# Terraform Workflow
Load fact-infra for Terranix syntax and structure.
## Required Inputs

- Resource type (DNS record, Azure resource, etc.)
- Provider (cloudflare, celestia/Azure, tonatiuh/GCP)
- Resource details
## Safety Rules

- ❌ NEVER write raw `.tf` files — use Terranix Nix
- ❌ NEVER use `${...}` interpolation — use `config.resource.X.Y "attr"`
- ❌ NEVER apply without reviewing plan
- ⚠️ ESCALATE IAM/credential changes
## Commands

```bash
nix run .#tfmgr -- validate   # Check syntax
nix run .#tfmgr -- plan       # Preview (safe)
nix run .#tfmgr -- apply      # Apply (requires approval)
nix run .#tfmgr -- shell      # Interactive terraform CLI
```
## Procedure: Add DNS Record

### 1. Create File

```bash
touch packages/terraform-config/cloudflare/zones/codgician-me/records/<name>.nix
```
### 2. Write Terranix

```nix
{ config, ... }:
let
  zone_id = config.resource.cloudflare_zone.codgician-me "id";
  zone_name = config.resource.cloudflare_zone.codgician-me.name;
in {
  resource.cloudflare_dns_record.<name>-cname = {
    name = "<name>.${zone_name}";
    type = "CNAME";
    content = "paimon.codgician.me";
    proxied = false;
    ttl = 1;
    inherit zone_id;
  };
}
```
### 3. Plan and Review

```bash
nix run .#tfmgr -- plan
```

| Symbol | Meaning |
|---|---|
| `+` | Create |
| `~` | Update |
| `-` | ⚠️ Destroy |
| `-/+` | ⚠️ Replace |
### 4. Apply (User Approval Required)

```bash
nix run .#tfmgr -- apply
```

### 5. Verify

```bash
dig <name>.codgician.me
```
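An added Terranix example, not from the repository, that generalizes step 2: all records for one service are declared from a single attribute set and checked at Nix evaluation time, so a bad record is rejected before `tfmgr plan` ever runs. It assumes the `cloudflare_zone.codgician-me` resource used above; the labels, targets and the `203.0.113.10` address are constructed placeholders.

```nix
{ config, lib, ... }:
let
  zone_id = config.resource.cloudflare_zone.codgician-me "id";
  zone_name = config.resource.cloudflare_zone.codgician-me.name;

  # Constructed sample input: every record one service needs, keyed by the
  # subdomain label. Targets are placeholders, not real infrastructure.
  records = {
    svc = { type = "CNAME"; content = "paimon.codgician.me"; };
    "www.svc" = { type = "CNAME"; content = "svc.${zone_name}"; proxied = true; };
    "svc-origin" = { type = "A"; content = "203.0.113.10"; ttl = 300; };
  };

  allowedTypes = [ "A" "AAAA" "CNAME" "TXT" ];

  # Build one cloudflare_dns_record body with the same defaults the
  # hand-written record above uses (not proxied, ttl = 1 meaning automatic).
  mkRecord = label: spec:
    let
      proxied = spec.proxied or false;
      ttl = spec.ttl or 1;
    in
    assert lib.assertMsg (builtins.elem spec.type allowedTypes)
      "${label}: unsupported record type ${spec.type}";
    # Assumption: Cloudflare only accepts ttl = 1 (automatic) on proxied records,
    # so catch the mismatch here rather than at apply time.
    assert lib.assertMsg (!proxied || ttl == 1)
      "${label}: proxied records must use ttl = 1";
    {
      name = "${label}.${zone_name}";
      inherit (spec) type content;
      inherit proxied ttl zone_id;
    };

  # Terraform resource names cannot contain dots: "www.svc" -> "www-svc-cname".
  resourceName = label: spec:
    "${builtins.replaceStrings [ "." ] [ "-" ] label}-${lib.toLower spec.type}";
in {
  resource.cloudflare_dns_record = lib.mapAttrs'
    (label: spec: lib.nameValuePair (resourceName label spec) (mkRecord label spec))
    records;
}
```

Drop the file in the zone's `records/` directory like any single-record file; `nix run .#tfmgr -- validate` fails with the assertion message if a record violates a check.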
## Exit Criteria

- Terranix `.nix` file created
- `tfmgr plan` shows expected changes
- No unexpected destroys
- `tfmgr apply` completes
- Resource verified
Reference: See `packages/terraform-config/cloudflare/` for DNS examples.
Note: Do not commit — present changes to user.