feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone

- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization

infra/scripts/azure-complete-setup.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# Complete Azure setup using .env file
+# This script orchestrates the entire Azure deployment setup process
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+echo "╔══════════════════════════════════════════════════════════════╗"
+echo "║   COMPLETE AZURE SETUP FROM .ENV FILE                       ║"
+echo "╚══════════════════════════════════════════════════════════════╝"
+echo ""
+
+# Step 1: Integrate existing CDN config if available
+echo "Step 1: Integrating existing CDN configuration..."
+"$SCRIPT_DIR/azure-integrate-cdn-env.sh"
+
+# Step 2: Validate environment
+echo ""
+echo "Step 2: Validating environment variables..."
+source "$SCRIPT_DIR/azure-validate-env.sh"
+
+# Step 3: Sync to Terraform
+echo ""
+echo "Step 3: Syncing environment to Terraform..."
+"$SCRIPT_DIR/azure-sync-env-to-terraform.sh"
+
+# Step 4: Update Kubernetes configs
+echo ""
+echo "Step 4: Updating Kubernetes configurations..."
+"$SCRIPT_DIR/azure-update-k8s-secrets.sh"
+
+echo ""
+echo "╔══════════════════════════════════════════════════════════════╗"
+echo "║   SETUP COMPLETE - READY FOR DEPLOYMENT                     ║"
+echo "╚══════════════════════════════════════════════════════════════╝"
+echo ""
+echo "✅ All configurations synced from .env file"
+echo ""
+echo "Next steps:"
+echo "  1. Review Terraform plan:"
+echo "     cd infra/terraform && terraform plan"
+echo ""
+echo "  2. Deploy infrastructure:"
+echo "     ./infra/scripts/azure-deploy.sh"
+echo ""
+echo "  3. After deployment, update Kubernetes secrets:"
+echo "     ./infra/scripts/azure-update-k8s-secrets.sh"
+echo ""
+echo "  4. Deploy services to Kubernetes:"
+echo "     kubectl apply -k infra/k8s/overlays/dev"
+

infra/scripts/azure-deploy.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# Complete Azure deployment script
+# Uses environment variables from .env file
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+TERRAFORM_DIR="$PROJECT_ROOT/infra/terraform"
+
+echo "🚀 Starting Azure deployment..."
+
+# Load environment variables
+source "$SCRIPT_DIR/azure-load-env.sh"
+
+# Change to Terraform directory
+cd "$TERRAFORM_DIR"
+
+# Initialize Terraform
+echo "📦 Initializing Terraform..."
+terraform init
+
+# Validate configuration
+echo "✅ Validating Terraform configuration..."
+terraform validate
+
+# Plan deployment
+echo "📋 Planning deployment..."
+terraform plan -out=tfplan
+
+# Ask for confirmation
+read -p "Do you want to apply these changes? (yes/no): " -r
+if [[ ! $REPLY =~ ^[Yy][Ee][Ss]$ ]]; then
+  echo "Deployment cancelled."
+  exit 0
+fi
+
+# Apply changes
+echo "🔨 Applying Terraform configuration..."
+terraform apply tfplan
+
+# Get outputs
+echo ""
+echo "📊 Deployment outputs:"
+terraform output
+
+# Save kubeconfig if AKS was created
+if terraform output -raw aks_kube_config > /dev/null 2>&1; then
+  KUBECONFIG_FILE="$PROJECT_ROOT/.kube/config"
+  mkdir -p "$(dirname "$KUBECONFIG_FILE")"
+  terraform output -raw aks_kube_config > "$KUBECONFIG_FILE"
+  echo ""
+  echo "✅ Kubernetes config saved to: $KUBECONFIG_FILE"
+  echo "   You can now use: kubectl --kubeconfig=$KUBECONFIG_FILE get nodes"
+fi
+
+echo ""
+echo "✅ Azure deployment complete!"
+

infra/scripts/azure-fix-env-mapping.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# Fix .env file to ensure proper ARM_* variable mapping for Terraform
+# Adds ARM_* aliases for AZURE_* variables if they don't exist
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+ENV_FILE="$PROJECT_ROOT/.env"
+BACKUP_FILE="${ENV_FILE}.backup.$(date +%Y%m%d_%H%M%S)"
+
+if [ ! -f "$ENV_FILE" ]; then
+  echo "❌ .env file not found at: $ENV_FILE"
+  exit 1
+fi
+
+echo "🔧 Fixing .env file variable mapping..."
+echo ""
+
+# Backup original
+cp "$ENV_FILE" "$BACKUP_FILE"
+echo "✓ Backup created: $BACKUP_FILE"
+echo ""
+
+# Load current values
+set -a
+source "$ENV_FILE"
+set +a
+
+# Check what needs to be added
+ADDITIONS=()
+
+if [ -n "$AZURE_SUBSCRIPTION_ID" ] && [ -z "$ARM_SUBSCRIPTION_ID" ]; then
+  ADDITIONS+=("ARM_SUBSCRIPTION_ID=\"$AZURE_SUBSCRIPTION_ID\"")
+fi
+
+if [ -n "$AZURE_TENANT_ID" ] && [ -z "$ARM_TENANT_ID" ]; then
+  ADDITIONS+=("ARM_TENANT_ID=\"$AZURE_TENANT_ID\"")
+fi
+
+if [ -n "$AZURE_LOCATION" ] && [ -z "$ARM_LOCATION" ]; then
+  ADDITIONS+=("ARM_LOCATION=\"$AZURE_LOCATION\"")
+fi
+
+# Add TF_VAR_environment if not set
+if [ -z "$TF_VAR_environment" ]; then
+  ADDITIONS+=("TF_VAR_environment=\"dev\"")
+fi
+
+if [ ${#ADDITIONS[@]} -eq 0 ]; then
+  echo "✅ No fixes needed - all variables are properly mapped"
+  rm -f "$BACKUP_FILE"
+  exit 0
+fi
+
+echo "Adding the following variables:"
+for var in "${ADDITIONS[@]}"; do
+  echo "  + $var"
+done
+echo ""
+
+# Append to .env file
+echo "" >> "$ENV_FILE"
+echo "# Terraform ARM variables (auto-added by azure-fix-env-mapping.sh)" >> "$ENV_FILE"
+for var in "${ADDITIONS[@]}"; do
+  echo "$var" >> "$ENV_FILE"
+done
+
+echo "✅ .env file updated!"
+echo ""
+echo "Changes:"
+echo "  • Added ${#ADDITIONS[@]} variable(s)"
+echo "  • Backup saved to: $BACKUP_FILE"
+echo ""
+echo "To verify:"
+echo "  ./infra/scripts/azure-validate-current-env.sh"
+

infra/scripts/azure-integrate-cdn-env.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# Integrate existing Azure CDN configuration from azure-cdn-config.env
+# Updates .env file with CDN values if they exist
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+CDN_CONFIG="$PROJECT_ROOT/azure-cdn-config.env"
+ENV_FILE="$PROJECT_ROOT/.env"
+
+echo "🔄 Integrating Azure CDN configuration..."
+
+if [ -f "$CDN_CONFIG" ]; then
+  echo "Found existing CDN configuration: $CDN_CONFIG"
+  
+  # Load CDN config
+  set -a
+  source "$CDN_CONFIG"
+  set +a
+  
+  # Update .env file with CDN values if not already set
+  if [ -f "$ENV_FILE" ]; then
+    # Check if CDN values are already in .env
+    if ! grep -q "AZURE_STORAGE_ACCOUNT=" "$ENV_FILE" 2>/dev/null; then
+      echo "Adding CDN configuration to .env file..."
+      cat >> "$ENV_FILE" << EOF
+
+# Azure CDN Configuration (from azure-cdn-config.env)
+AZURE_STORAGE_ACCOUNT=${AZURE_STORAGE_ACCOUNT:-}
+AZURE_STORAGE_KEY=${AZURE_STORAGE_KEY:-}
+AZURE_STORAGE_CONTAINER=${AZURE_STORAGE_CONTAINER:-images}
+AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP:-}
+AZURE_CDN_PROFILE=${AZURE_CDN_PROFILE:-}
+AZURE_CDN_ENDPOINT=${AZURE_CDN_ENDPOINT:-}
+CDN_BASE_URL=${CDN_BASE_URL:-}
+CDN_BASE_URL_BLOB=${CDN_BASE_URL_BLOB:-}
+CDN_BASE_URL_CDN=${CDN_BASE_URL_CDN:-}
+EOF
+      echo "✅ CDN configuration added to .env"
+    else
+      echo "ℹ️  CDN configuration already exists in .env"
+    fi
+  else
+    echo "⚠️  .env file not found. Creating from CDN config..."
+    cp "$CDN_CONFIG" "$ENV_FILE"
+    echo "✅ Created .env from CDN config"
+  fi
+  
+  # Export for Terraform
+  export TF_VAR_storage_account_name="${AZURE_STORAGE_ACCOUNT}"
+  export TF_VAR_cdn_profile_name="${AZURE_CDN_PROFILE}"
+  export TF_VAR_cdn_endpoint_name="${AZURE_CDN_ENDPOINT}"
+  
+  echo ""
+  echo "CDN Configuration:"
+  echo "  Storage Account: ${AZURE_STORAGE_ACCOUNT}"
+  echo "  CDN Profile: ${AZURE_CDN_PROFILE}"
+  echo "  CDN Endpoint: ${AZURE_CDN_ENDPOINT}"
+  echo "  Base URL: ${CDN_BASE_URL}"
+else
+  echo "ℹ️  No existing CDN configuration found at: $CDN_CONFIG"
+  echo "   CDN will be created by Terraform if needed"
+fi
+
+echo ""
+echo "✅ CDN integration complete!"
+

infra/scripts/azure-load-env.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+# Load Azure environment variables from .env file
+# Usage: source infra/scripts/azure-load-env.sh
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+ENV_FILE="$PROJECT_ROOT/.env"
+TERRAFORM_ENV_FILE="$PROJECT_ROOT/infra/terraform/.env"
+
+echo "🔧 Loading Azure environment variables..."
+
+# Check for .env file in project root
+if [ -f "$ENV_FILE" ]; then
+  echo "Loading from: $ENV_FILE"
+  set -a
+  source "$ENV_FILE"
+  set +a
+elif [ -f "$TERRAFORM_ENV_FILE" ]; then
+  echo "Loading from: $TERRAFORM_ENV_FILE"
+  set -a
+  source "$TERRAFORM_ENV_FILE"
+  set +a
+else
+  echo "⚠️  No .env file found. Looking for:"
+  echo "   - $ENV_FILE"
+  echo "   - $TERRAFORM_ENV_FILE"
+  echo ""
+  echo "Creating example file..."
+  cp "$PROJECT_ROOT/infra/terraform/.env.example" "$TERRAFORM_ENV_FILE"
+  echo "✅ Created $TERRAFORM_ENV_FILE"
+  echo "Please edit it with your Azure credentials and run this script again."
+  return 1
+fi
+
+# Map AZURE_* to ARM_* if needed (for Terraform compatibility)
+if [ -n "$AZURE_SUBSCRIPTION_ID" ] && [ -z "$ARM_SUBSCRIPTION_ID" ]; then
+  export ARM_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID"
+fi
+
+if [ -n "$AZURE_TENANT_ID" ] && [ -z "$ARM_TENANT_ID" ]; then
+  export ARM_TENANT_ID="$AZURE_TENANT_ID"
+fi
+
+if [ -n "$AZURE_LOCATION" ] && [ -z "$ARM_LOCATION" ]; then
+  export ARM_LOCATION="$AZURE_LOCATION"
+fi
+
+# Validate required variables (check both ARM_* and AZURE_*)
+SUBSCRIPTION_ID="${ARM_SUBSCRIPTION_ID:-$AZURE_SUBSCRIPTION_ID}"
+TENANT_ID="${ARM_TENANT_ID:-$AZURE_TENANT_ID}"
+
+MISSING_VARS=()
+
+if [ -z "$SUBSCRIPTION_ID" ]; then
+  MISSING_VARS+=("ARM_SUBSCRIPTION_ID or AZURE_SUBSCRIPTION_ID")
+fi
+
+if [ -z "$TENANT_ID" ]; then
+  MISSING_VARS+=("ARM_TENANT_ID or AZURE_TENANT_ID")
+fi
+
+if [ ${#MISSING_VARS[@]} -gt 0 ]; then
+  echo "❌ Missing required environment variables:"
+  for var in "${MISSING_VARS[@]}"; do
+    echo "   - $var"
+  done
+  echo ""
+  echo "Please set these in your .env file."
+  return 1
+fi
+
+# Set Terraform variables from environment (use mapped values)
+export TF_VAR_subscription_id="${SUBSCRIPTION_ID}"
+export TF_VAR_tenant_id="${TENANT_ID}"
+export TF_VAR_client_id="${ARM_CLIENT_ID:-$AZURE_CLIENT_ID:-}"
+export TF_VAR_client_secret="${ARM_CLIENT_SECRET:-$AZURE_CLIENT_SECRET:-}"
+
+# Set Azure CLI defaults if using CLI auth
+if [ -z "$ARM_CLIENT_ID" ] && [ -z "$AZURE_CLIENT_ID" ]; then
+  echo "ℹ️  Using Azure CLI authentication (no service principal set)"
+  az account set --subscription "$SUBSCRIPTION_ID" 2>/dev/null || true
+fi
+
+echo "✅ Environment variables loaded"
+echo ""
+echo "Azure Configuration:"
+echo "  Subscription ID: ${SUBSCRIPTION_ID:0:8}...${SUBSCRIPTION_ID: -4}"
+echo "  Tenant ID: ${TENANT_ID:0:8}...${TENANT_ID: -4}"
+echo "  Location: ${ARM_LOCATION:-${AZURE_LOCATION:-westeurope}}"
+echo "  Environment: ${TF_VAR_environment:-dev}"
+if [ -n "$AZURE_MANAGEMENT_GROUP_ID" ]; then
+  echo "  Management Group: $AZURE_MANAGEMENT_GROUP_ID"
+fi
+echo ""
+echo "You can now run Terraform commands."
+

infra/scripts/azure-sync-env-to-terraform.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+# Sync environment variables from .env to Terraform variables
+# Ensures Terraform uses values from .env file
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+ENV_FILE="$PROJECT_ROOT/.env"
+TERRAFORM_DIR="$PROJECT_ROOT/infra/terraform"
+
+echo "🔄 Syncing environment variables to Terraform..."
+
+# Load and validate environment
+source "$SCRIPT_DIR/azure-validate-env.sh"
+
+# Create terraform.tfvars from environment variables
+TFVARS_FILE="$TERRAFORM_DIR/terraform.tfvars"
+
+cat > "$TFVARS_FILE" << EOF
+# Terraform variables generated from .env file
+# DO NOT EDIT MANUALLY - regenerated by azure-sync-env-to-terraform.sh
+# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
+
+# Azure Configuration
+azure_region = "${ARM_LOCATION:-westeurope}"
+environment = "${TF_VAR_environment:-dev}"
+project_name = "the-order"
+
+# Azure Authentication (sensitive - use environment variables)
+# subscription_id = "${ARM_SUBSCRIPTION_ID}"
+# tenant_id = "${ARM_TENANT_ID}"
+# client_id = "${ARM_CLIENT_ID:-}"
+# client_secret = "${ARM_CLIENT_SECRET:-}"
+
+# Resource Naming
+resource_group_name = "${TF_VAR_resource_group_name}"
+storage_account_name = "${TF_VAR_storage_account_name}"
+key_vault_name = "${TF_VAR_key_vault_name}"
+
+# AKS Configuration
+aks_cluster_name = "${TF_VAR_aks_cluster_name:-the-order-aks-${TF_VAR_environment:-dev}}"
+aks_node_count = ${TF_VAR_aks_node_count:-2}
+aks_vm_size = "${TF_VAR_aks_vm_size:-Standard_B2s}"
+
+# Database Configuration
+database_name = "${TF_VAR_database_name:-the-order-db-${TF_VAR_environment:-dev}}"
+database_admin_user = "${TF_VAR_database_admin_user:-theorder_admin}"
+
+# Tags
+tags = {
+  Environment = "${TF_VAR_environment:-dev}"
+  Project     = "the-order"
+  ManagedBy   = "terraform"
+  CreatedBy   = "azure-sync-env-to-terraform.sh"
+}
+EOF
+
+echo "✅ Terraform variables synced to: $TFVARS_FILE"
+echo ""
+echo "You can now run Terraform commands:"
+echo "  cd $TERRAFORM_DIR"
+echo "  terraform init"
+echo "  terraform plan"
+echo "  terraform apply"
+

infra/scripts/azure-update-k8s-secrets.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# Update Kubernetes secrets from Azure Key Vault
+# Uses values from .env file to configure External Secrets
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+echo "🔄 Updating Kubernetes secrets configuration from .env..."
+
+# Load environment
+source "$SCRIPT_DIR/azure-validate-env.sh"
+
+# Get Key Vault URI from Terraform output if available
+cd "$PROJECT_ROOT/infra/terraform"
+if terraform output -json key_vault_uri &> /dev/null; then
+  KEY_VAULT_URI=$(terraform output -raw key_vault_uri)
+  echo "Found Key Vault URI from Terraform: $KEY_VAULT_URI"
+else
+  # Construct from known values
+  KEY_VAULT_NAME="${TF_VAR_key_vault_name:-the-order-kv-${TF_VAR_environment:-dev}}"
+  KEY_VAULT_URI="https://${KEY_VAULT_NAME}.vault.azure.net/"
+  echo "Using constructed Key Vault URI: $KEY_VAULT_URI"
+fi
+
+# Update External Secrets configuration
+EXTERNAL_SECRETS_FILE="$PROJECT_ROOT/infra/k8s/base/external-secrets.yaml"
+
+# Use sed or create a template update
+if [ -f "$EXTERNAL_SECRETS_FILE" ]; then
+  # Create updated version
+  sed -i.bak "s|tenantId: \"\"|tenantId: \"${ARM_TENANT_ID}\"|g" "$EXTERNAL_SECRETS_FILE"
+  sed -i.bak "s|vaultUrl: \"\"|vaultUrl: \"${KEY_VAULT_URI}\"|g" "$EXTERNAL_SECRETS_FILE"
+  rm -f "${EXTERNAL_SECRETS_FILE}.bak"
+  echo "✅ Updated External Secrets configuration"
+else
+  echo "⚠️  External Secrets file not found: $EXTERNAL_SECRETS_FILE"
+fi
+
+# Update Azure ConfigMap
+CONFIGMAP_FILE="$PROJECT_ROOT/infra/k8s/base/configmap-azure.yaml"
+
+if [ -f "$CONFIGMAP_FILE" ]; then
+  # Update with actual values (non-sensitive)
+  sed -i.bak "s|AZURE_REGION: \".*\"|AZURE_REGION: \"${ARM_LOCATION:-westeurope}\"|g" "$CONFIGMAP_FILE"
+  sed -i.bak "s|AKS_RESOURCE_GROUP: \".*\"|AKS_RESOURCE_GROUP: \"${TF_VAR_resource_group_name}\"|g" "$CONFIGMAP_FILE"
+  rm -f "${CONFIGMAP_FILE}.bak"
+  echo "✅ Updated Azure ConfigMap"
+else
+  echo "⚠️  ConfigMap file not found: $CONFIGMAP_FILE"
+fi
+
+echo ""
+echo "✅ Kubernetes secrets configuration updated!"
+echo ""
+echo "Next steps:"
+echo "  1. Review updated files:"
+echo "     - $EXTERNAL_SECRETS_FILE"
+echo "     - $CONFIGMAP_FILE"
+echo "  2. Apply to Kubernetes:"
+echo "     kubectl apply -f $EXTERNAL_SECRETS_FILE"
+echo "     kubectl apply -f $CONFIGMAP_FILE"
+

infra/scripts/azure-validate-current-env.sh

@@ -0,0 +1,188 @@
+#!/bin/bash
+# Validate current .env file against Azure deployment requirements
+# Provides detailed analysis and recommendations
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+ENV_FILE="$PROJECT_ROOT/.env"
+
+echo "╔══════════════════════════════════════════════════════════════╗"
+echo "║   .ENV FILE ANALYSIS FOR AZURE DEPLOYMENTS                  ║"
+echo "╚══════════════════════════════════════════════════════════════╝"
+echo ""
+
+if [ ! -f "$ENV_FILE" ]; then
+  echo "❌ .env file not found at: $ENV_FILE"
+  exit 1
+fi
+
+echo "📄 Analyzing: $ENV_FILE"
+echo ""
+
+# Load environment
+set -a
+source "$ENV_FILE"
+set +a
+
+# Check required variables
+echo "✅ REQUIRED VARIABLES:"
+echo ""
+
+# Subscription ID
+if [ -n "$AZURE_SUBSCRIPTION_ID" ] || [ -n "$ARM_SUBSCRIPTION_ID" ]; then
+  SUB_ID="${AZURE_SUBSCRIPTION_ID:-$ARM_SUBSCRIPTION_ID}"
+  echo "  ✓ Subscription ID: ${SUB_ID:0:8}...${SUB_ID: -4}"
+  if [[ ! "$SUB_ID" =~ ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$ ]]; then
+    echo "    ⚠️  Warning: Format may be invalid (should be UUID)"
+  fi
+else
+  echo "  ❌ Subscription ID: MISSING"
+fi
+
+# Tenant ID
+if [ -n "$AZURE_TENANT_ID" ] || [ -n "$ARM_TENANT_ID" ]; then
+  TENANT_ID="${AZURE_TENANT_ID:-$ARM_TENANT_ID}"
+  echo "  ✓ Tenant ID: ${TENANT_ID:0:8}...${TENANT_ID: -4}"
+  if [[ ! "$TENANT_ID" =~ ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$ ]]; then
+    echo "    ⚠️  Warning: Format may be invalid (should be UUID)"
+  fi
+else
+  echo "  ❌ Tenant ID: MISSING"
+fi
+
+# Location
+if [ -n "$AZURE_LOCATION" ] || [ -n "$ARM_LOCATION" ]; then
+  LOCATION="${AZURE_LOCATION:-$ARM_LOCATION}"
+  echo "  ✓ Location: $LOCATION"
+  if [[ "$LOCATION" =~ ^us ]]; then
+    echo "    ❌ ERROR: US regions are not allowed!"
+  fi
+else
+  echo "  ⚠️  Location: NOT SET (will default to westeurope)"
+fi
+
+echo ""
+echo "📋 OPTIONAL BUT RECOMMENDED:"
+echo ""
+
+# Management Group
+if [ -n "$AZURE_MANAGEMENT_GROUP_ID" ]; then
+  echo "  ✓ Management Group: $AZURE_MANAGEMENT_GROUP_ID"
+else
+  echo "  ○ Management Group: Not set"
+fi
+
+# Resource Group
+if [ -n "$AZURE_RESOURCE_GROUP" ] || [ -n "$TF_VAR_resource_group_name" ]; then
+  RG="${AZURE_RESOURCE_GROUP:-$TF_VAR_resource_group_name}"
+  echo "  ✓ Resource Group: $RG"
+else
+  echo "  ⚠️  Resource Group: Not set (will use default naming convention)"
+fi
+
+# Environment
+if [ -n "$TF_VAR_environment" ]; then
+  echo "  ✓ Environment: $TF_VAR_environment"
+else
+  echo "  ⚠️  Environment: Not set (will default to 'dev')"
+fi
+
+# Storage Account
+if [ -n "$TF_VAR_storage_account_name" ] || [ -n "$AZURE_STORAGE_ACCOUNT" ]; then
+  SA="${TF_VAR_storage_account_name:-$AZURE_STORAGE_ACCOUNT}"
+  echo "  ✓ Storage Account: $SA"
+else
+  echo "  ⚠️  Storage Account: Not set (will use default naming)"
+fi
+
+# Key Vault
+if [ -n "$TF_VAR_key_vault_name" ] || [ -n "$AZURE_KEY_VAULT_NAME" ]; then
+  KV="${TF_VAR_key_vault_name:-$AZURE_KEY_VAULT_NAME}"
+  echo "  ✓ Key Vault: $KV"
+else
+  echo "  ⚠️  Key Vault: Not set (will use default naming)"
+fi
+
+echo ""
+echo "🔧 TERRAFORM VARIABLE MAPPING:"
+echo ""
+
+# Check if variables need to be mapped
+NEEDS_MAPPING=false
+
+if [ -n "$AZURE_SUBSCRIPTION_ID" ] && [ -z "$ARM_SUBSCRIPTION_ID" ]; then
+  echo "  ⚠️  AZURE_SUBSCRIPTION_ID found, but Terraform expects ARM_SUBSCRIPTION_ID"
+  echo "     Recommendation: Add ARM_SUBSCRIPTION_ID=\"$AZURE_SUBSCRIPTION_ID\""
+  NEEDS_MAPPING=true
+fi
+
+if [ -n "$AZURE_TENANT_ID" ] && [ -z "$ARM_TENANT_ID" ]; then
+  echo "  ⚠️  AZURE_TENANT_ID found, but Terraform expects ARM_TENANT_ID"
+  echo "     Recommendation: Add ARM_TENANT_ID=\"$AZURE_TENANT_ID\""
+  NEEDS_MAPPING=true
+fi
+
+if [ -n "$AZURE_LOCATION" ] && [ -z "$ARM_LOCATION" ]; then
+  echo "  ⚠️  AZURE_LOCATION found, but Terraform expects ARM_LOCATION"
+  echo "     Recommendation: Add ARM_LOCATION=\"$AZURE_LOCATION\""
+  NEEDS_MAPPING=true
+fi
+
+if [ "$NEEDS_MAPPING" = false ]; then
+  echo "  ✓ All variables properly mapped for Terraform"
+fi
+
+echo ""
+echo "📊 SUMMARY:"
+echo ""
+
+# Count issues
+ISSUES=0
+WARNINGS=0
+
+if [ -z "$AZURE_SUBSCRIPTION_ID" ] && [ -z "$ARM_SUBSCRIPTION_ID" ]; then
+  ISSUES=$((ISSUES + 1))
+fi
+
+if [ -z "$AZURE_TENANT_ID" ] && [ -z "$ARM_TENANT_ID" ]; then
+  ISSUES=$((ISSUES + 1))
+fi
+
+if [ -z "$AZURE_LOCATION" ] && [ -z "$ARM_LOCATION" ]; then
+  WARNINGS=$((WARNINGS + 1))
+fi
+
+if [ "$ISSUES" -eq 0 ] && [ "$WARNINGS" -eq 0 ]; then
+  echo "  ✅ .env file is properly configured for Azure deployments"
+elif [ "$ISSUES" -eq 0 ]; then
+  echo "  ⚠️  .env file is mostly configured ($WARNINGS warning(s))"
+else
+  echo "  ❌ .env file has $ISSUES critical issue(s) and $WARNINGS warning(s)"
+fi
+
+echo ""
+echo "💡 RECOMMENDATIONS:"
+echo ""
+
+if [ "$NEEDS_MAPPING" = true ]; then
+  echo "  1. Add ARM_* variables for Terraform compatibility"
+  echo "     (Our scripts will auto-map, but explicit is better)"
+fi
+
+if [ -z "$TF_VAR_environment" ]; then
+  echo "  2. Add TF_VAR_environment=\"dev\" (or stage/prod)"
+fi
+
+if [ -z "$TF_VAR_resource_group_name" ] && [ -z "$AZURE_RESOURCE_GROUP" ]; then
+  echo "  3. Consider setting TF_VAR_resource_group_name for custom naming"
+fi
+
+echo ""
+echo "✅ Analysis complete!"
+echo ""
+echo "To use with Azure deployments:"
+echo "  source infra/scripts/azure-validate-env.sh"
+echo "  ./infra/scripts/azure-complete-setup.sh"
+

infra/scripts/azure-validate-env.sh

@@ -0,0 +1,133 @@
+#!/bin/bash
+# Validate Azure environment variables from .env file
+# Ensures all required variables are set for deployments
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+ENV_FILE="$PROJECT_ROOT/.env"
+
+echo "🔍 Validating Azure environment configuration..."
+
+# Load environment file if it exists
+if [ -f "$ENV_FILE" ]; then
+  echo "Loading environment from: $ENV_FILE"
+  set -a
+  source "$ENV_FILE"
+  set +a
+else
+  echo "⚠️  No .env file found at: $ENV_FILE"
+  echo "Creating from example..."
+  if [ -f "$PROJECT_ROOT/infra/terraform/.env.example" ]; then
+    cp "$PROJECT_ROOT/infra/terraform/.env.example" "$ENV_FILE"
+    echo "✅ Created $ENV_FILE - please fill in your values"
+  fi
+  exit 1
+fi
+
+# Required Azure variables
+REQUIRED_VARS=(
+  "ARM_SUBSCRIPTION_ID"
+  "ARM_TENANT_ID"
+)
+
+# Optional but recommended
+RECOMMENDED_VARS=(
+  "ARM_LOCATION"
+  "TF_VAR_environment"
+  "TF_VAR_resource_group_name"
+  "TF_VAR_storage_account_name"
+  "TF_VAR_key_vault_name"
+)
+
+# Check required variables
+MISSING_REQUIRED=()
+for var in "${REQUIRED_VARS[@]}"; do
+  if [ -z "${!var}" ]; then
+    MISSING_REQUIRED+=("$var")
+  fi
+done
+
+# Check recommended variables
+MISSING_RECOMMENDED=()
+for var in "${RECOMMENDED_VARS[@]}"; do
+  if [ -z "${!var}" ]; then
+    MISSING_RECOMMENDED+=("$var")
+  fi
+done
+
+# Report results
+if [ ${#MISSING_REQUIRED[@]} -gt 0 ]; then
+  echo "❌ Missing required variables:"
+  for var in "${MISSING_REQUIRED[@]}"; do
+    echo "   - $var"
+  done
+  echo ""
+  echo "Please set these in your .env file."
+  exit 1
+fi
+
+if [ ${#MISSING_RECOMMENDED[@]} -gt 0 ]; then
+  echo "⚠️  Missing recommended variables (will use defaults):"
+  for var in "${MISSING_RECOMMENDED[@]}"; do
+    echo "   - $var"
+  done
+  echo ""
+fi
+
+# Validate Azure CLI authentication
+if command -v az &> /dev/null; then
+  if az account show &> /dev/null; then
+    CURRENT_SUB=$(az account show --query id -o tsv)
+    if [ "$CURRENT_SUB" != "$ARM_SUBSCRIPTION_ID" ]; then
+      echo "⚠️  Azure CLI subscription ($CURRENT_SUB) differs from ARM_SUBSCRIPTION_ID"
+      echo "   Setting Azure CLI to use: $ARM_SUBSCRIPTION_ID"
+      az account set --subscription "$ARM_SUBSCRIPTION_ID" || true
+    fi
+  else
+    echo "⚠️  Not logged in to Azure CLI. Run: az login"
+  fi
+else
+  echo "⚠️  Azure CLI not installed. Install from: https://aka.ms/InstallAzureCLIDeb"
+fi
+
+# Set defaults for missing recommended vars
+export ARM_LOCATION="${ARM_LOCATION:-westeurope}"
+export TF_VAR_environment="${TF_VAR_environment:-dev}"
+export TF_VAR_azure_region="${ARM_LOCATION}"
+
+# Export Terraform variables
+export TF_VAR_subscription_id="${ARM_SUBSCRIPTION_ID}"
+export TF_VAR_tenant_id="${ARM_TENANT_ID}"
+export TF_VAR_client_id="${ARM_CLIENT_ID:-}"
+export TF_VAR_client_secret="${ARM_CLIENT_SECRET:-}"
+
+# Generate resource names if not set
+if [ -z "$TF_VAR_resource_group_name" ]; then
+  export TF_VAR_resource_group_name="the-order-rg-${TF_VAR_environment}"
+fi
+
+if [ -z "$TF_VAR_storage_account_name" ]; then
+  # Generate unique storage account name
+  TIMESTAMP=$(date +%s | tail -c 5)
+  export TF_VAR_storage_account_name="theorder${TF_VAR_environment}${TIMESTAMP}"
+fi
+
+if [ -z "$TF_VAR_key_vault_name" ]; then
+  export TF_VAR_key_vault_name="the-order-kv-${TF_VAR_environment}"
+fi
+
+echo "✅ Environment validation complete!"
+echo ""
+echo "Azure Configuration:"
+echo "  Subscription ID: ${ARM_SUBSCRIPTION_ID:0:8}..."
+echo "  Tenant ID: ${ARM_TENANT_ID:0:8}..."
+echo "  Location: ${ARM_LOCATION}"
+echo "  Environment: ${TF_VAR_environment}"
+echo "  Resource Group: ${TF_VAR_resource_group_name}"
+echo "  Storage Account: ${TF_VAR_storage_account_name}"
+echo "  Key Vault: ${TF_VAR_key_vault_name}"
+echo ""
+echo "All Terraform variables are set and ready for deployment."
+

infra/scripts/deploy-sovereignty-landing-zone.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+# Deploy Cloud for Sovereignty Landing Zone
+# Uses Well-Architected Framework principles
+# Deploys across all non-US commercial Azure regions
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+TERRAFORM_DIR="$PROJECT_ROOT/infra/terraform"
+
+echo "╔══════════════════════════════════════════════════════════════╗"
+echo "║   CLOUD FOR SOVEREIGNTY LANDING ZONE DEPLOYMENT             ║"
+echo "╚══════════════════════════════════════════════════════════════╝"
+echo ""
+
+# Load environment
+source "$SCRIPT_DIR/azure-load-env.sh"
+
+# Get management group ID from .env or use default
+MANAGEMENT_GROUP_ID="${AZURE_MANAGEMENT_GROUP_ID:-SOVEREIGN-ORDER-OF-HOSPITALLERS}"
+ENVIRONMENT="${TF_VAR_environment:-dev}"
+
+echo "Configuration:"
+echo "  Management Group: $MANAGEMENT_GROUP_ID"
+echo "  Environment: $ENVIRONMENT"
+echo "  Subscription: ${ARM_SUBSCRIPTION_ID:0:8}..."
+echo ""
+
+# Confirm deployment
+read -p "Deploy landing zone to all non-US commercial regions? (yes/no): " -r
+if [[ ! $REPLY =~ ^[Yy][Ee][Ss]$ ]]; then
+  echo "Deployment cancelled."
+  exit 0
+fi
+
+cd "$TERRAFORM_DIR"
+
+# Step 1: Deploy Management Group Hierarchy
+echo ""
+echo "Step 1: Deploying Management Group Hierarchy..."
+cd management-groups
+terraform init
+terraform plan -var="management_group_id=$MANAGEMENT_GROUP_ID" -out=tfplan
+read -p "Apply management group changes? (yes/no): " -r
+if [[ $REPLY =~ ^[Yy][Ee][Ss]$ ]]; then
+  terraform apply tfplan
+fi
+cd ..
+
+# Step 2: Deploy Policies
+echo ""
+echo "Step 2: Deploying Sovereignty Policies..."
+cd policies
+terraform init
+terraform plan -var="management_group_id=$MANAGEMENT_GROUP_ID" -out=tfplan
+read -p "Apply policy changes? (yes/no): " -r
+if [[ $REPLY =~ ^[Yy][Ee][Ss]$ ]]; then
+  terraform apply tfplan
+fi
+cd ..
+
+# Step 3: Deploy Multi-Region Landing Zones
+echo ""
+echo "Step 3: Deploying Multi-Region Landing Zones..."
+cd multi-region
+terraform init
+terraform plan \
+  -var="environment=$ENVIRONMENT" \
+  -var="management_group_id=$MANAGEMENT_GROUP_ID" \
+  -var="deploy_all_regions=true" \
+  -out=tfplan
+
+echo ""
+echo "This will deploy landing zones to:"
+echo "  • West Europe (Netherlands) - Primary"
+echo "  • North Europe (Ireland) - Secondary"
+echo "  • UK South (London)"
+echo "  • Switzerland North (Zurich)"
+echo "  • Norway East (Oslo)"
+echo "  • France Central (Paris)"
+echo "  • Germany West Central (Frankfurt)"
+echo ""
+
+read -p "Apply multi-region deployment? (yes/no): " -r
+if [[ $REPLY =~ ^[Yy][Ee][Ss]$ ]]; then
+  terraform apply tfplan
+  
+  echo ""
+  echo "✅ Multi-region landing zone deployment complete!"
+  echo ""
+  echo "Deployment outputs:"
+  terraform output
+fi
+
+cd "$PROJECT_ROOT"
+
+echo ""
+echo "╔══════════════════════════════════════════════════════════════╗"
+echo "║   DEPLOYMENT COMPLETE                                        ║"
+echo "╚══════════════════════════════════════════════════════════════╝"
+echo ""
+echo "Next steps:"
+echo "  1. Review deployed resources in Azure Portal"
+echo "  2. Configure application workloads"
+echo "  3. Set up monitoring and alerting"
+echo "  4. Review compliance status in Azure Policy"
+echo ""
+