tencentcloudstack · hellertang · Jan 21, 2025 · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025
diff --git a/.changelog/3082.txt b/.changelog/3082.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_clb_listener_rule: support `multi_cert_info`
+```
diff --git a/tencentcloud/services/clb/resource_tc_clb_listener.go b/tencentcloud/services/clb/resource_tc_clb_listener.go
@@ -383,7 +383,7 @@ func resourceTencentCloudClbListenerCreate(d *schema.ResourceData, meta interfac
 			if vv {
 				vvv = 1
 			} else {
-				if !certificateSetFlag {
+				if !certificateSetFlag && !multiCertificateSetFlag {
 					return fmt.Errorf("[CHECK][CLB listener][Create] check: certificated need to be set when protocol is HTTPS")
 				}
 			}

diff --git a/tencentcloud/services/clb/resource_tc_clb_listener_rule.go b/tencentcloud/services/clb/resource_tc_clb_listener_rule.go
@@ -134,21 +134,48 @@ func ResourceTencentCloudClbListenerRule() *schema.Resource {
 				Description:  "Methods of health check. NOTES: Only supports listeners of `HTTP` and `HTTPS` protocol. The default is `HEAD`, the available value are `HEAD` and `GET`.",
 			},
 			"certificate_ssl_mode": {
-				Type:         schema.TypeString,
-				Optional:     true,
-				ForceNew:     true,
-				ValidateFunc: tccommon.ValidateAllowedStringValue(CERT_SSL_MODE),
-				Description:  "Type of certificate. Valid values: `UNIDIRECTIONAL`, `MUTUAL`. NOTES: Only supports listeners of HTTPS protocol.",
+				Type:          schema.TypeString,
+				Optional:      true,
+				ForceNew:      true,
+				ConflictsWith: []string{"multi_cert_info"},
+				ValidateFunc:  tccommon.ValidateAllowedStringValue(CERT_SSL_MODE),
+				Description:   "Type of certificate. Valid values: `UNIDIRECTIONAL`, `MUTUAL`. NOTES: Only supports listeners of HTTPS protocol.",
 			},
 			"certificate_id": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Description: "ID of the server certificate. NOTES: Only supports listeners of HTTPS protocol.",
+				Type:          schema.TypeString,
+				Optional:      true,
+				ConflictsWith: []string{"multi_cert_info"},
+				Description:   "ID of the server certificate. NOTES: Only supports listeners of HTTPS protocol.",
 			},
 			"certificate_ca_id": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Description: "ID of the client certificate. NOTES: Only supports listeners of HTTPS protocol.",
+				Type:          schema.TypeString,
+				Optional:      true,
+				ConflictsWith: []string{"multi_cert_info"},
+				Description:   "ID of the client certificate. NOTES: Only supports listeners of HTTPS protocol.",
+			},
+			"multi_cert_info": {
+				Type:          schema.TypeList,
+				Optional:      true,
+				MaxItems:      1,
+				ConflictsWith: []string{"certificate_ssl_mode", "certificate_id", "certificate_ca_id"},
+				Description:   "Certificate information. You can specify multiple server-side certificates with different algorithm types. This parameter is only applicable to HTTPS listeners with the SNI feature not enabled. Certificate and MultiCertInfo cannot be specified at the same time.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"ssl_mode": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ForceNew:     true,
+							ValidateFunc: tccommon.ValidateAllowedStringValue(CERT_SSL_MODE),
+							Description:  "Authentication type. Values: UNIDIRECTIONAL (one-way authentication), MUTUAL (two-way authentication).",
+						},
+						"cert_id_list": {
+							Type:        schema.TypeSet,
+							Required:    true,
+							Description: "List of server certificate ID.",
+							Elem:        &schema.Schema{Type: schema.TypeString},
+						},
+					},
+				},
 			},
 			"session_expire_time": {
 				Type:         schema.TypeInt,
@@ -332,6 +359,19 @@ func resourceTencentCloudClbListenerRuleCreate(d *schema.ResourceData, meta inte
 		rule.Certificate = certificateInput
 	}
 
+	multiCertificateSetFlag, multiCertInput, certErr := checkMultiCertificateInputPara(ctx, d, meta)
+	if certErr != nil {
+		return certErr
+	}
+
+	if multiCertificateSetFlag {
+		rule.MultiCertInfo = multiCertInput
+	} else {
+		if protocol == CLB_LISTENER_PROTOCOL_TCPSSL {
+			return fmt.Errorf("[CHECK][CLB listener][Create] check: certificated need to be set when protocol is HTTPS")
+		}
+	}
+
 	if v, ok := d.GetOkExists("quic"); ok {
 		rule.Quic = helper.Bool(v.(bool))
 	}
@@ -576,12 +616,35 @@ func resourceTencentCloudClbListenerRuleRead(d *schema.ResourceData, meta interf
 	}
 
 	if instance.Certificate != nil {
-		_ = d.Set("certificate_ssl_mode", instance.Certificate.SSLMode)
-		_ = d.Set("certificate_id", instance.Certificate.CertId)
-		if instance.Certificate.CertCaId != nil {
-			_ = d.Set("certificate_ca_id", instance.Certificate.CertCaId)
+		// check single cert or multi cert
+		if instance.Certificate.ExtCertIds != nil && len(instance.Certificate.ExtCertIds) > 0 {
+			multiCertInfo := make([]map[string]interface{}, 0, 1)
+			multiCert := make(map[string]interface{}, 0)
+			certIds := make([]string, 0)
+			if instance.Certificate.SSLMode != nil {
+				multiCert["ssl_mode"] = *instance.Certificate.SSLMode
+			}
+
+			if instance.Certificate.CertId != nil {
+				certIds = append(certIds, *instance.Certificate.CertId)
+			}
+
+			for _, item := range instance.Certificate.ExtCertIds {
+				certIds = append(certIds, *item)
+			}
+
+			multiCert["cert_id_list"] = certIds
+			multiCertInfo = append(multiCertInfo, multiCert)
+			_ = d.Set("multi_cert_info", multiCertInfo)
+		} else {
+			_ = d.Set("certificate_ssl_mode", instance.Certificate.SSLMode)
+			_ = d.Set("certificate_id", instance.Certificate.CertId)
+			if instance.Certificate.CertCaId != nil {
+				_ = d.Set("certificate_ca_id", instance.Certificate.CertCaId)
+			}
 		}
 	}
+
 	if instance.OAuth != nil {
 		oath := make(map[string]interface{})
 		if instance.OAuth.OAuthEnable != nil {
@@ -767,6 +830,22 @@ func resourceTencentCloudClbListenerRuleUpdate(d *schema.ResourceData, meta inte
 		}
 	}
 
+	if d.HasChange("multi_cert_info") {
+		domainChanged = true
+		multiCertificateSetFlag, multiCertInput, certErr := checkMultiCertificateInputPara(ctx, d, meta)
+		if certErr != nil {
+			return certErr
+		}
+
+		if multiCertificateSetFlag {
+			domainRequest.MultiCertInfo = multiCertInput
+		} else {
+			if protocol == CLB_LISTENER_PROTOCOL_TCPSSL {
+				return fmt.Errorf("[CHECK][CLB listener][Create] check: certificated need to be set when protocol is HTTPS")
+			}
+		}
+	}
+
 	if d.HasChange("http2_switch") {
 		if v, ok := d.GetOkExists("http2_switch"); ok {
 			if !(protocol == CLB_LISTENER_PROTOCOL_HTTPS) {

diff --git a/tencentcloud/services/clb/resource_tc_clb_listener_rule.md b/tencentcloud/services/clb/resource_tc_clb_listener_rule.md
@@ -48,6 +48,13 @@ resource "tencentcloud_clb_listener_rule" "example" {
   health_check_http_domain   = "check.com"
   health_check_http_method   = "GET"
   scheduler                  = "WRR"
+  multi_cert_info {
+    ssl_mode = "UNIDIRECTIONAL"
+    cert_id_list = [
+      "LCYouprI",
+      "JVO1alRN",
+    ]
+  }
 }
 ```
 

diff --git a/website/docs/r/clb_listener_rule.html.markdown b/website/docs/r/clb_listener_rule.html.markdown
@@ -59,6 +59,13 @@ resource "tencentcloud_clb_listener_rule" "example" {
   health_check_http_domain   = "check.com"
   health_check_http_method   = "GET"
   scheduler                  = "WRR"
+  multi_cert_info {
+    ssl_mode = "UNIDIRECTIONAL"
+    cert_id_list = [
+      "LCYouprI",
+      "JVO1alRN",
+    ]
+  }
 }
 ```
 
@@ -87,12 +94,18 @@ The following arguments are supported:
 * `health_check_type` - (Optional, String) Type of health check. Valid value is `CUSTOM`, `PING`, `TCP`, `HTTP`, `HTTPS`, `GRPC`, `GRPCS`.
 * `health_check_unhealth_num` - (Optional, Int) Unhealthy threshold of health check, and the default is `3`. If the unhealthy result is returned 3 consecutive times, indicates that the forwarding is abnormal. The value range is [2-10].  NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
 * `http2_switch` - (Optional, Bool) Indicate to apply HTTP2.0 protocol or not.
+* `multi_cert_info` - (Optional, List) Certificate information. You can specify multiple server-side certificates with different algorithm types. This parameter is only applicable to HTTPS listeners with the SNI feature not enabled. Certificate and MultiCertInfo cannot be specified at the same time.
 * `oauth` - (Optional, List) OAuth configuration information.
 * `quic` - (Optional, Bool) Whether to enable QUIC. Note: QUIC can be enabled only for HTTPS domain names.
 * `scheduler` - (Optional, String) Scheduling method of the CLB listener rules. Valid values: `WRR`, `IP HASH`, `LEAST_CONN`. The default is `WRR`.  NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
 * `session_expire_time` - (Optional, Int) Time of session persistence within the CLB listener. NOTES: Available when scheduler is specified as `WRR`, and not available when listener protocol is `TCP_SSL`.  NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
 * `target_type` - (Optional, String, ForceNew) Backend target type. Valid values: `NODE`, `TARGETGROUP`. `NODE` means to bind ordinary nodes, `TARGETGROUP` means to bind target group.
 
+The `multi_cert_info` object supports the following:
+
+* `cert_id_list` - (Required, Set) List of server certificate ID.
+* `ssl_mode` - (Required, String, ForceNew) Authentication type. Values: UNIDIRECTIONAL (one-way authentication), MUTUAL (two-way authentication).
+
 The `oauth` object supports the following:
 
 * `oauth_enable` - (Optional, Bool) Enable or disable authentication. True: Enabled; False: Disabled.