chore: initialize k3s master iac skeleton

terraform/README.md

@@ -0,0 +1,27 @@
+# Terraform K3s Master Scaffold
+
+## Purpose
+This module provisions K3s control-plane virtual machines on vSphere. It only includes the provider bootstrap today; VM resources and data sources are added in future iterations.
+
+## Required Inputs
+| Variable | Description |
+| --- | --- |
+| `vsphere_user` / `vsphere_password` | Service account stored in CI secrets (never commit plaintext). |
+| `vsphere_server` | vCenter hostname or IP. |
+| `datacenter`, `cluster`, `resource_pool` | Target placement scope. |
+| `datastore` | Datastore or datastore cluster for disks. |
+| `template` | Hardened golden image for K3s masters. |
+| `network` | Portgroup for primary NIC. |
+| `vm_count`, `vm_cpu`, `vm_memory_mb` | Control-plane sizing knobs. |
+| `tags` | Optional key/value metadata for governance. |
+
+## Security Notes
+- Inject credentials via Terraform Cloud/Enterprise variables, Vault, or Gitea Actions secrets.
+- Rotate the vSphere service account per security policy; constrain RBAC to cloning and tagging only.
+- Validate SSL certificates where possible; set `allow_unverified_ssl` only for lab use.
+- Store generated Terraform state in a remote backend with encryption-at-rest (e.g., Consul, S3 compatible).
+
+## Next Steps
+1. Wire vSphere data sources (datacenter, datastore, network).
+2. Define `vsphere_virtual_machine` resources aligned with K3s sizing guidance.
+3. Emit provisioning outputs consumed by Ansible inventory generation.