the_order/infra/terraform/modules/regional-landing-zone
defiQUG 6a8582e54d feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone
- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization
2025-11-13 09:32:55 -08:00

Regional Landing Zone Module

Reusable Terraform module for deploying a complete landing zone in a single Azure region, following Cloud for Sovereignty and Well-Architected Framework principles.

Features

  • Hub-and-Spoke Network Architecture

    • Hub VNet with gateway, firewall, and management subnets
    • Spoke VNet with application, database, and storage subnets
    • VNet peering between hub and spoke
  • Security

    • Azure Firewall for centralized security
    • Private endpoints for Key Vault and Storage
    • Network security groups
  • Compliance

    • Customer-managed encryption
    • Data residency tags
    • Private endpoints for data sovereignty
  • Monitoring

    • Regional Log Analytics Workspace
    • Application Insights ready

Usage

module "west_europe_landing_zone" {
  source = "../../modules/regional-landing-zone"

  region                   = "westeurope"
  environment              = "dev"
  management_group_id      = "SOVEREIGN-ORDER-OF-HOSPITALLERS"
  hub_vnet_address_space   = "10.0.0.0/16"
  spoke_vnet_address_space = "10.1.0.0/16"

  tags = {
    Project    = "the-order"
    CostCenter = "engineering"
  }
}

Variables

  • region (required): Azure region (must be non-US commercial)
  • environment (required): dev, stage, or prod
  • management_group_id (required): Management group ID
  • hub_vnet_address_space (optional): Hub VNet CIDR (default: 10.0.0.0/16)
  • spoke_vnet_address_space (optional): Spoke VNet CIDR (default: 10.1.0.0/16)
  • tags (optional): Additional tags
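
One way the constraints listed above could be rejected at plan time with variable validation blocks. This is an added example, not the module's own variables.tf; the region allowlist is an illustrative assumption, since the page does not list which regions the module accepts.

```hcl
# Added example: input validation for the variables documented above.
variable "region" {
  type        = string
  description = "Azure region (must be non-US commercial)"

  validation {
    # Assumption: illustrative allowlist, not the module's real list.
    # An allowlist is used because a substring test for "us" would
    # also reject non-US regions such as "australiaeast".
    condition = contains([
      "westeurope", "northeurope", "uksouth",
      "switzerlandnorth", "germanywestcentral", "francecentral",
    ], var.region)
    error_message = "The region must be one of the approved non-US commercial regions."
  }
}

variable "environment" {
  type        = string
  description = "dev, stage, or prod"

  validation {
    condition     = contains(["dev", "stage", "prod"], var.environment)
    error_message = "The environment must be dev, stage, or prod."
  }
}

variable "hub_vnet_address_space" {
  type        = string
  description = "Hub VNet CIDR"
  default     = "10.0.0.0/16"

  validation {
    # cidrhost() fails on malformed input; can() converts that to false.
    condition     = can(cidrhost(var.hub_vnet_address_space, 0))
    error_message = "The hub_vnet_address_space value must be a valid CIDR block."
  }
}

variable "spoke_vnet_address_space" {
  type        = string
  description = "Spoke VNet CIDR"
  default     = "10.1.0.0/16"

  validation {
    condition     = can(cidrhost(var.spoke_vnet_address_space, 0))
    error_message = "The spoke_vnet_address_space value must be a valid CIDR block."
  }
}
```

These checks validate each input on its own; they do not detect an overlap between the hub and spoke ranges, which would break the VNet peering.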

Outputs

  • resource_group_name: Resource group name
  • hub_vnet_id: Hub VNet ID
  • spoke_vnet_id: Spoke VNet ID
  • firewall_id: Azure Firewall ID
  • key_vault_id: Key Vault ID
  • log_analytics_workspace_id: Log Analytics Workspace ID
  • storage_account_name: Storage account name
  • subnet_ids: Map of subnet names to IDs