fix(cdb): [125857688] tencentcloud_mysql_ssl support ro_group_id (#3445)

SevenEarth · web-flow · commit 3aa681db835a · 2025-07-22T19:29:16.000+08:00
* add

* add

* add
diff --git a/.changelog/3445.txt b/.changelog/3445.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_mysql_ssl: support `ro_group_id`
+```
diff --git a/tencentcloud/services/cdb/resource_tc_mysql_ssl.go b/tencentcloud/services/cdb/resource_tc_mysql_ssl.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"strings"
 
 	tccommon "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/common"
 
@@ -25,15 +26,26 @@ func ResourceTencentCloudMysqlSsl() *schema.Resource {
 		},
 		Schema: map[string]*schema.Schema{
 			"instance_id": {
-				Required:    true,
-				Type:        schema.TypeString,
-				Description: "Instance ID. Example value: cdb-c1nl9rpv.",
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ExactlyOneOf: []string{"ro_group_id"},
+				Description:  "Instance ID. Example value: cdb-c1nl9rpv.",
+			},
+
+			"ro_group_id": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ExactlyOneOf: []string{"instance_id"},
+				Description:  "RO group ID. Example value: cdbrg-k9a6gup3.",
 			},
 
 			"status": {
-				Required:    true,
-				Type:        schema.TypeString,
-				Description: "Whether to enable SSL. `ON` means enabled, `OFF` means not enabled.",
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: tccommon.ValidateAllowedStringValue([]string{"ON", "OFF"}),
+				Description:  "Whether to enable SSL. `ON` means enabled, `OFF` means not enabled.",
 			},
 
 			"url": {
@@ -49,7 +61,32 @@ func resourceTencentCloudMysqlSslCreate(d *schema.ResourceData, meta interface{}
 	defer tccommon.LogElapsed("resource.tencentcloud_mysql_ssl.create")()
 	defer tccommon.InconsistentCheck(d, meta)()
 
-	d.SetId(d.Get("instance_id").(string))
+	var (
+		instanceId string
+		roGroupId  string
+	)
+
+	if v, ok := d.GetOk("instance_id"); ok {
+		instanceId = v.(string)
+		if !strings.HasPrefix(instanceId, "cdb-") {
+			return fmt.Errorf("`instance_id` parameter value is invalid. Example value: cdb-c1nl9rpv.")
+		}
+	}
+
+	if v, ok := d.GetOk("ro_group_id"); ok {
+		roGroupId = v.(string)
+		if !strings.HasPrefix(roGroupId, "cdbrg-") {
+			return fmt.Errorf("`ro_group_id` parameter value is invalid. Example value: cdbrg-k9a6gup3.")
+		}
+	}
+
+	if instanceId != "" {
+		d.SetId(instanceId)
+	} else if roGroupId != "" {
+		d.SetId(roGroupId)
+	} else {
+		return fmt.Errorf("`instance_id` or `ro_group_id` must set one of.")
+	}
 
 	return resourceTencentCloudMysqlSslUpdate(d, meta)
 }
@@ -58,29 +95,34 @@ func resourceTencentCloudMysqlSslRead(d *schema.ResourceData, meta interface{})
 	defer tccommon.LogElapsed("resource.tencentcloud_mysql_ssl.read")()
 	defer tccommon.InconsistentCheck(d, meta)()
 
-	logId := tccommon.GetLogId(tccommon.ContextNil)
-
-	ctx := context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
-
-	service := MysqlService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
-
-	instanceId := d.Id()
+	var (
+		logId      = tccommon.GetLogId(tccommon.ContextNil)
+		ctx        = context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
+		service    = MysqlService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
+		resID      = d.Id()
+		instanceId string
+		roGroupId  string
+	)
+
+	if strings.HasPrefix(resID, "cdb-") {
+		instanceId = resID
+		_ = d.Set("instance_id", instanceId)
+	} else {
+		roGroupId = resID
+		_ = d.Set("ro_group_id", roGroupId)
+	}
 
-	ssl, err := service.DescribeMysqlSslById(ctx, instanceId)
+	ssl, err := service.DescribeMysqlSslById(ctx, instanceId, roGroupId)
 	if err != nil {
 		return err
 	}
 
 	if ssl == nil {
+		log.Printf("[WARN]%s resource `tencentcloud_mysql_ssl` [%s] not found, please check if it has been deleted.", logId, instanceId)
 		d.SetId("")
-		log.Printf("[WARN]%s resource `tencentcloud_mysql_ssl` [%s] not found, please check if it has been deleted.",
-			logId, instanceId,
-		)
 		return nil
 	}
 
-	_ = d.Set("instance_id", instanceId)
-
 	if ssl.Status != nil {
 		_ = d.Set("status", ssl.Status)
 	}
@@ -96,18 +138,32 @@ func resourceTencentCloudMysqlSslUpdate(d *schema.ResourceData, meta interface{}
 	defer tccommon.LogElapsed("resource.tencentcloud_mysql_ssl.update")()
 	defer tccommon.InconsistentCheck(d, meta)()
 
-	logId := tccommon.GetLogId(tccommon.ContextNil)
-
-	ctx := context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
-
-	instanceId := d.Id()
+	var (
+		logId      = tccommon.GetLogId(tccommon.ContextNil)
+		ctx        = context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
+		service    = MysqlService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
+		resID      = d.Id()
+		instanceId string
+		roGroupId  string
+	)
+
+	if strings.HasPrefix(resID, "cdb-") {
+		instanceId = resID
+	} else {
+		roGroupId = resID
+	}
 
-	status := ""
 	if v, ok := d.GetOk("status"); ok {
-		status = v.(string)
+		status := v.(string)
 		if status == "ON" {
 			request := mysql.NewOpenSSLRequest()
-			request.InstanceId = helper.String(instanceId)
+			if instanceId != "" {
+				request.InstanceId = helper.String(instanceId)
+			}
+
+			if roGroupId != "" {
+				request.RoGroupId = helper.String(roGroupId)
+			}
 
 			err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
 				result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseMysqlClient().OpenSSL(request)
@@ -116,15 +172,23 @@ func resourceTencentCloudMysqlSslUpdate(d *schema.ResourceData, meta interface{}
 				} else {
 					log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
 				}
+
 				return nil
 			})
+
 			if err != nil {
-				log.Printf("[CRITAL]%s update mysql ssl failed, reason:%+v", logId, err)
+				log.Printf("[CRITAL]%s Open mysql ssl failed, reason:%+v", logId, err)
 				return err
 			}
 		} else if status == "OFF" {
 			request := mysql.NewCloseSSLRequest()
-			request.InstanceId = helper.String(instanceId)
+			if instanceId != "" {
+				request.InstanceId = helper.String(instanceId)
+			}
+
+			if roGroupId != "" {
+				request.RoGroupId = helper.String(roGroupId)
+			}
 
 			err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
 				result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseMysqlClient().CloseSSL(request)
@@ -133,41 +197,45 @@ func resourceTencentCloudMysqlSslUpdate(d *schema.ResourceData, meta interface{}
 				} else {
 					log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
 				}
+
 				return nil
 			})
+
 			if err != nil {
-				log.Printf("[CRITAL]%s update mysql ssl failed, reason:%+v", logId, err)
+				log.Printf("[CRITAL]%s Close mysql ssl failed, reason:%+v", logId, err)
 				return err
 			}
 		} else {
 			return fmt.Errorf("[CRITAL]%s update mysql ssl failed, reason:your status must be ON or OFF!", logId)
 		}
 
-		if status != "" {
-			service := MysqlService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
-			err := resource.Retry(7*tccommon.ReadRetryTimeout, func() *resource.RetryError {
-				ssl, err := service.DescribeMysqlSslById(ctx, instanceId)
-				if err != nil {
-					return resource.NonRetryableError(err)
-				}
-				if ssl == nil {
-					err = fmt.Errorf("mysqlid %s instance ssl not exists", instanceId)
-					return resource.NonRetryableError(err)
-				}
-				if *ssl.Status != status {
-					return resource.RetryableError(fmt.Errorf("mysql ssl status is (%v)", *ssl.Status))
-				}
-				if *ssl.Status == status {
-					return nil
-				}
-				err = fmt.Errorf("mysql ssl status is %v,we won't wait for it finish", *ssl.Status)
+		// wait
+		err := resource.Retry(10*tccommon.ReadRetryTimeout, func() *resource.RetryError {
+			ssl, err := service.DescribeMysqlSslById(ctx, instanceId, roGroupId)
+			if err != nil {
 				return resource.NonRetryableError(err)
-			})
+			}
 
-			if err != nil {
-				log.Printf("[CRITAL]%s mysql switchForUpgrade fail, reason:%s\n ", logId, err.Error())
-				return err
+			if ssl == nil {
+				err = fmt.Errorf("mysqlid %s instance ssl not exists", instanceId)
+				return resource.NonRetryableError(err)
+			}
+
+			if *ssl.Status != status {
+				return resource.RetryableError(fmt.Errorf("mysql ssl status is (%v)", *ssl.Status))
 			}
+
+			if *ssl.Status == status {
+				return nil
+			}
+
+			err = fmt.Errorf("mysql ssl status is %v,we won't wait for it finish", *ssl.Status)
+			return resource.NonRetryableError(err)
+		})
+
+		if err != nil {
+			log.Printf("[CRITAL]%s mysql switchForUpgrade fail, reason:%s\n ", logId, err.Error())
+			return err
 		}
 	}
 
diff --git a/tencentcloud/services/cdb/resource_tc_mysql_ssl.md b/tencentcloud/services/cdb/resource_tc_mysql_ssl.md
@@ -1,18 +1,35 @@
-Provides a resource to create a mysql ssl
+Provides a resource to create a MySQL SSL
 
 Example Usage
 
+For mysql instance SSL
+
 ```hcl
-resource "tencentcloud_mysql_ssl" "ssl" {
+resource "tencentcloud_mysql_ssl" "example" {
   instance_id = "cdb-j5rprr8n"
   status      = "OFF"
 }
 ```
 
+For mysql RO group SSL
+
+```hcl
+resource "tencentcloud_mysql_ssl" "example" {
+  ro_group_id = "cdbrg-k9a6gup3"
+  status      = "ON"
+}
+```
+
 Import
 
-mysql ssl can be imported using the id, e.g.
+MySQL SSL can be imported using the id, e.g.
 
 ```
-terraform import tencentcloud_mysql_ssl.ssl instanceId
-```
+terraform import tencentcloud_mysql_ssl.example cdb-j5rprr8n
+```
+
+Or
+
+```
+terraform import tencentcloud_mysql_ssl.example cdbrg-k9a6gup3
+```
diff --git a/tencentcloud/services/cdb/service_tencentcloud_mysql.go b/tencentcloud/services/cdb/service_tencentcloud_mysql.go
@@ -1506,26 +1506,46 @@ func (me *MysqlService) DescribeMysqlTimeWindowById(ctx context.Context, instanc
 	return
 }
 
-func (me *MysqlService) DescribeMysqlSslById(ctx context.Context, instanceId string) (ssl *cdb.DescribeSSLStatusResponseParams, errRet error) {
+func (me *MysqlService) DescribeMysqlSslById(ctx context.Context, instanceId, roGroupId string) (ssl *cdb.DescribeSSLStatusResponseParams, errRet error) {
 	logId := tccommon.GetLogId(ctx)
 
 	request := cdb.NewDescribeSSLStatusRequest()
-	request.InstanceId = &instanceId
+	response := cdb.NewDescribeSSLStatusResponse()
+	if instanceId != "" {
+		request.InstanceId = &instanceId
+	}
+
+	if roGroupId != "" {
+		request.RoGroupId = &roGroupId
+	}
 
 	defer func() {
 		if errRet != nil {
 			log.Printf("[CRITAL]%s api[%s] fail, request body [%s], reason[%s]\n", logId, request.GetAction(), request.ToJsonString(), errRet.Error())
 		}
 	}()
 
-	ratelimit.Check(request.GetAction())
+	err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
+		ratelimit.Check(request.GetAction())
+		result, e := me.client.UseMysqlClient().DescribeSSLStatus(request)
+		if e != nil {
+			return tccommon.RetryError(e)
+		} else {
+			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
+		}
+
+		if result == nil || result.Response == nil {
+			return resource.NonRetryableError(fmt.Errorf("Describe ssl status failed, Response is nil."))
+		}
+
+		response = result
+		return nil
+	})
 
-	response, err := me.client.UseMysqlClient().DescribeSSLStatus(request)
 	if err != nil {
 		errRet = err
 		return
 	}
-	log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), response.ToJsonString())
 
 	ssl = response.Response
 	return
diff --git a/website/docs/r/mysql_ssl.html.markdown b/website/docs/r/mysql_ssl.html.markdown

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+resource/tencentcloud_mysql_ssl: support `ro_group_id`
	`3`	+```