module "cde_vpc" {
  source = "./modules/secure-vpc"
  
  name               = "cde-payment"
  cidr               = "10.0.0.0/16"
  azs                = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  
  # Security controls
  enable_nat_gateway = true
  single_nat_gateway = false
  
  tags = {
    Environment = "production"
    Compliance  = "pci-dss"
    DataClass   = "cardholder"
  }
}

Organization Structure (15+ Accounts):

Management OU:
  - management: Root account, Control Tower, Organizations
  - logging: Centralized logging (CloudTrail, Config, Flow Logs)
  - security: Security Hub, GuardDuty findings aggregation
  - audit: Read-only audit access for compliance

Infrastructure OU:
  - network: Transit Gateway, shared networking
  - shared-services: DNS, Active Directory, central repositories

Workloads OU:
  Production:
    - prod-cde: PCI DSS Cardholder Data Environment
    - prod-non-cde: Non-CDE production workloads

  Non-Production:
    - staging: Pre-production testing environment
    - dev: Development environment
    - sandbox: Experimentation and POCs

Security OU:
  - security-tooling: Security tools and scanning
  - incident-response: IR automation and forensics

Transit Gateway (TGW) Hub:
  Purpose: Central routing for all VPCs
  Regions:
    - Primary: eu-west-1 (Ireland)
    - DR: eu-west-2 (London)

  Routing:
    - Centralized egress via NAT Gateways
    - Inter-VPC communication controls
    - On-premise connectivity (future VPN/Direct Connect)
    - Route table segmentation for CDE isolation

VPC Design per Account:
  Subnets:
    - Public: NAT GW, ALB, bastion (jump hosts)
    - Private: Application tier, EKS nodes
    - Data: Databases, ElastiCache, MSK
    - Management: Systems Manager endpoints

  CIDR Strategy:
    - Non-overlapping ranges across all accounts
    - /16 for production, /20 for non-production
    - Reserved ranges for future expansion

Network Firewall:
  - Centralized in network account
  - Deep packet inspection
  - Intrusion prevention (IPS)
  - Domain filtering for egress
  - Threat intelligence integration

Multi-Layer Protection:
  1. NACLs: Subnet-level stateless filtering
  2. Security Groups: Instance-level stateful filtering
  3. WAF: Application layer protection (ALB/CloudFront)
  4. Shield Standard: DDoS protection (all accounts)
  5. VPC Flow Logs: Network traffic analysis

Repository Structure:
  terraform-live/
    ├── management/
    ├── production/
    │   ├── eu-west-1/
    │   │   ├── vpc/
    │   │   ├── eks/
    │   │   ├── rds/
    │   │   └── security/
    │   └── eu-west-2/
    ├── staging/
    └── modules/
        ├── vpc/
        ├── eks/
        ├── rds-aurora/
        └── security-baseline/

Terraform Stack:
  - 1000+ AWS resources managed
  - Terragrunt for DRY configuration
  - Remote state: S3 + DynamoDB locking
  - State encryption with KMS
  - Module versioning and testing

Security Scanning:
  - Checkov: Compliance and security checks
  - tfsec: Terraform security scanning
  - Terrascan: Policy as code enforcement
  - Automated in CI/CD before apply
  - Drift detection and remediation

Pipeline Stages:
  1. Validate:
     - terraform validate
     - terraform fmt check
     - Module version verification

  2. Security Scan:
     - Checkov (CIS, PCI DSS policies)
     - tfsec (AWS security best practices)
     - Secret detection (gitleaks)

  3. Plan:
     - terraform plan
     - Cost estimation (Infracost)
     - Plan review and approval

  4. Apply:
     - Manual approval gate
     - terraform apply
     - Drift detection scheduling

Landing Zone Features:
  Account Factory:
    - Automated account provisioning
    - Baseline security configuration
    - IAM Identity Center (SSO) integration
    - CloudTrail and Config enabled by default

  Guardrails (SCPs):
    Mandatory:
      - Deny disabling CloudTrail
      - Deny modifying Config rules
      - Deny root user access keys
      - Enforce MFA for root user

    Strongly Recommended:
      - Deny leaving organization
      - Deny disabling EBS encryption
      - Deny public S3 buckets
      - Enforce encrypted volumes

    Custom (PCI DSS):
      - Deny non-approved regions
      - Enforce KMS encryption
      - Restrict instance types
      - Deny IMDSv1 (require IMDSv2)

Account Baseline:
  - VPC with private subnets
  - NAT Gateway for outbound
  - VPC endpoints for AWS services
  - CloudWatch log groups
  - SNS topics for alerts
  - Systems Manager access

Production EKS Clusters:
  Primary (eu-west-1):
    - 3 Availability Zones
    - Managed node groups (on-demand)
    - Spot instances for batch jobs
    - Fargate for serverless workloads

  DR (eu-west-2):
    - Pilot-light configuration
    - Minimal capacity (cost-optimized)
    - Automated scale-up on failover

Node Configuration:
  - Instance types: m5.xlarge, r5.xlarge
  - Auto Scaling: Cluster Autoscaler
  - OS: Amazon Linux 2
  - Container runtime: containerd
  - IRSA for pod-level IAM permissions

Control Plane:
  - Control plane logging to CloudWatch
  - Private endpoint (VPC-only access)
  - Kubernetes version: 1.27+
  - Encryption: KMS for secrets

Deployment Strategy:
  - ArgoCD deployed in EKS
  - Git as single source of truth
  - 80+ microservices managed
  - Application-per-repo pattern
  - Automated sync (with approval for prod)

Progressive Delivery (Argo Rollouts):
  Strategies:
    - Blue-Green deployments
    - Canary releases (10% → 50% → 100%)
    - Automated rollback on metrics

  Analysis:
    - Prometheus metrics integration
    - Success rate, latency, error rate
    - Automated promotion or rollback

Prometheus Architecture:
  - Thanos for long-term storage (S3)
  - Multi-cluster monitoring
  - 7-day local retention
  - 1-year Thanos retention
  - AlertManager for notifications

Grafana Dashboards:
  Infrastructure:
    - EKS cluster health
    - Node and pod metrics
    - Network performance
    - Storage utilization

  Application:
    - Service-level metrics
    - Payment processing metrics
    - API response times
    - Error rates and SLIs

  Security:
    - GuardDuty findings
    - WAF blocked requests
    - Failed authentication attempts
    - Compliance posture

  Cost:
    - Per-service costs (Kubecost)
    - AWS Cost Explorer integration
    - Budget vs actual tracking

OpenSearch (ELK):
  - Centralized log aggregation
  - 30-day retention in hot tier
  - 1-year retention in S3 (cold tier)
  - Vector for log collection
  - Kibana for visualization

Loki + Promtail:
  - Kubernetes-native logging
  - Label-based log queries
  - Grafana integration
  - Lower storage costs vs ELK
  - Real-time log streaming

Log Sources:
  - Application logs (stdout/stderr)
  - AWS CloudTrail (API calls)
  - VPC Flow Logs (network traffic)
  - EKS control plane logs
  - Load balancer access logs
  - WAF logs

Configuration:
  - Centralized user management
  - Azure AD integration (SAML)
  - MFA enforcement
  - Permission sets per role:
    * Admin: Full access (break-glass only)
    * DevOps: Infrastructure management
    * Developer: Application deployment
    * ReadOnly: Audit and compliance
    * Security: Security tools access

  Access Patterns:
    - Time-limited sessions (8 hours)
    - JIT access for production
    - Approval workflow for sensitive accounts
    - Audit logging of all access

HashiCorp Vault:
  Deployment:
    - HA cluster on EKS
    - Auto-unseal with AWS KMS
    - Consul storage backend
    - Cross-region replication

  Use Cases:
    - Database credentials (dynamic)
    - API keys and tokens
    - TLS certificates (PKI engine)
    - Encryption as a service

  Authentication:
    - Kubernetes auth for pods
    - AWS IAM for services
    - OIDC for users

AWS Secrets Manager:
  - RDS password rotation
  - Cross-account secret sharing
  - Lambda rotation functions
  - Backup to Vault for redundancy

Amazon Aurora PostgreSQL:
  Configuration:
    - Multi-AZ deployment
    - Read replicas (3x)
    - Cross-region read replica (DR)
    - Performance Insights enabled

  Security:
    - Encryption at rest (KMS)
    - Encryption in transit (TLS 1.3)
    - IAM database authentication
    - Private subnet deployment
    - Security group restrictions

  Backup:
    - Automated daily snapshots
    - 35-day retention
    - Cross-region snapshot copy
    - Point-in-time recovery (PITR)

MongoDB Atlas:
  - Managed service (AWS VPC peering)
  - Replica set configuration
  - Automated backups
  - Performance monitoring

ElastiCache Redis:
  - Cluster mode enabled
  - Multi-AZ automatic failover
  - Encryption in-transit and at-rest
  - Session storage and caching

Multi-Region Strategy:
  Primary: eu-west-1 (Ireland)
  DR: eu-west-2 (London)

  Approach: Pilot Light
    - Network infrastructure pre-deployed
    - EKS cluster in standby (minimal nodes)
    - Database read replica in DR region
    - S3 cross-region replication
    - Route 53 health checks and failover

Automation:
  - Lambda-based failover orchestration
  - Automated DNS cutover (Route 53)
  - EKS cluster scale-up automation
  - Database promotion scripts
  - Runbooks in Confluence

Testing:
  - Quarterly DR drills
  - Documented runbooks
  - Automated validation scripts
  - RTO: 4 hours
  - RPO: 15 minutes

Backup Strategy:
  - Velero for EKS (daily)
  - RDS automated snapshots
  - S3 versioning enabled
  - Configuration backups in Git
  - 3-2-1 backup rule adherence