fix: update playbook documentation with corrections

- Remove blue-green deployment references from production flow
- Mask thumbprint in security docs (show only last 4 chars)
- Add missing staging environment to secrets configuration
- Add production-specific networking with dedicated AWS account
- Add domain/URL configuration for all environments
- Update production URL to https://core.kainos-studio.com/

Author: nickmoyni

playbook/CICD_GUIDE.md

@@ -174,7 +174,7 @@ TF_VAR_session_secret
 5. Terraform plan
 6. Senior team approval gate
 7. Pre-deployment backup
-8. Blue-green deployment
+8. Standard deployment
 9. Health checks
 10. Smoke tests
 11. Traffic switching

playbook/NETWORKING_GUIDE.md

@@ -8,16 +8,87 @@ The Kainos Studio infrastructure implements a multi-tier network architecture wi
 
 ## 🟠 AWS Network Architecture
 
+### Domain and URL Configuration
+
+| Environment | Domain/URL | SSL Certificate | Purpose |
+|-------------|------------|-----------------|---------|
+| **Development** | `https://dev.core.kainos-studio.com/` | Wildcard SSL | Development testing |
+| **Staging** | `https://staging.core.kainos-studio.com/` | Wildcard SSL | Pre-production validation |
+| **Production** | `https://core.kainos-studio.com/` | Dedicated SSL | Live production service |
+
+#### DNS Configuration
+```hcl
+# Development
+resource "aws_route53_record" "dev" {
+  zone_id = var.hosted_zone_id
+  name    = "dev.core.kainos-studio.com"
+  type    = "A"
+  
+  alias {
+    name                   = aws_cloudfront_distribution.dev.domain_name
+    zone_id                = aws_cloudfront_distribution.dev.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+# Staging
+resource "aws_route53_record" "staging" {
+  zone_id = var.hosted_zone_id
+  name    = "staging.core.kainos-studio.com"
+  type    = "A"
+  
+  alias {
+    name                   = aws_cloudfront_distribution.staging.domain_name
+    zone_id                = aws_cloudfront_distribution.staging.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+# Production
+resource "aws_route53_record" "prod" {
+  zone_id = var.hosted_zone_id
+  name    = "core.kainos-studio.com"
+  type    = "A"
+  
+  alias {
+    name                   = aws_cloudfront_distribution.prod.domain_name
+    zone_id                = aws_cloudfront_distribution.prod.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+```
+
+### Account Structure
+
+| Environment | AWS Account | Purpose |
+|-------------|-------------|---------|
+| **Development** | Shared Account | Development and testing |
+| **Staging** | Shared Account | Pre-production validation |
+| **Production** | Dedicated Account | Production workloads with enhanced security |
+
 ### VPC Design
 
+#### Development and Staging (Shared Account)
 | Component | Configuration | Purpose |
 |-----------|---------------|---------|
 | **VPC CIDR** | 10.0.0.0/16 | Main network space |
-| **Availability Zones** | 3 AZs minimum | High availability |
+| **Availability Zones** | 2-3 AZs | High availability |
+| **DNS Resolution** | Enabled | Service discovery |
+| **DNS Hostnames** | Enabled | Resource naming |
+
+#### Production (Dedicated Account)
+| Component | Configuration | Purpose |
+|-----------|---------------|---------|
+| **VPC CIDR** | 10.1.0.0/16 | Isolated production network |
+| **Availability Zones** | 3 AZs minimum | Maximum availability |
 | **DNS Resolution** | Enabled | Service discovery |
 | **DNS Hostnames** | Enabled | Resource naming |
+| **Flow Logs** | Enabled to S3 | Enhanced monitoring |
+| **VPC Peering** | Cross-account if needed | Secure connectivity |
 
 #### VPC Configuration
+
+##### Development/Staging VPC
 ```hcl
 resource "aws_vpc" "kainos_core" {
   cidr_block           = "10.0.0.0/16"
@@ -27,18 +98,55 @@ resource "aws_vpc" "kainos_core" {
   tags = {
     Name        = "kainos-core-vpc-${var.environment}"
     Environment = var.environment
+    Account     = "shared"
+  }
+}
+```
+
+##### Production VPC
+```hcl
+resource "aws_vpc" "kainos_core_prod" {
+  cidr_block           = "10.1.0.0/16"
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+  
+  tags = {
+    Name        = "kainos-core-vpc-prod"
+    Environment = "production"
+    Account     = "dedicated"
+  }
+}
+
+# Enhanced Flow Logs for Production
+resource "aws_flow_log" "prod_vpc" {
+  iam_role_arn    = aws_iam_role.flow_log.arn
+  log_destination = aws_s3_bucket.flow_logs.arn
+  traffic_type    = "ALL"
+  vpc_id          = aws_vpc.kainos_core_prod.id
+  
+  tags = {
+    Name = "kainos-core-prod-flow-logs"
   }
 }
 ```
 
 ### Subnet Architecture
 
+#### Development and Staging (Shared Account)
 | Subnet Type | CIDR Blocks | Purpose | Internet Access |
 |-------------|-------------|---------|-----------------|
 | **Public Subnets** | 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 | NAT Gateways, Load Balancers | Direct |
 | **Private Subnets** | 10.0.11.0/24, 10.0.12.0/24, 10.0.13.0/24 | Lambda functions, RDS | Via NAT |
 | **Database Subnets** | 10.0.21.0/24, 10.0.22.0/24, 10.0.23.0/24 | Database instances | None |
 
+#### Production (Dedicated Account)
+| Subnet Type | CIDR Blocks | Purpose | Internet Access |
+|-------------|-------------|---------|-----------------|
+| **Public Subnets** | 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 | NAT Gateways, Load Balancers | Direct |
+| **Private Subnets** | 10.1.11.0/24, 10.1.12.0/24, 10.1.13.0/24 | Lambda functions, RDS | Via NAT |
+| **Database Subnets** | 10.1.21.0/24, 10.1.22.0/24, 10.1.23.0/24 | Database instances | None |
+| **Management Subnets** | 10.1.31.0/24, 10.1.32.0/24, 10.1.33.0/24 | Bastion hosts, monitoring | Restricted |
+
 #### Subnet Configuration
 ```hcl
 # Public Subnets
@@ -431,13 +539,22 @@ resource "aws_flow_log" "vpc" {
 
 ### Pre-deployment Security
 
+#### Development and Staging
 - [ ] VPC/VNet CIDR doesn't overlap with existing networks
 - [ ] Security groups/NSGs follow least privilege principle
 - [ ] NACLs configured for defense in depth
 - [ ] VPC endpoints/Private endpoints configured for AWS/Azure services
 - [ ] Flow logs enabled for network monitoring
 - [ ] DNS resolution properly configured
 
+#### Production (Additional Requirements)
+- [ ] Dedicated AWS account with isolated networking
+- [ ] Enhanced VPC Flow Logs to S3 with encryption
+- [ ] Cross-account IAM roles configured securely
+- [ ] Network monitoring and alerting configured
+- [ ] Bastion host access properly configured
+- [ ] Management subnet access restricted to authorized personnel
+
 ### Post-deployment Security
 
 - [ ] Network connectivity tested from all subnets

playbook/diagrams/prod-deployment-flow.md

@@ -8,8 +8,8 @@ flowchart LR
     Security --> Plan[📋 Terraform Plan<br/>Production]
     Plan --> Senior[👔 Senior Team<br/>Approval]
     Senior --> Backup[💾 Pre-deployment<br/>Backup]
-    Backup --> BlueGreen[🔄 Blue-Green<br/>Deployment]
-    BlueGreen --> Health[❤️ Health Checks<br/>& Monitoring]
+    Backup --> Deploy[🚀 Deploy to<br/>Production]
+    Deploy --> Health[❤️ Health Checks<br/>& Monitoring]
     Health --> Smoke[🧪 Smoke Tests<br/>& Validation]
     Smoke --> Traffic[🔀 Traffic Switch<br/>to New Version]
     Traffic --> Live[🌟 Production<br/>Live]
@@ -40,7 +40,7 @@ flowchart LR
     classDef trigger fill:#6C757D,stroke:#fff,stroke-width:2px,color:#fff
     
     class Traffic,Live success
-    class GHA,BlueGreen,Health process
+    class GHA,Deploy,Health process
     class Security,Plan,Smoke validation
     class Senior,Backup approval
     class Rollback,Previous,Investigate,Review rollback
@@ -63,7 +63,7 @@ flowchart LR
 4. **Terraform Plan**: Generate production infrastructure changes
 5. **Senior Approval**: Senior team and management review
 6. **Pre-deployment Backup**: Create full system backup
-7. **Blue-Green Deployment**: Deploy to parallel environment
+7. **Deploy to Production**: Deploy directly to production environment
 8. **Health Checks**: Comprehensive system health validation
 9. **Smoke Tests**: Critical functionality validation
 10. **Traffic Switch**: Gradually shift traffic to new version
@@ -82,11 +82,10 @@ flowchart LR
 
 ### Deployment Strategy
 
-#### Blue-Green Deployment
-- **Blue Environment**: Current production version
-- **Green Environment**: New version being deployed
-- **Traffic Switching**: Gradual migration from blue to green
-- **Rollback Capability**: Instant switch back to blue if issues
+#### Direct Production Deployment
+- **Strategy**: Direct deployment to production environment
+- **Validation**: Comprehensive pre-deployment testing in staging
+- **Rollback Capability**: Terraform state rollback if issues occur
 
 #### Health Checks
 - **Application Health**: API endpoints responding correctly
@@ -104,7 +103,7 @@ flowchart LR
 - ✅ All security and compliance checks pass
 - ✅ Senior team approval obtained
 - ✅ Pre-deployment backup completed successfully
-- ✅ Blue-green deployment executes without errors
+- ✅ Production deployment executes without errors
 - ✅ All health checks pass
 - ✅ Smoke tests validate critical functionality
 - ✅ Traffic switch completes successfully

playbook/security/CLOUD_CONNECTIVITY_SECURITY.md

@@ -16,7 +16,7 @@ The project uses OpenID Connect (OIDC) for secure, keyless authentication from G
 |-----------|---------------|---------|
 | **OIDC Provider** | `https://token.actions.githubusercontent.com` | GitHub Actions identity provider |
 | **Audience** | `sts.amazonaws.com` | AWS STS service identifier |
-| **Thumbprint** | `6938fd4d98bab03faadb97b34396831e3780aea1` | GitHub's certificate thumbprint |
+| **Thumbprint** | `************************************aea1` | GitHub's certificate thumbprint |
 | **Subject Claims** | `repo:org/repo:ref:refs/heads/main` | Repository and branch restrictions |
 
 ### IAM Roles and Policies
@@ -175,6 +175,15 @@ AZURE_TENANT_ID: tenant-id
 AZURE_SUBSCRIPTION_ID: dev-subscription-id
 ```
 
+#### Staging Environment
+```yaml
+# GitHub Environment Secrets (with protection rules)
+AWS_ROLE_ARN: arn:aws:iam::ACCOUNT:role/GitHubActions-Staging-Role
+AZURE_CLIENT_ID: staging-client-id
+AZURE_TENANT_ID: tenant-id
+AZURE_SUBSCRIPTION_ID: staging-subscription-id
+```
+
 #### Production Environment
 ```yaml
 # GitHub Environment Secrets (with protection rules)