# edge-only — Cloudflare tunnels + Access apps + tenant-router.
#
# Standalone edge stack — applies cleanly against any existing
# cluster. Useful when an operator wants to wire a fresh
# Cloudflare zone to an already-deployed cell without touching the
# cell's compute or data plane.

# Template identity. `slug` and `module_kind` carry the same values as the
# alphaswarm.io/template-name and alphaswarm.io/template-kind annotations
# at the end of this file; keep the two places in sync when renaming.
name: alphaswarm-edge-only
slug: edge-only
module_kind: edge_stack
# Literal block scalar (`|`): line breaks are preserved and one trailing
# newline is kept. Text inside the scalar is data, not comments.
description: |
  Standalone Cloudflare Zero Trust edge — tunnels + DNS + Access apps
  + the in-cluster tenant-router. Applies cleanly against an
  existing cluster; no compute / data plane changes.

# Deployment target: provider `local`, environment `sandbox`.
# NOTE(review): several defaults in this file (local state file, 24h
# Access sessions, a fixed public hostname) look sized for a sandbox;
# re-check each one before reusing this template for any other environment.
cloud_provider: local
environment: sandbox

# Provider selector for the stack itself; `local` matches cloud_provider
# above. The Cloudflare and Kubernetes Terraform providers are declared
# separately under required_providers.
provider:
  kind: local

# Terraform state backend: a plain file on the local filesystem.
#
# Security: Terraform writes resource attributes to state in plaintext,
# including values marked `sensitive`. For this stack that presumably
# includes the Cloudflare tunnel credentials and the account/zone IDs
# (confirm against the generated state). A local backend adds no
# encryption at rest and no locking shared between machines, so:
#   - keep this path out of version control and out of image layers,
#   - restrict filesystem permissions on the state directory,
#   - prefer an encrypted, access-controlled remote backend outside sandbox.
# The path is relative. NOTE(review): confirm which working directory the
# runner resolves it against and whether that volume is persistent.
backend:
  kind: local
  config:
    path: data/terraform/state/edge-only.tfstate

# Input variables for the edge stack. Each entry gives a name, a type and
# a default; `sensitive` and `description` are set only on some entries.
variables:
  # Name of the Cloudflare tunnel.
  - name: tunnel_name
    type: string
    default: alphaswarm-edge
  # Cloudflare account identifier. Per the description it is supplied at
  # run time by the runner pod, so the default is an empty string.
  # NOTE(review): an empty default means a failed credential lookup yields
  # "" rather than a missing-input error; confirm the runner fails closed
  # before calling the Cloudflare API. `sensitive: true` presumably redacts
  # the value from plan/apply output; it does not keep it out of state.
  - name: cloudflare_account_id
    type: string
    default: ""
    sensitive: true
    description: Resolved by the runner pod via CredentialResolver.
  # Cloudflare zone identifier. No description is given; presumably it is
  # resolved the same way as cloudflare_account_id (TODO confirm).
  - name: cloudflare_zone_id
    type: string
    default: ""
    sensitive: true
  # Hostname published through the tunnel. The default is one fixed
  # domain; override it per deployment so that a sandbox apply does not
  # claim DNS for a hostname another environment already uses.
  - name: public_hostname
    type: string
    default: manage.alpha-swarm.ai
  - name: cell_name
    type: string
    default: alphaswarm
  # Replica counts for the in-cluster tenant-router and cloudflared
  # workloads; both default to 2.
  - name: tenant_router_replicas
    type: number
    default: 2
  - name: cloudflared_replicas
    type: number
    default: 2
  # Security-relevant toggle, enabled by default. NOTE(review): setting it
  # to false presumably publishes public_hostname without a Cloudflare
  # Access application in front of it; confirm, and treat any override to
  # false as a change that needs review.
  - name: access_app_enabled
    type: bool
    default: true
  # Presumably the lifetime of an Access session before the user must
  # re-authenticate (TODO confirm the mapping). 24h is long for a
  # management hostname; a shorter value narrows the window in which a
  # stolen session remains usable.
  - name: access_session_duration
    type: string
    default: 24h

# Terraform provider requirements.
#
# `~>` is Terraform's pessimistic constraint: `~> 5.6` accepts any 5.x
# release from 5.6 upward, and `~> 2.30` accepts any 2.x release from 2.30
# upward. These are ranges, not pins, so a new `init` can pull a newer
# provider build. For supply-chain integrity, commit the dependency lock
# file (.terraform.lock.hcl) so versions and checksums stay fixed between
# runs. NOTE(review): confirm the runner honours a lock file.
#
# YAML typing: these values load as strings only because of the leading
# `~> `. A bare `version: 2.30` would load as the float 2.3, so quote the
# value if the operator is ever dropped.
required_providers:
  cloudflare:
    source: cloudflare/cloudflare
    version: ~> 5.6
  kubernetes:
    source: hashicorp/kubernetes
    version: ~> 2.30

# Template annotations. template-name and template-kind repeat the `slug`
# and `module_kind` values set at the top of this file. NOTE(review):
# presumably informational; confirm whether any tooling selects templates
# by these keys before changing them.
annotations:
  alphaswarm.io/template-name: edge-only
  alphaswarm.io/template-kind: edge_stack
  # Lists the pieces this template composes: the Cloudflare edge, the
  # in-cluster cloudflared connector and the tenant-router.
  alphaswarm.io/composition: cloudflare_edge + cloudflared (in-cluster) + tenant-router
  # Quoted, so the value is an explicit string.
  alphaswarm.io/target-cost-monthly: "$5-$20"
