Detailed knowledge of HOLE Foundation's Cloudflare infrastructure (387 resources across 15 production zones)
Manages HOLE Foundation's 387 Cloudflare resources via Terraform for DNS, Workers, KV, and Zero Trust.
/plugin marketplace add The-HOLE-Foundation/claude-plugins
/plugin install the-hole-foundation-hole-infrastructure-hole-infrastructure@The-HOLE-Foundation/claude-plugins
This skill inherits all available tools. When active, it can use any tool Claude has access to.
HOLE Foundation's primary web infrastructure provider with 387 resources managed via Terraform.
Terraform Workspace: cloudflare-foundation-prod
Organization: theholetruth
Location: /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/cloudflare/foundation/
Account ID: 1a25a792e801e687b9fe4932030cf6a6
| Zone | Zone ID | DNS Records | Primary Use |
|---|---|---|---|
| theholetruth.org | 22894f8f0e2944b35929d4f506a81bb3 | 77 | Primary website |
| theholefoundation.org | ce99080b4f42c513a8a41067bda22073 | 50 | Foundation site |
| holefoundation.org | f8c9bffaae6ba758c391ff55e87a1e6a | 39 | Foundation variant |
| holetruth.org | f0266fcef2ed7b357b77b43c1615cebe | 32 | Main variant |
| joeherrmann.com | 5e36943c9381ade355b8c757fcd2dfdf | 24 | Personal domain |
| hole-truth.org | 9af4b3cdd657218bd10a9762bd9d0052 | 20 | Variant |
| ai-watch.org | 2763b19bae6546edb169d1cf62e271e5 | 18 | AI monitoring |
| holetruthproject.org | 706ae46bbc8561ef6f3378018a5d5e59 | 12 | Project domain |
| drjth.net | 0cf46a1e78469699dfb4e1045d5c9413 | 10 | Personal |
| theholetruthelpaso.org | ad6f15d32c575f9e5bd99931b9770e17 | 8 | El Paso chapter |
| holeoversight.org | 8a2a6cd4732c2171f0a94a4fbdb055bd | 8 | Oversight |
| realjusticematters.org | 12867983899d5cfaca56b75e2aebe1c1 | 7 | Justice project |
| holetrust.org | eeb99e470d38fae25509fc04a7672614 | 3 | Trust domain |
| herrmann.consulting | 1a547f1f8478edb1b9a7e21bd9eac260 | 0 | Consulting |
| thepublicsinfo.org | 374a3c5d693764a646900b8908b8d93c | 1 | Public info |
Total DNS Records: 309 across all zones
KV namespaces for caching, configuration, and data storage used by Workers and Pages projects.
File: cloudflare_workers_kv_namespace.tf (165 lines)
Files:
- cloudflare_access_application.tf (1,507 lines)
- cloudflare_access_group.tf (13 lines)
- cloudflare_access_identity_provider.tf (72 lines)
File: cloudflare_logpush_job.tf
terraform/cloudflare/foundation/
├── main.tf # Provider configuration
├── backend.tf # Terraform Cloud backend
├── .gitignore # Protect secrets
│
├── tf-with-dotenvx.sh ⭐ # Terraform wrapper (auto-loads secrets)
├── import-all.sh # Import automation
├── import-with-dotenvx.sh # Import with secrets
│
├── cloudflare_zone.tf # 15 zones
├── cloudflare_workers_kv_namespace.tf # 33 KV namespaces
├── cloudflare_access_application.tf # 26 Access apps
├── cloudflare_access_group.tf # 2 Access groups
├── cloudflare_access_identity_provider.tf # 1 IdP
├── cloudflare_logpush_job.tf # 1 logpush job
├── page-rules.tf # Page rules (if any)
│
├── theholetruth-org.tf # 77 DNS records
├── theholefoundation-org.tf # 50 DNS records
├── holefoundation-org.tf # 39 DNS records
├── holetruth-org.tf # 32 DNS records
├── joeherrmann-com.tf # 24 DNS records
├── [10 more zone DNS files]
│
├── imports/ # Import scripts
└── README.md # Workspace documentation
When user asks to modify Cloudflare infrastructure:
1. Navigate to workspace:
cd /Volumes/HOLE-RAID-DRIVE/Projects/hole-terraformer/terraform/cloudflare/foundation
2. Use dotenvx wrapper (auto-loads CLOUDFLARE_API_TOKEN):
./tf-with-dotenvx.sh <command>
3. Common operations:
Add DNS record:
# Edit the appropriate zone file (e.g., theholetruth-org.tf)
# Add resource block
# Run plan
./tf-with-dotenvx.sh plan
# If approved, apply
./tf-with-dotenvx.sh apply
Deploy Worker:
# Edit cloudflare_worker_script.tf or create new file
# Add worker resource with script content
./tf-with-dotenvx.sh plan
./tf-with-dotenvx.sh apply
Create KV namespace:
# Edit cloudflare_workers_kv_namespace.tf
# Add namespace resource
./tf-with-dotenvx.sh plan
./tf-with-dotenvx.sh apply
Update Access policy:
# Edit cloudflare_access_application.tf
# Modify application configuration
./tf-with-dotenvx.sh plan
./tf-with-dotenvx.sh apply
Each zone has its own file named <zone-with-dashes>.tf:
- theholetruth-org.tf - 77 records
- holefoundation-org.tf - 39 records
Template:
resource "cloudflare_record" "<descriptive_name>" {
zone_id = "<zone-id>"
name = "<subdomain-or-@-for-root>"
type = "<A|AAAA|CNAME|MX|TXT>"
value = "<ip-or-hostname>"
ttl = 1 # Auto (or 3600 for manual)
proxied = true # For A/AAAA (enables CDN)
}
Example - Add api.theholetruth.org:
resource "cloudflare_record" "api_theholetruth_org" {
zone_id = "22894f8f0e2944b35929d4f506a81bb3"
name = "api"
type = "A"
value = "1.2.3.4"
ttl = 1
proxied = true
}
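The same cloudflare_record pattern covers the records a zone needs for mail and certificate hygiene, which must not be proxied and which the A-record template above does not show. The following is an added example, not a file from the workspace: it enables DNSSEC for theholetruth.org (zone ID from the table above) and adds MX, SPF, DMARC and CAA records. The mail host, SPF include and CA name are placeholders.

```hcl
# Added example (not part of the workspace): zone hardening records for theholetruth.org.
# Mail host, SPF include and CA are placeholders; substitute the real provider values.

# DNSSEC signing. Cloudflare generates the DS record; it still has to be published
# at the registrar before the zone is actually validated.
resource "cloudflare_zone_dnssec" "theholetruth_org" {
  zone_id = "22894f8f0e2944b35929d4f506a81bb3"
}

# MX is never proxied: the proxy only fronts HTTP(S), so proxied stays false.
resource "cloudflare_record" "mx_theholetruth_org" {
  zone_id  = "22894f8f0e2944b35929d4f506a81bb3"
  name     = "@"
  type     = "MX"
  value    = "mail.example-mailhost.invalid" # placeholder mail host
  priority = 10
  ttl      = 3600
  proxied  = false
}

# SPF: only the listed sender may send mail for the domain; everything else hard-fails (-all).
resource "cloudflare_record" "spf_theholetruth_org" {
  zone_id = "22894f8f0e2944b35929d4f506a81bb3"
  name    = "@"
  type    = "TXT"
  value   = "v=spf1 include:_spf.example-mailhost.invalid -all" # placeholder include
  ttl     = 3600
}

# DMARC: reject mail that fails SPF/DKIM alignment and send aggregate reports.
resource "cloudflare_record" "dmarc_theholetruth_org" {
  zone_id = "22894f8f0e2944b35929d4f506a81bb3"
  name    = "_dmarc"
  type    = "TXT"
  value   = "v=DMARC1; p=reject; rua=mailto:dmarc@theholetruth.org"
  ttl     = 3600
}

# CAA: only the named CA may issue certificates for names in this zone.
resource "cloudflare_record" "caa_theholetruth_org" {
  zone_id = "22894f8f0e2944b35929d4f506a81bb3"
  name    = "@"
  type    = "CAA"
  ttl     = 3600
  data {
    flags = "0"
    tag   = "issue"
    value = "letsencrypt.org" # placeholder CA
  }
}
```

Before applying a CAA record, check which CA issues the zone's current certificates: proxied hostnames use Cloudflare-issued (Universal SSL) certificates, so the CAA set must allow the CA Cloudflare issues from, or renewals fail. Run ./tf-with-dotenvx.sh plan first and confirm only these additions appear.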
Workers are defined in cloudflare_worker_script.tf or separate files.
Template:
resource "cloudflare_worker_script" "my_worker" {
account_id = var.account_id
name = "my-worker"
content = file("${path.module}/workers/my-worker.js")
# Optional: KV namespace bindings
kv_namespace_binding {
name = "MY_KV"
namespace_id = cloudflare_workers_kv_namespace.my_kv.id
}
# Optional: R2 bucket bindings
r2_bucket_binding {
name = "MY_BUCKET"
bucket_name = "my-r2-bucket"
}
}
# Worker route
resource "cloudflare_worker_route" "my_worker_route" {
zone_id = "<zone-id>"
pattern = "api.theholetruth.org/*"
script_name = cloudflare_worker_script.my_worker.name
}
- Worker scripts live in the workers/ subdirectory
- Test with wrangler dev before the Terraform deploy
Defined in cloudflare_workers_kv_namespace.tf.
resource "cloudflare_workers_kv_namespace" "my_cache" {
account_id = var.account_id
title = "My Cache"
}
# Bind to Worker
resource "cloudflare_worker_script" "my_worker" {
# ...
kv_namespace_binding {
name = "CACHE"
namespace_id = cloudflare_workers_kv_namespace.my_cache.id
}
}
resource "cloudflare_pages_project" "my_site" {
account_id = var.account_id
name = "my-site"
production_branch = "main"
build_config {
build_command = "npm run build"
destination_dir = "dist"
root_dir = ""
}
source {
type = "github"
config {
owner = "The-HOLE-Foundation"
repo_name = "my-repo"
production_branch = "main"
deployments_enabled = true
production_deployment_enabled = true
}
}
}
# Custom domain
resource "cloudflare_pages_domain" "my_site" {
account_id = var.account_id
project_name = cloudflare_pages_project.my_site.name
domain = "site.theholetruth.org"
}
# DNS record for Pages
resource "cloudflare_record" "my_site_dns" {
zone_id = "<zone-id>"
name = "site"
type = "CNAME"
value = cloudflare_pages_project.my_site.subdomain
proxied = true
}
Protected internal services requiring authentication.
File: cloudflare_access_application.tf (1,507 lines)
Permission groups for role-based access control.
File: cloudflare_access_group.tf
Stored in dotenvx: CLOUDFLARE_API_TOKEN
Loading:
cd /Volumes/HOLE-RAID-DRIVE/dotenvx
dotenvx get CLOUDFLARE_API_TOKEN
# Returns the token value (redacted here; never paste it into files or chat)
Auto-loaded by:
- tf-with-dotenvx.sh wrapper script
- import-with-dotenvx.sh import script
Environment Variables:
- CF_API_TOKEN - Used by cf-terraforming tool
- TF_VAR_cloudflare_api_token - Used by Terraform provider
Worker environment variables/secrets should be:
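How the TF_VAR_cloudflare_api_token value reaches the provider, and how the same rule applies to Worker secrets, as an added example (not the workspace's main.tf): the token is declared as a sensitive variable so it is never written into a .tf file and is redacted from plan and apply output, and a Worker secret goes in through secret_text_binding rather than as a literal in the script. The api-proxy Worker, its upstream URL and the upstream_api_key variable are assumptions.

```hcl
# Added example (not the workspace's own main.tf). The wrapper script exports
# TF_VAR_cloudflare_api_token; Terraform maps that environment variable to this variable.
variable "cloudflare_api_token" {
  type      = string
  sensitive = true # redacted in plan/apply output
}

variable "account_id" {
  type    = string
  default = "1a25a792e801e687b9fe4932030cf6a6"
}

provider "cloudflare" {
  api_token = var.cloudflare_api_token
}

# Worker secrets follow the same rule: a sensitive variable, bound as a secret binding.
# upstream_api_key is a hypothetical secret for this example.
variable "upstream_api_key" {
  type      = string
  sensitive = true
}

# Hypothetical Worker; the script file is assumed to exist under workers/.
resource "cloudflare_worker_script" "api_proxy" {
  account_id = var.account_id
  name       = "api-proxy"
  content    = file("${path.module}/workers/api-proxy.js")

  # Exposed to the script as env.UPSTREAM_API_KEY; not shown in plan output.
  secret_text_binding {
    name = "UPSTREAM_API_KEY"
    text = var.upstream_api_key
  }

  # Non-secret configuration can use a plain binding.
  plain_text_binding {
    name = "UPSTREAM_URL"
    text = "https://api.example.invalid" # placeholder
  }
}
```

Marking a variable sensitive hides it from output only; the value is still stored in plaintext in the Terraform state, which here lives in the Terraform Cloud workspace (backend.tf), so access to that workspace must be restricted as tightly as the secret itself.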
User: "Add api.theholetruth.org pointing to 1.2.3.4"
Steps:
1. cd terraform/cloudflare/foundation/
2. Edit theholetruth-org.tf
3. ./tf-with-dotenvx.sh plan
4. ./tf-with-dotenvx.sh apply
User: "Deploy this Worker script"
Steps:
1. Save the script to workers/my-worker.js
2. Edit cloudflare_worker_script.tf or create a new file
3. Add the resource with content = file("workers/my-worker.js")
User: "Create a KV namespace for caching"
Steps:
1. Edit cloudflare_workers_kv_namespace.tf
User: "Enable DNSSEC for theholetruth.org"
Steps:
1. Edit cloudflare_zone.tf or create a settings override
Current (cf-terraforming generated):
- cloudflare_zone.terraform_managed_resource_<zone-id>_<index>
- cloudflare_record.terraform_managed_resource_<record-id>_<index>
- cloudflare_workers_kv_namespace.terraform_managed_resource_<namespace-id>_<index>
Recommended (future refactoring):
- cloudflare_zone.theholetruth_org
- cloudflare_record.api_theholetruth_org
- cloudflare_workers_kv_namespace.api_cache
Pattern: Cloudflare Zero Trust Access uses Azure Entra ID for authentication
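Renaming the cf-terraforming addresses to the recommended descriptive ones can be done without destroying and recreating live zones or records by using Terraform's moved blocks (Terraform 1.1 or later). The following is an added example, not a file from the workspace; the generated address suffixes (RECORD_ID, NAMESPACE_ID and the _0 indexes) are placeholders for whatever is currently in the state.

```hcl
# Added example (not the workspace's own code): migrate generated addresses to
# descriptive names in place. The from= addresses are placeholders; copy the real ones
# from `terraform state list` before applying.

resource "cloudflare_zone" "theholetruth_org" {
  account_id = var.account_id
  zone       = "theholetruth.org"
}

moved {
  from = cloudflare_zone.terraform_managed_resource_22894f8f0e2944b35929d4f506a81bb3_0
  to   = cloudflare_zone.theholetruth_org
}

moved {
  from = cloudflare_record.terraform_managed_resource_RECORD_ID_0 # placeholder suffix
  to   = cloudflare_record.api_theholetruth_org
}

moved {
  from = cloudflare_workers_kv_namespace.terraform_managed_resource_NAMESPACE_ID_0 # placeholder suffix
  to   = cloudflare_workers_kv_namespace.api_cache
}
```

After adding the moved blocks and renaming the resource blocks to match, ./tf-with-dotenvx.sh plan must report the resources as moved with zero resources to add, change or destroy; any planned destroy means a from= address does not match the state and the apply should not proceed. Once every workspace has applied the change, the moved blocks can be deleted.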
# Cloudflare Access app
resource "cloudflare_access_application" "internal_dashboard" {
# ...
# Uses Azure Entra ID as identity provider
}
Azure side: Managed in terraform/production/ (Entra ID configuration)
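The Access app above is only a stub, so here is the full pattern as an added example (not the workspace's cloudflare_access_application.tf): the Entra ID identity provider, an Access group, and an application whose single policy admits only that group through that IdP. The dashboard hostname, the email domain used for the group, the Entra client and directory IDs, and the entra_client_secret variable are all assumptions.

```hcl
# Added example (not the workspace's own code). Placeholder values are marked inline.

variable "entra_client_secret" {
  type      = string
  sensitive = true # Entra app registration secret, passed via TF_VAR_entra_client_secret
}

resource "cloudflare_access_identity_provider" "entra" {
  account_id = var.account_id
  name       = "Azure Entra ID"
  type       = "azureAD"
  config {
    client_id     = "00000000-0000-0000-0000-000000000000" # placeholder app registration id
    client_secret = var.entra_client_secret
    directory_id  = "00000000-0000-0000-0000-000000000000" # placeholder tenant id
  }
}

# Who may get in: staff identities from the foundation's own mail domain.
resource "cloudflare_access_group" "staff" {
  account_id = var.account_id
  name       = "Foundation staff"
  include {
    email_domain = ["theholefoundation.org"] # assumption: staff sign in with this domain
  }
}

# What is protected: a self-hosted app behind the proxy. The hostname's DNS record
# must be proxied, otherwise Access is bypassed entirely.
resource "cloudflare_access_application" "internal_dashboard" {
  zone_id                   = "22894f8f0e2944b35929d4f506a81bb3"
  name                      = "Internal dashboard"
  domain                    = "dashboard.theholetruth.org" # placeholder hostname
  type                      = "self_hosted"
  session_duration          = "8h"
  allowed_idps              = [cloudflare_access_identity_provider.entra.id]
  auto_redirect_to_identity = true # skip the IdP picker; Entra is the only option
}

# The policy: allow the staff group, nothing else. No other policy means default deny.
resource "cloudflare_access_policy" "internal_dashboard_staff" {
  application_id = cloudflare_access_application.internal_dashboard.id
  zone_id        = cloudflare_access_application.internal_dashboard.zone_id
  name           = "Allow staff via Entra ID"
  precedence     = 1
  decision       = "allow"
  include {
    group = [cloudflare_access_group.staff.id]
  }
}
```

Two checks belong with any change here. First, the origin behind dashboard.theholetruth.org should validate the Cf-Access-Jwt-Assertion header that Access attaches, so that a request reaching the origin some other way is still rejected. Second, because the group is defined by email domain, a change on the Entra side (a new tenant, a renamed domain) silently changes who matches, which is the cross-provider coupling noted later in this page.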
Pattern: Cloudflare Worker calls AWS Lambda/Bedrock for AI processing
User Request → Cloudflare Worker → AWS Lambda → Bedrock
↓
Cloudflare KV (cache)
Terraform Changes:
Use for:
Location: Runs on Cloudflare's global edge network
Use for:
Features: Automatic deployments from Git, preview URLs, custom domains
Use for:
Pricing: S3-compatible, much lower cost than S3
Use for:
Features: Global replication, low latency, Workers integration
Use for:
Features: Integrates with Azure Entra ID for SSO
Issue: Terraform wants to modify resources you didn't change
Causes:
Solutions:
- terraform refresh to sync state
- lifecycle { ignore_changes = [...] } for computed values
Issue: Worker script shows changes on every plan
Cause: Content hash changes
Solution:
lifecycle {
ignore_changes = [content]
}
With content ignored, Terraform will no longer push script updates; remove the lifecycle block (or run terraform apply -replace=<address>) when the script actually needs to be redeployed.
Issue: Policy format errors
Cause: cf-terraforming generated incomplete/deprecated format
Solution: Manually fix policy blocks or recreate with current format
Cloudflare Zero Trust Access applications use Azure Entra ID as the identity provider. The identity provider configuration is in cloudflare_access_identity_provider.tf.
Cross-provider coordination: Changes to Azure Entra ID may require updates to Cloudflare Access policies.
Cloudflare Workers can call AWS Lambda functions or directly access AWS services:
Common Pattern:
Terraform changes:
Account: 1a25a792e801e687b9fe4932030cf6a6
Workspace: cloudflare-foundation-prod
Location: terraform/cloudflare/foundation/
Wrapper Script: ./tf-with-dotenvx.sh
Total Resources: 387
Key Files:
Never go to dashboard - Everything manageable via Terraform!