feat: implement comprehensive Well-Architected Framework and Cloud for Sovereignty compliance

- Add Well-Architected Framework implementation guide covering all 5 pillars
- Create Well-Architected Terraform module (cost, operations, performance, reliability, security)
- Add Cloud for Sovereignty compliance guide
- Implement data residency policies and enforcement
- Add operational sovereignty features (CMK, independent logging)
- Configure compliance monitoring and reporting
- Add budget management and cost optimization
- Implement comprehensive security controls
- Add backup and disaster recovery automation
- Create performance optimization resources (Redis, Front Door)
- Add operational excellence tools (Log Analytics, App Insights, Automation)

infra/terraform/modules/well-architected/main.tf

@@ -0,0 +1,395 @@
+/**
+ * Well-Architected Framework Module
+ * Implements all five pillars: Cost, Operations, Performance, Reliability, Security
+ * Cloud for Sovereignty compliant
+ */
+
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+  }
+}
+
+# Data sources
+data "azurerm_client_config" "current" {}
+data "azurerm_subscription" "current" {}
+
+# Local values
+locals {
+  name_prefix = var.name_prefix != "" ? var.name_prefix : "the-order"
+  env_short   = var.environment == "production" ? "prod" : var.environment == "staging" ? "stg" : "dev"
+  
+  # Standard tags for cost optimization
+  common_tags = merge(var.tags, {
+    Environment        = var.environment
+    Project           = "the-order"
+    CostCenter        = var.cost_center
+    Owner             = var.owner
+    DataClassification = var.data_classification
+    Sovereignty       = "required"
+    ManagedBy         = "terraform"
+    WellArchitected   = "true"
+  })
+
+  # Regions for sovereignty
+  allowed_regions = var.allowed_regions != [] ? var.allowed_regions : [
+    "westeurope",
+    "northeurope",
+    "uksouth",
+    "switzerlandnorth",
+    "norwayeast",
+    "francecentral",
+    "germanywestcentral"
+  ]
+}
+
+# ============================================================================
+# COST OPTIMIZATION
+# ============================================================================
+
+# Budget and cost management
+resource "azurerm_consumption_budget_subscription" "main" {
+  count            = var.enable_cost_management ? 1 : 0
+  name             = "${local.name_prefix}-budget-${local.env_short}"
+  subscription_id = data.azurerm_subscription.current.id
+
+  amount     = var.monthly_budget_amount
+  time_grain = "Monthly"
+
+  time_period {
+    start_date = formatdate("YYYY-MM-01T00:00:00Z", timestamp())
+    end_date   = timeadd(formatdate("YYYY-MM-01T00:00:00Z", timestamp()), "1y")
+  }
+
+  notification {
+    enabled        = true
+    threshold      = 50
+    operator       = "GreaterThan"
+    threshold_type = "Actual"
+    contact_emails = var.budget_alert_emails
+  }
+
+  notification {
+    enabled        = true
+    threshold      = 75
+    operator       = "GreaterThan"
+    threshold_type = "Actual"
+    contact_emails = var.budget_alert_emails
+  }
+
+  notification {
+    enabled        = true
+    threshold      = 90
+    operator       = "GreaterThan"
+    threshold_type = "Actual"
+    contact_emails = var.budget_alert_emails
+  }
+
+  notification {
+    enabled        = true
+    threshold      = 100
+    operator       = "GreaterThan"
+    threshold_type = "Actual"
+    contact_emails = var.budget_alert_emails
+  }
+}
+
+# Cost Management export
+resource "azurerm_cost_management_export_resource_group" "main" {
+  count                = var.enable_cost_management ? 1 : 0
+  name                 = "${local.name_prefix}-cost-export-${local.env_short}"
+  resource_group_id    = var.resource_group_id
+  recurrence_type      = "Monthly"
+  recurrence_period_start_date = formatdate("YYYY-MM-01T00:00:00Z", timestamp())
+  recurrence_period_end_date   = timeadd(formatdate("YYYY-MM-01T00:00:00Z", timestamp()), "1y")
+
+  export_data_storage_location {
+    container_id    = var.cost_export_storage_container_id
+    root_folder_path = "cost-exports"
+  }
+
+  export_data_options {
+    type       = "Usage"
+    time_frame = "MonthToDate"
+  }
+}
+
+# ============================================================================
+# OPERATIONAL EXCELLENCE
+# ============================================================================
+
+# Log Analytics Workspace for centralized logging
+resource "azurerm_log_analytics_workspace" "main" {
+  name                = "${local.name_prefix}-logs-${local.env_short}-${substr(var.region, 0, 6)}"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+  sku                 = "PerGB2018"
+  retention_in_days   = var.environment == "production" ? 90 : 30
+
+  tags = local.common_tags
+}
+
+# Application Insights for APM
+resource "azurerm_application_insights" "main" {
+  name                = "${local.name_prefix}-appinsights-${local.env_short}-${substr(var.region, 0, 6)}"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+  application_type    = "web"
+  workspace_id        = azurerm_log_analytics_workspace.main.id
+
+  tags = local.common_tags
+}
+
+# Automation Account for runbooks
+resource "azurerm_automation_account" "main" {
+  count               = var.enable_automation ? 1 : 0
+  name                = "${local.name_prefix}-automation-${local.env_short}-${substr(var.region, 0, 6)}"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+  sku_name            = "Basic"
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = local.common_tags
+}
+
+# ============================================================================
+# PERFORMANCE EFFICIENCY
+# ============================================================================
+
+# Azure Front Door for global load balancing and CDN
+resource "azurerm_front_door" "main" {
+  count               = var.enable_front_door ? 1 : 0
+  name                = "${local.name_prefix}-fd-${local.env_short}"
+  resource_group_name = var.resource_group_name
+  location            = "Global"
+
+  routing_rule {
+    name               = "default-rule"
+    accepted_protocols = ["Https"]
+    patterns_to_match  = ["/*"]
+    frontend_endpoints = ["${local.name_prefix}-fd-${local.env_short}"]
+    forwarding_configuration {
+      forwarding_protocol = "HttpsOnly"
+      backend_pool_name  = "default-backend"
+    }
+  }
+
+  backend_pool_load_balancing {
+    name = "default-load-balancer"
+  }
+
+  backend_pool_health_probe {
+    name = "default-health-probe"
+  }
+
+  backend_pool {
+    name = "default-backend"
+    backend {
+      host_header = var.backend_host_header
+      address     = var.backend_address
+      http_port   = 80
+      https_port  = 443
+    }
+    load_balancing_name = "default-load-balancer"
+    health_probe_name   = "default-health-probe"
+  }
+
+  frontend_endpoint {
+    name      = "${local.name_prefix}-fd-${local.env_short}"
+    host_name = "${local.name_prefix}-fd-${local.env_short}.azurefd.net"
+  }
+
+  tags = local.common_tags
+}
+
+# Redis Cache for application caching
+resource "azurerm_redis_cache" "main" {
+  count               = var.enable_redis_cache ? 1 : 0
+  name                = "${local.name_prefix}-redis-${local.env_short}-${substr(var.region, 0, 6)}"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+  capacity            = var.redis_capacity
+  family              = var.redis_family
+  sku_name           = "${var.redis_family}${var.redis_capacity}"
+  enable_non_ssl_port = false
+  minimum_tls_version = "1.2"
+
+  redis_configuration {
+    maxmemory_reserved = 2
+    maxmemory_delta   = 2
+    maxmemory_policy  = "allkeys-lru"
+  }
+
+  tags = local.common_tags
+}
+
+# ============================================================================
+# RELIABILITY
+# ============================================================================
+
+# Recovery Services Vault for backups
+resource "azurerm_recovery_services_vault" "main" {
+  count               = var.enable_backup ? 1 : 0
+  name                = "${local.name_prefix}-rsv-${local.env_short}-${substr(var.region, 0, 6)}"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+  sku                 = "Standard"
+  soft_delete_enabled = true
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = local.common_tags
+}
+
+# Backup policy
+resource "azurerm_backup_policy_vm" "main" {
+  count               = var.enable_backup ? 1 : 0
+  name                = "${local.name_prefix}-backup-policy-${local.env_short}"
+  resource_group_name = var.resource_group_name
+  recovery_vault_name = azurerm_recovery_services_vault.main[0].name
+
+  timezone = "UTC"
+
+  backup {
+    frequency = "Daily"
+    time      = "23:00"
+  }
+
+  retention_daily {
+    count = var.environment == "production" ? 30 : 7
+  }
+
+  retention_weekly {
+    count    = var.environment == "production" ? 12 : 4
+    weekdays = ["Sunday"]
+  }
+
+  retention_monthly {
+    count    = var.environment == "production" ? 12 : 3
+    months   = ["January", "July"]
+    weekdays = ["Sunday"]
+    weeks    = ["First"]
+  }
+}
+
+# ============================================================================
+# SECURITY
+# ============================================================================
+
+# Key Vault for secrets management (if not already created)
+resource "azurerm_key_vault" "main" {
+  count               = var.create_key_vault ? 1 : 0
+  name                = "${local.name_prefix}-kv-${local.env_short}-${substr(var.region, 0, 6)}"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "premium"
+
+  # Network ACLs - Private endpoint only
+  network_acls {
+    default_action = "Deny"
+    bypass         = "AzureServices"
+  }
+
+  # Enable soft delete and purge protection
+  soft_delete_retention_days = 90
+  purge_protection_enabled   = var.environment == "production"
+
+  tags = merge(local.common_tags, {
+    Purpose = "SecretsManagement"
+  })
+}
+
+# Microsoft Defender for Cloud
+resource "azurerm_security_center_subscription_pricing" "main" {
+  count        = var.enable_defender ? 1 : 0
+  tier         = "Standard"
+  subplan      = "P2"
+  resource_type = "VirtualMachines"
+}
+
+# DDoS Protection Plan
+resource "azurerm_network_ddos_protection_plan" "main" {
+  count               = var.enable_ddos_protection ? 1 : 0
+  name                = "${local.name_prefix}-ddos-${local.env_short}-${substr(var.region, 0, 6)}"
+  location            = var.region
+  resource_group_name = var.resource_group_name
+
+  tags = local.common_tags
+}
+
+# ============================================================================
+# CLOUD FOR SOVEREIGNTY
+# ============================================================================
+
+# Azure Policy for data residency enforcement
+resource "azurerm_policy_definition" "data_residency" {
+  count        = var.enable_sovereignty_policies ? 1 : 0
+  name         = "${local.name_prefix}-data-residency-${local.env_short}"
+  policy_type  = "Custom"
+  mode         = "All"
+  display_name = "Enforce Data Residency - ${var.environment}"
+
+  policy_rule = jsonencode({
+    if = {
+      allOf = [
+        {
+          field  = "location"
+          notIn  = local.allowed_regions
+        }
+      ]
+    }
+    then = {
+      effect = "deny"
+    }
+  })
+
+  metadata = jsonencode({
+    category = "Sovereignty"
+  })
+}
+
+# Policy assignment
+resource "azurerm_policy_assignment" "data_residency" {
+  count                = var.enable_sovereignty_policies ? 1 : 0
+  name                 = "${local.name_prefix}-data-residency-assignment-${local.env_short}"
+  scope                = var.management_group_id != "" ? var.management_group_id : data.azurerm_subscription.current.id
+  policy_definition_id = azurerm_policy_definition.data_residency[0].id
+  display_name         = "Enforce Data Residency - ${var.environment}"
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+# Outputs
+output "log_analytics_workspace_id" {
+  value       = azurerm_log_analytics_workspace.main.id
+  description = "Log Analytics Workspace ID"
+}
+
+output "application_insights_instrumentation_key" {
+  value       = azurerm_application_insights.main.instrumentation_key
+  sensitive   = true
+  description = "Application Insights Instrumentation Key"
+}
+
+output "redis_cache_hostname" {
+  value       = var.enable_redis_cache ? azurerm_redis_cache.main[0].hostname : null
+  description = "Redis Cache Hostname"
+}
+
+output "key_vault_uri" {
+  value       = var.create_key_vault ? azurerm_key_vault.main[0].vault_uri : null
+  description = "Key Vault URI"
+}
+

infra/terraform/modules/well-architected/variables.tf

@@ -0,0 +1,172 @@
+variable "name_prefix" {
+  description = "Prefix for resource names"
+  type        = string
+  default     = ""
+}
+
+variable "environment" {
+  description = "Environment name (dev, staging, production)"
+  type        = string
+  validation {
+    condition     = contains(["dev", "staging", "production"], var.environment)
+    error_message = "Environment must be dev, staging, or production."
+  }
+}
+
+variable "region" {
+  description = "Azure region"
+  type        = string
+}
+
+variable "resource_group_name" {
+  description = "Resource group name"
+  type        = string
+}
+
+variable "resource_group_id" {
+  description = "Resource group ID"
+  type        = string
+}
+
+variable "tags" {
+  description = "Additional tags"
+  type        = map(string)
+  default     = {}
+}
+
+variable "cost_center" {
+  description = "Cost center for cost allocation"
+  type        = string
+  default     = "legal-services"
+}
+
+variable "owner" {
+  description = "Resource owner"
+  type        = string
+  default     = "legal-team"
+}
+
+variable "data_classification" {
+  description = "Data classification level"
+  type        = string
+  default     = "confidential"
+}
+
+# Cost Optimization
+variable "enable_cost_management" {
+  description = "Enable cost management features"
+  type        = bool
+  default     = true
+}
+
+variable "monthly_budget_amount" {
+  description = "Monthly budget amount"
+  type        = number
+  default     = 10000
+}
+
+variable "budget_alert_emails" {
+  description = "Email addresses for budget alerts"
+  type        = list(string)
+  default     = []
+}
+
+variable "cost_export_storage_container_id" {
+  description = "Storage container ID for cost exports"
+  type        = string
+  default     = ""
+}
+
+# Operational Excellence
+variable "enable_automation" {
+  description = "Enable automation account"
+  type        = bool
+  default     = true
+}
+
+# Performance Efficiency
+variable "enable_front_door" {
+  description = "Enable Azure Front Door"
+  type        = bool
+  default     = false
+}
+
+variable "backend_host_header" {
+  description = "Backend host header for Front Door"
+  type        = string
+  default     = ""
+}
+
+variable "backend_address" {
+  description = "Backend address for Front Door"
+  type        = string
+  default     = ""
+}
+
+variable "enable_redis_cache" {
+  description = "Enable Redis cache"
+  type        = bool
+  default     = true
+}
+
+variable "redis_capacity" {
+  description = "Redis cache capacity"
+  type        = number
+  default     = 1
+}
+
+variable "redis_family" {
+  description = "Redis cache family (C or P)"
+  type        = string
+  default     = "C"
+  validation {
+    condition     = contains(["C", "P"], var.redis_family)
+    error_message = "Redis family must be C or P."
+  }
+}
+
+# Reliability
+variable "enable_backup" {
+  description = "Enable backup services"
+  type        = bool
+  default     = true
+}
+
+# Security
+variable "create_key_vault" {
+  description = "Create Key Vault (if not already exists)"
+  type        = bool
+  default     = false
+}
+
+variable "enable_defender" {
+  description = "Enable Microsoft Defender for Cloud"
+  type        = bool
+  default     = true
+}
+
+variable "enable_ddos_protection" {
+  description = "Enable DDoS Protection"
+  type        = bool
+  default     = true
+}
+
+# Cloud for Sovereignty
+variable "enable_sovereignty_policies" {
+  description = "Enable sovereignty policies"
+  type        = bool
+  default     = true
+}
+
+variable "allowed_regions" {
+  description = "List of allowed regions for data residency"
+  type        = list(string)
+  default     = []
+}
+
+variable "management_group_id" {
+  description = "Management group ID for policy assignment"
+  type        = string
+  default     = ""
+}
+

infra/terraform/well-architected/main.tf

@@ -0,0 +1,90 @@
+/**
+ * Well-Architected Framework Implementation
+ * Main entry point for deploying Well-Architected infrastructure
+ */
+
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+  }
+}
+
+# Data sources
+data "azurerm_client_config" "current" {}
+data "azurerm_subscription" "current" {}
+
+# Load environment variables
+locals {
+  environment = var.environment != "" ? var.environment : (var.ENVIRONMENT != "" ? var.ENVIRONMENT : "dev")
+  region      = var.azure_region != "" ? var.azure_region : (var.AZURE_LOCATION != "" ? var.AZURE_LOCATION : "westeurope")
+  
+  # Management group ID from environment or variable
+  management_group_id = var.management_group_id != "" ? var.management_group_id : (var.AZURE_MANAGEMENT_GROUP_ID != "" ? var.AZURE_MANAGEMENT_GROUP_ID : "")
+}
+
+# Resource Group
+resource "azurerm_resource_group" "well_architected" {
+  name     = "rg-well-architected-${local.environment}"
+  location = local.region
+
+  tags = {
+    Environment     = local.environment
+    Project         = "the-order"
+    CostCenter      = "legal-services"
+    Owner           = "legal-team"
+    DataClassification = "confidential"
+    Sovereignty     = "required"
+    ManagedBy       = "terraform"
+    WellArchitected = "true"
+  }
+}
+
+# Well-Architected Module
+module "well_architected" {
+  source = "../modules/well-architected"
+
+  name_prefix         = "the-order"
+  environment         = local.environment
+  region              = local.region
+  resource_group_name = azurerm_resource_group.well_architected.name
+  resource_group_id   = azurerm_resource_group.well_architected.id
+
+  # Cost Optimization
+  enable_cost_management     = true
+  monthly_budget_amount      = var.monthly_budget_amount
+  budget_alert_emails        = var.budget_alert_emails
+  cost_export_storage_container_id = var.cost_export_storage_container_id
+
+  # Operational Excellence
+  enable_automation = true
+
+  # Performance Efficiency
+  enable_front_door = var.enable_front_door
+  backend_host_header = var.backend_host_header
+  backend_address     = var.backend_address
+  enable_redis_cache  = true
+  redis_capacity      = local.environment == "production" ? 2 : 1
+  redis_family        = "C"
+
+  # Reliability
+  enable_backup = true
+
+  # Security
+  create_key_vault      = false # Use existing Key Vault
+  enable_defender       = true
+  enable_ddos_protection = true
+
+  # Cloud for Sovereignty
+  enable_sovereignty_policies = true
+  allowed_regions            = var.allowed_regions
+  management_group_id        = local.management_group_id
+
+  tags = {
+    WellArchitected = "true"
+  }
+}
+

infra/terraform/well-architected/variables.tf

@@ -0,0 +1,89 @@
+variable "environment" {
+  description = "Environment name (dev, staging, production)"
+  type        = string
+  default     = ""
+}
+
+variable "ENVIRONMENT" {
+  description = "Environment name from environment variable"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "azure_region" {
+  description = "Azure region"
+  type        = string
+  default     = ""
+}
+
+variable "AZURE_LOCATION" {
+  description = "Azure location from environment variable"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "management_group_id" {
+  description = "Management group ID"
+  type        = string
+  default     = ""
+}
+
+variable "AZURE_MANAGEMENT_GROUP_ID" {
+  description = "Management group ID from environment variable"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "monthly_budget_amount" {
+  description = "Monthly budget amount"
+  type        = number
+  default     = 10000
+}
+
+variable "budget_alert_emails" {
+  description = "Email addresses for budget alerts"
+  type        = list(string)
+  default     = []
+}
+
+variable "cost_export_storage_container_id" {
+  description = "Storage container ID for cost exports"
+  type        = string
+  default     = ""
+}
+
+variable "enable_front_door" {
+  description = "Enable Azure Front Door"
+  type        = bool
+  default     = false
+}
+
+variable "backend_host_header" {
+  description = "Backend host header for Front Door"
+  type        = string
+  default     = ""
+}
+
+variable "backend_address" {
+  description = "Backend address for Front Door"
+  type        = string
+  default     = ""
+}
+
+variable "allowed_regions" {
+  description = "List of allowed regions for data residency"
+  type        = list(string)
+  default     = [
+    "westeurope",
+    "northeurope",
+    "uksouth",
+    "switzerlandnorth",
+    "norwayeast",
+    "francecentral",
+    "germanywestcentral"
+  ]
+}
+