# Cloud for Sovereignty Landing Zone - Deployment Plan

## Overview

This plan outlines the deployment of a Well-Architected Framework Cloud for Sovereignty landing zone across all Azure commercial Non-US regions.

## Architecture

### Management Group Structure

```
Root Management Group
└── Landing Zones
    ├── Platform
    │   ├── Management
    │   ├── Connectivity
    │   └── Identity
    └── Workloads
        ├── Production
        ├── Non-Production
        └── Sandbox
```

### Per-Region Structure

Each region follows the Well-Architected Framework with separate resource groups:

- **Network** (`rg-net-001`): Virtual networks, subnets, NSGs
- **Compute** (`rg-comp-001`): AKS clusters, VMs
- **Storage** (`rg-stor-001`): Storage accounts, backups
- **Security** (`rg-sec-001`): Key Vaults, Security Centers
- **Monitoring** (`rg-mon-001`): Log Analytics, Application Insights
- **Identity** (`rg-id-001`): Managed identities

## Deployment Phases

### Phase 1: Foundation (Current)

- [x] Management Group structure
- [x] Subscription organization
- [ ] Resource Groups (all regions)
- [ ] Virtual Networks
- [ ] Key Vaults
- [ ] Log Analytics Workspaces
- [ ] Storage Accounts

**Command:**

```bash
./scripts/deployment/deploy-cloud-sovereignty-foundation.sh
```

### Phase 2: AKS Clusters

- [ ] AKS clusters in selected regions
- [ ] Node pools (validators, sentries, RPC)
- [ ] Container registries

**Configuration:** Set `deploy_aks_clusters = true` in `terraform.tfvars`

### Phase 3: Besu Network

- [ ] Besu validators
- [ ] Besu sentries
- [ ] Besu RPC nodes
- [ ] Monitoring stack

**Configuration:** Set `deploy_besu_network = true` in `terraform.tfvars`

### Phase 4: Governance

- [ ] Policy definitions
- [ ] Policy assignments
- [ ] RBAC roles
- [ ] Budgets and alerts

## Regions

### Total: 44 Non-US Commercial Regions

**Europe (18 regions)**

- Belgium Central, France Central, France South
- Germany North, Germany West Central
- Italy North, North Europe
- Norway East, Norway West
- Poland Central, Spain Central
- Sweden Central
- Switzerland North, Switzerland West
- UK South, UK West
- West Europe

**Asia Pacific (16 regions)**

- Australia East, Australia Southeast
- East Asia
- Central India, South India, West India
- Indonesia Central
- Japan East, Japan West
- Korea Central, Korea South
- Malaysia West
- New Zealand North
- Southeast Asia

**Middle East & Africa (6 regions)**

- Israel Central
- Qatar Central
- South Africa North, South Africa West
- UAE Central, UAE North

**Americas - Non-US (6 regions)**

- Brazil South, Brazil Southeast
- Canada Central, Canada East
- Chile Central
- Mexico Central

## Naming Convention

Format: `{cloud}-{env}-{region}-rg-{type}-{instance}`

Examples:

- `az-p-we-rg-comp-001` (West Europe Compute)
- `az-p-ne-rg-net-001` (North Europe Network)
- `az-p-uks-rg-sec-001` (UK South Security)

## Cost Considerations

### Estimated Costs (Per Region)

- Resource Groups: $0
- Virtual Networks: ~$10/month
- Key Vaults: ~$3/month
- Log Analytics: ~$50/month (90-day retention)
- Storage Accounts: ~$5/month

**Total per region (foundation): ~$68/month**

**Total for 44 regions: ~$3,000/month**

### Cost Optimization

- Use Log Analytics basic tier where appropriate
- Implement lifecycle management for storage
- Use reserved capacity for AKS clusters
- Implement budgets and alerts

## Security & Compliance

### Data Sovereignty

- All data remains within specified region
- No cross-region data replication
- Regional compliance certifications

### Security Controls

- Regional Key Vaults
- Network isolation per region
- Regional monitoring and logging
- RBAC per region

## Monitoring

### Centralized Dashboard

- Cross-region metrics aggregation
- Regional health monitoring
- Cost tracking per region
- Compliance reporting

## Next Steps

1. **Review Configuration**
   - Check `terraform.tfvars`
   - Verify subscription ID
   - Select regions (or use all)

2. **Deploy Foundation**

   ```bash
   ./scripts/deployment/deploy-cloud-sovereignty-foundation.sh
   ```

3. **Verify Deployment**
   - Check resource groups in Azure Portal
   - Verify naming conventions
   - Review tags

4. **Deploy AKS Clusters**
   - Update `terraform.tfvars`
   - Run deployment

5. **Deploy Besu Network**
   - Update `terraform.tfvars`
   - Run deployment
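
One way to script the "Verify naming conventions" check from the Verify Deployment step, as an added example that is not part of the project's scripts. It validates only the shape of each name against the Naming Convention format and flags any of the six per-region resource groups that is absent; the function names and sample names are constructed, and a lowercase name with a three-digit instance suffix is assumed from the plan's examples.

```bash
#!/bin/sh
# Added example (not from the project's scripts): check resource group names
# against {cloud}-{env}-{region}-rg-{type}-{instance} and report, per
# {cloud}-{env}-{region} prefix, which of the six per-region groups is absent.
# Real input: az group list --query "[].name" -o tsv | check_rg_names

check_rg_names() {
  awk '
    BEGIN { n = split("net comp stor sec mon id", types, " "); bad = 0 }
    NF == 0 { next }                      # skip blank lines
    {
      # Shape only: env/region codes are not enumerated in the plan.
      # Assumption: lowercase names and a three-digit instance, as in its examples.
      if ($0 !~ /^[a-z]+-[a-z]+-[a-z0-9]+-rg-(net|comp|stor|sec|mon|id)-[0-9][0-9][0-9]$/) {
        print "INVALID " $0; bad++; next
      }
      split($0, f, "-")
      prefix = f[1] "-" f[2] "-" f[3]
      seen[prefix, f[5]] = 1
      if (!(prefix in known)) { known[prefix] = 1; order[++r] = prefix }
    }
    END {
      for (i = 1; i <= r; i++)
        for (j = 1; j <= n; j++)
          if (!((order[i], types[j]) in seen)) {
            print "MISSING " order[i] "-rg-" types[j]; bad++
          }
      exit (bad > 0)
    }
  '
}

# Constructed sample: West Europe complete, North Europe lacks its security
# group, and two names that do not follow the convention.
sample_rg_names() {
  for t in net comp stor sec mon id; do echo "az-p-we-rg-$t-001"; done
  for t in net comp stor mon id; do echo "az-p-ne-rg-$t-001"; done
  echo "az-p-uks-rg-security-001"
  echo "rg-sec-001"
}

sample_rg_names | check_rg_names || echo "naming check failed"
```

A missing `rg-sec` or `rg-mon` group is the finding to act on first, since those hold the region's Key Vault and Log Analytics workspace.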