diff --git a/.changelog/2581.txt b/.changelog/2581.txt
new file mode 100644
index 0000000000..5ba9a67bdf
--- /dev/null
+++ b/.changelog/2581.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+tencentcloud_tse_cngw_network_access_control
+```
\ No newline at end of file
diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index 337b38e604..4eb7e3c2b4 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -1845,6 +1845,7 @@ func Provider() *schema.Provider {
"tencentcloud_tse_waf_protection": tse.ResourceTencentCloudTseWafProtection(),
"tencentcloud_tse_waf_domains": tse.ResourceTencentCloudTseWafDomains(),
"tencentcloud_tse_cngw_network": tse.ResourceTencentCloudTseCngwNetwork(),
+ "tencentcloud_tse_cngw_network_access_control": tse.ResourceTencentCloudTseCngwNetworkAccessControl(),
"tencentcloud_tse_cngw_strategy": tse.ResourceTencentCloudTseCngwStrategy(),
"tencentcloud_tse_cngw_strategy_bind_group": tse.ResourceTencentCloudTseCngwStrategyBindGroup(),
"tencentcloud_clickhouse_instance": cdwch.ResourceTencentCloudClickhouseInstance(),
diff --git a/tencentcloud/provider.md b/tencentcloud/provider.md
index 3da5667232..8c3a168325 100644
--- a/tencentcloud/provider.md
+++ b/tencentcloud/provider.md
@@ -1930,6 +1930,7 @@ Tencent Cloud Service Engine(TSE)
tencentcloud_tse_cngw_network
tencentcloud_tse_cngw_strategy
tencentcloud_tse_cngw_strategy_bind_group
+ tencentcloud_tse_cngw_network_access_control
ClickHouse(CDWCH)
Data Source
diff --git a/tencentcloud/services/tse/resource_tc_tse_cngw_network_access_control.go b/tencentcloud/services/tse/resource_tc_tse_cngw_network_access_control.go
new file mode 100644
index 0000000000..4624830126
--- /dev/null
+++ b/tencentcloud/services/tse/resource_tc_tse_cngw_network_access_control.go
@@ -0,0 +1,235 @@
+package tse
+
+import (
+ "context"
+ "fmt"
+ "log"
+ "strings"
+ "time"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ tse "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tse/v20201207"
+ tccommon "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/common"
+ "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper"
+)
+
+func ResourceTencentCloudTseCngwNetworkAccessControl() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceTencentCloudTseCngwNetworkAccessControlCreate,
+ Read: resourceTencentCloudTseCngwNetworkAccessControlRead,
+ Update: resourceTencentCloudTseCngwNetworkAccessControlUpdate,
+ Delete: resourceTencentCloudTseCngwNetworkAccessControlDelete,
+ Importer: &schema.ResourceImporter{
+ State: schema.ImportStatePassthrough,
+ },
+ Schema: map[string]*schema.Schema{
+ "gateway_id": {
+ Required: true,
+ ForceNew: true,
+ Type: schema.TypeString,
+ Description: "gateway ID.",
+ },
+
+ "group_id": {
+ Required: true,
+ ForceNew: true,
+ Type: schema.TypeString,
+ Description: "gateway group ID.",
+ },
+
+ "network_id": {
+ Required: true,
+ ForceNew: true,
+ Type: schema.TypeString,
+ Description: "network id.",
+ },
+
+ "access_control": {
+ Type: schema.TypeList,
+ MaxItems: 1,
+ Optional: true,
+ Description: "access control policy.",
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "mode": {
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ Description: "Access mode: `Whitelist`, `Blacklist`.",
+ },
+ "cidr_white_list": {
+ Type: schema.TypeList,
+ Optional: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Description: "White list.",
+ },
+ "cidr_black_list": {
+ Type: schema.TypeList,
+ Optional: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Description: "Black list.",
+ },
+ },
+ },
+ },
+ },
+ }
+}
+
+func resourceTencentCloudTseCngwNetworkAccessControlCreate(d *schema.ResourceData, meta interface{}) error {
+ defer tccommon.LogElapsed("resource.tencentcloud_tse_cngw_network_access_control.create")()
+ defer tccommon.InconsistentCheck(d, meta)()
+
+ var (
+ gatewayId string
+ groupId string
+ networkId string
+ )
+ if v, ok := d.GetOk("gateway_id"); ok {
+ gatewayId = v.(string)
+ }
+ if v, ok := d.GetOk("group_id"); ok {
+ groupId = v.(string)
+ }
+ if v, ok := d.GetOk("network_id"); ok {
+ networkId = v.(string)
+ }
+ d.SetId(gatewayId + tccommon.FILED_SP + groupId + tccommon.FILED_SP + networkId)
+
+ return resourceTencentCloudTseCngwNetworkAccessControlUpdate(d, meta)
+}
+
+func resourceTencentCloudTseCngwNetworkAccessControlRead(d *schema.ResourceData, meta interface{}) error {
+ defer tccommon.LogElapsed("resource.tencentcloud_tse_cngw_network_access_control.read")()
+ defer tccommon.InconsistentCheck(d, meta)()
+
+ logId := tccommon.GetLogId(tccommon.ContextNil)
+ ctx := context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
+
+ service := TseService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
+
+ idSplit := strings.Split(d.Id(), tccommon.FILED_SP)
+ if len(idSplit) != 3 {
+ return fmt.Errorf("id is broken,%s", d.Id())
+ }
+ gatewayId := idSplit[0]
+ groupId := idSplit[1]
+ networkId := idSplit[2]
+
+ cngwNetwork, err := service.DescribeTseCngwNetworkById(ctx, gatewayId, groupId, networkId)
+ if err != nil {
+ return err
+ }
+
+ if cngwNetwork == nil {
+ d.SetId("")
+ log.Printf("[WARN]%s resource `TseCngwNetworkAccessControl` [%s] not found, please check if it has been deleted.\n", logId, d.Id())
+ return nil
+ }
+
+ _ = d.Set("gateway_id", gatewayId)
+ _ = d.Set("group_id", groupId)
+ _ = d.Set("network_id", networkId)
+
+ if cngwNetwork.PublicNetwork != nil {
+ internetConfig := cngwNetwork.PublicNetwork
+ if internetConfig.AccessControl != nil {
+ accessControlMap := map[string]interface{}{}
+
+ accessControl := internetConfig.AccessControl
+ if accessControl.Mode != nil {
+ accessControlMap["mode"] = accessControl.Mode
+ }
+ if accessControl.Mode != nil {
+ accessControlMap["cidr_white_list"] = accessControl.CidrWhiteList
+ }
+ if accessControl.Mode != nil {
+ accessControlMap["cidr_black_list"] = accessControl.CidrBlackList
+ }
+ _ = d.Set("access_control", []interface{}{accessControlMap})
+ }
+ }
+
+ return nil
+}
+
+func resourceTencentCloudTseCngwNetworkAccessControlUpdate(d *schema.ResourceData, meta interface{}) error {
+ defer tccommon.LogElapsed("resource.tencentcloud_tse_cngw_network_access_control.update")()
+ defer tccommon.InconsistentCheck(d, meta)()
+
+ logId := tccommon.GetLogId(tccommon.ContextNil)
+ ctx := context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
+
+ request := tse.NewModifyNetworkAccessStrategyRequest()
+
+ idSplit := strings.Split(d.Id(), tccommon.FILED_SP)
+ if len(idSplit) != 3 {
+ return fmt.Errorf("id is broken,%s", d.Id())
+ }
+ gatewayId := idSplit[0]
+ groupId := idSplit[1]
+ networkId := idSplit[2]
+
+ service := TseService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
+ cngwNetwork, err := service.DescribeTseCngwNetworkById(ctx, gatewayId, groupId, networkId)
+ if err != nil {
+ return err
+ }
+ if cngwNetwork == nil {
+ return fmt.Errorf("[WARN]%s resource `TseCngwNetworkAccessControl` [%s] not found, please check if it has been deleted.\n", logId, d.Id())
+ }
+
+ request.GatewayId = helper.String(gatewayId)
+ request.GroupId = helper.String(groupId)
+ // The interface only supports public network
+ request.NetworkType = helper.String("Open")
+ request.Vip = cngwNetwork.PublicNetwork.Vip
+
+ if d.HasChange("access_control") {
+ if dMap, ok := helper.InterfacesHeadMap(d, "access_control"); ok {
+ accessControl := tse.NetworkAccessControl{}
+ if v, ok := dMap["mode"]; ok {
+ accessControl.Mode = helper.String(v.(string))
+ }
+ if v, ok := dMap["cidr_white_list"]; ok {
+ whitelist := v.([]interface{})
+ accessControl.CidrWhiteList = helper.InterfacesStringsPoint(whitelist)
+ }
+ if v, ok := dMap["cidr_black_list"]; ok {
+ blacklist := v.([]interface{})
+ accessControl.CidrBlackList = helper.InterfacesStringsPoint(blacklist)
+ }
+ request.AccessControl = &accessControl
+ }
+ }
+
+ err = resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
+ result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseTseClient().ModifyNetworkAccessStrategy(request)
+ if e != nil {
+ return tccommon.RetryError(e)
+ } else {
+ log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
+ }
+ return nil
+ })
+ if err != nil {
+ log.Printf("[CRITAL]%s update tse cngwNetworkAccessStrategy failed, reason:%+v", logId, err)
+ return err
+ }
+
+ conf := tccommon.BuildStateChangeConf([]string{}, []string{"Open"}, 5*tccommon.ReadRetryTimeout, time.Second, service.TseCngwNetworkStateRefreshFunc(gatewayId, groupId, networkId, []string{}))
+
+ if _, e := conf.WaitForState(); e != nil {
+ return e
+ }
+
+ return resourceTencentCloudTseCngwNetworkAccessControlRead(d, meta)
+}
+
+func resourceTencentCloudTseCngwNetworkAccessControlDelete(d *schema.ResourceData, meta interface{}) error {
+ defer tccommon.LogElapsed("resource.tencentcloud_tse_cngw_network_access_control.delete")()
+ defer tccommon.InconsistentCheck(d, meta)()
+
+ return nil
+}
diff --git a/tencentcloud/services/tse/resource_tc_tse_cngw_network_access_control.md b/tencentcloud/services/tse/resource_tc_tse_cngw_network_access_control.md
new file mode 100644
index 0000000000..802be65882
--- /dev/null
+++ b/tencentcloud/services/tse/resource_tc_tse_cngw_network_access_control.md
@@ -0,0 +1,23 @@
+Provides a resource to create a tse cngw_network_access_control
+
+Example Usage
+
+```hcl
+resource "tencentcloud_tse_cngw_network_access_control" "cngw_network_access_control" {
+ gateway_id = "gateway-cf8c99c3"
+ group_id = "group-a160d123"
+ network_id = "network-372b1e84"
+ access_control {
+ mode = "Whitelist"
+ cidr_white_list = ["1.1.1.0"]
+ }
+}
+```
+
+Import
+
+tse cngw_route_rate_limit can be imported using the id, e.g.
+
+```
+terraform import tencentcloud_tse_cngw_network_access_control.cngw_network_access_control gatewayId#groupId#networkId
+```
\ No newline at end of file
diff --git a/tencentcloud/services/tse/resource_tc_tse_cngw_network_access_control_test.go b/tencentcloud/services/tse/resource_tc_tse_cngw_network_access_control_test.go
new file mode 100644
index 0000000000..2697bd8101
--- /dev/null
+++ b/tencentcloud/services/tse/resource_tc_tse_cngw_network_access_control_test.go
@@ -0,0 +1,48 @@
+package tse_test
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ tcacctest "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/acctest"
+)
+
+func TestAccTencentCloudNeedFixTseCngwNetworkAccessControlResource_basic(t *testing.T) {
+ t.Parallel()
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ tcacctest.AccPreCheck(t)
+ },
+ Providers: tcacctest.AccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccTseCngwNetworkAccessControl,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttrSet("tencentcloud_tse_cngw_network_access_control.cngw_network_access_control", "id"),
+ resource.TestCheckResourceAttr("tencentcloud_tse_cngw_network_access_control.cngw_network_access_control", "access_control.#", "1"),
+ resource.TestCheckResourceAttr("tencentcloud_tse_cngw_network_access_control.cngw_network_access_control", "access_control.0.mode", "Whitelist"),
+ resource.TestCheckResourceAttr("tencentcloud_tse_cngw_network_access_control.cngw_network_access_control", "access_control.0.cidr_white_list.#", "1"),
+ ),
+ },
+ {
+ ResourceName: "tencentcloud_tse_cngw_network_access_control.cngw_network_access_control",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
+const testAccTseCngwNetworkAccessControl = `
+
+resource "tencentcloud_tse_cngw_network_access_control" "cngw_network_access_control" {
+ gateway_id = "gateway-cf1790c7"
+ group_id = "group-d8d99615"
+ network_id = "network-9cd9821f"
+ access_control {
+ mode = "Whitelist"
+ cidr_white_list = ["1.1.1.0"]
+ }
+ }
+
+`
diff --git a/website/docs/r/tse_cngw_network_access_control.html.markdown b/website/docs/r/tse_cngw_network_access_control.html.markdown
new file mode 100644
index 0000000000..bdf84b4e7d
--- /dev/null
+++ b/website/docs/r/tse_cngw_network_access_control.html.markdown
@@ -0,0 +1,58 @@
+---
+subcategory: "Tencent Cloud Service Engine(TSE)"
+layout: "tencentcloud"
+page_title: "TencentCloud: tencentcloud_tse_cngw_network_access_control"
+sidebar_current: "docs-tencentcloud-resource-tse_cngw_network_access_control"
+description: |-
+ Provides a resource to create a tse cngw_network_access_control
+---
+
+# tencentcloud_tse_cngw_network_access_control
+
+Provides a resource to create a tse cngw_network_access_control
+
+## Example Usage
+
+```hcl
+resource "tencentcloud_tse_cngw_network_access_control" "cngw_network_access_control" {
+ gateway_id = "gateway-cf8c99c3"
+ group_id = "group-a160d123"
+ network_id = "network-372b1e84"
+ access_control {
+ mode = "Whitelist"
+ cidr_white_list = ["1.1.1.0"]
+ }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `gateway_id` - (Required, String, ForceNew) gateway ID.
+* `group_id` - (Required, String, ForceNew) gateway group ID.
+* `network_id` - (Required, String, ForceNew) network id.
+* `access_control` - (Optional, List) access control policy.
+
+The `access_control` object supports the following:
+
+* `cidr_black_list` - (Optional, List) Black list.
+* `cidr_white_list` - (Optional, List) White list.
+* `mode` - (Optional, String) Access mode: `Whitelist`, `Blacklist`.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - ID of the resource.
+
+
+
+## Import
+
+tse cngw_route_rate_limit can be imported using the id, e.g.
+
+```
+terraform import tencentcloud_tse_cngw_network_access_control.cngw_network_access_control gatewayId#groupId#networkId
+```
+
diff --git a/website/tencentcloud.erb b/website/tencentcloud.erb
index 92074bdab9..c99fd73d39 100644
--- a/website/tencentcloud.erb
+++ b/website/tencentcloud.erb
@@ -4397,6 +4397,9 @@
tencentcloud_tse_cngw_network
+
+ tencentcloud_tse_cngw_network_access_control
+
tencentcloud_tse_cngw_route