From f2b089e2678f88a40ce20c3fc98e6260a0d011b0 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 20 Jun 2026 19:12:29 +0000
Subject: [PATCH] rybbit: fix cloudflare_ruleset import id (zone/ 3-part form) + depends_on lists

v4.52.7 import id must be zone//; add depends_on so the crowdsec_ban/captcha lists exist before the WAF rules reference them.

Co-Authored-By: Claude Opus 4.8
---
 stacks/rybbit/crowdsec_edge.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/stacks/rybbit/crowdsec_edge.tf b/stacks/rybbit/crowdsec_edge.tf
index 08683ff9..4c31b9d8 100644
--- a/stacks/rybbit/crowdsec_edge.tf
+++ b/stacks/rybbit/crowdsec_edge.tf
@@ -107,7 +107,7 @@ resource "cloudflare_list" "crowdsec_captcha" {
 # (currently disabled) skip rule preserved verbatim below it.
 import {
 to = cloudflare_ruleset.crowdsec
- id = "fd2c5dd4efe8fe38958944e74d0ced6d/106a1342bc88454ea59c47ad3431fe0e"
+ id = "zone/fd2c5dd4efe8fe38958944e74d0ced6d/106a1342bc88454ea59c47ad3431fe0e"
 }
 resource "cloudflare_ruleset" "crowdsec" {
@@ -116,6 +116,10 @@ resource "cloudflare_ruleset" "crowdsec" {
 kind = "zone"
 phase = "http_request_firewall_custom"
+ # The WAF rules reference the IP lists by name ($crowdsec_ban / $crowdsec_captcha),
+ # so the lists must exist before this ruleset is created/updated.
+ depends_on = [cloudflare_list.crowdsec_ban, cloudflare_list.crowdsec_captcha]
+ # CrowdSec ban — evaluated FIRST so a banned IP is blocked before anything else.
 rules {
 action = "block"
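Review bot: The three-part id in the `import` block for `cloudflare_ruleset.crowdsec` is explained only in the commit message, so a later edit could easily put the two-part form back. Add a comment above `id`, for example `# cloudflare provider v4.52.7: ruleset import id is zone/<zone_id>/<ruleset_id>`. Because this block adopts a live WAF ruleset into state, the first plan after the import should show no unexpected rule changes before it is applied; a mismatch between the config and the imported ruleset would otherwise rewrite the rules that are currently enforced.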
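Review bot: The `depends_on` added to `cloudflare_ruleset.crowdsec` fixes creation order only; per the new comment the rules still spell the list names as literals (`$crowdsec_ban` / `$crowdsec_captcha`), so a later rename of either `cloudflare_list` is not tracked by Terraform and would only surface when the ruleset is applied. The rule expressions sit outside this hunk, but if they are plain strings, building them from the resource, for example `format("(ip.src in $%s)", cloudflare_list.crowdsec_ban.name)`, would give Terraform the dependency implicitly and keep the name in sync. With that in place the explicit `depends_on` becomes redundant. The resource body starts and ends outside the hunk.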