
fix(clb): [123123123]tencentcloud_clb_listener_rule support multi_cert_info #3082


Merged
merged 3 commits into from
Jan 21, 2025
Merged
3 changes: 3 additions & 0 deletions .changelog/3082.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
resource/tencentcloud_clb_listener_rule: support `multi_cert_info`
```
2 changes: 1 addition & 1 deletion tencentcloud/services/clb/resource_tc_clb_listener.go
Original file line number Diff line number Diff line change
Expand Up @@ -383,7 +383,7 @@ func resourceTencentCloudClbListenerCreate(d *schema.ResourceData, meta interfac
if vv {
vvv = 1
} else {
if !certificateSetFlag {
if !certificateSetFlag && !multiCertificateSetFlag {
return fmt.Errorf("[CHECK][CLB listener][Create] check: certificated need to be set when protocol is HTTPS")
}
}
Expand Down
109 changes: 94 additions & 15 deletions tencentcloud/services/clb/resource_tc_clb_listener_rule.go
Original file line number Diff line number Diff line change
Expand Up @@ -134,21 +134,48 @@ func ResourceTencentCloudClbListenerRule() *schema.Resource {
Description: "Methods of health check. NOTES: Only supports listeners of `HTTP` and `HTTPS` protocol. The default is `HEAD`, the available value are `HEAD` and `GET`.",
},
"certificate_ssl_mode": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
ValidateFunc: tccommon.ValidateAllowedStringValue(CERT_SSL_MODE),
Description: "Type of certificate. Valid values: `UNIDIRECTIONAL`, `MUTUAL`. NOTES: Only supports listeners of HTTPS protocol.",
Type: schema.TypeString,
Optional: true,
ForceNew: true,
ConflictsWith: []string{"multi_cert_info"},
ValidateFunc: tccommon.ValidateAllowedStringValue(CERT_SSL_MODE),
Description: "Type of certificate. Valid values: `UNIDIRECTIONAL`, `MUTUAL`. NOTES: Only supports listeners of HTTPS protocol.",
},
"certificate_id": {
Type: schema.TypeString,
Optional: true,
Description: "ID of the server certificate. NOTES: Only supports listeners of HTTPS protocol.",
Type: schema.TypeString,
Optional: true,
ConflictsWith: []string{"multi_cert_info"},
Description: "ID of the server certificate. NOTES: Only supports listeners of HTTPS protocol.",
},
"certificate_ca_id": {
Type: schema.TypeString,
Optional: true,
Description: "ID of the client certificate. NOTES: Only supports listeners of HTTPS protocol.",
Type: schema.TypeString,
Optional: true,
ConflictsWith: []string{"multi_cert_info"},
Description: "ID of the client certificate. NOTES: Only supports listeners of HTTPS protocol.",
},
"multi_cert_info": {
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
ConflictsWith: []string{"certificate_ssl_mode", "certificate_id", "certificate_ca_id"},
Description: "Certificate information. You can specify multiple server-side certificates with different algorithm types. This parameter is only applicable to HTTPS listeners with the SNI feature not enabled. Certificate and MultiCertInfo cannot be specified at the same time.",
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"ssl_mode": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
ValidateFunc: tccommon.ValidateAllowedStringValue(CERT_SSL_MODE),
Description: "Authentication type. Values: UNIDIRECTIONAL (one-way authentication), MUTUAL (two-way authentication).",
},
"cert_id_list": {
Type: schema.TypeSet,
Required: true,
Description: "List of server certificate ID.",
Elem: &schema.Schema{Type: schema.TypeString},
},
},
},
},
"session_expire_time": {
Type: schema.TypeInt,
Expand Down Expand Up @@ -332,6 +359,19 @@ func resourceTencentCloudClbListenerRuleCreate(d *schema.ResourceData, meta inte
rule.Certificate = certificateInput
}

multiCertificateSetFlag, multiCertInput, certErr := checkMultiCertificateInputPara(ctx, d, meta)
if certErr != nil {
return certErr
}

if multiCertificateSetFlag {
rule.MultiCertInfo = multiCertInput
} else {
if protocol == CLB_LISTENER_PROTOCOL_TCPSSL {
return fmt.Errorf("[CHECK][CLB listener][Create] check: certificated need to be set when protocol is HTTPS")
}
}

if v, ok := d.GetOkExists("quic"); ok {
rule.Quic = helper.Bool(v.(bool))
}
Expand Down Expand Up @@ -576,12 +616,35 @@ func resourceTencentCloudClbListenerRuleRead(d *schema.ResourceData, meta interf
}

if instance.Certificate != nil {
_ = d.Set("certificate_ssl_mode", instance.Certificate.SSLMode)
_ = d.Set("certificate_id", instance.Certificate.CertId)
if instance.Certificate.CertCaId != nil {
_ = d.Set("certificate_ca_id", instance.Certificate.CertCaId)
// check single cert or multi cert
if instance.Certificate.ExtCertIds != nil && len(instance.Certificate.ExtCertIds) > 0 {
multiCertInfo := make([]map[string]interface{}, 0, 1)
multiCert := make(map[string]interface{}, 0)
certIds := make([]string, 0)
if instance.Certificate.SSLMode != nil {
multiCert["ssl_mode"] = *instance.Certificate.SSLMode
}

if instance.Certificate.CertId != nil {
certIds = append(certIds, *instance.Certificate.CertId)
}

for _, item := range instance.Certificate.ExtCertIds {
certIds = append(certIds, *item)
}

multiCert["cert_id_list"] = certIds
multiCertInfo = append(multiCertInfo, multiCert)
_ = d.Set("multi_cert_info", multiCertInfo)
} else {
_ = d.Set("certificate_ssl_mode", instance.Certificate.SSLMode)
_ = d.Set("certificate_id", instance.Certificate.CertId)
if instance.Certificate.CertCaId != nil {
_ = d.Set("certificate_ca_id", instance.Certificate.CertCaId)
}
}
}

if instance.OAuth != nil {
oath := make(map[string]interface{})
if instance.OAuth.OAuthEnable != nil {
Expand Down Expand Up @@ -767,6 +830,22 @@ func resourceTencentCloudClbListenerRuleUpdate(d *schema.ResourceData, meta inte
}
}

if d.HasChange("multi_cert_info") {
domainChanged = true
multiCertificateSetFlag, multiCertInput, certErr := checkMultiCertificateInputPara(ctx, d, meta)
if certErr != nil {
return certErr
}

if multiCertificateSetFlag {
domainRequest.MultiCertInfo = multiCertInput
} else {
if protocol == CLB_LISTENER_PROTOCOL_TCPSSL {
return fmt.Errorf("[CHECK][CLB listener][Create] check: certificated need to be set when protocol is HTTPS")
}
}
}

if d.HasChange("http2_switch") {
if v, ok := d.GetOkExists("http2_switch"); ok {
if !(protocol == CLB_LISTENER_PROTOCOL_HTTPS) {
Expand Down
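Review bot: The new guard in resourceTencentCloudClbListenerRuleCreate tests `protocol == CLB_LISTENER_PROTOCOL_TCPSSL` while its message says "certificated need to be set when protocol is HTTPS", and it never consults `certificateSetFlag`, so a rule that already carries a single `certificate_id` would still be rejected on that branch; it reads as a copy of the listener resource's check rather than a rule-level one. As far as I can tell listener rules only exist under HTTP/HTTPS listeners, so the branch is probably unreachable today, but it should either be dropped or made to match its message: `if !certificateSetFlag && !multiCertificateSetFlag && protocol == CLB_LISTENER_PROTOCOL_HTTPS {` with the message corrected to `certificate needs to be set`. The same block is repeated in resourceTencentCloudClbListenerRuleUpdate with the `[Create]` tag in its error string, which will mislead anyone reading logs from an update. In the Read hunk, state is written to `multi_cert_info` only when the API returns non-empty `ExtCertIds`, so a config with `multi_cert_info` holding a single certificate ID appears to be read back into `certificate_id`/`certificate_ssl_mode` instead and would produce a permanent plan diff; deciding by what the user configured (`d.GetOk("multi_cert_info")`) would avoid that. All three enclosing functions begin and end outside the shown hunks.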
7 changes: 7 additions & 0 deletions tencentcloud/services/clb/resource_tc_clb_listener_rule.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,13 @@ resource "tencentcloud_clb_listener_rule" "example" {
health_check_http_domain = "check.com"
health_check_http_method = "GET"
scheduler = "WRR"
multi_cert_info {
ssl_mode = "UNIDIRECTIONAL"
cert_id_list = [
"LCYouprI",
"JVO1alRN",
]
}
}
```

Expand Down
13 changes: 13 additions & 0 deletions website/docs/r/clb_listener_rule.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,13 @@ resource "tencentcloud_clb_listener_rule" "example" {
health_check_http_domain = "check.com"
health_check_http_method = "GET"
scheduler = "WRR"
multi_cert_info {
ssl_mode = "UNIDIRECTIONAL"
cert_id_list = [
"LCYouprI",
"JVO1alRN",
]
}
}
```

Expand Down Expand Up @@ -87,12 +94,18 @@ The following arguments are supported:
* `health_check_type` - (Optional, String) Type of health check. Valid value is `CUSTOM`, `PING`, `TCP`, `HTTP`, `HTTPS`, `GRPC`, `GRPCS`.
* `health_check_unhealth_num` - (Optional, Int) Unhealthy threshold of health check, and the default is `3`. If the unhealthy result is returned 3 consecutive times, indicates that the forwarding is abnormal. The value range is [2-10]. NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
* `http2_switch` - (Optional, Bool) Indicate to apply HTTP2.0 protocol or not.
* `multi_cert_info` - (Optional, List) Certificate information. You can specify multiple server-side certificates with different algorithm types. This parameter is only applicable to HTTPS listeners with the SNI feature not enabled. Certificate and MultiCertInfo cannot be specified at the same time.
* `oauth` - (Optional, List) OAuth configuration information.
* `quic` - (Optional, Bool) Whether to enable QUIC. Note: QUIC can be enabled only for HTTPS domain names.
* `scheduler` - (Optional, String) Scheduling method of the CLB listener rules. Valid values: `WRR`, `IP HASH`, `LEAST_CONN`. The default is `WRR`. NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
* `session_expire_time` - (Optional, Int) Time of session persistence within the CLB listener. NOTES: Available when scheduler is specified as `WRR`, and not available when listener protocol is `TCP_SSL`. NOTES: TCP/UDP/TCP_SSL listener allows direct configuration, HTTP/HTTPS listener needs to be configured in `tencentcloud_clb_listener_rule`.
* `target_type` - (Optional, String, ForceNew) Backend target type. Valid values: `NODE`, `TARGETGROUP`. `NODE` means to bind ordinary nodes, `TARGETGROUP` means to bind target group.

The `multi_cert_info` object supports the following:

* `cert_id_list` - (Required, Set) List of server certificate ID.
* `ssl_mode` - (Required, String, ForceNew) Authentication type. Values: UNIDIRECTIONAL (one-way authentication), MUTUAL (two-way authentication).

The `oauth` object supports the following:

* `oauth_enable` - (Optional, Bool) Enable or disable authentication. True: Enabled; False: Disabled.
Expand Down