# Cloudflare WAF custom rule: only the configured admin IP may reach the
# admin-only subdomains (vault, argocd); every other source is blocked at the edge.
#
# NOTE(review): a zone WAF rule is only evaluated for traffic that passes through
# Cloudflare's proxy. Confirm the two hostnames below are proxied (not DNS-only)
# and that the origin does not accept direct connections, otherwise this rule
# provides no protection for them.
resource "cloudflare_ruleset" "admin_ip_allowlist" {
  kind    = "zone"
  phase   = "http_request_firewall_custom"
  zone_id = data.cloudflare_zone.main.id

  name        = "Admin IP allowlist"
  description = "Block access to admin subdomains from non-admin IPs"

  # Single rule: match either admin host, then block unless the source is the
  # admin address. The heredoc is rendered into one Cloudflare filter expression.
  rules {
    enabled     = true
    action      = "block"
    description = "Block non-admin IPs from admin subdomains"

    # `ip.src eq` compares against exactly one address, so var.admin_ip is
    # assumed to be a single IPv4/IPv6 literal, not a CIDR — TODO confirm. A
    # dual-stack admin workstation would need its v6 address allowed too, and a
    # range would need the `in { ... }` set form instead of `eq`.
    expression = <<-EOT
      (
        http.host in { "vault.${var.domain}" "argocd.${var.domain}" }
        and not ip.src eq ${var.admin_ip}
      )
    EOT
  }
}