# Dynu Terraform Layer (Brownfield DNS Reconciliation)

This Terraform root is for **Dynu DNS brownfield import/reconciliation** and documentation outputs.

Dynu remains the authoritative DNS provider for existing records. Terraform here is used to mirror and reconcile existing DNS state incrementally, not to casually recreate production DNS from scratch.

## Provider

- Source: `beatz174-bit/dynu`
- Provider version is intentionally unpinned in this root to use the latest published release.
- Provider block uses `api_key` auth argument from the published provider schema.

## Credentials and auth

Use local `terraform.tfvars` (or provider-supported environment variables).

- Required variable: `dynu_api_key`
- Optional placeholders for future provider auth changes: `dynu_username`, `dynu_password`

Never commit:

- `terraform.tfvars`
- `.terraform/`
- `*.tfstate*`
- credentials/secrets

## Safe validation commands

```bash
cd infrastructure/terraform/dynu
terraform fmt -check -recursive
terraform init -backend=false -input=false
terraform validate
```

## Local workflow

```bash
cp terraform.tfvars.example terraform.tfvars
$EDITOR terraform.tfvars
terraform init
terraform plan
```

## Import workflow (one object at a time)

```bash
terraform import dynu_domain.lan_ddnsgeek_com '<provider-specific-domain-import-id>'
terraform state show dynu_domain.lan_ddnsgeek_com
terraform plan
```

Or with import blocks:

```bash
cp imports.tf.example imports.tf
$EDITOR imports.tf
terraform plan -generate-config-out=generated-dynu.tf
```

Notes:

1. Confirm exact import ID formats from the provider docs.
2. For DNS records, add one `dynu_dns_record` resource at a time after confirming required arguments (`hostname`, `record_type`) from `terraform providers schema`.
3. Treat generated config as draft input; keep only stable, meaningful attributes in hand-maintained `.tf`.