# Phase 1: Fix Plan for Critical Gaps

## Immediate Fixes Required

### 1. Fix Boot Diagnostics Storage Account

**Problem**: Boot diagnostics enabled but no storage account provided.

**Solution**: Create storage accounts for boot diagnostics in each region.

**Files to Modify**:
- `phase1-main.tf`: Add storage account creation for each region
- Update VM module call to pass storage account name

### 2. Fix Nginx Proxy Backend Connectivity

**Problem**: Nginx proxy in West Europe cannot reach VMs in US regions via private IPs (not routable across regions).

**Solution Options**:
- **Option A (Recommended)**: Give VMs public IPs for RPC access
  - Modify VM module to create public IPs for "besu-node" type
  - Update NSG rules to allow RPC from Nginx proxy public IP only
- **Option B**: Use Azure VPN/ExpressRoute (more complex, higher cost)
- **Option C**: Deploy Nginx proxy in each region (not recommended)

**Files to Modify**:
- `modules/vm-deployment/main.tf`: Add public IP creation for "besu-node" type
- `phase1-main.tf`: Ensure node_type allows public IPs
- `modules/networking-vm/main.tf`: Restrict RPC rules to Nginx proxy IP

### 3. Add Storage Accounts for Backups

**Problem**: No storage for backups, chaindata, or configuration.

**Solution**: Add storage module for each region.

**Files to Modify**:
- `phase1-main.tf`: Add storage module for each US region
- Use existing `modules/storage` module

### 4. Add Basic Monitoring

**Problem**: No observability infrastructure.

**Solution**: Add Log Analytics Workspace and basic monitoring.

**Files to Create/Modify**:
- Create `modules/monitoring` module
- Add Log Analytics Workspace
- Add diagnostic settings for VMs

### 5. Fix Nginx Proxy Configuration

**Problem**:
- Missing `environment` variable in template
- No health checks
- SSL not automated

**Solution**:
- Fix template variables
- Add health check configuration
- Add certbot automation script

**Files to Modify**:
- `modules/nginx-proxy/nginx-cloud-init.yaml`: Fix template, add health checks
- Add certbot automation

### 6. Security Hardening

**Problem**: NSG rules too permissive, no Key Vault access policies.

**Solution**:
- Restrict NSG rules to specific IP ranges (variables)
- Add Key Vault access policies for VM Managed Identities

**Files to Modify**:
- `modules/networking-vm/main.tf`: Use variables for source IPs
- `modules/secrets/main.tf`: Add Managed Identity access policies
- `phase1-main.tf`: Add variables for allowed IPs

### 7. Add Comprehensive Outputs

**Problem**: Missing useful outputs for management.

**Solution**: Add outputs for:
- SSH connection strings
- VM resource IDs
- Storage account names
- Monitoring workspace IDs

**Files to Modify**:
- `phase1-main.tf`: Add comprehensive outputs

## Implementation Order

1. **Fix Boot Diagnostics** (Critical - blocks deployment)
2. **Fix Nginx Backend Connectivity** (Critical - blocks functionality)
3. **Add Storage Accounts** (High - needed for backups)
4. **Add Basic Monitoring** (High - needed for operations)
5. **Security Hardening** (High - security risk)
6. **Fix Nginx Configuration** (Medium - operational improvement)
7. **Add Outputs** (Low - convenience)

## Testing Checklist

After fixes:
- [ ] Terraform plan succeeds without errors
- [ ] Boot diagnostics work on VMs
- [ ] Nginx proxy can reach backend VMs
- [ ] Storage accounts created and accessible
- [ ] Log Analytics Workspace receives logs
- [ ] NSG rules properly restrict access
- [ ] Key Vault accessible by VMs via Managed Identity
- [ ] All outputs provide useful information
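As an added example for the security hardening item (6), not code from the project's own modules: a Terraform fragment that takes the allowed RPC source CIDRs from a variable, rejects wildcard sources at plan time, and grants the VM's system-assigned identity read-only secret access in Key Vault. The resource names `azurerm_network_security_group.besu` and `azurerm_linux_virtual_machine.besu` (with a system-assigned identity), the variables `resource_group_name` and `key_vault_id`, and the RPC port default of 8545 are assumptions.

```hcl
# Added example (names assumed): variable-driven RPC NSG rule plus least-privilege Key Vault policy.

variable "allowed_rpc_source_ips" {
  description = "CIDRs allowed to reach the RPC port, e.g. the Nginx proxy public IP as a /32."
  type        = list(string)

  # Fail at plan time instead of shipping an open rule.
  validation {
    condition = (
      length(var.allowed_rpc_source_ips) > 0 &&
      !contains(var.allowed_rpc_source_ips, "*") &&
      !contains(var.allowed_rpc_source_ips, "0.0.0.0/0") &&
      !contains(var.allowed_rpc_source_ips, "Internet")
    )
    error_message = "allowed_rpc_source_ips must list specific CIDRs; wildcard or Internet sources are not allowed."
  }
}

variable "rpc_port" {
  description = "JSON-RPC port exposed by the Besu nodes (assumed default 8545)."
  type        = number
  default     = 8545
}

data "azurerm_client_config" "current" {}

# Inbound RPC only from the listed sources; everything else falls through to the
# NSG's default DenyAllInbound rule.
resource "azurerm_network_security_rule" "rpc_from_proxy" {
  name                        = "allow-rpc-from-nginx-proxy"
  priority                    = 200
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  source_address_prefixes     = var.allowed_rpc_source_ips
  destination_port_range      = tostring(var.rpc_port)
  destination_address_prefix  = "VirtualNetwork"
  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.besu.name
}

# Least privilege for the VM's system-assigned identity: read secrets only, no key or certificate rights.
resource "azurerm_key_vault_access_policy" "besu_vm" {
  key_vault_id       = var.key_vault_id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_linux_virtual_machine.besu.identity[0].principal_id
  secret_permissions = ["Get", "List"]
}
```

With this in place, `terraform plan` rejects a `tfvars` that sets `allowed_rpc_source_ips = ["*"]`, which covers the "NSG rules properly restrict access" checklist item before anything is applied.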