# Zone resources for each domain
resource "cloudflare_zone" "domains" {
  for_each   = var.domains
  account_id = local.account_id
  zone       = each.key
  plan       = each.value.plan
  jump_start = each.value.jump_start
}

# Enable DNSSEC on all zones
resource "cloudflare_zone_dnssec" "domains" {
  for_each = cloudflare_zone.domains
  zone_id  = each.value.id
}

# Zone settings - TLS, security, etc.
resource "cloudflare_zone_settings_override" "domains" {
  for_each = cloudflare_zone.domains
  zone_id  = each.value.id

  settings {
    # TLS Settings
    ssl                      = "strict"
    min_tls_version          = "1.2"
    tls_1_3                  = "on"
    automatic_https_rewrites = "on"
    always_use_https         = "on"

    # Security
    security_level = "medium"
    browser_check  = "on"

    # Performance
    minify {
      css  = "on"
      js   = "on"
      html = "on"
    }
    brotli = "on"

    # Caching
    browser_cache_ttl = 14400

    # Privacy
    email_obfuscation   = "on"
    server_side_exclude = "on"
  }
}