tencentcloudstack · hellertang · Jun 10, 2025 · Jun 9, 2025 · Jun 9, 2025
diff --git a/.changelog/3402.txt b/.changelog/3402.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_cos_bucket_domain_certificate_attachment: optmize code logic
+```
diff --git a/tencentcloud/services/cos/resource_tc_cos_bucket_domain_certificate_attachment.go b/tencentcloud/services/cos/resource_tc_cos_bucket_domain_certificate_attachment.go
@@ -46,34 +46,40 @@ func ResourceTencentCloudCosBucketDomainCertificateAttachment() *schema.Resource
 							Type:        schema.TypeList,
 							MaxItems:    1,
 							Required:    true,
+							ForceNew:    true,
 							Description: "Certificate info.",
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"cert_type": {
 										Type:        schema.TypeString,
 										Required:    true,
+										ForceNew:    true,
 										Description: "Certificate type.",
 									},
 									"custom_cert": {
 										Type:        schema.TypeList,
 										MaxItems:    1,
 										Required:    true,
+										ForceNew:    true,
 										Description: "Custom certificate.",
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{
 												"cert_id": {
 													Type:        schema.TypeString,
 													Optional:    true,
+													ForceNew:    true,
 													Description: "ID of certificate.",
 												},
 												"cert": {
 													Type:        schema.TypeString,
 													Required:    true,
+													ForceNew:    true,
 													Description: "Public key of certificate.",
 												},
 												"private_key": {
 													Type:        schema.TypeString,
 													Required:    true,
+													ForceNew:    true,
 													Description: "Private key of certificate.",
 												},
 											},
@@ -85,6 +91,7 @@ func ResourceTencentCloudCosBucketDomainCertificateAttachment() *schema.Resource
 						"domain": {
 							Type:        schema.TypeString,
 							Required:    true,
+							ForceNew:    true,
 							Description: "The name of domain.",
 						},
 					},
@@ -98,9 +105,11 @@ func resourceTencentCloudCosBucketDomainCertificateAttachmentCreate(d *schema.Re
 	defer tccommon.LogElapsed("resource.tencentcloud_cos_bucket_domain_certificate_attachment.create")()
 	defer tccommon.InconsistentCheck(d, meta)()
 
-	logId := tccommon.GetLogId(tccommon.ContextNil)
-	ctx := context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
-	var bucket string
+	var (
+		logId  = tccommon.GetLogId(tccommon.ContextNil)
+		ctx    = context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
+		bucket string
+	)
 
 	if v, ok := d.GetOk("bucket"); ok {
 		bucket = v.(string)
@@ -115,19 +124,24 @@ func resourceTencentCloudCosBucketDomainCertificateAttachmentCreate(d *schema.Re
 			if v, ok := certMap["cert_type"]; ok {
 				certificateInfo.CertType = v.(string)
 			}
+
 			if CustomCertMap, ok := helper.InterfaceToMap(certMap, "custom_cert"); ok {
 				customCert := cos.BucketDomainCustomCert{}
 				if v, ok := CustomCertMap["cert_id"]; ok {
 					customCert.CertId = v.(string)
 				}
+
 				if v, ok := CustomCertMap["cert"]; ok {
 					customCert.Cert = v.(string)
 				}
+
 				if v, ok := CustomCertMap["private_key"]; ok {
 					customCert.PrivateKey = v.(string)
 				}
+
 				certificateInfo.CustomCert = &customCert
 			}
+
 			option.CertificateInfo = &certificateInfo
 		}
 
@@ -141,10 +155,14 @@ func resourceTencentCloudCosBucketDomainCertificateAttachmentCreate(d *schema.Re
 		if e != nil {
 			return tccommon.RetryError(e)
 		} else {
+			if result == nil || result.Response == nil {
+				return resource.NonRetryableError(fmt.Errorf("Create cos domain certificate failed, Response is nil."))
+			}
+
 			request, _ := xml.Marshal(option)
-			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n",
-				logId, "PutDomainCertificate", request, result.Response.Body)
+			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, "PutDomainCertificate", request, result.Response.Body)
 		}
+
 		return nil
 	})
 
@@ -153,25 +171,23 @@ func resourceTencentCloudCosBucketDomainCertificateAttachmentCreate(d *schema.Re
 		return err
 	}
 
-	ids := strings.Join([]string{bucket, option.DomainList[0]}, tccommon.FILED_SP)
-	d.SetId(ids)
-
+	d.SetId(strings.Join([]string{bucket, option.DomainList[0]}, tccommon.FILED_SP))
 	return nil
 }
 
 func resourceTencentCloudCosBucketDomainCertificateAttachmentRead(d *schema.ResourceData, meta interface{}) error {
 	defer tccommon.LogElapsed("resource.tencentcloud_cos_bucket_domain_certificate_attachment.read")()
 	defer tccommon.InconsistentCheck(d, meta)()
 
-	logId := tccommon.GetLogId(tccommon.ContextNil)
-	ctx := context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
-
-	service := CosService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
-
-	id := d.Id()
+	var (
+		logId   = tccommon.GetLogId(tccommon.ContextNil)
+		ctx     = context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
+		service = CosService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
+		id      = d.Id()
+	)
 
 	certResult, bucket, err := service.DescribeCosBucketDomainCertificate(ctx, id)
-	log.Printf("[DEBUG] resource `bucketDomainCertificate certResult:%s`\n", certResult)
+	log.Printf("[DEBUG] resource `bucketDomainCertificate certResult: %s`\n", certResult)
 	if err != nil {
 		return err
 	}
@@ -187,14 +203,15 @@ func resourceTencentCloudCosBucketDomainCertificateAttachmentRead(d *schema.Reso
 }
 
 func resourceTencentCloudCosBucketDomainCertificateAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
-	id := d.Id()
-	defer tccommon.LogElapsed("resource.tencentcloud_cos_bucket_domain_certificate_attachment.delete id:", id)()
+	defer tccommon.LogElapsed("resource.tencentcloud_cos_bucket_domain_certificate_attachment.delete")()
 	defer tccommon.InconsistentCheck(d, meta)()
 
-	logId := tccommon.GetLogId(tccommon.ContextNil)
-	ctx := context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
-
-	service := CosService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
+	var (
+		logId   = tccommon.GetLogId(tccommon.ContextNil)
+		ctx     = context.WithValue(context.TODO(), tccommon.LogIdKey, logId)
+		service = CosService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
+		id      = d.Id()
+	)
 
 	if err := service.DeleteCosBucketDomainCertificate(ctx, id); err != nil {
 		return err

diff --git a/tencentcloud/services/cos/resource_tc_cos_bucket_domain_certificate_attachment.md b/tencentcloud/services/cos/resource_tc_cos_bucket_domain_certificate_attachment.md
@@ -5,6 +5,10 @@ Provides a resource to attach/detach the corresponding certificate for the domai
 Example Usage
 
 ```hcl
+variable "custom_origin_domain" {
+  default = "tf.example.com"
+}
+
 data "tencentcloud_user_info" "info" {}
 
 locals {
@@ -15,18 +19,41 @@ resource "tencentcloud_cos_bucket" "example" {
   bucket      = "private-bucket-${local.app_id}"
   acl         = "private"
   force_clean = true
+
+  origin_domain_rules {
+    domain = var.custom_origin_domain
+    status = "ENABLED"
+    type   = "REST"
+  }
 }
 
 resource "tencentcloud_cos_bucket_domain_certificate_attachment" "example" {
   bucket = tencentcloud_cos_bucket.example.id
   domain_certificate {
-    domain = "www.example.com"
+    domain = var.custom_origin_domain
     certificate {
       cert_type = "CustomCert"
       custom_cert {
-        cert_id     = "Mbx45wts"
-        cert        = "-----BEGIN CERTIFICATE-----"
-        private_key = "-----BEGIN RSA PRIVATE_KEY-----"
+        cert_id     = "JG65alUy"
+        cert        = <<-EOF
+-----BEGIN CERTIFICATE-----
+MIIGQjCCBSqgAwIBAgIQfTllN2vZr7vcoGF3ZTHwxjANBgkqhkiG9w0BAQsFADBA
+...
+...
+...
+9YSJrdvskqI3v/3SkVezzNiWQMuMTg==
+-----END CERTIFICATE-----
+EOF
+
+        private_key = <<-EOF
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAsmwAXXVh6N4fd281K0671jYBrSV2v/5+TCeewsNx6ys3kC8o
+...
+...
+...
+MgbOv6byAafSQWU+5+KFfK3Nj7eezx6yfQQM0Kxl4ZPm1w3Fb6gIFBc=
+-----END RSA PRIVATE KEY-----
+EOF
       }
     }
   }

diff --git a/tencentcloud/services/cos/service_tencentcloud_cos.go b/tencentcloud/services/cos/service_tencentcloud_cos.go
@@ -1618,7 +1618,7 @@ func (me *CosService) DeleteBucketReplication(ctx context.Context, bucket string
 	return
 }
 
-func (me *CosService) DescribeCosBucketDomainCertificate(ctx context.Context, certId string) (result *cos.BucketGetDomainCertificateResult, bucket string, errRet error) {
+func (me *CosService) DescribeCosBucketDomainCertificate(ctx context.Context, certId string) (res *cos.BucketGetDomainCertificateResult, bucket string, errRet error) {
 	logId := tccommon.GetLogId(ctx)
 
 	ids, err := me.parseCertId(certId)
@@ -1636,26 +1636,32 @@ func (me *CosService) DescribeCosBucketDomainCertificate(ctx context.Context, ce
 
 	defer func() {
 		if errRet != nil {
-			log.Printf("[CRITAL]%s api[%s] fail, request[%s], reason[%s]\n",
-				logId, "GetDomainCertificate", request, errRet.Error())
+			log.Printf("[CRITAL]%s api[%s] fail, request[%s], reason[%s]\n", logId, "GetDomainCertificate", request, errRet.Error())
 		}
 	}()
 
-	result, response, err := me.client.UseTencentCosClient(bucket).Bucket.GetDomainCertificate(ctx, option)
-	resp, _ := json.Marshal(response.Response.Body)
-	if response.StatusCode == 404 {
-		log.Printf("[WARN]%s, api[%s] returns %d", logId, "GetDomainCertificate", response.StatusCode)
-		return
-	}
+	errRet = resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
+		result, response, e := me.client.UseTencentCosClient(bucket).Bucket.GetDomainCertificate(ctx, option)
+		if e != nil {
+			return tccommon.RetryError(e)
+		} else {
+			if response.StatusCode == 404 {
+				log.Printf("[WARN]%s, api[%s] returns %d", logId, "GetDomainCertificate", response.StatusCode)
+				return resource.NonRetryableError(fmt.Errorf("Get domain certificate failed, Status code is 404."))
+			}
 
-	if err != nil {
-		errRet = err
+			resp, _ := json.Marshal(response.Response.Body)
+			log.Printf("[DEBUG]%s api[%s] success, request [%s], response body [%s], result [%s]\n", logId, "GetDomainCertificate", request, resp, result)
+			res = result
+		}
+
+		return nil
+	})
+
+	if errRet != nil {
 		return
 	}
 
-	log.Printf("[DEBUG]%s api[%s] success, request [%s], response body [%s], result [%s]\n",
-		logId, "GetDomainCertificate", request, resp, result)
-
 	return
 }
 
@@ -1676,23 +1682,30 @@ func (me *CosService) DeleteCosBucketDomainCertificate(ctx context.Context, cert
 
 	defer func() {
 		if errRet != nil {
-			log.Printf("[CRITAL]%s api[%s] fail, option [%s], reason[%s]\n",
-				logId, "DeleteDomainCertificate", option, errRet.Error())
+			log.Printf("[CRITAL]%s api[%s] fail, option [%s], reason[%s]\n", logId, "DeleteDomainCertificate", option, errRet.Error())
 		}
 	}()
 
-	ratelimit.Check("DeleteDomainCertificate")
-	response, err := me.client.UseTencentCosClient(bucket).Bucket.DeleteDomainCertificate(ctx, option)
+	errRet = resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
+		ratelimit.Check("DeleteDomainCertificate")
+		result, e := me.client.UseTencentCosClient(bucket).Bucket.DeleteDomainCertificate(ctx, option)
+		if e != nil {
+			return tccommon.RetryError(e)
+		} else {
+			if result == nil || result.Response == nil {
+				return resource.NonRetryableError(fmt.Errorf("Delete cos domain certificate failed, Response is nil."))
+			}
 
-	if err != nil {
-		errRet = err
-		return err
-	}
+			resp, _ := json.Marshal(result.Response.Body)
+			log.Printf("[DEBUG]%s api[%s] success, option [%s], response body [%s]\n", logId, "DeleteDomainCertificate", option, resp)
+		}
 
-	resp, _ := json.Marshal(response.Response.Body)
+		return nil
+	})
 
-	log.Printf("[DEBUG]%s api[%s] success, option [%s], response body [%s]\n",
-		logId, "DeleteDomainCertificate", option, resp)
+	if errRet != nil {
+		return
+	}
 
 	return
 }