HOLE Foundation Multi-Cloud Infrastructure

Overview

The HOLE Foundation manages ~422 infrastructure resources across 3 cloud providers using Terraform:

Provider	Resources	% of Total	Primary Use
Cloudflare	387	92%	Web hosting, DNS, CDN, edge compute
Azure	~10	2%	SSO and enterprise authentication
AWS	~5	1%	AI services (Bedrock)
Personal	~20	5%	Personal projects

Terraform Root: /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/ Terraform Cloud Organization: theholetruth Secret Management: dotenvx at /Volumes/HOLE-RAID-DRIVE/dotenvx

---

Infrastructure by Provider

Cloudflare (Web/Edge Infrastructure - 387 resources)

Workspaces:

• cloudflare-foundation-prod - 387 resources ✅ Imported
• cloudflare-personal-prod - ~20 resources ⏳ Ready

Infrastructure:

• 15 production zones: theholetruth.org, holefoundation.org, theholefoundation.org, holetruth.org, hole-truth.org, ai-watch.org, drjth.net, herrmann.consulting, holeoversight.org, holetrust.org, holetruthproject.org, joeherrmann.com, realjusticematters.org, theholetruthelpaso.org, thepublicsinfo.org
• 309 DNS records: A, AAAA, CNAME, MX, TXT records
• 33 Workers KV namespaces: Cache, config, data stores
• 26 Zero Trust Access applications: SSO-protected services
• 2 Access groups: Permission management
• 1 Identity provider: Authentication
• 1 Logpush job: Analytics to R2
• Workers scripts: Serverless functions
• Pages projects: Static site hosting
• R2 buckets: Object storage

Location: terraform/cloudflare/foundation/

Use Cases:

• Web hosting (Pages/Workers)
• DNS management (all HOLE domains)
• CDN and caching
• Zero Trust security
• Email routing
• Analytics and monitoring
• Edge compute
• Object and KV storage

Azure (SSO Infrastructure - ~10 resources)

Workspace: azure-hole-general-services-prod Subscription: de602062-dafa-4c8b-91b7-98a75bcd7cff

Infrastructure:

• 1 Resource group: hole-entra-domain-services
• Entra ID (Azure AD): Enterprise authentication
• 22 SSO integrations powered by this infrastructure

Location: terraform/production/

SSO Services Integrated (22 total):

1. Cloudflare (4 applications) - Dashboard access, SCIM, OAuth
2. GitHub Enterprise - Organization and enterprise SSO
3. AWS IAM Identity Center - AWS console access
4. Google Cloud / G Suite (2 connectors) - Workspace and Cloud Console
5. Terraform Cloud - Organization access
6. Notion, Perplexity AI, Clerk - Productivity and AI tools
7. And 14 more - Complete enterprise SSO

Use Cases:

• Single sign-on across all services
• Enterprise authentication
• User management
• Access control and permissions

CRITICAL: This is the authentication backbone - changes can affect access to all 22 services!

AWS (AI Infrastructure - ~5 resources)

Workspace: aws-foundation-prod Account: 420073135340 Region: us-east-1

Infrastructure:

• IAM roles: terraform-bedrock-foundation
• Bedrock AI: Access to Claude and other models
• KMS keys: Encryption for Bedrock
• Future: Lambda, S3, DynamoDB, etc.

Location: terraform/aws/foundation/

Bedrock Models Available:

• claude-3-5-sonnet-20241022 (fast, cost-effective)
• claude-3-opus-20250219 (most capable)
• claude-3-haiku-20240307 (fastest)
• Other AWS Bedrock models

Use Cases:

• AI model inference
• Serverless compute (Lambda)
• Large object storage (S3)
• NoSQL databases (DynamoDB)
• ML services

---

Making Infrastructure Changes (Any Provider)

Unified Workflow for All Providers

When the user asks to create, update, or delete infrastructure:

Step 1: Identify Provider

• DNS/Web/Workers/CDN → Cloudflare
• SSO/Authentication → Azure
• AI/Bedrock → AWS
• Ambiguous (storage, compute) → Ask user

Step 2: Navigate to Workspace

# Cloudflare
cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/cloudflare/foundation

# Azure
cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/production

# AWS
cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/aws/foundation

Step 3: Load Secrets (provider-specific)

# Cloudflare - Use wrapper script (auto-loads)
./tf-with-dotenvx.sh <command>

# Azure - Use Azure CLI (already authenticated)
terraform <command>

# AWS - Load from dotenvx
export AWS_ACCESS_KEY_ID=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get AWS_ACCESS_KEY_ID)
export AWS_SECRET_ACCESS_KEY=$(cd /Volumes/HOLE-RAID-DRIVE/dotenvx && dotenvx get AWS_SECRET_ACCESS_KEY)
terraform <command>

Step 4: Make Changes

• Edit relevant .tf files
• Add/modify/delete resources

Step 5: Plan and Apply

terraform plan    # Preview changes
terraform apply   # Deploy changes

---

Provider Selection Logic

When user requests infrastructure, choose provider based on this matrix:

Request	Primary Provider	Alternative	Reason
"Deploy web app"	Cloudflare Pages	-	Primary web hosting
"Deploy API"	Cloudflare Workers	AWS Lambda	Edge performance
"Add DNS record"	Cloudflare	-	Primary DNS provider
"Create storage bucket"	Cloudflare R2	AWS S3	Ask user (both viable)
"Deploy serverless function"	Cloudflare Workers	AWS Lambda	Ask user (edge vs regional)
"AI inference"	AWS Bedrock	Cloudflare AI	Model selection
"Configure SSO"	Azure Entra ID	-	Only SSO provider
"Add user"	Azure Entra ID	-	Authentication provider
"Container deployment"	Cloudflare Containers	AWS ECS	Simplicity
"NoSQL database"	-	AWS DynamoDB	No current provider

Default Preferences (HOLE Foundation):

• Web/DNS → Cloudflare (established infrastructure)
• Auth/SSO → Azure (enterprise backbone)
• AI → AWS (Bedrock primary)

ALWAYS explain provider choice and offer alternatives when applicable!

---

Multi-Cloud Deployment Scenarios

Scenario 1: Full-Stack Application

Frontend → Cloudflare Pages
API → Cloudflare Workers
Database → Neon PostgreSQL (external)
Auth → Azure Entra ID (existing)
AI Features → AWS Bedrock
CDN → Cloudflare (automatic)

Terraform Changes Required:

• terraform/cloudflare/foundation/ - Pages, Workers, DNS
• terraform/aws/foundation/ - Lambda for AI processing
• terraform/production/ - No changes (SSO already configured)

Scenario 2: AI-Enhanced Service

User Requests → Cloudflare Worker (entry point)
AI Processing → AWS Lambda + Bedrock
Caching → Cloudflare KV
Results → Cloudflare R2
Auth → Azure Entra ID

Multi-Provider Orchestration: 2 providers (Cloudflare + AWS)

Scenario 3: Enterprise Website

Website → Cloudflare Pages
DNS → Cloudflare (theholetruth.org)
Access Control → Cloudflare Zero Trust
SSO → Azure Entra ID
Analytics → Cloudflare Analytics Engine

Single Provider: Cloudflare (Azure SSO already configured)

---

When to Use Each Provider

Use Cloudflare For

Primary Use Cases:

• ✅ Web hosting (Pages)
• ✅ Serverless APIs (Workers)
• ✅ DNS management (all zones)
• ✅ CDN and edge caching
• ✅ DDoS protection
• ✅ Object storage (R2) - cost-effective
• ✅ Key-value storage (KV) - simple caching
• ✅ Email routing
• ✅ Zero Trust security
• ✅ Analytics

When NOT to Use:

• ❌ AI model inference (use AWS Bedrock)
• ❌ Enterprise SSO backend (use Azure)
• ❌ Large-scale relational databases (use external like Neon)

Use Azure For

Primary Use Cases:

• ✅ Enterprise SSO (22 integrations)
• ✅ User authentication (Entra ID)
• ✅ Access control and permissions
• ✅ Identity management

When NOT to Use:

• ❌ Web hosting (use Cloudflare)
• ❌ Serverless compute (use Cloudflare/AWS)
• ❌ Object storage (use Cloudflare R2 or AWS S3)

Critical: Azure is the authentication backbone - changes here affect all 22 services!

Use AWS For

Primary Use Cases:

• ✅ AI model inference (Bedrock)
• ✅ Advanced serverless (Lambda with complex triggers)
• ✅ Large object storage (S3)
• ✅ NoSQL databases (DynamoDB)
• ✅ ML services (SageMaker)
• ✅ Message queues (SQS)
• ✅ Event-driven architecture

When NOT to Use:

• ❌ Simple web hosting (use Cloudflare Pages)
• ❌ DNS management (use Cloudflare)
• ❌ Edge compute (use Cloudflare Workers)

---

Terraform Cloud Workspaces

All workspaces managed under organization: theholetruth

Workspace	Provider	Path	Resources	State
cloudflare-foundation-prod	Cloudflare	terraform/cloudflare/foundation/	387	✅ Active
cloudflare-personal-prod	Cloudflare	terraform/cloudflare/personal/	~20	⏳ Ready
azure-hole-general-services-prod	Azure	terraform/production/	~10	✅ Active
aws-foundation-prod	AWS	terraform/aws/foundation/	~5	⏳ Configured

One Terraform Cloud org → All providers → Unified management

---

Secret Management (All Providers)

ALL cloud provider credentials stored in dotenvx:

Location: /Volumes/HOLE-RAID-DRIVE/dotenvx

Provider	Secret Name	Type
Cloudflare	CLOUDFLARE_API_TOKEN	API token (40 chars)
AWS	AWS_ACCESS_KEY_ID	Access key ID
AWS	AWS_SECRET_ACCESS_KEY	Secret access key
Azure	N/A	Uses Azure CLI auth
Terraform Cloud	TF_CLOUD_TOKEN	API token

Loading Secrets:

cd /Volumes/HOLE-RAID-DRIVE/dotenvx
dotenvx get SECRET_NAME

---

Critical Rules for Multi-Cloud Operations

Provider Safety Rules

Cloudflare:

1. ALWAYS run plan before apply
2. Test DNS changes on non-critical zones first
3. Be careful with Zero Trust Access (can lock out users)
4. Proxy A/AAAA records by default (CDN benefits)

Azure:

1. ⚠️ CRITICAL: Changes can break all 22 SSO integrations!
2. ALWAYS test SSO after Azure changes
3. NEVER delete Entra ID resources without full understanding
4. Verify authentication works before finishing

AWS:

1. Monitor Bedrock costs (per-token pricing)
2. Use IAM least privilege
3. Enable KMS encryption for sensitive data
4. Test Lambda functions before production

General Rules (All Providers)

1. ALWAYS run terraform plan first
2. ALWAYS show user what will change
3. NEVER commit secrets to git
4. ALWAYS use dotenvx for secrets
5. VERIFY changes match user intent
6. TEST in dev/personal before production
7. EXPLAIN provider choice to user

---

Never Say "Go to Dashboard"

You have COMPLETE Terraform and API access for:

Cloudflare Dashboard → Terraform:

• ✅ Zone management → Edit cloudflare_zone.tf
• ✅ DNS records → Edit zone DNS .tf files
• ✅ Worker deployment → Edit cloudflare_worker_script.tf
• ✅ KV namespaces → Edit cloudflare_workers_kv_namespace.tf
• ✅ Pages projects → Add cloudflare_pages_project resource
• ✅ Access policies → Edit cloudflare_access_application.tf

Azure Portal → Terraform:

• ✅ Resource groups → Edit main.tf
• ✅ Entra ID config → Edit Azure resources
• ✅ Network settings → Edit network resources

AWS Console → Terraform:

• ✅ Lambda functions → Add aws_lambda_function resource
• ✅ IAM roles → Edit IAM resources
• ✅ S3 buckets → Add aws_s3_bucket resource
• ✅ Bedrock access → Edit IAM policies

ALL infrastructure changes via Terraform - NO dashboard operations required!

---

Cross-Provider Integration Patterns

Pattern 1: Web App with AI

1. Cloudflare Pages (frontend) → theholetruth.org
2. Cloudflare Worker (API) → api.theholetruth.org/*
3. AWS Lambda (AI processing) → Bedrock inference
4. Cloudflare KV (caching) → Reduce API calls
5. Azure Entra ID (auth) → SSO login

Providers Used: Cloudflare + AWS + Azure Terraform Workspaces: cloudflare-foundation-prod + aws-foundation-prod

Pattern 2: Static Website

1. Cloudflare Pages (hosting)
2. Cloudflare DNS (records)
3. Cloudflare CDN (automatic)
4. Azure Entra ID (if auth needed)

Providers Used: Cloudflare + (optional) Azure Terraform Workspaces: cloudflare-foundation-prod

Pattern 3: AI Service

1. AWS Lambda (compute)
2. AWS Bedrock (AI models)
3. Cloudflare Worker (API wrapper)
4. Cloudflare DNS (endpoint)
5. Cloudflare KV (cache)

Providers Used: AWS + Cloudflare Terraform Workspaces: aws-foundation-prod + cloudflare-foundation-prod

---

Adding New Providers (Future)

The architecture makes adding providers trivial:

Example: Add Google Cloud Platform

Step 1: Create Terraform workspace

mkdir -p /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/gcp/foundation
# Create main.tf with google provider

Step 2: Create provider skill

# Create skills/providers/gcp/SKILL.md with GCP infrastructure knowledge

Step 3: Update this overview skill

• Add GCP to provider list
• Add GCP use cases
• Add GCP to multi-cloud patterns

Total Time: 10-15 minutes Plugin Changes: None (purely additive)

Example: Add Vercel

Same pattern:

1. Create terraform/vercel/foundation/
2. Create skills/providers/vercel/SKILL.md
3. Update overview
4. Done!

---

Infrastructure Decision Tree

When user asks for infrastructure, use this logic:

User request
    │
    ├─ DNS record? → Cloudflare
    │
    ├─ Web hosting?
    │   ├─ Static site → Cloudflare Pages
    │   ├─ Dynamic app → Cloudflare Pages + Workers
    │   └─ Complex backend → Cloudflare + AWS
    │
    ├─ Serverless function?
    │   ├─ Edge compute → Cloudflare Workers
    │   ├─ Regional compute → AWS Lambda
    │   └─ Ask user preference
    │
    ├─ Storage?
    │   ├─ Object storage → Cloudflare R2 (default) or AWS S3
    │   ├─ Key-value → Cloudflare KV
    │   └─ Database → External (Neon, etc.)
    │
    ├─ AI inference? → AWS Bedrock
    │
    ├─ Authentication?
    │   ├─ SSO integration → Azure Entra ID
    │   └─ App auth → Auth0 (external)
    │
    └─ Other → Check provider capabilities, ask user

---

Example Interactions

Example 1: Multi-Cloud Deployment

User: "Deploy this AI-powered website"

Claude:
"I'll deploy across multiple providers:

**Cloudflare** (Web layer):
- Pages: Static frontend
- Worker: API endpoint
- DNS: app.theholetruth.org
- KV: Response caching

**AWS** (AI layer):
- Lambda: AI processing
- Bedrock: Claude 3.5 Sonnet
- IAM: Execution role

**Azure** (Auth layer):
- Entra ID: Already configured (no changes)

Let me create Terraform configurations:
[Updates terraform/cloudflare/foundation/]
[Updates terraform/aws/foundation/]

Planned resources:
- Cloudflare: +1 Pages, +1 Worker, +1 KV, +1 DNS
- AWS: +1 Lambda, +1 IAM role
- Total: 6 new resources across 2 providers

Shall I apply these changes?"

Example 2: Provider Selection

User: "Create a storage bucket for backups"

Claude:
"I can create this in multiple providers:

**Option 1: Cloudflare R2** (recommended)
- Lower cost ($0.015/GB)
- Better integration with Workers
- Workspace: cloudflare-foundation-prod

**Option 2: AWS S3**
- More features (lifecycle, versioning)
- Higher cost
- Workspace: aws-foundation-prod

Which would you prefer? I recommend R2 for cost-effectiveness."

Example 3: Cross-Provider Query

User: "Show me all our infrastructure"

Claude:
"HOLE Foundation Multi-Cloud Infrastructure (422 resources):

**Cloudflare** (387 resources - 92%):
├── Zones: 15 production domains
├── DNS: 309 records
├── KV: 33 namespaces
├── Access: 26 applications
└── Workers, Pages, R2 buckets

**Azure** (~10 resources - 2%):
├── Entra ID SSO (22 integrations)
└── Resource group: hole-entra-domain-services

**AWS** (~5 resources - 1%):
├── Bedrock AI access
├── IAM roles
└── KMS encryption

**Cloudflare Personal** (~20 resources - 5%):
└── Personal projects (not yet imported)

All managed via Terraform Cloud (org: theholetruth)

Which provider would you like details on?"

---

Important Notes

This Skill Provides

✅ Multi-cloud awareness - Knowledge of all 3 providers ✅ Provider selection logic - When to use which provider ✅ Unified workflow - Same Terraform process for all ✅ Cross-provider patterns - How to integrate multiple clouds ✅ Complete resource inventory - All 422 resources documented

This Skill Does NOT Provide

❌ Provider-specific details - See individual provider skills ❌ Detailed resource configurations - See provider skills ❌ Terraform syntax - See terraform-operations skill ❌ Secret management - See secret-management skill

This is an OVERVIEW skill - for details, refer to provider-specific skills!

---

Quick Reference

Terraform Workspaces:

• Cloudflare Foundation: terraform/cloudflare/foundation/
• Cloudflare Personal: terraform/cloudflare/personal/
• Azure Production: terraform/production/
• AWS Foundation: terraform/aws/foundation/

Secrets Location: /Volumes/HOLE-RAID-DRIVE/dotenvx

Terraform Cloud: Organization theholetruth, 4 workspaces

Total Resources: ~422 across 3 providers (4 workspaces)

---

Version History

• 1.0.0 (2026-01-09) - Initial multi-cloud infrastructure overview
  • Cloudflare: 387 resources imported
  • Azure: ~10 resources imported
  • AWS: Configured, ready for use
  • Provider-agnostic architecture established