tencentcloudstack · hellertang · May 29, 2025 · May 27, 2025 · May 27, 2025
diff --git a/.changelog/3382.txt b/.changelog/3382.txt
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/tencentcloud_waf_cc: support `cel_rule`, `logical_op`
+```
+
+```release-note:enhancement
+resource/tencentcloud_waf_custom_white_rule: support `logical_op`
+```
diff --git a/go.mod b/go.mod
@@ -46,7 +46,7 @@ require (
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb v1.0.1107
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cloudaudit v1.0.1033
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cls v1.0.1148
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1164
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1170
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.1153
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cwp v1.0.762
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cynosdb v1.0.1161
@@ -97,7 +97,7 @@ require (
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tsf v1.0.674
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vod v1.0.860
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vpc v1.0.1154
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1163
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1170
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wedata v1.0.792
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wss v1.0.199
 	github.com/tencentyun/cos-go-sdk-v5 v0.7.64

diff --git a/go.sum b/go.sum
@@ -979,6 +979,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1163 h1:RZs
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1163/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1164 h1:qEzZCZf1sgvvrZ8ngws0gZlyW+sOdY0K9VXGm4AcvTE=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1164/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1170 h1:67TIDmxXDa73+7nFuyVVxtVswf83JPXiwBy1Xicv+xQ=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1170/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/controlcenter v1.0.993 h1:WlPgXldQCxt7qi5Xrc6j6zTrsXWzN5BcOGs7Irq7fwQ=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/controlcenter v1.0.993/go.mod h1:Z9U8zNtyuyKhjS0698wqsrG/kLx1TQ5CEixXBwVe7xY=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/csip v1.0.860 h1:F3esKBIT3HW9+7Gt8cVgf8X06VdGIczpgLBUECzSEzU=
@@ -1137,6 +1139,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1162 h1:gnmuUa
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1162/go.mod h1:bu3KAFeoJ1xDGQp72h9Le3FqbOcCcdomOUig3OqgcE4=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1163 h1:dR/VWftnsFH/O18MaaM4DXDkBgFMIZYSWR4/6moy78A=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1163/go.mod h1:RsiGONPLLzraDKCq1fs7bcm1OStioX7OWLXydoAmUf0=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1170 h1:kcQCWuI9zOkZgL5CK66HNAJmSWCSJxRrDxXT+j02CeE=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1170/go.mod h1:vTukVfThbBIc4lOf4eq/q51eEk78oZUJd2lAoJBOJwI=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wedata v1.0.792 h1:NLgKNOIHWa38AmW7dyfI9Jlcp2Kr9VRD94f48pPNmxM=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wedata v1.0.792/go.mod h1:Xz6vPV3gHlzPwtEcmWdWO1EUXJDgn2p7UMCXbJiVioQ=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/wss v1.0.199 h1:hMBLtiJPnZ9GvA677cTB6ELBR6B68wCR2QY1sNoGQc4=

diff --git a/tencentcloud/services/waf/resource_tc_waf_bot_scene_ucb_rule.go b/tencentcloud/services/waf/resource_tc_waf_bot_scene_ucb_rule.go
@@ -2,6 +2,7 @@ package waf
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"log"
 	"strings"
@@ -437,12 +438,16 @@ func resourceTencentCloudWafBotSceneUCBRuleCreate(d *schema.ResourceData, meta i
 			for _, item := range v.([]interface{}) {
 				if ruleMap, ok := item.(map[string]interface{}); ok && ruleMap != nil {
 					inOutputUCBRuleEntry := waf.InOutputUCBRuleEntry{}
+					var base46Flag bool
 					if v, ok := ruleMap["key"]; ok {
 						inOutputUCBRuleEntry.Key = helper.String(v.(string))
 					}
 
 					if v, ok := ruleMap["op"]; ok {
 						inOutputUCBRuleEntry.Op = helper.String(v.(string))
+						if v.(string) == "rematch" {
+							base46Flag = true
+						}
 					}
 
 					if valueMap, ok := helper.InterfaceToMap(ruleMap, "value"); ok {
@@ -471,10 +476,20 @@ func resourceTencentCloudWafBotSceneUCBRuleCreate(d *schema.ResourceData, meta i
 
 						if v, ok := valueMap["multi_value"]; ok {
 							multiValueSet := v.(*schema.Set).List()
-							for i := range multiValueSet {
-								if multiValueSet[i] != nil {
-									multiValue := multiValueSet[i].(string)
-									uCBEntryValue.MultiValue = append(uCBEntryValue.MultiValue, &multiValue)
+							if base46Flag {
+								for i := range multiValueSet {
+									if multiValueSet[i] != nil {
+										multiValue := multiValueSet[i].(string)
+										bs64Str := helper.String(base64.URLEncoding.EncodeToString([]byte(multiValue)))
+										uCBEntryValue.MultiValue = append(uCBEntryValue.MultiValue, bs64Str)
+									}
+								}
+							} else {
+								for i := range multiValueSet {
+									if multiValueSet[i] != nil {
+										multiValue := multiValueSet[i].(string)
+										uCBEntryValue.MultiValue = append(uCBEntryValue.MultiValue, &multiValue)
+									}
 								}
 							}
 						}
@@ -767,12 +782,16 @@ func resourceTencentCloudWafBotSceneUCBRuleRead(d *schema.ResourceData, meta int
 		tmpList := make([]map[string]interface{}, 0, len(respData.Rule))
 		for _, item := range respData.Rule {
 			dMap := make(map[string]interface{})
+			var base46Flag bool
 			if item.Key != nil {
 				dMap["key"] = item.Key
 			}
 
 			if item.Op != nil {
 				dMap["op"] = item.Op
+				if *item.Op == "rematch" {
+					base46Flag = true
+				}
 			}
 
 			if item.Value != nil {
@@ -795,7 +814,21 @@ func resourceTencentCloudWafBotSceneUCBRuleRead(d *schema.ResourceData, meta int
 				}
 
 				if item.Value.MultiValue != nil {
-					valueMap["multi_value"] = item.Value.MultiValue
+					if base46Flag {
+						tmpMvList := make([]string, 0, len(item.Value.MultiValue))
+						for _, item := range item.Value.MultiValue {
+							decoded, e := base64.StdEncoding.DecodeString(*item)
+							if e != nil {
+								return fmt.Errorf("[%s] base64 decode error: %s", *item, e.Error())
+							}
+
+							tmpMvList = append(tmpMvList, string(decoded))
+						}
+
+						valueMap["multi_value"] = tmpMvList
+					} else {
+						valueMap["multi_value"] = item.Value.MultiValue
+					}
 				}
 
 				valueList = append(valueList, valueMap)
@@ -1028,12 +1061,16 @@ func resourceTencentCloudWafBotSceneUCBRuleUpdate(d *schema.ResourceData, meta i
 			for _, item := range v.([]interface{}) {
 				if ruleMap, ok := item.(map[string]interface{}); ok && ruleMap != nil {
 					inOutputUCBRuleEntry := waf.InOutputUCBRuleEntry{}
+					var base46Flag bool
 					if v, ok := ruleMap["key"]; ok {
 						inOutputUCBRuleEntry.Key = helper.String(v.(string))
 					}
 
 					if v, ok := ruleMap["op"]; ok {
 						inOutputUCBRuleEntry.Op = helper.String(v.(string))
+						if v.(string) == "rematch" {
+							base46Flag = true
+						}
 					}
 
 					if valueMap, ok := helper.InterfaceToMap(ruleMap, "value"); ok {
@@ -1062,10 +1099,20 @@ func resourceTencentCloudWafBotSceneUCBRuleUpdate(d *schema.ResourceData, meta i
 
 						if v, ok := valueMap["multi_value"]; ok {
 							multiValueSet := v.(*schema.Set).List()
-							for i := range multiValueSet {
-								if multiValueSet[i] != nil {
-									multiValue := multiValueSet[i].(string)
-									uCBEntryValue.MultiValue = append(uCBEntryValue.MultiValue, &multiValue)
+							if base46Flag {
+								for i := range multiValueSet {
+									if multiValueSet[i] != nil {
+										multiValue := multiValueSet[i].(string)
+										bs64Str := helper.String(base64.URLEncoding.EncodeToString([]byte(multiValue)))
+										uCBEntryValue.MultiValue = append(uCBEntryValue.MultiValue, bs64Str)
+									}
+								}
+							} else {
+								for i := range multiValueSet {
+									if multiValueSet[i] != nil {
+										multiValue := multiValueSet[i].(string)
+										uCBEntryValue.MultiValue = append(uCBEntryValue.MultiValue, &multiValue)
+									}
 								}
 							}
 						}

diff --git a/tencentcloud/services/waf/resource_tc_waf_bot_scene_ucb_rule.md b/tencentcloud/services/waf/resource_tc_waf_bot_scene_ucb_rule.md
@@ -20,6 +20,18 @@ resource "tencentcloud_waf_bot_scene_ucb_rule" "example" {
       }
     }
 
+    rule {
+      key  = "url"
+      op   = "rematch"
+      lang = "cn"
+      value {
+        multi_value = [
+          "/prefix",
+          "/startwith"
+        ]
+      }
+    }
+
     action       = "monitor"
     on_off       = "on"
     rule_type    = 0

diff --git a/tencentcloud/services/waf/resource_tc_waf_cc.go b/tencentcloud/services/waf/resource_tc_waf_cc.go
@@ -120,6 +120,17 @@ func ResourceTencentCloudWafCc() *schema.Resource {
 				Computed:    true,
 				Description: "Frequency limiting method.",
 			},
+			"cel_rule": {
+				Optional:    true,
+				Type:        schema.TypeString,
+				Description: "Cel expression.",
+			},
+			"logical_op": {
+				Optional:    true,
+				Computed:    true,
+				Type:        schema.TypeString,
+				Description: "Logical operator of configuration mode, and/or.",
+			},
 			"rule_id": {
 				Computed:    true,
 				Type:        schema.TypeString,
@@ -218,6 +229,14 @@ func resourceTencentCloudWafCcCreate(d *schema.ResourceData, meta interface{}) e
 		request.LimitMethod = helper.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("cel_rule"); ok {
+		request.CelRule = helper.String(v.(string))
+	}
+
+	if v, ok := d.GetOk("logical_op"); ok {
+		request.LogicalOp = helper.String(v.(string))
+	}
+
 	request.RuleId = helper.IntInt64(0)
 	err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
 		result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseWafClient().UpsertCCRule(request)
@@ -337,6 +356,14 @@ func resourceTencentCloudWafCcRead(d *schema.ResourceData, meta interface{}) err
 		_ = d.Set("limit_method", cc.LimitMethod)
 	}
 
+	if cc.CelRule != nil {
+		_ = d.Set("cel_rule", cc.CelRule)
+	}
+
+	if cc.LogicalOp != nil {
+		_ = d.Set("logical_op", cc.LogicalOp)
+	}
+
 	if cc.RuleId != nil {
 		ruleIdStr := strconv.FormatUint(*cc.RuleId, 10)
 		_ = d.Set("rule_id", ruleIdStr)
@@ -439,6 +466,14 @@ func resourceTencentCloudWafCcUpdate(d *schema.ResourceData, meta interface{}) e
 		request.LimitMethod = helper.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("cel_rule"); ok {
+		request.CelRule = helper.String(v.(string))
+	}
+
+	if v, ok := d.GetOk("logical_op"); ok {
+		request.LogicalOp = helper.String(v.(string))
+	}
+
 	err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
 		result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseWafClient().UpsertCCRule(request)
 		if e != nil {

diff --git a/tencentcloud/services/waf/resource_tc_waf_cc.md b/tencentcloud/services/waf/resource_tc_waf_cc.md
@@ -2,10 +2,12 @@ Provides a resource to create a WAF cc
 
 Example Usage
 
+If advance is 0(IP model)
+
 ```hcl
 resource "tencentcloud_waf_cc" "example" {
   domain      = "www.demo.com"
-  name        = "terraform"
+  name        = "tf-example"
   status      = 1
   advance     = "0"
   limit       = "60"
@@ -17,15 +19,82 @@ resource "tencentcloud_waf_cc" "example" {
   valid_time  = 600
   edition     = "sparta-waf"
   type        = 1
+  logical_op  = "and"
   options_arr = jsonencode(
     [
+      {
+        "key" : "URL",
+        "args" : [
+          "=cHJlZml4"
+        ],
+        "match" : "2",
+        "encodeflag" : true
+      },
       {
         "key" : "Method",
-        "args" : ["=R0VU"],
+        "args" : [
+          "=POST"  # if encodeflag is false, parameter value needs to be prefixed with an = sign.
+        ],
+        "match" : "0",
+        "encodeflag" : false
+      },
+      {
+        "key" : "Post",
+        "args" : [
+          "S2V5=VmFsdWU"
+        ],
         "match" : "0",
         "encodeflag" : true
+      },
+      {
+        "key" : "Referer",
+        "args" : [
+          "="
+        ],
+        "match" : "12",
+        "encodeflag" : true
+      },
+      {
+        "key" : "Cookie",
+        "args" : [
+          "S2V5=VmFsdWU"
+        ],
+        "match" : "3",
+        "encodeflag" : true
+      },
+      {
+        "key" : "IPLocation",
+        "args" : [
+          "=eyJMYW5nIjoiY24iLCJBcmVhcyI6W3siQ291bnRyeSI6IuWbveWkliJ9XX0"
+        ],
+        "match" : "13",
+        "encodeflag" : true
       }
     ]
   )
 }
-```
+```
+
+If advance is 1(SESSION model)
+
+```hcl
+resource "tencentcloud_waf_cc" "example" {
+  domain          = "news.bots.icu"
+  name            = "tf-example"
+  status          = 1
+  advance         = "1"
+  limit           = "60"
+  interval        = "60"
+  url             = "/cc_demo"
+  match_func      = 0
+  action_type     = "22"
+  priority        = 50
+  valid_time      = 600
+  edition         = "sparta-waf"
+  type            = 1
+  session_applied = [0]
+  limit_method    = "only_limit"
+  logical_op      = "or"
+  cel_rule        = "(has(request.url) && request.url.startsWith('/prefix')) && (has(request.method) && request.method == 'POST')"
+}
+```