diff --git a/tencentcloud/basic_test.go b/tencentcloud/basic_test.go
index 4bb9f81e85..3ff1cbf47d 100644
--- a/tencentcloud/basic_test.go
+++ b/tencentcloud/basic_test.go
@@ -601,9 +601,9 @@ variable "tke_cidr_a" {
default = [
"10.31.0.0/23",
"10.31.2.0/24",
- "10.31.3.0/25",
- "10.31.3.128/26",
- "10.31.3.192/26"
+ "10.31.3.0/24",
+ "10.31.16.0/24",
+ "10.31.32.0/24"
]
}
diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index e08d9063ea..0ee24d1d9c 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -370,6 +370,7 @@ Tencent Kubernetes Engine(TKE)
tencentcloud_eks_container_instance
tencentcloud_kubernetes_auth_attachment
tencentcloud_kubernetes_addon_attachment
+ tencentcloud_kubernetes_cluster_endpoint
TDMQ
Resource
@@ -977,6 +978,7 @@ func Provider() terraform.ResourceProvider {
"tencentcloud_container_cluster": resourceTencentCloudContainerCluster(),
"tencentcloud_container_cluster_instance": resourceTencentCloudContainerClusterInstance(),
"tencentcloud_kubernetes_cluster": resourceTencentCloudTkeCluster(),
+ "tencentcloud_kubernetes_cluster_endpoint": resourceTencentCloudTkeClusterEndpoint(),
"tencentcloud_eks_cluster": resourceTencentCloudEksCluster(),
"tencentcloud_eks_container_instance": resourceTencentCloudEksContainerInstance(),
"tencentcloud_kubernetes_addon_attachment": resourceTencentCloudTkeAddonAttachment(),
diff --git a/tencentcloud/resource_tc_kubernetes_cluster.go b/tencentcloud/resource_tc_kubernetes_cluster.go
index 8d460fa68f..02656025ca 100644
--- a/tencentcloud/resource_tc_kubernetes_cluster.go
+++ b/tencentcloud/resource_tc_kubernetes_cluster.go
@@ -2484,16 +2484,18 @@ func resourceTencentCloudTkeClusterRead(d *schema.ResourceData, meta interface{}
_ = d.Set("pgw_endpoint", emptyStrFunc(securityRet.Response.PgwEndpoint))
_ = d.Set("security_policy", policies)
- if emptyStrFunc(securityRet.Response.ClusterExternalEndpoint) == "" {
- _ = d.Set("cluster_internet", false)
- } else {
- _ = d.Set("cluster_internet", true)
- }
+ if v, ok := d.GetOk("worker_config"); ok && len(v.([]interface{})) > 0 {
+ if emptyStrFunc(securityRet.Response.ClusterExternalEndpoint) == "" {
+ _ = d.Set("cluster_internet", false)
+ } else {
+ _ = d.Set("cluster_internet", true)
+ }
- if emptyStrFunc(securityRet.Response.PgwEndpoint) == "" {
- _ = d.Set("cluster_intranet", false)
- } else {
- _ = d.Set("cluster_intranet", true)
+ if emptyStrFunc(securityRet.Response.PgwEndpoint) == "" {
+ _ = d.Set("cluster_intranet", false)
+ } else {
+ _ = d.Set("cluster_intranet", true)
+ }
}
var globalConfig *tke.ClusterAsGroupOption
@@ -2777,7 +2779,6 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
return err
}
}
- d.SetPartial("cluster_internet")
}
if clusterInternet {
@@ -2790,8 +2791,6 @@ func resourceTencentCloudTkeClusterUpdate(d *schema.ResourceData, meta interface
}
d.SetPartial("managed_cluster_internet_security_policies")
}
- } else {
- d.SetPartial("managed_cluster_internet_security_policies")
}
if d.HasChange("project_id") || d.HasChange("cluster_name") || d.HasChange("cluster_desc") || d.HasChange("cluster_level") || d.HasChange("auto_upgrade_cluster_level") {
diff --git a/tencentcloud/resource_tc_kubernetes_cluster_endpoint.go b/tencentcloud/resource_tc_kubernetes_cluster_endpoint.go
new file mode 100644
index 0000000000..74f510840c
--- /dev/null
+++ b/tencentcloud/resource_tc_kubernetes_cluster_endpoint.go
@@ -0,0 +1,428 @@
+/*
+Provide a resource to create a KubernetesClusterEndpoint.
+This resource allows you to create an empty cluster first without any workers. Only all attached node depends create complete, cluster endpoint will finally be enabled.
+
+~> **NOTE:** Recommend using `depends_on` to make sure endpoint create after node pools or workers does.
+
+Example Usage
+
+```hcl
+resource "tencentcloud_kubernetes_nodepool" "pool1" {}
+
+resource "tencentcloud_kubernetes_cluster_endpoint" "foo" {
+ cluster_id = "cls-xxxxxxxx"
+ cluster_internet = true
+ cluster_intranet = true
+ managed_cluster_internet_security_policies = [
+ "192.168.0.0/24"
+ ]
+ cluster_intranet_subnet_id = "subnet-xxxxxxxx"
+ depends_on [
+ tencentcloud_kubernetes_nodepool.pool1
+ ]
+}
+```
+
+
+Import
+
+KubernetesClusterEndpoint instance can be imported by passing cluster id, e.g.
+```
+$ terraform import tencentcloud_kubernetes_cluster_endpoint.test cluster-id
+```
+
+*/
+package tencentcloud
+
+import (
+ "context"
+ "fmt"
+
+ tke "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke/v20180525"
+
+ "github.com/hashicorp/go-multierror"
+
+ "github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+ "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/internal/helper"
+)
+
+func resourceTencentCloudTkeClusterEndpoint() *schema.Resource {
+ return &schema.Resource{
+ Read: resourceTencentCloudTkeClusterEndpointRead,
+ Create: resourceTencentCloudTkeClusterEndpointCreate,
+ Update: resourceTencentCloudTkeClusterEndpointUpdate,
+ Delete: resourceTencentCloudTkeClusterEndpointDelete,
+ Importer: &schema.ResourceImporter{
+ State: schema.ImportStatePassthrough,
+ },
+ Schema: map[string]*schema.Schema{
+ "cluster_id": {
+ Type: schema.TypeString,
+ Required: true,
+ Description: "Specify cluster ID.",
+ },
+ "cluster_internet": {
+ Type: schema.TypeBool,
+ Default: false,
+ Optional: true,
+ Description: "Open internet access or not.",
+ },
+ "cluster_intranet": {
+ Type: schema.TypeBool,
+ Default: false,
+ Optional: true,
+ Description: "Open intranet access or not.",
+ },
+ "managed_cluster_internet_security_policies": {
+ Type: schema.TypeList,
+ Optional: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Description: "Security policies for managed cluster internet, like:'192.168.1.0/24' or '113.116.51.27', '0.0.0.0/0' means all." +
+ " This field can only set when field `cluster_deploy_type` is 'MANAGED_CLUSTER' and `cluster_internet` is true." +
+ " `managed_cluster_internet_security_policies` can not delete or empty once be set.",
+ },
+ "cluster_intranet_subnet_id": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "Subnet id who can access this independent cluster, this field must and can only set when `cluster_intranet` is true." +
+ " `cluster_intranet_subnet_id` can not modify once be set.",
+ },
+ // Computed
+ "cluster_deploy_type": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "Cluster deploy type of `MANAGED_CLUSTER` or `INDEPENDENT_CLUSTER`.",
+ },
+ "user_name": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "User name of account.",
+ },
+ "password": {
+ Type: schema.TypeString,
+ Computed: true,
+ Sensitive: true,
+ Description: "Password of account.",
+ },
+ "certification_authority": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "The certificate used for access.",
+ },
+ "cluster_external_endpoint": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "External network address to access.",
+ },
+ "domain": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "Domain name for access.",
+ },
+ "pgw_endpoint": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "The Intranet address used for access.",
+ },
+ },
+ }
+}
+
+func resourceTencentCloudTkeClusterEndpointRead(d *schema.ResourceData, meta interface{}) error {
+ defer logElapsed("resource.tencentcloud_kubernetes_cluster_endpoint.read")()
+ defer inconsistentCheck(d, meta)()
+
+ logId := getLogId(contextNil)
+ ctx := context.WithValue(context.TODO(), logIdKey, logId)
+ client := meta.(*TencentCloudClient).apiV3Conn
+ service := TkeService{client}
+
+ id := d.Id()
+ info, has, err := service.DescribeCluster(ctx, id)
+ if err != nil {
+ d.SetId("")
+ return err
+ }
+ if !has {
+ d.SetId("")
+ return fmt.Errorf("cluster %s not found", id)
+ }
+
+ d.SetId(id)
+ _ = d.Set("cluster_id", id)
+
+ _ = d.Set("cluster_deploy_type", info.DeployType)
+
+ response, err := service.DescribeClusterSecurity(ctx, id)
+
+ if err != nil {
+ return err
+ }
+
+ var (
+ security = response.Response
+ clusterInternet = security.ClusterExternalEndpoint != nil && *security.ClusterExternalEndpoint != ""
+ clusterIntranet = security.PgwEndpoint != nil && *security.PgwEndpoint != ""
+ )
+
+ _ = d.Set("cluster_internet", clusterInternet)
+ _ = d.Set("cluster_intranet", clusterIntranet)
+ _ = d.Set("user_name", security.UserName)
+ _ = d.Set("password", security.Password)
+ _ = d.Set("certification_authority", security.CertificationAuthority)
+ _ = d.Set("cluster_external_endpoint", security.ClusterExternalEndpoint)
+ _ = d.Set("domain", security.Domain)
+ _ = d.Set("pgw_endpoint", security.PgwEndpoint)
+
+ if len(security.SecurityPolicy) > 0 {
+ _ = d.Set("managed_cluster_internet_security_policies", security.SecurityPolicy)
+ }
+
+ return nil
+}
+
+func resourceTencentCloudTkeClusterEndpointCreate(d *schema.ResourceData, meta interface{}) error {
+ defer logElapsed("resource.tencentcloud_kubernetes_cluster_endpoint.create")()
+
+ logId := getLogId(contextNil)
+ ctx := context.WithValue(context.TODO(), logIdKey, logId)
+ client := meta.(*TencentCloudClient).apiV3Conn
+ service := TkeService{client}
+
+ id := d.Get("cluster_id").(string)
+ var (
+ err error
+ isManagedCluster bool
+ securityPolicies []string
+ clusterInternet = d.Get("cluster_internet").(bool)
+ clusterIntranet = d.Get("cluster_intranet").(bool)
+ intranetSubnetId = d.Get("cluster_intranet_subnet_id").(string)
+ )
+
+ clusterInfo, has, err := service.DescribeCluster(ctx, id)
+ if err != nil {
+ return err
+ }
+ if !has {
+ return fmt.Errorf("cluster %s not found", id)
+ }
+ isManagedCluster = clusterInfo.DeployType == TKE_DEPLOY_TYPE_MANAGED
+
+ if v, ok := d.Get("managed_cluster_internet_security_policies").([]interface{}); ok && len(v) > 0 {
+ securityPolicies = helper.InterfacesStrings(v)
+ }
+
+ if clusterIntranet && intranetSubnetId == "" {
+ return fmt.Errorf("`cluster_intranet_subnet_id` must set when `cluster_intranet` is true")
+ }
+ if !clusterIntranet && intranetSubnetId != "" {
+ return fmt.Errorf("`cluster_intranet_subnet_id` can only set when `cluster_intranet` is true")
+ }
+
+ if !(clusterInternet && isManagedCluster) && len(securityPolicies) > 0 {
+ return fmt.Errorf("`managed_cluster_internet_security_policies` can only set when field `cluster_deploy_type` is 'MANAGED_CLUSTER' and `cluster_internet` is true.")
+ }
+
+ // Create Intranet(Private) Network
+ if clusterIntranet {
+ err := tencentCloudClusterIntranetSwitch(ctx, &service, id, intranetSubnetId, true)
+ if err != nil {
+ return err
+ }
+ }
+
+ //TKE_DEPLOY_TYPE_INDEPENDENT Open the internet
+ if clusterInternet {
+ err := tencentCloudClusterInternetSwitch(ctx, &service, id, true, isManagedCluster, securityPolicies)
+ if err != nil {
+ return err
+ }
+ err = waitForClusterEndpointFinish(ctx, &service, id, true, isManagedCluster)
+ if err != nil {
+ return err
+ }
+ }
+
+ d.SetId(id)
+
+ return resourceTencentCloudTkeClusterEndpointRead(d, meta)
+}
+
+func resourceTencentCloudTkeClusterEndpointUpdate(d *schema.ResourceData, meta interface{}) error {
+ defer logElapsed("resource.tencentcloud_kubernetes_cluster_endpoint.update")()
+
+ logId := getLogId(contextNil)
+ ctx := context.WithValue(context.TODO(), logIdKey, logId)
+ client := meta.(*TencentCloudClient).apiV3Conn
+ service := TkeService{client}
+ id := d.Id()
+
+ var (
+ isManagedCluster bool
+ err error
+ )
+ if v, ok := d.GetOk("cluster_deploy_type"); ok {
+ isManagedCluster = v.(string) == TKE_DEPLOY_TYPE_MANAGED
+ }
+
+ if d.HasChange("cluster_internet") {
+ clusterInternet := d.Get("cluster_internet").(bool)
+ policies := helper.InterfacesStrings(d.Get("managed_cluster_internet_security_policies").([]interface{}))
+ err = tencentCloudClusterInternetSwitch(ctx, &service, id, clusterInternet, isManagedCluster, policies)
+ if err != nil {
+ return err
+ }
+ err = waitForClusterEndpointFinish(ctx, &service, id, clusterInternet, isManagedCluster)
+ if err != nil {
+ return err
+ }
+ }
+
+ if d.HasChange("cluster_intranet") {
+ clusterIntranet := d.Get("cluster_intranet").(bool)
+ subnetId := d.Get("cluster_intranet_subnet_id").(string)
+ err = tencentCloudClusterIntranetSwitch(ctx, &service, id, subnetId, clusterIntranet)
+ if err != nil {
+ return err
+ }
+ }
+
+ return resourceTencentCloudTkeClusterEndpointRead(d, meta)
+}
+
+func resourceTencentCloudTkeClusterEndpointDelete(d *schema.ResourceData, meta interface{}) error {
+ defer logElapsed("resource.tencentcloud_kubernetes_cluster_endpoint.delete")()
+
+ logId := getLogId(contextNil)
+ ctx := context.WithValue(context.TODO(), logIdKey, logId)
+ client := meta.(*TencentCloudClient).apiV3Conn
+ service := TkeService{client}
+ var (
+ id = d.Id()
+ err error
+ isManagedCluster bool
+ )
+ if v, ok := d.GetOk("cluster_deploy_type"); ok {
+ isManagedCluster = v.(string) == TKE_DEPLOY_TYPE_MANAGED
+ }
+
+ response, err := service.DescribeClusterSecurity(ctx, id)
+
+ if err != nil {
+ return err
+ }
+
+ var (
+ security = response.Response
+ clusterInternet = security.ClusterExternalEndpoint != nil && *security.ClusterExternalEndpoint != ""
+ clusterIntranet = security.PgwEndpoint != nil && *security.PgwEndpoint != ""
+ errs multierror.Error
+ )
+
+ if clusterInternet {
+ err = tencentCloudClusterInternetSwitch(ctx, &service, id, false, isManagedCluster, nil)
+ if err != nil {
+ errs = *multierror.Append(err)
+ } else {
+ taskErr := waitForClusterEndpointFinish(ctx, &service, id, false, isManagedCluster)
+ if taskErr != nil {
+ errs = *multierror.Append(taskErr)
+ }
+ }
+ }
+
+ if clusterIntranet {
+ err = tencentCloudClusterIntranetSwitch(ctx, &service, id, "", false)
+ if err != nil {
+ errs = *multierror.Append(err)
+ }
+ }
+
+ return errs.ErrorOrNil()
+}
+
+func waitForClusterEndpointFinish(ctx context.Context, service *TkeService, id string, enabled bool, isManagedCluster bool) (err error) {
+ return resource.Retry(2*readRetryTimeout, func() *resource.RetryError {
+ var (
+ status string
+ message string
+ inErr error
+ retryableState = TkeInternetStatusCreating
+ finishStates = []string{TkeInternetStatusNotfound, TkeInternetStatusCreated}
+ )
+
+ if !enabled {
+ retryableState = TkeInternetStatusDeleting
+ finishStates = []string{TkeInternetStatusNotfound, TkeInternetStatusDeleted}
+ }
+
+ if isManagedCluster {
+ status, message, inErr = service.DescribeClusterEndpointVipStatus(ctx, id)
+ } else {
+ status, message, inErr = service.DescribeClusterEndpointStatus(ctx, id)
+ }
+ if inErr != nil {
+ return retryError(inErr)
+ }
+ if status == retryableState {
+ return resource.RetryableError(
+ fmt.Errorf("%s create cluster internet endpoint status still is %s", id, status))
+ }
+ if IsContains(finishStates, status) {
+ return nil
+ }
+ return resource.NonRetryableError(
+ fmt.Errorf("%s create cluster internet endpoint error ,status is %s,message is %s", id, status, message))
+ })
+}
+
+func tencentCloudClusterInternetSwitch(ctx context.Context, service *TkeService, id string, enable, isManagedCluster bool, policies []string) (err error) {
+ err = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
+ if enable {
+ if isManagedCluster {
+ err = service.CreateClusterEndpointVip(ctx, id, policies)
+ } else {
+ err = service.CreateClusterEndpoint(ctx, id, "", true)
+ }
+ if err != nil {
+ return retryError(err, tke.RESOURCEUNAVAILABLE_CLUSTERSTATE)
+ }
+ } else {
+ if isManagedCluster {
+ err = service.DeleteClusterEndpointVip(ctx, id)
+ } else {
+ err = service.DeleteClusterEndpoint(ctx, id, true)
+ }
+ if err != nil {
+ return retryError(err)
+ }
+ }
+ return nil
+ })
+ if err != nil {
+ return err
+ }
+ return nil
+}
+
+func tencentCloudClusterIntranetSwitch(ctx context.Context, service *TkeService, id, subnetId string, enable bool) (err error) {
+ err = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
+ if enable {
+ err = service.CreateClusterEndpoint(ctx, id, subnetId, false)
+ if err != nil {
+ return retryError(err, tke.RESOURCEUNAVAILABLE_CLUSTERSTATE)
+ }
+ } else {
+ err = service.DeleteClusterEndpoint(ctx, id, false)
+ if err != nil {
+ return retryError(err)
+ }
+ }
+ return nil
+ })
+ if err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/tencentcloud/resource_tc_kubernetes_cluster_endpoint_test.go b/tencentcloud/resource_tc_kubernetes_cluster_endpoint_test.go
new file mode 100644
index 0000000000..c2582892b2
--- /dev/null
+++ b/tencentcloud/resource_tc_kubernetes_cluster_endpoint_test.go
@@ -0,0 +1,144 @@
+package tencentcloud
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+func TestAccTencentCloudTkeClusterEndpoint(t *testing.T) {
+ t.Parallel()
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccTkeClusterEndpointBasic,
+ Check: resource.ComposeAggregateTestCheckFunc(
+ testAccCheckTkeExists("tencentcloud_kubernetes_cluster.managed_cluster"),
+ resource.TestCheckResourceAttrSet("tencentcloud_kubernetes_cluster_endpoint.foo", "cluster_id"),
+ resource.TestCheckResourceAttr("tencentcloud_kubernetes_cluster_endpoint.foo", "cluster_internet", "true"),
+ resource.TestCheckResourceAttr("tencentcloud_kubernetes_cluster_endpoint.foo", "cluster_intranet", "true"),
+ resource.TestCheckResourceAttr("tencentcloud_kubernetes_cluster_endpoint.foo", "managed_cluster_internet_security_policies.#", "1"),
+ resource.TestCheckResourceAttr(
+ "tencentcloud_kubernetes_cluster_endpoint.foo",
+ "managed_cluster_internet_security_policies.0",
+ "192.168.0.0/24",
+ ),
+ resource.TestCheckResourceAttrSet("tencentcloud_kubernetes_cluster_endpoint.foo", "cluster_intranet_subnet_id"),
+ ),
+ },
+ {
+ ResourceName: "tencentcloud_kubernetes_cluster_endpoint.foo",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"cluster_intranet_subnet_id"},
+ },
+ {
+ Config: testAccTkeClusterEndpointBasicUpdate,
+ Check: resource.ComposeAggregateTestCheckFunc(
+ testAccCheckTkeExists("tencentcloud_kubernetes_cluster.managed_cluster"),
+ resource.TestCheckResourceAttrSet("tencentcloud_kubernetes_cluster_endpoint.foo", "cluster_id"),
+ resource.TestCheckResourceAttr("tencentcloud_kubernetes_cluster_endpoint.foo", "cluster_internet", "false"),
+ resource.TestCheckResourceAttr("tencentcloud_kubernetes_cluster_endpoint.foo", "cluster_intranet", "true"),
+ ),
+ },
+ },
+ })
+}
+
+const testAccTkeClusterEndpointBasicDeps = TkeCIDRs + TkeDataSource + ClusterAttachmentInstanceType + defaultImages + `
+variable "availability_zone" {
+ default = "ap-guangzhou-3"
+}
+
+data "tencentcloud_vpc_instances" "vpcs" {
+ name = "keep_tke_exclusive_vpc"
+}
+
+data "tencentcloud_vpc_subnets" "sub" {
+ vpc_id = data.tencentcloud_vpc_instances.vpcs.instance_list.0.vpc_id
+}
+
+resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
+ vpc_id = data.tencentcloud_vpc_subnets.sub.instance_list.0.vpc_id
+ cluster_cidr = var.tke_cidr_a.3
+ cluster_max_pod_num = 32
+ cluster_name = "for-endpoint"
+ cluster_version = "1.20.6"
+ cluster_max_service_num = 32
+ cluster_os = "tlinux2.2(tkernel3)x86_64"
+
+ cluster_deploy_type = "MANAGED_CLUSTER"
+}
+
+data "tencentcloud_security_groups" "sg" {
+ name = "default"
+}
+
+resource "tencentcloud_kubernetes_node_pool" "np_test" {
+ name = "test-endpoint-attachment"
+ cluster_id = tencentcloud_kubernetes_cluster.managed_cluster.id
+ max_size = 1
+ min_size = 1
+ vpc_id = data.tencentcloud_vpc_subnets.sub.instance_list.0.vpc_id
+ subnet_ids = [data.tencentcloud_vpc_subnets.sub.instance_list.0.subnet_id]
+ retry_policy = "INCREMENTAL_INTERVALS"
+ desired_capacity = 1
+ enable_auto_scale = true
+ scaling_group_name = "basic_group"
+ default_cooldown = 400
+ termination_policies = ["OLDEST_INSTANCE"]
+
+ auto_scaling_config {
+ instance_type = local.type1
+ system_disk_type = "CLOUD_PREMIUM"
+ system_disk_size = "50"
+ security_group_ids = [data.tencentcloud_security_groups.sg.security_groups[0].security_group_id]
+
+ cam_role_name = "TCB_QcsRole"
+ data_disk {
+ disk_type = "CLOUD_PREMIUM"
+ disk_size = 50
+ }
+
+ internet_charge_type = "TRAFFIC_POSTPAID_BY_HOUR"
+ internet_max_bandwidth_out = 10
+ public_ip_assigned = true
+ password = "test123#"
+ enhanced_security_service = false
+ enhanced_monitor_service = false
+
+ }
+ unschedulable = 0
+ node_os="Tencent tlinux release 2.2 (Final)"
+}
+
+`
+
+const testAccTkeClusterEndpointBasic = testAccTkeClusterEndpointBasicDeps + `
+resource "tencentcloud_kubernetes_cluster_endpoint" "foo" {
+ cluster_id = tencentcloud_kubernetes_cluster.managed_cluster.id
+ cluster_internet = true
+ cluster_intranet = true
+ managed_cluster_internet_security_policies = [
+ "192.168.0.0/24"
+ ]
+ cluster_intranet_subnet_id = data.tencentcloud_vpc_subnets.sub.instance_list.0.subnet_id
+ depends_on = [
+ tencentcloud_kubernetes_node_pool.np_test
+ ]
+}
+`
+
+const testAccTkeClusterEndpointBasicUpdate = testAccTkeClusterEndpointBasicDeps + `
+resource "tencentcloud_kubernetes_cluster_endpoint" "foo" {
+ cluster_id = tencentcloud_kubernetes_cluster.managed_cluster.id
+ cluster_internet = false
+ cluster_intranet = true
+ cluster_intranet_subnet_id = data.tencentcloud_vpc_subnets.sub.instance_list.0.subnet_id
+ depends_on = [
+ tencentcloud_kubernetes_node_pool.np_test
+ ]
+}
+`
diff --git a/website/docs/r/kubernetes_cluster_endpoint.html.markdown b/website/docs/r/kubernetes_cluster_endpoint.html.markdown
new file mode 100644
index 0000000000..a0f013b9c4
--- /dev/null
+++ b/website/docs/r/kubernetes_cluster_endpoint.html.markdown
@@ -0,0 +1,67 @@
+---
+subcategory: "Tencent Kubernetes Engine(TKE)"
+layout: "tencentcloud"
+page_title: "TencentCloud: tencentcloud_kubernetes_cluster_endpoint"
+sidebar_current: "docs-tencentcloud-resource-kubernetes_cluster_endpoint"
+description: |-
+ Provide a resource to create a KubernetesClusterEndpoint.
+This resource allows you to create an empty cluster first without any workers. Only all attached node depends create complete, cluster endpoint will finally be enabled.
+---
+
+# tencentcloud_kubernetes_cluster_endpoint
+
+Provide a resource to create a KubernetesClusterEndpoint.
+This resource allows you to create an empty cluster first without any workers. Only all attached node depends create complete, cluster endpoint will finally be enabled.
+
+~> **NOTE:** Recommend using `depends_on` to make sure endpoint create after node pools or workers does.
+
+## Example Usage
+
+```hcl
+resource "tencentcloud_kubernetes_nodepool" "pool1" {}
+
+resource "tencentcloud_kubernetes_cluster_endpoint" "foo" {
+ cluster_id = "cls-xxxxxxxx"
+ cluster_internet = true
+ cluster_intranet = true
+ managed_cluster_internet_security_policies = [
+ "192.168.0.0/24"
+ ]
+ cluster_intranet_subnet_id = "subnet-xxxxxxxx"
+ depends_on[
+ tencentcloud_kubernetes_nodepool.pool1
+ ]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `cluster_id` - (Required) Specify cluster ID.
+* `cluster_internet` - (Optional) Open internet access or not.
+* `cluster_intranet_subnet_id` - (Optional) Subnet id who can access this independent cluster, this field must and can only set when `cluster_intranet` is true. `cluster_intranet_subnet_id` can not modify once be set.
+* `cluster_intranet` - (Optional) Open intranet access or not.
+* `managed_cluster_internet_security_policies` - (Optional) Security policies for managed cluster internet, like:'192.168.1.0/24' or '113.116.51.27', '0.0.0.0/0' means all. This field can only set when field `cluster_deploy_type` is 'MANAGED_CLUSTER' and `cluster_internet` is true. `managed_cluster_internet_security_policies` can not delete or empty once be set.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - ID of the resource.
+* `certification_authority` - The certificate used for access.
+* `cluster_deploy_type` - Cluster deploy type of `MANAGED_CLUSTER` or `INDEPENDENT_CLUSTER`.
+* `cluster_external_endpoint` - External network address to access.
+* `domain` - Domain name for access.
+* `password` - Password of account.
+* `pgw_endpoint` - The Intranet address used for access.
+* `user_name` - User name of account.
+
+
+## Import
+
+KubernetesClusterEndpoint instance can be imported by passing cluster id, e.g.
+```
+$ terraform import tencentcloud_kubernetes_cluster_endpoint.test cluster-id
+```
+
diff --git a/website/tencentcloud.erb b/website/tencentcloud.erb
index 41bb47d9bf..0a7d2e3c6e 100644
--- a/website/tencentcloud.erb
+++ b/website/tencentcloud.erb
@@ -1557,6 +1557,9 @@
tencentcloud_kubernetes_cluster_attachment
+
+ tencentcloud_kubernetes_cluster_endpoint
+
tencentcloud_kubernetes_node_pool