# Terraform K3s Master Scaffold

## Purpose

This module provisions K3s control-plane virtual machines on vSphere. Today it contains only the provider bootstrap; the VM resources and the vSphere data sources they depend on are added in later iterations.

## Required Inputs

| Variable | Description |
| --- | --- |
| `vsphere_user` / `vsphere_password` | Service account credentials, supplied from CI secrets (never commit them in plaintext). |
| `vsphere_server` | vCenter hostname or IP. |
| `datacenter`, `cluster`, `resource_pool` | Target placement scope. |
| `datastore` | Datastore or datastore cluster for disks. |
| `template` | Hardened golden image for K3s masters. |
| `network` | Portgroup for the primary NIC. |
| `vm_count`, `vm_cpu`, `vm_memory_mb` | Control-plane sizing knobs. |
| `tags` | Optional key/value metadata for governance. |

## Security Notes

- Inject credentials via Terraform Cloud/Enterprise variables, Vault, or Gitea Actions secrets; mark the corresponding input variables `sensitive = true` so they are redacted from plan and apply output.
- Rotate the vSphere service account per security policy, and constrain its RBAC role to the privileges needed for cloning and tagging only.
- Validate the vCenter TLS certificate; set `allow_unverified_ssl = true` only in lab environments, because it disables certificate verification and exposes the service-account credentials to an on-path attacker.
- Store Terraform state in a remote backend with encryption at rest and state locking (e.g., Consul, an S3-compatible object store); state can contain sensitive resource attributes.

## Next Steps

1. Wire vSphere data sources (datacenter, datastore, network).
2. Define `vsphere_virtual_machine` resources aligned with K3s sizing guidance.
3. Emit provisioning outputs consumed by Ansible inventory generation.
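The following is an added illustration of what the provider bootstrap and the first data source from the Next Steps list look like with the security notes applied; it is example code, not the module's own. The Consul address and state path, the `environment` variable, and the placement of `allow_unverified_ssl` as a module input are assumptions made for the example.

```hcl
# Added example (not the scaffold's own code). Hostnames, the state path and the
# "environment" variable are assumptions used to show the guardrails described above.

terraform {
  required_version = ">= 1.5.0"

  required_providers {
    vsphere = {
      source  = "hashicorp/vsphere"
      version = "~> 2.0"
    }
  }

  # Remote state with locking (assumed Consul address and path). Using the
  # https scheme keeps state encrypted in transit; encryption at rest is the
  # backend store's job.
  backend "consul" {
    address = "consul.example.internal:8501"
    scheme  = "https"
    path    = "terraform/k3s-masters"
  }
}

variable "vsphere_server" {
  description = "vCenter hostname or IP."
  type        = string
}

# Credentials are never defaulted here: they arrive from CI secrets, Vault or
# TF_VAR_* environment variables. "sensitive" redacts them from plan/apply output.
variable "vsphere_user" {
  type      = string
  sensitive = true
}

variable "vsphere_password" {
  type      = string
  sensitive = true
}

variable "datacenter" {
  description = "Target vSphere datacenter name."
  type        = string
}

variable "allow_unverified_ssl" {
  description = "Skip vCenter TLS verification. Lab use only; defaults to false."
  type        = bool
  default     = false
}

# Assumed input used to decide whether unverified TLS is acceptable.
variable "environment" {
  description = "Deployment tier, e.g. lab, staging, prod."
  type        = string
  default     = "prod"
}

provider "vsphere" {
  user                 = var.vsphere_user
  password             = var.vsphere_password
  vsphere_server       = var.vsphere_server
  allow_unverified_ssl = var.allow_unverified_ssl
}

# First data source from the Next Steps list. Its precondition makes
# `terraform plan` fail when TLS verification is disabled outside the lab tier,
# so a lab-only setting cannot leak into a production run.
data "vsphere_datacenter" "dc" {
  name = var.datacenter

  lifecycle {
    precondition {
      condition     = var.environment == "lab" || !var.allow_unverified_ssl
      error_message = "allow_unverified_ssl may only be true when environment = \"lab\"."
    }
  }
}
```

In a pipeline, the credentials would be supplied as `TF_VAR_vsphere_user` and `TF_VAR_vsphere_password` from the CI secret store rather than from a `.tfvars` file. Note that `sensitive = true` only redacts values from console output; it does not encrypt anything, which is why the remote backend still needs encryption at rest.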