Add Dynu Terraform brownfield DNS documentation layer

infrastructure/terraform/dynu/README.md

@@ -0,0 +1,67 @@
+# Dynu Terraform Layer (Brownfield DNS Reconciliation)
+
+This Terraform root is for **Dynu DNS brownfield import/reconciliation** and documentation outputs.
+
+Dynu remains the authoritative DNS provider for existing records. Terraform here is used to mirror and reconcile existing DNS state incrementally, not to casually recreate production DNS from scratch.
+
+## Provider
+
+- Source: `beatz174-bit/dynu`
+- Version constraint: `>= 0.1.0`
+
+Authentication is local-only and must not be committed.
+
+## Credentials and auth
+
+Use local `terraform.tfvars` (or environment variables if supported by the provider release you use).
+
+Variables included:
+
+- `dynu_api_key` (sensitive)
+- `dynu_username` (optional, sensitive)
+- `dynu_password` (optional, sensitive)
+
+> Keep real values out of git and out of shared logs.
+
+## Safety
+
+- Do not commit `terraform.tfvars`, `.tfstate*`, or `.terraform/`.
+- Import/reconcile one domain or record at a time.
+- Treat generated config as draft input, not final truth.
+
+## Safe validation commands
+
+```bash
+cd infrastructure/terraform/dynu
+
+terraform fmt -check -recursive
+terraform init -backend=false -input=false
+terraform validate
+```
+
+## Local workflow
+
+```bash
+cp terraform.tfvars.example terraform.tfvars
+$EDITOR terraform.tfvars
+terraform init
+terraform plan
+```
+
+## Import workflow (placeholder examples)
+
+```bash
+terraform import dynu_dns_domain.lan_ddnsgeek_com '<provider-specific-domain-import-id>'
+terraform state show dynu_dns_domain.lan_ddnsgeek_com
+terraform plan
+```
+
+Or with import blocks:
+
+```bash
+cp imports.tf.example imports.tf
+$EDITOR imports.tf
+terraform plan -generate-config-out=generated-dynu.tf
+```
+
+Confirm exact resource types and import ID formats from the provider docs before running imports.