vm-cloudflare/terraform/dns.tf

# DNS Records for each zone
# Root A record (proxied) - points to tunnel or origin
resource "cloudflare_record" "root_a" {
  for_each = cloudflare_zone.domains
  zone_id  = each.value.id
  name     = "@"
  value    = var.origin_ip
  type     = "A"
  proxied  = true
  ttl      = 1 # Auto when proxied
}

# WWW CNAME
resource "cloudflare_record" "www" {
  for_each = cloudflare_zone.domains
  zone_id  = each.value.id
  name     = "www"
  value    = each.key
  type     = "CNAME"
  proxied  = true
  ttl      = 1
}

# SPF Record
resource "cloudflare_record" "spf" {
  for_each = cloudflare_zone.domains
  zone_id  = each.value.id
  name     = "@"
  content  = "v=spf1 include:_spf.mx.cloudflare.net -all"
  type     = "TXT"
  ttl      = 3600
}

# DMARC Record
resource "cloudflare_record" "dmarc" {
  for_each = cloudflare_zone.domains
  zone_id  = each.value.id
  name     = "_dmarc"
  value    = "v=DMARC1; p=reject; rua=mailto:dmarc@${each.key}"
  type     = "TXT"
  ttl      = 3600
}

# MX Records (using Cloudflare Email Routing or custom)
resource "cloudflare_record" "mx_primary" {
  for_each = cloudflare_zone.domains
  zone_id  = each.value.id
  name     = "@"
  value    = "route1.mx.cloudflare.net"
  type     = "MX"
  priority = 10
  ttl      = 3600
}

resource "cloudflare_record" "mx_secondary" {
  for_each = cloudflare_zone.domains
  zone_id  = each.value.id
  name     = "@"
  value    = "route2.mx.cloudflare.net"
  type     = "MX"
  priority = 20
  ttl      = 3600
}

resource "cloudflare_record" "mx_tertiary" {
  for_each = cloudflare_zone.domains
  zone_id  = each.value.id
  name     = "@"
  value    = "route3.mx.cloudflare.net"
  type     = "MX"
  priority = 30
  ttl      = 3600
}