---

- name: "Validate CERTBOT_DNS_API_TOKEN"
  fail:
    msg: >
      The variable "CERTBOT_DNS_API_TOKEN" must be defined and cannot be empty!
  when: (CERTBOT_DNS_API_TOKEN | default('') | trim) == ''

- name: "Ensure all CAA records are present"
  community.general.cloudflare_dns:
    api_token: "{{ CERTBOT_DNS_API_TOKEN }}"
    zone:     "{{ item.0 }}"
    record:   "@"
    type:     CAA
    flag:     0
    tag:      "{{ item.1.tag }}"
    value:    "{{ item.1.value }}"
    ttl:      1
    state:    present
  loop: "{{ base_sld_domains | product(caa_entries) | list }}"
  loop_control:
    label: "{{ item.0 }} → {{ item.1.tag }}"