d-bis/the_order
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone

Browse Source 
- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization
This commit is contained in:
defiQUG
2025-11-13 09:32:55 -08:00
parent 92cc41d26d
commit 6a8582e54d
202 changed files with 22699 additions and 981 deletions
Download Patch File Download Diff File Expand all files Collapse all files

350
docs/deployment/azure/SOVEREIGNTY_LANDING_ZONE_DEPLOYMENT.md Normal file
View File

@@ -0,0 +1,350 @@
# Cloud for Sovereignty Landing Zone Deployment Guide
**Last Updated**: 2025-01-27
**Management Group**: SOVEREIGN-ORDER-OF-HOSPITALLERS
**Framework**: Azure Well-Architected Framework + Cloud for Sovereignty
## Overview
This guide walks through deploying a complete Cloud for Sovereignty landing zone across all non-US commercial Azure regions, using the Azure Well-Architected Framework principles.
## Prerequisites
1. **Azure Subscription** with access to management group
2. **Management Group**: `SOVEREIGN-ORDER-OF-HOSPITALLERS` must exist
3. **Azure CLI** installed and authenticated
4. **Terraform** >= 1.5.0 installed
5. **Environment Variables** configured in `.env` file
## Architecture Overview
### Management Group Hierarchy
```
SOVEREIGN-ORDER-OF-HOSPITALLERS (Root)
├── Landing Zones
│ ├── Platform
│ ├── Sandbox
│ └── Workloads
├── Management
│ ├── Identity
│ ├── Security
│ └── Monitoring
└── Connectivity
├── Hub Networks
└── Spoke Networks
```
### Regional Architecture
Each region (7 total) includes:
- Hub Virtual Network (gateway, firewall, management)
- Spoke Virtual Network (application, database, storage)
- Azure Firewall
- Key Vault with private endpoint
- Log Analytics Workspace
- Storage Account with private endpoint
## Deployment Steps
### Step 1: Validate Environment
```bash
# Load and validate environment variables
source infra/scripts/azure-load-env.sh
# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS
```
### Step 2: Deploy Management Group Hierarchy
```bash
cd infra/terraform/management-groups
# Initialize Terraform
terraform init
# Review plan
terraform plan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"
# Apply
terraform apply
```
This creates:
- Landing Zones management group
- Platform, Sandbox, and Workloads groups
- Management group (Identity, Security, Monitoring)
- Connectivity group (Hub Networks, Spoke Networks)
### Step 3: Deploy Sovereignty Policies
```bash
cd ../policies
# Initialize Terraform
terraform init
# Review plan
terraform plan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"
# Apply
terraform apply
```
This creates and assigns:
- Allowed locations policy (non-US regions only)
- Deny US regions policy
- Require data residency tags
- Require encryption at rest
- Require resource tags
- Policy initiative for sovereignty compliance
### Step 4: Deploy Multi-Region Landing Zones
```bash
cd ../multi-region
# Initialize Terraform
terraform init
# Review plan (all regions)
terraform plan \
-var="environment=dev" \
-var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS" \
-var="deploy_all_regions=true"
# Apply
terraform apply
```
This deploys landing zones to:
1. West Europe (Netherlands) - Primary
2. North Europe (Ireland) - Secondary
3. UK South (London)
4. Switzerland North (Zurich)
5. Norway East (Oslo)
6. France Central (Paris)
7. Germany West Central (Frankfurt)
### Step 5: Verify Deployment
```bash
# Check resource groups
az group list --query "[?contains(name, 'az-')]" --output table
# Check Key Vaults
az keyvault list --query "[?contains(name, 'az-')]" --output table
# Check Virtual Networks
az network vnet list --query "[?contains(name, 'az-')]" --output table
# Check policy compliance
az policy state list --filter "complianceState eq 'NonCompliant'" --query "[].{Resource:resourceId, Policy:policyDefinitionName}" --output table
```
## Automated Deployment
Use the deployment script for automated deployment:
```bash
./infra/scripts/deploy-sovereignty-landing-zone.sh
```
This script:
1. Loads environment variables
2. Deploys management group hierarchy
3. Deploys sovereignty policies
4. Deploys multi-region landing zones
5. Provides deployment summary
## Regional Resources
### Per Region Resources
Each region deployment creates:
- **1 Resource Group**
- **2 Virtual Networks** (Hub + Spoke)
- **6 Subnets** (3 hub + 3 spoke)
- **1 Azure Firewall**
- **1 Public IP** (for firewall)
- **2 VNet Peerings** (hub ↔ spoke)
- **1 Key Vault** (with private endpoint)
- **1 Log Analytics Workspace**
- **1 Storage Account** (with private endpoint)
- **2 Private Endpoints** (Key Vault + Storage)
### Total Resources (7 regions)
- **7 Resource Groups**
- **14 Virtual Networks**
- **42 Subnets**
- **7 Azure Firewalls**
- **7 Public IPs**
- **14 VNet Peerings**
- **7 Key Vaults**
- **7 Log Analytics Workspaces**
- **7 Storage Accounts**
- **14 Private Endpoints**
## Network Architecture
### Hub Network
- **Gateway Subnet**: VPN/ExpressRoute connectivity
- **Azure Firewall Subnet**: Centralized security
- **Management Subnet**: Management and monitoring
### Spoke Network
- **Application Subnet**: Application workloads
- **Database Subnet**: Database servers (with delegation)
- **Storage Subnet**: Storage private endpoints
### Connectivity
- Hub and Spoke connected via VNet peering
- Hub allows gateway transit
- Spoke uses remote gateways
## Security Features
### Data Sovereignty
- **Private Endpoints**: All PaaS services use private endpoints
- **Customer-Managed Keys**: Encryption with Key Vault
- **Data Residency Tags**: All resources tagged with region
- **Network Isolation**: Hub-and-spoke architecture
### Compliance
- **Azure Policies**: Enforce location and encryption
- **Tagging**: Required tags for governance
- **Audit Logging**: Log Analytics for all regions
- **Access Control**: RBAC and management groups
## Cost Estimation
### Per Region (Monthly)
- Virtual Networks: ~$50
- Azure Firewall: ~$1,200 (Standard SKU)
- Key Vault: ~$15 (Premium SKU)
- Log Analytics: ~$200-500 (data ingestion)
- Storage Account: ~$50-200 (depending on usage)
- Private Endpoints: ~$35 (2 endpoints)
**Total per region**: ~$1,550-2,000/month
### Multi-Region (7 regions)
- **Development**: ~$10,850-14,000/month
- **Production**: ~$15,000-20,000/month (with higher usage)
## Monitoring
### Regional Monitoring
Each region has:
- Log Analytics Workspace
- Application Insights ready
- Azure Monitor metrics
- Network Watcher
### Centralized Monitoring
- Cross-region querying
- Centralized dashboards
- Alert rules per region
- Cost tracking per region
## Disaster Recovery
### Regional Failover
- Primary: West Europe
- Secondary: North Europe
- Backup regions: Other 5 regions
### RTO/RPO
- **RTO**: 4 hours
- **RPO**: 1 hour
### DR Strategy
1. Automated failover for critical services
2. Manual failover for non-critical services
3. Geo-replication for storage
4. Cross-region backup
## Next Steps
After deployment:
1. **Configure Application Workloads**
- Deploy AKS clusters per region
- Configure application networking
- Set up application monitoring
2. **Set Up Monitoring**
- Create Grafana dashboards
- Configure alert rules
- Set up cost alerts
3. **Implement Security**
- Configure Azure Firewall rules
- Set up Microsoft Defender for Cloud
- Configure Azure Sentinel
4. **Optimize Costs**
- Review resource usage
- Implement reserved instances
- Optimize storage tiers
## Troubleshooting
### Management Group Not Found
```bash
# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS
# Create if needed (requires appropriate permissions)
az account management-group create --name SOVEREIGN-ORDER-OF-HOSPITALLERS
```
### Policy Assignment Fails
```bash
# Check policy assignment
az policy assignment list --scope "/providers/Microsoft.Management/managementGroups/SOVEREIGN-ORDER-OF-HOSPITALLERS"
# Verify permissions
az role assignment list --assignee <your-user-id>
```
### Region Deployment Fails
```bash
# Check resource provider registration
az provider list --query "[?namespace=='Microsoft.Network']"
az provider register --namespace Microsoft.Network
# Check quotas
az vm list-usage --location westeurope --output table
```
## References
- [Azure Well-Architected Framework](https://docs.microsoft.com/azure/architecture/framework/)
- [Cloud for Sovereignty](https://azure.microsoft.com/solutions/sovereignty/)
- [Azure Landing Zones](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/)
- [Management Groups](https://docs.microsoft.com/azure/governance/management-groups/)
---
**Last Updated**: 2025-01-27