computer-playbook/roles/letsencrypt/tasks/set-caa-records.yml

---
- name: "Ensure all CAA records are present"
  community.general.cloudflare_dns:
    api_token: "{{ certbot_dns_api_token }}"
    zone:     "{{ item.0 }}"
    record:   "@"
    type:     CAA
    flag:     0
    tag:      "{{ item.1.tag }}"
    value:    "{{ item.1.value }}"
    ttl:      1
    state:    present
  loop: "{{ base_sld_domains | product(caa_entries) | list }}"
  loop_control:
    label: "{{ item.0 }} → {{ item.1.tag }}"