -> 4 - TFVARS Validation

ORC Validation (VM Specification Check)

To validate that deployed VMs match BOM specifications:

Download and Configure

  1. Download the ORC PowerShell script. Get the ORC validation script from the linked location.

  2. Configure the script. Open the script in your code editor and enter the Subscription and Resource Group(s) for the VMs you want to validate.

  3. Run the script. Execute it in PowerShell and watch for errors.

  4. Review the output. The script creates output folders by Subscription and Resource Group, with JSON and CSV files for each VM.

  5. Validate. Open the <vmname>.csv file, check the columns, and compare the values against the BOM.

    • If mismatches exist, notify the developer for correction.
    • If the values are correct, deployment is complete.

  6. Documentation. The path to all ORC files: Epic on Azure -> Documents -> General -> 4 - Delivery -> 2 - Epic -> 1 - Epic Infrastructure -> 4 - Epic Infra Provisioning -> 5 - ORC Validation


If any values do not match the BOM, contact the code owner or developer to resolve prior to production deployment.
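The pre-deployment checklist, the tfvars/JSON BOM check and the ORC check above all reduce to the same operation: flatten a deployment description into a handful of fields and compare each against the BOM row for that deployment. The following is an added example of that comparison, not the team's validation or ORC script. The BOM row, the tfvars.json fragment (shaped like the deployments block earlier on this page, with an undersized VM and a missing epic-stamp tag planted on purpose) and the deployed-VM record (a subset of the JSON `az vm show -o json` returns) are all constructed inline; the CSV column names are an assumption and should be aligned with the team's validation template.

```python
import csv
import io
import json

# Constructed BOM row for one deployment (assumption; not the team's BOM sheet).
BOM = {
    "epic-prod-vda": {
        "vm_count": 10,
        "vm_size": "Standard_D8s_v3",
        "zones": ["1", "2", "3"],
        "os_disk_gb": 128,
        "backup_policy": "epic-vm-backup-policy",
        "required_tags": {"DataClassification": "PHI", "epic-stamp": "production"},
    },
}

# Constructed tfvars.json in the shape of the page's deployments block, with two
# deliberate defects: an undersized VM and a missing epic-stamp tag.
TFVARS_JSON = json.dumps({
    "backup": {"backup_policy_name": "epic-vm-backup-policy"},
    "deployments": {"epic-prod-vda": {
        "vm_count": 10,
        "vm_size": "Standard_D4s_v3",
        "tags": {"DataClassification": "PHI"},
        "disks": {"os_disk": {"disk_size_gb": 128}},
        "vms": {"availability_zone": ["3", "1", "2"]},
    }},
})

# Constructed deployed-VM record, a subset of `az vm show -o json` output
# (assumption about which fields an ORC-style export captures).
DEPLOYED_VM_JSON = json.dumps({
    "name": "epic-prod-vda-01",
    "hardwareProfile": {"vmSize": "Standard_D8s_v3"},
    "zones": ["2"],
    "storageProfile": {"osDisk": {"diskSizeGb": 128}},
    "tags": {"DataClassification": "PHI", "epic-stamp": "production"},
})


def spec_from_tfvars(tfvars: dict, name: str) -> dict:
    # Flatten one deployments entry into the fields the BOM compares.
    d = tfvars["deployments"][name]
    return {
        "vm_count": d.get("vm_count"),
        "vm_size": d.get("vm_size"),
        "zones": sorted(d.get("vms", {}).get("availability_zone", [])),
        "os_disk_gb": d.get("disks", {}).get("os_disk", {}).get("disk_size_gb"),
        "backup_policy": tfvars.get("backup", {}).get("backup_policy_name"),
        "tags": d.get("tags", {}),
    }

def spec_from_deployed(vm: dict) -> dict:
    # One VM sits in one zone, so membership in the BOM zone set is checked;
    # vm_count and backup policy are not VM properties and are skipped.
    return {
        "vm_size": vm["hardwareProfile"]["vmSize"],
        "zone_member": vm.get("zones", []),
        "os_disk_gb": vm["storageProfile"]["osDisk"]["diskSizeGb"],
        "tags": vm.get("tags", {}),
    }

def compare(name: str, spec: dict, bom: dict) -> list:
    # One row per checked field: (name, field, bom_value, actual_value, status).
    rows = []
    for field, expected in bom.items():
        if field == "required_tags":
            for tag, value in expected.items():
                actual = spec["tags"].get(tag)
                rows.append((name, f"tag:{tag}", value, actual,
                             "OK" if actual == value else "MISMATCH"))
        elif field == "zones" and "zone_member" in spec:
            ok = all(z in expected for z in spec["zone_member"])
            rows.append((name, "zone", expected, spec["zone_member"],
                         "OK" if ok else "MISMATCH"))
        elif field in spec:
            rows.append((name, field, expected, spec[field],
                         "OK" if spec[field] == expected else "MISMATCH"))
    return rows

def validate_tfvars(tfvars_json: str, bom: dict) -> list:
    # tfvars/JSON BOM check: every deployment must exist in the BOM and match it.
    tfvars = json.loads(tfvars_json)
    rows = []
    for name in tfvars["deployments"]:
        if name not in bom:
            rows.append((name, "deployment", "in BOM", "not in BOM", "MISMATCH"))
            continue
        rows.extend(compare(name, spec_from_tfvars(tfvars, name), bom[name]))
    return rows

def validate_deployed(vm_json: str, deployment: str, bom: dict) -> list:
    # ORC-style check: a deployed VM record against its deployment's BOM row.
    vm = json.loads(vm_json)
    return compare(vm["name"], spec_from_deployed(vm), bom[deployment])

def to_csv(rows: list) -> str:
    # Header is assumed; align it with the team's validation template.
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["deployment", "field", "bom_value", "actual_value", "status"])
    writer.writerows(rows)
    return buf.getvalue()
```

Calling `to_csv(validate_tfvars(TFVARS_JSON, BOM))` yields a MISMATCH row for vm_size and for tag:epic-stamp and OK rows for everything else, which is exactly the evidence a reviewer needs to send back to the code owner; `validate_deployed(DEPLOYED_VM_JSON, "epic-prod-vda", BOM)` returns only OK rows. A deployment that is absent from the BOM is reported as a mismatch rather than silently passed, since an unplanned VM is the case a BOM check exists to catch.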


🚨 Troubleshooting Guide

Common Deployment Issues

Problem: VM deployment fails with naming convention error

Diagnosis: Check Azure Policy enforcement for naming standards

Resolution:

  1. Verify VM name follows OHEMR convention: [Platform][Region][Environment][OS][Purpose][Role][Series]
  2. Update terraform.tfvars.json with compliant names
  3. Re-run terraform plan and apply

Problem: Epic VM performance issues post-deployment

Diagnosis: VM sizing insufficient for Epic workload

Resolution:

  1. Review Epic minimum requirements documentation
  2. Update VM size in Terraform configuration
  3. Schedule maintenance window for VM resize

Problem: Backup policy not applied to new VMs

Diagnosis: Recovery Services Vault permissions or policy assignment

Resolution:

  1. Verify managed identity has Backup Contributor role
  2. Check backup policy exists in target vault
  3. Manually assign backup policy if needed

Epic-Specific Troubleshooting

Problem: Epic application won't start after VM deployment

Diagnosis: Epic service dependencies or network connectivity

Resolution:

  1. Verify all Epic application VMs are deployed and running

  2. Check Epic database connectivity from application VMs

  3. Validate Epic service account permissions

  4. Review Epic logs for specific error messages


🔗 Related Documentation

Implementation References

📞 Support & Contacts

Deployment Approval Process

Environment | Approval Required | Lead Time
Production | Epic Team + Security + Architecture | 5 business days
Non-Production | Infrastructure Team | 2 business days
Development | Development Lead | Same day

Emergency Contacts


๐Ÿ—๏ธ Deployment Excellence: Standardized Terraform-based VM deployment ensures reliable, compliant healthcare infrastructure supporting Epic clinical systems.