# Multi-Region Landing Zone Deployment

Deploys Cloud for Sovereignty landing zones across all non-US commercial Azure regions.

## Supported Regions

1. **West Europe** (Netherlands) - Primary region
2. **North Europe** (Ireland) - Secondary region
3. **UK South** (London) - UK-specific workloads
4. **Switzerland North** (Zurich) - Swiss-specific workloads
5. **Norway East** (Oslo) - Nordic-specific workloads
6. **France Central** (Paris) - French-specific workloads
7. **Germany West Central** (Frankfurt) - German-specific workloads

## Architecture

Each region includes:
- Hub Virtual Network (gateway, firewall, management)
- Spoke Virtual Network (application, database, storage)
- Azure Firewall (centralized security)
- Key Vault (regional secrets with private endpoints)
- Log Analytics Workspace (regional logging)
- Storage Account (regional storage with private endpoints)

## Usage

### Deploy All Regions

```bash
cd infra/terraform/multi-region
terraform init
terraform plan -var="environment=dev" -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"
terraform apply
```

### Deploy Specific Regions

```bash
terraform plan \
  -var="environment=dev" \
  -var="deploy_all_regions=false" \
  -var='regions_to_deploy=["westeurope", "northeurope"]'
terraform apply
```

## Variables

- `environment`: dev, stage, or prod
- `management_group_id`: Root management group ID
- `deploy_all_regions`: Deploy to all supported regions (default: true)
- `regions_to_deploy`: Specific regions if deploy_all_regions is false

## Outputs

- `deployed_regions`: List of deployed regions
- `regional_resource_groups`: Resource group names per region
- `regional_key_vaults`: Key Vault names per region
- `regional_storage_accounts`: Storage account names per region
- `deployment_summary`: Complete deployment summary