diff --git a/.changelog/3082.txt b/.changelog/3082.txt
new file mode 100644
index 0000000000..4c00709760
--- /dev/null
+++ b/.changelog/3082.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_clb_listener_rule: support `multi_cert_info`
+```
diff --git a/tencentcloud/services/clb/resource_tc_clb_listener.go b/tencentcloud/services/clb/resource_tc_clb_listener.go
index 2152238607..34c07aab51 100644
--- a/tencentcloud/services/clb/resource_tc_clb_listener.go
+++ b/tencentcloud/services/clb/resource_tc_clb_listener.go
@@ -383,7 +383,7 @@ func resourceTencentCloudClbListenerCreate(d *schema.ResourceData, meta interfac
 if vv {
 vvv = 1
 } else {
-if !certificateSetFlag {
+if !certificateSetFlag && !multiCertificateSetFlag {
 return fmt.Errorf("[CHECK][CLB listener][Create] check: certificated need to be set when protocol is HTTPS")
 }
 }
diff --git a/tencentcloud/services/clb/resource_tc_clb_listener_rule.go b/tencentcloud/services/clb/resource_tc_clb_listener_rule.go
index 323b8c1e22..a5e5f912a5 100644
--- a/tencentcloud/services/clb/resource_tc_clb_listener_rule.go
+++ b/tencentcloud/services/clb/resource_tc_clb_listener_rule.go
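Review bot: The error on the line after the new condition still tells the user only that a certificate must be set, although the condition now also accepts the multi-certificate block, so a user who gets this message has no hint that a second form exists; `return fmt.Errorf("[CHECK][CLB listener][Create] check: certificate or multi_cert_info need to be set when protocol is HTTPS")` names both and fixes the pre-existing "certificated" typo. `multiCertificateSetFlag` is presumably computed in the part of the function not shown; resourceTencentCloudClbListenerCreate starts and ends outside the hunk.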
@@ -134,21 +134,48 @@ func ResourceTencentCloudClbListenerRule() *schema.Resource {
 Description: "Methods of health check. NOTES: Only supports listeners of `HTTP` and `HTTPS` protocol. The default is `HEAD`, the available value are `HEAD` and `GET`.",
 },
 "certificate_ssl_mode": {
-Type: schema.TypeString,
-Optional: true,
-ForceNew: true,
-ValidateFunc: tccommon.ValidateAllowedStringValue(CERT_SSL_MODE),
-Description: "Type of certificate. Valid values: `UNIDIRECTIONAL`, `MUTUAL`. NOTES: Only supports listeners of HTTPS protocol.",
+Type: schema.TypeString,
+Optional: true,
+ForceNew: true,
+ConflictsWith: []string{"multi_cert_info"},
+ValidateFunc: tccommon.ValidateAllowedStringValue(CERT_SSL_MODE),
+Description: "Type of certificate. Valid values: `UNIDIRECTIONAL`, `MUTUAL`. NOTES: Only supports listeners of HTTPS protocol.",
 },
 "certificate_id": {
-Type: schema.TypeString,
-Optional: true,
-Description: "ID of the server certificate. NOTES: Only supports listeners of HTTPS protocol.",
+Type: schema.TypeString,
+Optional: true,
+ConflictsWith: []string{"multi_cert_info"},
+Description: "ID of the server certificate. NOTES: Only supports listeners of HTTPS protocol.",
 },
 "certificate_ca_id": {
-Type: schema.TypeString,
-Optional: true,
-Description: "ID of the client certificate. NOTES: Only supports listeners of HTTPS protocol.",
+Type: schema.TypeString,
+Optional: true,
+ConflictsWith: []string{"multi_cert_info"},
+Description: "ID of the client certificate. NOTES: Only supports listeners of HTTPS protocol.",
+},
+"multi_cert_info": {
+Type: schema.TypeList,
+Optional: true,
+MaxItems: 1,
+ConflictsWith: []string{"certificate_ssl_mode", "certificate_id", "certificate_ca_id"},
+Description: "Certificate information. You can specify multiple server-side certificates with different algorithm types. This parameter is only applicable to HTTPS listeners with the SNI feature not enabled. Certificate and MultiCertInfo cannot be specified at the same time.",
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"ssl_mode": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+ValidateFunc: tccommon.ValidateAllowedStringValue(CERT_SSL_MODE),
+Description: "Authentication type. Values: UNIDIRECTIONAL (one-way authentication), MUTUAL (two-way authentication).",
+},
+"cert_id_list": {
+Type: schema.TypeSet,
+Required: true,
+Description: "List of server certificate ID.",
+Elem: &schema.Schema{Type: schema.TypeString},
+},
+},
+},
 },
 "session_expire_time": {
 Type: schema.TypeInt,
@@ -332,6 +359,19 @@ func resourceTencentCloudClbListenerRuleCreate(d *schema.ResourceData, meta inte
 rule.Certificate = certificateInput
 }
 
+multiCertificateSetFlag, multiCertInput, certErr := checkMultiCertificateInputPara(ctx, d, meta)
+if certErr != nil {
+return certErr
+}
+
+if multiCertificateSetFlag {
+rule.MultiCertInfo = multiCertInput
+} else {
+if protocol == CLB_LISTENER_PROTOCOL_TCPSSL {
+return fmt.Errorf("[CHECK][CLB listener][Create] check: certificated need to be set when protocol is HTTPS")
+}
+}
+
 if v, ok := d.GetOkExists("quic"); ok {
 rule.Quic = helper.Bool(v.(bool))
 }
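Review bot: `cert_id_list` is `Required` but carries no `MinItems`, so `cert_id_list = []` passes plan-time validation and is only rejected by the API at apply; adding `MinItems: 1,` next to `Required: true` in the `cert_id_list` schema surfaces the mistake at plan. The nested block has no CA-certificate field, whereas the single-certificate form has `certificate_ca_id`; if `ssl_mode = "MUTUAL"` needs a client CA on the service side (not verifiable from this hunk), the block cannot express a working mutual-TLS configuration, and either the `ssl_mode` description should say so or a CA field should be added. `ForceNew` sits on the nested `ssl_mode` but not on `multi_cert_info` itself, so changing the mode replaces the rule while editing the ID list updates in place, mirroring the top-level attributes; a one-line comment above `"ssl_mode"` stating that intent would stop a later reader from "fixing" it.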
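Review bot: The new `else` branch rejects a TCP_SSL rule whenever `multi_cert_info` is absent, even when the single-certificate form was accepted just above it (`rule.Certificate = certificateInput`), so a configuration that uses `certificate_id` on that protocol now fails at this line; the check should consider both forms, as the listener.go hunk in this commit does, e.g. `if !certificateSetFlag && !multiCertificateSetFlag && protocol == CLB_LISTENER_PROTOCOL_TCPSSL {` (assuming `certificateSetFlag` is the name used by the preceding block, which lies outside the hunk). The message says "when protocol is HTTPS" while the condition tests `CLB_LISTENER_PROTOCOL_TCPSSL`; one of the two should change so the user sees the protocol actually being checked. The same else branch is repeated in the Update hunk of this file, where it also fires when `multi_cert_info` is removed from the config while the single-certificate attributes remain. resourceTencentCloudClbListenerRuleCreate begins and ends outside the hunk.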
@@ -576,12 +616,35 @@ func resourceTencentCloudClbListenerRuleRead(d *schema.ResourceData, meta interf
 }
 
 if instance.Certificate != nil {
-_ = d.Set("certificate_ssl_mode", instance.Certificate.SSLMode)
-_ = d.Set("certificate_id", instance.Certificate.CertId)
-if instance.Certificate.CertCaId != nil {
-_ = d.Set("certificate_ca_id", instance.Certificate.CertCaId)
+// check single cert or multi cert
+if instance.Certificate.ExtCertIds != nil && len(instance.Certificate.ExtCertIds) > 0 {
+multiCertInfo := make([]map[string]interface{}, 0, 1)
+multiCert := make(map[string]interface{}, 0)
+certIds := make([]string, 0)
+if instance.Certificate.SSLMode != nil {
+multiCert["ssl_mode"] = *instance.Certificate.SSLMode
+}
+
+if instance.Certificate.CertId != nil {
+certIds = append(certIds, *instance.Certificate.CertId)
+}
+
+for _, item := range instance.Certificate.ExtCertIds {
+certIds = append(certIds, *item)
+}
+
+multiCert["cert_id_list"] = certIds
+multiCertInfo = append(multiCertInfo, multiCert)
+_ = d.Set("multi_cert_info", multiCertInfo)
+} else {
+_ = d.Set("certificate_ssl_mode", instance.Certificate.SSLMode)
+_ = d.Set("certificate_id", instance.Certificate.CertId)
+if instance.Certificate.CertCaId != nil {
+_ = d.Set("certificate_ca_id", instance.Certificate.CertCaId)
+}
 }
 }
+
 if instance.OAuth != nil {
 oath := make(map[string]interface{})
 if instance.OAuth.OAuthEnable != nil {
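Review bot: The branch choice on the new `if instance.Certificate.ExtCertIds != nil && len(...) > 0` line is driven solely by the API response, so a `multi_cert_info` block that lists a single certificate (if the service then reports only `CertId` with no `ExtCertIds`, which this hunk cannot confirm) is written back into `certificate_ssl_mode`/`certificate_id`, and every plan shows a diff moving the certificate between the two conflicting attributes. Keying the branch on what the configuration uses as well, e.g. `if _, ok := d.GetOk("multi_cert_info"); ok || len(instance.Certificate.ExtCertIds) > 0 {`, keeps state in the shape the user declared while still falling back to the API view on import. Neither branch clears the other form's attributes, so after a user switches between the forms the previous form's values stay in state and produce a spurious diff; setting the unused form to `nil` in each branch avoids that. The `!= nil` test before `len(...) > 0` is redundant since `len` of a nil slice is 0, and `*item` will panic on a nil element if the SDK ever returns one.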
@@ -767,6 +830,22 @@ func resourceTencentCloudClbListenerRuleUpdate(d *schema.ResourceData, meta inte
 }
 }
 
+if d.HasChange("multi_cert_info") {
+domainChanged = true
+multiCertificateSetFlag, multiCertInput, certErr := checkMultiCertificateInputPara(ctx, d, meta)
+if certErr != nil {
+return certErr
+}
+
+if multiCertificateSetFlag {
+domainRequest.MultiCertInfo = multiCertInput
+} else {
+if protocol == CLB_LISTENER_PROTOCOL_TCPSSL {
+return fmt.Errorf("[CHECK][CLB listener][Create] check: certificated need to be set when protocol is HTTPS")
+}
+}
+}
+
 if d.HasChange("http2_switch") {
 if v, ok := d.GetOkExists("http2_switch"); ok {
 if !(protocol == CLB_LISTENER_PROTOCOL_HTTPS) {
diff --git a/tencentcloud/services/clb/resource_tc_clb_listener_rule.md b/tencentcloud/services/clb/resource_tc_clb_listener_rule.md
index bca927ffd2..14f2bcc2d3 100644
--- a/tencentcloud/services/clb/resource_tc_clb_listener_rule.md
+++ b/tencentcloud/services/clb/resource_tc_clb_listener_rule.md
@@ -48,6 +48,13 @@ resource "tencentcloud_clb_listener_rule" "example" {
 health_check_http_domain = "check.com"
 health_check_http_method = "GET"
 scheduler = "WRR"
+multi_cert_info {
+ssl_mode = "UNIDIRECTIONAL"
+cert_id_list = [
+"LCYouprI",
+"JVO1alRN",
+]
+}
 }
 ```
 
diff --git a/website/docs/r/clb_listener_rule.html.markdown b/website/docs/r/clb_listener_rule.html.markdown
index f7ab9e0fa8..1b93e48a07 100644
--- a/website/docs/r/clb_listener_rule.html.markdown
+++ b/website/docs/r/clb_listener_rule.html.markdown
@@ -59,6 +59,13 @@ resource "tencentcloud_clb_listener_rule" "example" {
 health_check_http_domain = "check.com"
 health_check_http_method = "GET"
 scheduler = "WRR"
+multi_cert_info {
+ssl_mode = "UNIDIRECTIONAL"
+cert_id_list = [
+"LCYouprI",
+"JVO1alRN",
+]
+}
 }
 ```
 
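Review bot: The error raised inside the new `d.HasChange("multi_cert_info")` block is labelled `[Create]` although it comes from resourceTencentCloudClbListenerRuleUpdate, so a user who hits it during an update is pointed at the wrong phase; `return fmt.Errorf("[CHECK][CLB listener][Update] check: certificate need to be set when protocol is HTTPS")` is the message this path should carry. `domainChanged = true` is set before the input check can fail; that is harmless because the error returns immediately, but assigning it after `checkMultiCertificateInputPara` succeeds reads more clearly. The function starts and ends outside the hunk.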
@@ -87,12 +94,18 @@ The following arguments are supported:
 * `health_check_type` - (Optional, String) Type of health check. Valid value is `CUSTOM`, `PING`, `TCP`, `HTTP`, `HTTPS`, `GRPC`, `GRPCS`.
 * `health_check_unhealth_num` - (Optional, Int) Unhealthy threshold of health check, and the default is `3`. If the unhealthy result is returned 3 consecutive times, indicates that the forwarding is abnormal. The value range is [2-10]. NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
 * `http2_switch` - (Optional, Bool) Indicate to apply HTTP2.0 protocol or not.
+* `multi_cert_info` - (Optional, List) Certificate information. You can specify multiple server-side certificates with different algorithm types. This parameter is only applicable to HTTPS listeners with the SNI feature not enabled. Certificate and MultiCertInfo cannot be specified at the same time.
 * `oauth` - (Optional, List) OAuth configuration information.
 * `quic` - (Optional, Bool) Whether to enable QUIC. Note: QUIC can be enabled only for HTTPS domain names.
 * `scheduler` - (Optional, String) Scheduling method of the CLB listener rules. Valid values: `WRR`, `IP HASH`, `LEAST_CONN`. The default is `WRR`. NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
 * `session_expire_time` - (Optional, Int) Time of session persistence within the CLB listener. NOTES: Available when scheduler is specified as `WRR`, and not available when listener protocol is `TCP_SSL`. NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
 * `target_type` - (Optional, String, ForceNew) Backend target type. Valid values: `NODE`, `TARGETGROUP`. `NODE` means to bind ordinary nodes, `TARGETGROUP` means to bind target group.
 
+The `multi_cert_info` object supports the following:
+
+* `cert_id_list` - (Required, Set) List of server certificate ID.
+* `ssl_mode` - (Required, String, ForceNew) Authentication type. Values: UNIDIRECTIONAL (one-way authentication), MUTUAL (two-way authentication).
+
 The `oauth` object supports the following:
 
 * `oauth_enable` - (Optional, Bool) Enable or disable authentication. True: Enabled; False: Disabled.