From 1483ac11c218749bc7347d2d9e693192218c3518 Mon Sep 17 00:00:00 2001
From: arunma <arunma@tencent.com>
Date: Wed, 17 Sep 2025 15:14:30 +0800
Subject: [PATCH 1/8] fix: support teo certificate upstream_cert_info

---
 go.mod                                        |   4 +-
 go.sum                                        |   4 +
 .../teo/resource_tc_teo_certificate_config.go |  70 ++++++++
 ...rce_tc_teo_certificate_config_extension.go |  93 ++++++++++
 .../tencentcloud/common/http/request.go       |   2 +-
 .../tencentcloud/teo/v20220901/client.go      |  52 ++++++
 .../tencentcloud/teo/v20220901/errors.go      |   3 +
 .../tencentcloud/teo/v20220901/models.go      | 169 ++++++++++++++++--
 vendor/modules.txt                            |   4 +-
 .../r/teo_certificate_config.html.markdown    |  26 +++
 10 files changed, 410 insertions(+), 17 deletions(-)

diff --git a/go.mod b/go.mod
index 4b8fd41d95..a63bad8100 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb v1.0.1107
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cloudaudit v1.0.1033
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cls v1.0.1148
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.22
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.27
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cvm v1.0.1206
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cwp v1.0.762
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cynosdb v1.0.1161
@@ -90,7 +90,7 @@ require (
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tdcpg v1.0.533
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tdmq v1.0.955
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem v1.0.578
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.1.5
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.1.27
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.1.14
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/trocket v1.1.0
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tse v1.0.857
diff --git a/go.sum b/go.sum
index 1529a461cc..88c04f1fd7 100644
--- a/go.sum
+++ b/go.sum
@@ -961,6 +961,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.14 h1:+I+n8
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.14/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.22 h1:1unTmvNXynDN0mOZSWh9tL5Wp9Rb5paMGwFvua+HHoI=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.22/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.27 h1:FG3AiNSNW5tG+mtTSE+dBc5ZhHwlYUW0Z6oSkfAWV0A=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.27/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/controlcenter v1.0.993 h1:WlPgXldQCxt7qi5Xrc6j6zTrsXWzN5BcOGs7Irq7fwQ=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/controlcenter v1.0.993/go.mod h1:Z9U8zNtyuyKhjS0698wqsrG/kLx1TQ5CEixXBwVe7xY=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/csip v1.0.860 h1:F3esKBIT3HW9+7Gt8cVgf8X06VdGIczpgLBUECzSEzU=
@@ -1080,6 +1082,8 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1203 h1:oEpdN0
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1203/go.mod h1:/tuR/74u27UEv+a36Y1x1Zdgf2WqixNq+/1wfC0QQQc=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.1.5 h1:ZLBuFek7n9ri1RNqrwG+2UbJJ/2U/tAQUkiNhamP82o=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.1.5/go.mod h1:7tgthqW14nJik2A5huXBBQFldo27RFzPfDOVz9MarvE=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.1.27 h1:vcQitUadhSZi40x1cscUvNHId4Un2xnQFIE2IxvZU70=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.1.27/go.mod h1:2+6+xYfcJa8mO8tMljGjGCvhluPGjhRhlIv1jZK6y6c=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/thpc v1.0.998 h1:f4/n0dVKQTD06xJ84B5asHViNJHrZmGojdAWEPIsITM=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/thpc v1.0.998/go.mod h1:fyi/HUwCwVe2NCCCjz8k/C5GwPu3QazCZO+OBJ3MhLk=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tke v1.0.1196 h1:+Fz9UoC3II3H3+rz9UUOHeSp2ntGGmMLAnCjHTUYliU=
diff --git a/tencentcloud/services/teo/resource_tc_teo_certificate_config.go b/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
index a06d80c3b1..ed90d466e3 100644
--- a/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
+++ b/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
@@ -88,6 +88,76 @@ func ResourceTencentCloudTeoCertificateConfig() *schema.Resource {
 				},
 			},
 
+			"upstream_cert_info": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				MaxItems:    1,
+				Description: "Configures the certificate presented by the EO node during origin-pull for mutual TLS authentication. Disabled by default; leaving the field blank will retain the current configuration. This feature is currently in beta testing. please [contact us](https://cloud.tencent.com/online-service) to request access.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"upstream_mutual_tls": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							MaxItems:    1,
+							Description: "In the origin-pull mutual authentication scenario, this field represents the certificate (including the public and private keys) carried during EO node origin-pull, which is deployed in the EO node for the origin server to authenticate the EO node. When used as an input parameter, it is left blank to indicate retaining the original configuration.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"switch": {
+										Type:        schema.TypeString,
+										Required:    true,
+										Description: "Mutual authentication configuration switch, the values are: `on`: enable; `off`: disable.",
+									},
+									"cert_infos": {
+										Type:        schema.TypeList,
+										Optional:    true,
+										Description: "Mutual authentication certificate list.\nNote: When using MutualTLS as an input parameter in ModifyHostsCertificate, you only need to provide the CertId of the corresponding certificate. You can check the CertId from the [SSL Certificate List](https://console.cloud.tencent.com/ssl).",
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"cert_id": {
+													Type:        schema.TypeString,
+													Required:    true,
+													Description: "Certificate ID, which originates from the SSL side. You can check the CertId from the [SSL Certificate List](https://console.cloud.tencent.com/ssl).",
+												},
+												"alias": {
+													Type:        schema.TypeString,
+													Optional:    true,
+													Description: "Alias of the certificate.",
+												},
+												"type": {
+													Type:        schema.TypeString,
+													Optional:    true,
+													Description: "Type of the certificate. Values: `default`: Default certificate `upload`: Specified certificate `managed`: Tencent Cloud-managed certificate.",
+												},
+												"expire_time": {
+													Type:        schema.TypeString,
+													Optional:    true,
+													Description: "The certificate expiration time.",
+												},
+												"deploy_time": {
+													Type:        schema.TypeString,
+													Optional:    true,
+													Description: "Time when the certificate is deployed.",
+												},
+												"sign_algo": {
+													Type:        schema.TypeString,
+													Optional:    true,
+													Description: "Signature algorithm.",
+												},
+												"status": {
+													Type:        schema.TypeString,
+													Optional:    true,
+													Description: "Status of the certificate. Values:\n`deployed`: The deployment has completed\n`processing`: Deployment in progress\n`applying`: Application in progress\n`failed`: Application rejected\n`issued`: Binding failed.",
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+
 			"mode": {
 				Type:        schema.TypeString,
 				Optional:    true,
diff --git a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
index a54a63fdfe..ed07a03464 100644
--- a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
+++ b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
@@ -72,6 +72,59 @@ func resourceTencentCloudTeoCertificateConfigReadPostHandleResponse0(ctx context
 
 		_ = d.Set("server_cert_info", serverCertInfoList)
 
+		upstreamCertInfoMap := map[string]interface{}{}
+		if accelerationDomain.Certificate.UpstreamCertInfo != nil {
+			upstreamMutualTLSMap := map[string]interface{}{}
+
+			if accelerationDomain.Certificate.UpstreamCertInfo.UpstreamMutualTLS != nil {
+				if accelerationDomain.Certificate.UpstreamCertInfo.UpstreamMutualTLS.Switch != nil {
+					upstreamMutualTLSMap["switch"] = accelerationDomain.Certificate.UpstreamCertInfo.UpstreamMutualTLS.Switch
+				}
+
+				certInfosList := make([]map[string]interface{}, 0, len(accelerationDomain.Certificate.UpstreamCertInfo.UpstreamMutualTLS.CertInfos))
+				if accelerationDomain.Certificate.UpstreamCertInfo.UpstreamMutualTLS.CertInfos != nil {
+					for _, certInfos := range accelerationDomain.Certificate.UpstreamCertInfo.UpstreamMutualTLS.CertInfos {
+						certInfosMap := map[string]interface{}{}
+
+						if certInfos.CertId != nil {
+							certInfosMap["cert_id"] = certInfos.CertId
+						}
+
+						if certInfos.Alias != nil {
+							certInfosMap["alias"] = certInfos.Alias
+						}
+
+						if certInfos.Type != nil {
+							certInfosMap["type"] = certInfos.Type
+						}
+
+						if certInfos.ExpireTime != nil {
+							certInfosMap["expire_time"] = certInfos.ExpireTime
+						}
+
+						if certInfos.DeployTime != nil {
+							certInfosMap["deploy_time"] = certInfos.DeployTime
+						}
+
+						if certInfos.SignAlgo != nil {
+							certInfosMap["sign_algo"] = certInfos.SignAlgo
+						}
+
+						if certInfos.Status != nil {
+							certInfosMap["status"] = certInfos.Status
+						}
+
+						certInfosList = append(certInfosList, certInfosMap)
+					}
+
+					upstreamMutualTLSMap["cert_infos"] = certInfosList
+				}
+				upstreamCertInfoMap["upstream_mutual_tls"] = []interface{}{upstreamMutualTLSMap}
+			}
+
+			_ = d.Set("upstream_cert_info", []interface{}{upstreamCertInfoMap})
+		}
+
 		if certificate.Mode != nil {
 			_ = d.Set("mode", certificate.Mode)
 		}
@@ -155,6 +208,46 @@ func resourceTencentCloudTeoCertificateConfigUpdateOnStart(ctx context.Context)
 		}
 	}
 
+	if upstreamCertInfoMap, ok := helper.InterfacesHeadMap(d, "upstream_cert_info"); ok {
+		upstreamCertInfo := teo.UpstreamCertInfo{}
+		if upstreamMutualTLSMap, ok := helper.ConvertInterfacesHeadToMap(upstreamCertInfoMap["upstream_mutual_tls"]); ok {
+			mutualTLS2 := teo.MutualTLS{}
+			if v, ok := upstreamMutualTLSMap["switch"].(string); ok && v != "" {
+				mutualTLS2.Switch = helper.String(v)
+			}
+			if v, ok := upstreamMutualTLSMap["cert_infos"]; ok {
+				for _, item := range v.([]interface{}) {
+					certInfosMap := item.(map[string]interface{})
+					certificateInfo := teo.CertificateInfo{}
+					if v, ok := certInfosMap["cert_id"].(string); ok && v != "" {
+						certificateInfo.CertId = helper.String(v)
+					}
+					if v, ok := certInfosMap["alias"].(string); ok && v != "" {
+						certificateInfo.Alias = helper.String(v)
+					}
+					if v, ok := certInfosMap["type"].(string); ok && v != "" {
+						certificateInfo.Type = helper.String(v)
+					}
+					if v, ok := certInfosMap["expire_time"].(string); ok && v != "" {
+						certificateInfo.ExpireTime = helper.String(v)
+					}
+					if v, ok := certInfosMap["deploy_time"].(string); ok && v != "" {
+						certificateInfo.DeployTime = helper.String(v)
+					}
+					if v, ok := certInfosMap["sign_algo"].(string); ok && v != "" {
+						certificateInfo.SignAlgo = helper.String(v)
+					}
+					if v, ok := certInfosMap["status"].(string); ok && v != "" {
+						certificateInfo.Status = helper.String(v)
+					}
+					mutualTLS2.CertInfos = append(mutualTLS2.CertInfos, &certificateInfo)
+				}
+			}
+			upstreamCertInfo.UpstreamMutualTLS = &mutualTLS2
+		}
+		request.UpstreamCertInfo = &upstreamCertInfo
+	}
+
 	if v, ok := d.GetOk("mode"); ok {
 		request.Mode = helper.String(v.(string))
 	}
diff --git a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http/request.go b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http/request.go
index 47080ca054..8642154009 100644
--- a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http/request.go
+++ b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http/request.go
@@ -265,7 +265,7 @@ func CompleteCommonParams(request Request, region string, requestClient string)
 	params["Action"] = request.GetAction()
 	params["Timestamp"] = strconv.FormatInt(time.Now().Unix(), 10)
 	params["Nonce"] = strconv.Itoa(rand.Int())
-	params["RequestClient"] = "SDK_GO_1.1.22"
+	params["RequestClient"] = "SDK_GO_1.1.27"
 	if requestClient != "" {
 		params["RequestClient"] += ": " + requestClient
 	}
diff --git a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/client.go b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/client.go
index 47b2c607a3..0f564298fb 100644
--- a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/client.go
+++ b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/client.go
@@ -8827,6 +8827,58 @@ func (c *Client) DescribeTimingL7CacheDataWithContext(ctx context.Context, reque
     return
 }
 
+func NewDescribeTimingL7OriginPullDataRequest() (request *DescribeTimingL7OriginPullDataRequest) {
+    request = &DescribeTimingL7OriginPullDataRequest{
+        BaseRequest: &tchttp.BaseRequest{},
+    }
+    
+    request.Init().WithApiInfo("teo", APIVersion, "DescribeTimingL7OriginPullData")
+    
+    
+    return
+}
+
+func NewDescribeTimingL7OriginPullDataResponse() (response *DescribeTimingL7OriginPullDataResponse) {
+    response = &DescribeTimingL7OriginPullDataResponse{
+        BaseResponse: &tchttp.BaseResponse{},
+    } 
+    return
+
+}
+
+// DescribeTimingL7OriginPullData
+// 本接口用以查询七层域名业务的回源时序数据。
+//
+// 可能返回的错误码:
+//  LIMITEXCEEDED_QUERYTIMELIMITEXCEEDED = "LimitExceeded.QueryTimeLimitExceeded"
+//  OPERATIONDENIED_ORIGINPULLDATANOTSUPPORTED = "OperationDenied.OriginPullDataNotSupported"
+func (c *Client) DescribeTimingL7OriginPullData(request *DescribeTimingL7OriginPullDataRequest) (response *DescribeTimingL7OriginPullDataResponse, err error) {
+    return c.DescribeTimingL7OriginPullDataWithContext(context.Background(), request)
+}
+
+// DescribeTimingL7OriginPullData
+// 本接口用以查询七层域名业务的回源时序数据。
+//
+// 可能返回的错误码:
+//  LIMITEXCEEDED_QUERYTIMELIMITEXCEEDED = "LimitExceeded.QueryTimeLimitExceeded"
+//  OPERATIONDENIED_ORIGINPULLDATANOTSUPPORTED = "OperationDenied.OriginPullDataNotSupported"
+func (c *Client) DescribeTimingL7OriginPullDataWithContext(ctx context.Context, request *DescribeTimingL7OriginPullDataRequest) (response *DescribeTimingL7OriginPullDataResponse, err error) {
+    if request == nil {
+        request = NewDescribeTimingL7OriginPullDataRequest()
+    }
+    c.InitBaseRequest(&request.BaseRequest, "teo", APIVersion, "DescribeTimingL7OriginPullData")
+    
+    if c.GetCredential() == nil {
+        return nil, errors.New("DescribeTimingL7OriginPullData require credential")
+    }
+
+    request.SetContext(ctx)
+    
+    response = NewDescribeTimingL7OriginPullDataResponse()
+    err = c.Send(request, response)
+    return
+}
+
 func NewDescribeTopL7AnalysisDataRequest() (request *DescribeTopL7AnalysisDataRequest) {
     request = &DescribeTopL7AnalysisDataRequest{
         BaseRequest: &tchttp.BaseRequest{},
diff --git a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/errors.go b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/errors.go
index 401215c4ab..7a717ca173 100644
--- a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/errors.go
+++ b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/errors.go
@@ -1142,6 +1142,9 @@ const (
 	// 规则引擎使用中，无法删除。
 	OPERATIONDENIED_ORIGINGROUPRULEENGINEUSED = "OperationDenied.OriginGroupRuleEngineUsed"
 
+	// 当前主账号不具备回源数据查询接口权限，请联系售后服务。
+	OPERATIONDENIED_ORIGINPULLDATANOTSUPPORTED = "OperationDenied.OriginPullDataNotSupported"
+
 	// 归属权校验未通过，请先完成站点归属权校验。
 	OPERATIONDENIED_OWNERSHIPVERIFICATIONNOTPASSED = "OperationDenied.OwnershipVerificationNotPassed"
 
diff --git a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/models.go b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/models.go
index c9ca1b48e1..b93aae6525 100644
--- a/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/models.go
+++ b/vendor/github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901/models.go
@@ -1535,7 +1535,7 @@ type ClientAttester struct {
 	Type *string `json:"Type,omitnil,omitempty" name:"Type"`
 
 	// 认证方法。取值有：
-	// <li>TC-RCE: 使用全栈式风控引擎进行认证；</li>
+	// <li>TC-RCE: 使用风险识别 RCE 进行认证；</li>
 	// <li>TC-CAPTCHA: 使用天御验证码进行认证。</li>
 	AttesterSource *string `json:"AttesterSource,omitnil,omitempty" name:"AttesterSource"`
 
@@ -3563,6 +3563,9 @@ type CreateOriginGroupRequestParams struct {
 	// 站点 ID
 	ZoneId *string `json:"ZoneId,omitnil,omitempty" name:"ZoneId"`
 
+	// 源站记录信息，此参数必填。
+	Records []*OriginRecord `json:"Records,omitnil,omitempty" name:"Records"`
+
 	// 源站组名称，可输入1 - 200个字符，允许的字符为 a - z, A - Z, 0 - 9, _, - 。
 	Name *string `json:"Name,omitnil,omitempty" name:"Name"`
 
@@ -3571,9 +3574,6 @@ type CreateOriginGroupRequestParams struct {
 	// <li>HTTP： HTTP 专用型源站组，支持添加 IP/域名、对象存储源站作为源站，无法被四层代理引用，仅支持被添加加速域名、规则引擎-修改源站、HTTP 专用型负载均衡引用。</li>
 	Type *string `json:"Type,omitnil,omitempty" name:"Type"`
 
-	// 源站记录信息，此参数必填。
-	Records []*OriginRecord `json:"Records,omitnil,omitempty" name:"Records"`
-
 	// 回源 Host Header，仅 Type = HTTP 时传入生效，规则引擎修改 Host Header 配置优先级高于源站组的 Host Header。
 	HostHeader *string `json:"HostHeader,omitnil,omitempty" name:"HostHeader"`
 }
@@ -3584,6 +3584,9 @@ type CreateOriginGroupRequest struct {
 	// 站点 ID
 	ZoneId *string `json:"ZoneId,omitnil,omitempty" name:"ZoneId"`
 
+	// 源站记录信息，此参数必填。
+	Records []*OriginRecord `json:"Records,omitnil,omitempty" name:"Records"`
+
 	// 源站组名称，可输入1 - 200个字符，允许的字符为 a - z, A - Z, 0 - 9, _, - 。
 	Name *string `json:"Name,omitnil,omitempty" name:"Name"`
 
@@ -3592,9 +3595,6 @@ type CreateOriginGroupRequest struct {
 	// <li>HTTP： HTTP 专用型源站组，支持添加 IP/域名、对象存储源站作为源站，无法被四层代理引用，仅支持被添加加速域名、规则引擎-修改源站、HTTP 专用型负载均衡引用。</li>
 	Type *string `json:"Type,omitnil,omitempty" name:"Type"`
 
-	// 源站记录信息，此参数必填。
-	Records []*OriginRecord `json:"Records,omitnil,omitempty" name:"Records"`
-
 	// 回源 Host Header，仅 Type = HTTP 时传入生效，规则引擎修改 Host Header 配置优先级高于源站组的 Host Header。
 	HostHeader *string `json:"HostHeader,omitnil,omitempty" name:"HostHeader"`
 }
@@ -3612,9 +3612,9 @@ func (r *CreateOriginGroupRequest) FromJsonString(s string) error {
 		return err
 	}
 	delete(f, "ZoneId")
+	delete(f, "Records")
 	delete(f, "Name")
 	delete(f, "Type")
-	delete(f, "Records")
 	delete(f, "HostHeader")
 	if len(f) > 0 {
 		return tcerr.NewTencentCloudSDKError("ClientError.BuildRequestError", "CreateOriginGroupRequest has unknown keys!", "")
@@ -11955,6 +11955,121 @@ func (r *DescribeTimingL7CacheDataResponse) FromJsonString(s string) error {
 	return json.Unmarshal([]byte(s), &r)
 }
 
+// Predefined struct for user
+type DescribeTimingL7OriginPullDataRequestParams struct {
+	// 开始时间。
+	StartTime *string `json:"StartTime,omitnil,omitempty" name:"StartTime"`
+
+	// 结束时间。查询时间范围（`EndTime` - `StartTime`）需小于等于 31 天。
+	EndTime *string `json:"EndTime,omitnil,omitempty" name:"EndTime"`
+
+	// 指标列表，取值有:
+	// <li>l7Flow_outFlux_hy: EdgeOne 节点至源站方向的请求流量，单位：Byte；</li>
+	// <li>l7Flow_outBandwidth_hy: EdgeOne 节点至源站方向的请求带宽，单位：bps；</li>
+	// <li>l7Flow_request_hy: EdgeOne 节点至源站方向的请求数，单位：次。</li>
+	// <li>l7Flow_inFlux_hy: 源站至 EdgeOne 节点方向的响应流量，单位：Byte；</li>
+	// <li>l7Flow_inBandwidth_hy: 源站至 EdgeOne 节点方向的响应带宽，单位：bps；</li>
+	MetricNames []*string `json:"MetricNames,omitnil,omitempty" name:"MetricNames"`
+
+	// 站点 ID 集合，此参数必填。最多传入 100 个站点 ID。若需查询腾讯云主账号下所有站点数据，请用 `*` 代替，查询账号级别数据需具备本接口全部站点资源权限。
+	ZoneIds []*string `json:"ZoneIds,omitnil,omitempty" name:"ZoneIds"`
+
+	// 查询时间粒度，取值有：
+	// <li>min: 1分钟；</li>
+	// <li>5min: 5分钟；</li>
+	// <li>hour: 1小时；</li>
+	// <li>day: 1天。</li>不填将根据开始时间跟结束时间的间距自动推算粒度，具体为：2 小时范围内以 min 粒度查询，2 天范围内以 5min 粒度查询，7 天范围内以 hour 粒度查询，超过 7 天以 day 粒度查询。
+	Interval *string `json:"Interval,omitnil,omitempty" name:"Interval"`
+
+	// 过滤条件，详细的过滤条件如下：
+	// <li>domain：客户端请求的域名。若按泛域名接入 EdgeOne，则数据中记录为泛域名，而不是具体域名。</li>
+	Filters []*QueryCondition `json:"Filters,omitnil,omitempty" name:"Filters"`
+}
+
+type DescribeTimingL7OriginPullDataRequest struct {
+	*tchttp.BaseRequest
+	
+	// 开始时间。
+	StartTime *string `json:"StartTime,omitnil,omitempty" name:"StartTime"`
+
+	// 结束时间。查询时间范围（`EndTime` - `StartTime`）需小于等于 31 天。
+	EndTime *string `json:"EndTime,omitnil,omitempty" name:"EndTime"`
+
+	// 指标列表，取值有:
+	// <li>l7Flow_outFlux_hy: EdgeOne 节点至源站方向的请求流量，单位：Byte；</li>
+	// <li>l7Flow_outBandwidth_hy: EdgeOne 节点至源站方向的请求带宽，单位：bps；</li>
+	// <li>l7Flow_request_hy: EdgeOne 节点至源站方向的请求数，单位：次。</li>
+	// <li>l7Flow_inFlux_hy: 源站至 EdgeOne 节点方向的响应流量，单位：Byte；</li>
+	// <li>l7Flow_inBandwidth_hy: 源站至 EdgeOne 节点方向的响应带宽，单位：bps；</li>
+	MetricNames []*string `json:"MetricNames,omitnil,omitempty" name:"MetricNames"`
+
+	// 站点 ID 集合，此参数必填。最多传入 100 个站点 ID。若需查询腾讯云主账号下所有站点数据，请用 `*` 代替，查询账号级别数据需具备本接口全部站点资源权限。
+	ZoneIds []*string `json:"ZoneIds,omitnil,omitempty" name:"ZoneIds"`
+
+	// 查询时间粒度，取值有：
+	// <li>min: 1分钟；</li>
+	// <li>5min: 5分钟；</li>
+	// <li>hour: 1小时；</li>
+	// <li>day: 1天。</li>不填将根据开始时间跟结束时间的间距自动推算粒度，具体为：2 小时范围内以 min 粒度查询，2 天范围内以 5min 粒度查询，7 天范围内以 hour 粒度查询，超过 7 天以 day 粒度查询。
+	Interval *string `json:"Interval,omitnil,omitempty" name:"Interval"`
+
+	// 过滤条件，详细的过滤条件如下：
+	// <li>domain：客户端请求的域名。若按泛域名接入 EdgeOne，则数据中记录为泛域名，而不是具体域名。</li>
+	Filters []*QueryCondition `json:"Filters,omitnil,omitempty" name:"Filters"`
+}
+
+func (r *DescribeTimingL7OriginPullDataRequest) ToJsonString() string {
+    b, _ := json.Marshal(r)
+    return string(b)
+}
+
+// FromJsonString It is highly **NOT** recommended to use this function
+// because it has no param check, nor strict type check
+func (r *DescribeTimingL7OriginPullDataRequest) FromJsonString(s string) error {
+	f := make(map[string]interface{})
+	if err := json.Unmarshal([]byte(s), &f); err != nil {
+		return err
+	}
+	delete(f, "StartTime")
+	delete(f, "EndTime")
+	delete(f, "MetricNames")
+	delete(f, "ZoneIds")
+	delete(f, "Interval")
+	delete(f, "Filters")
+	if len(f) > 0 {
+		return tcerr.NewTencentCloudSDKError("ClientError.BuildRequestError", "DescribeTimingL7OriginPullDataRequest has unknown keys!", "")
+	}
+	return json.Unmarshal([]byte(s), &r)
+}
+
+// Predefined struct for user
+type DescribeTimingL7OriginPullDataResponseParams struct {
+	// 查询结果的总条数。
+	TotalCount *uint64 `json:"TotalCount,omitnil,omitempty" name:"TotalCount"`
+
+	// 回源时序数据列表。
+	TimingDataRecords []*TimingDataRecord `json:"TimingDataRecords,omitnil,omitempty" name:"TimingDataRecords"`
+
+	// 唯一请求 ID，由服务端生成，每次请求都会返回（若请求因其他原因未能抵达服务端，则该次请求不会获得 RequestId）。定位问题时需要提供该次请求的 RequestId。
+	RequestId *string `json:"RequestId,omitnil,omitempty" name:"RequestId"`
+}
+
+type DescribeTimingL7OriginPullDataResponse struct {
+	*tchttp.BaseResponse
+	Response *DescribeTimingL7OriginPullDataResponseParams `json:"Response"`
+}
+
+func (r *DescribeTimingL7OriginPullDataResponse) ToJsonString() string {
+    b, _ := json.Marshal(r)
+    return string(b)
+}
+
+// FromJsonString It is highly **NOT** recommended to use this function
+// because it has no param check, nor strict type check
+func (r *DescribeTimingL7OriginPullDataResponse) FromJsonString(s string) error {
+	return json.Unmarshal([]byte(s), &r)
+}
+
 // Predefined struct for user
 type DescribeTopL7AnalysisDataRequestParams struct {
 	// 开始时间。
@@ -13621,6 +13736,26 @@ type ForceRedirectHTTPSParameters struct {
 	RedirectStatusCode *int64 `json:"RedirectStatusCode,omitnil,omitempty" name:"RedirectStatusCode"`
 }
 
+type FrequentScanningProtection struct {
+	// 高频扫描防护规则是否开启。取值有：<li>on：开启，高频扫描防护规则生效；</li><li>off：关闭，高频扫描防护规则不生效。</li>	
+	Enabled *string `json:"Enabled,omitnil,omitempty" name:"Enabled"`
+
+	// 高频扫描防护的处置动作。 当 Enabled 为 on 时，此字段必填。SecurityAction 的 Name 取值支持：<li>Deny：拦截，响应拦截页面；</li><li>Monitor：观察，不处理请求记录安全事件到日志中；</li><li>JSChallenge：JavaScript 挑战，响应 JavaScript 挑战页面。</li>
+	Action *SecurityAction `json:"Action,omitnil,omitempty" name:"Action"`
+
+	// 请求统计的匹配方式，当 Enabled 为 on 时，此字段必填。取值有：<li>http.request.xff_header_ip：客户端 IP（优先匹配 XFF 头部）；</li><li>http.request.ip：客户端 IP。</li> 
+	CountBy *string `json:"CountBy,omitnil,omitempty" name:"CountBy"`
+
+	// 此参数指定高频扫描防护的阈值，即在 CountingPeriod 所设置时间范围内命中「配置为拦截」的托管规则时的累计拦截次数，取值范围 1 ~ 4294967294，例如 100，当超过此统计值时，后续请求将触发 Action 所设置的处置动作。当 Enabled 为 on 时，此字段必填。
+	BlockThreshold *int64 `json:"BlockThreshold,omitnil,omitempty" name:"BlockThreshold"`
+
+	// 此参数指定高频扫描防护所统计的时间窗口，即命中「配置为拦截」的托管规则的请求的统计时间窗口，取值 5 ~ 1800，单位仅支持秒（s），例如 5s。 当 Enabled 为 on 时，此字段必填。
+	CountingPeriod *string `json:"CountingPeriod,omitnil,omitempty" name:"CountingPeriod"`
+
+	// 此参数指定高频扫描防护 Action 参数所设置处置动作的持续时长，取值范围 60 ~ 86400，单位仅支持秒（s），例如 60s。当 Enabled 为 on 时，此字段必填。
+	ActionDuration *string `json:"ActionDuration,omitnil,omitempty" name:"ActionDuration"`
+}
+
 type Function struct {
 	// 函数 ID。
 	FunctionId *string `json:"FunctionId,omitnil,omitempty" name:"FunctionId"`
@@ -14794,6 +14929,9 @@ type ManagedRules struct {
 
 	// 托管规则组的配置。如果此结构传空数组或 GroupId 未包含在列表内将按照默认方式处理。
 	ManagedRuleGroups []*ManagedRuleGroup `json:"ManagedRuleGroups,omitnil,omitempty" name:"ManagedRuleGroups"`
+
+	// 高频扫描防护配置选项，当某一访客的请求频繁命中「配置为拦截」的托管规则时，在一段时间内封禁该访客所有请求。
+	FrequentScanningProtection *FrequentScanningProtection `json:"FrequentScanningProtection,omitnil,omitempty" name:"FrequentScanningProtection"`
 }
 
 type MaxAge struct {
@@ -16189,6 +16327,9 @@ type ModifyHostsCertificateRequestParams struct {
 
 	// 在边缘双向认证场景下，该字段为客户端的 CA 证书，部署在 EO 节点内，用于客户端对 EO 节点进行认证。默认关闭，不填写表示保持原有配置。
 	ClientCertInfo *MutualTLS `json:"ClientCertInfo,omitnil,omitempty" name:"ClientCertInfo"`
+
+	// 用于配置 EO 节点回源时携带的证书，用于回源双向认证握手，默认关闭，不填写表示保持原有配置。该配置当前为白名单内测中，如需使用，请[联系我们](https://cloud.tencent.com/online-service)。
+	UpstreamCertInfo *UpstreamCertInfo `json:"UpstreamCertInfo,omitnil,omitempty" name:"UpstreamCertInfo"`
 }
 
 type ModifyHostsCertificateRequest struct {
@@ -16218,6 +16359,9 @@ type ModifyHostsCertificateRequest struct {
 
 	// 在边缘双向认证场景下，该字段为客户端的 CA 证书，部署在 EO 节点内，用于客户端对 EO 节点进行认证。默认关闭，不填写表示保持原有配置。
 	ClientCertInfo *MutualTLS `json:"ClientCertInfo,omitnil,omitempty" name:"ClientCertInfo"`
+
+	// 用于配置 EO 节点回源时携带的证书，用于回源双向认证握手，默认关闭，不填写表示保持原有配置。该配置当前为白名单内测中，如需使用，请[联系我们](https://cloud.tencent.com/online-service)。
+	UpstreamCertInfo *UpstreamCertInfo `json:"UpstreamCertInfo,omitnil,omitempty" name:"UpstreamCertInfo"`
 }
 
 func (r *ModifyHostsCertificateRequest) ToJsonString() string {
@@ -16238,6 +16382,7 @@ func (r *ModifyHostsCertificateRequest) FromJsonString(s string) error {
 	delete(f, "ServerCertInfo")
 	delete(f, "ApplyType")
 	delete(f, "ClientCertInfo")
+	delete(f, "UpstreamCertInfo")
 	if len(f) > 0 {
 		return tcerr.NewTencentCloudSDKError("ClientError.BuildRequestError", "ModifyHostsCertificateRequest has unknown keys!", "")
 	}
@@ -18962,7 +19107,7 @@ type OriginRecord struct {
 	// 源站记录ID。
 	RecordId *string `json:"RecordId,omitnil,omitempty" name:"RecordId"`
 
-	// 源站权重，取值为0-100, 不填表示不设置权重，由系统自由调度，填0表示权重为0, 流量将不会调度到此源站。
+	// 【源站权重】：用于控制流量分配优先级的参数，取值范围：0-100（整数）：<li>空值：不设置权重，系统按默认策略调度；</li><li>0 值：明确设置权重为0，流量将不会分配到该源站，注意事项：必须确保至少有一个源站的权重值大于0；</li><li>正常值：数值越大分配流量越多 ；</li>
 	// 注意：此字段可能返回 null，表示取不到有效值。
 	Weight *uint64 `json:"Weight,omitnil,omitempty" name:"Weight"`
 
@@ -19699,8 +19844,8 @@ type Resource struct {
 	PlanId *string `json:"PlanId,omitnil,omitempty" name:"PlanId"`
 
 	// 地域，取值有：
-	// <li>mainland：国内；</li>
-	// <li>overseas：海外。</li>
+	// <li>mainland：中国大陆境内；</li>
+	// <li>overseas：中国大陆境外。</li>
 	// <li>global：全球。</li>
 	Area *string `json:"Area,omitnil,omitempty" name:"Area"`
 
@@ -20663,7 +20808,7 @@ type Task struct {
 	// <li>originPullFailed：回源失败。</li>
 	FailType *string `json:"FailType,omitnil,omitempty" name:"FailType"`
 
-	// 刷新、预热失败描述。
+	// 清除缓存、预热缓存的失败原因描述。
 	FailMessage *string `json:"FailMessage,omitnil,omitempty" name:"FailMessage"`
 }
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index e9e150a405..91d94d6fa7 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1170,7 +1170,7 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cloudaudit/v20190319
 # github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cls v1.0.1148
 ## explicit; go 1.14
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cls/v20201016
-# github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.22
+# github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.1.27
 ## explicit; go 1.11
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/errors
@@ -1331,7 +1331,7 @@ github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tdmq/v20200217
 # github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem v1.0.578
 ## explicit; go 1.14
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tem/v20210701
-# github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.1.5
+# github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.1.27
 ## explicit; go 1.14
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901
 # github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/thpc v1.0.998
diff --git a/website/docs/r/teo_certificate_config.html.markdown b/website/docs/r/teo_certificate_config.html.markdown
index 7fdf0c5f32..53da41df7e 100644
--- a/website/docs/r/teo_certificate_config.html.markdown
+++ b/website/docs/r/teo_certificate_config.html.markdown
@@ -43,6 +43,22 @@ The following arguments are supported:
 * `zone_id` - (Required, String, ForceNew) Site ID.
 * `mode` - (Optional, String) Mode of configuring the certificate, the values are: `disable`: Do not configure the certificate; `eofreecert`: Configure EdgeOne free certificate; `sslcert`: Configure SSL certificate. If not filled in, the default value is `disable`.
 * `server_cert_info` - (Optional, List) SSL certificate configuration, this parameter takes effect only when mode = sslcert, just enter the corresponding CertId. You can go to the SSL certificate list to view the CertId.
+* `upstream_cert_info` - (Optional, List) Configures the certificate presented by the EO node during origin-pull for mutual TLS authentication. Disabled by default; leaving the field blank will retain the current configuration. This feature is currently in beta testing. please [contact us](https://cloud.tencent.com/online-service) to request access.
+
+The `cert_infos` object of `upstream_mutual_tls` supports the following:
+
+* `cert_id` - (Required, String) Certificate ID, which originates from the SSL side. You can check the CertId from the [SSL Certificate List](https://console.cloud.tencent.com/ssl).
+* `alias` - (Optional, String) Alias of the certificate.
+* `deploy_time` - (Optional, String) Time when the certificate is deployed.
+* `expire_time` - (Optional, String) The certificate expiration time.
+* `sign_algo` - (Optional, String) Signature algorithm.
+* `status` - (Optional, String) Status of the certificate. Values:
+`deployed`: The deployment has completed
+`processing`: Deployment in progress
+`applying`: Application in progress
+`failed`: Application rejected
+`issued`: Binding failed.
+* `type` - (Optional, String) Type of the certificate. Values: `default`: Default certificate `upload`: Specified certificate `managed`: Tencent Cloud-managed certificate.
 
 The `server_cert_info` object supports the following:
 
@@ -54,6 +70,16 @@ The `server_cert_info` object supports the following:
 * `sign_algo` - (Optional, String) Signature algorithm. Note: This field may return null, indicating that no valid values can be obtained.
 * `type` - (Optional, String) Type of the certificate. Values: `default`: Default certificate; `upload`: Specified certificate; `managed`: Tencent Cloud-managed certificate. Note: This field may return `null`, indicating that no valid value can be obtained.
 
+The `upstream_cert_info` object supports the following:
+
+* `upstream_mutual_tls` - (Optional, List) In the origin-pull mutual authentication scenario, this field represents the certificate (including the public and private keys) carried during EO node origin-pull, which is deployed in the EO node for the origin server to authenticate the EO node. When used as an input parameter, it is left blank to indicate retaining the original configuration.
+
+The `upstream_mutual_tls` object of `upstream_cert_info` supports the following:
+
+* `switch` - (Required, String) Mutual authentication configuration switch, the values are: `on`: enable; `off`: disable.
+* `cert_infos` - (Optional, List) Mutual authentication certificate list.
+Note: When using MutualTLS as an input parameter in ModifyHostsCertificate, you only need to provide the CertId of the corresponding certificate. You can check the CertId from the [SSL Certificate List](https://console.cloud.tencent.com/ssl).
+
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:

From 30229ea4be74101db1bb9aba5c5c59bb9997432a Mon Sep 17 00:00:00 2001
From: arunma <arunma@tencent.com>
Date: Wed, 17 Sep 2025 16:26:27 +0800
Subject: [PATCH 2/8] fix: support teo certificate upstream_cert_info

---
 .../services/teo/resource_tc_teo_certificate_config.go | 10 ++++------
 .../resource_tc_teo_certificate_config_extension.go    |  9 ---------
 website/docs/r/teo_certificate_config.html.markdown    |  7 -------
 3 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/tencentcloud/services/teo/resource_tc_teo_certificate_config.go b/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
index ed90d466e3..e41145d858 100644
--- a/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
+++ b/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
@@ -126,28 +126,26 @@ func ResourceTencentCloudTeoCertificateConfig() *schema.Resource {
 												"type": {
 													Type:        schema.TypeString,
 													Optional:    true,
+													Computed:    true,
 													Description: "Type of the certificate. Values: `default`: Default certificate `upload`: Specified certificate `managed`: Tencent Cloud-managed certificate.",
 												},
 												"expire_time": {
 													Type:        schema.TypeString,
 													Optional:    true,
+													Computed:    true,
 													Description: "The certificate expiration time.",
 												},
 												"deploy_time": {
 													Type:        schema.TypeString,
-													Optional:    true,
+													Computed:    true,
 													Description: "Time when the certificate is deployed.",
 												},
 												"sign_algo": {
 													Type:        schema.TypeString,
 													Optional:    true,
+													Computed:    true,
 													Description: "Signature algorithm.",
 												},
-												"status": {
-													Type:        schema.TypeString,
-													Optional:    true,
-													Description: "Status of the certificate. Values:\n`deployed`: The deployment has completed\n`processing`: Deployment in progress\n`applying`: Application in progress\n`failed`: Application rejected\n`issued`: Binding failed.",
-												},
 											},
 										},
 									},
diff --git a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
index ed07a03464..f14282e810 100644
--- a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
+++ b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
@@ -110,10 +110,6 @@ func resourceTencentCloudTeoCertificateConfigReadPostHandleResponse0(ctx context
 							certInfosMap["sign_algo"] = certInfos.SignAlgo
 						}
 
-						if certInfos.Status != nil {
-							certInfosMap["status"] = certInfos.Status
-						}
-
 						certInfosList = append(certInfosList, certInfosMap)
 					}
 
@@ -193,11 +189,6 @@ func resourceTencentCloudTeoCertificateConfigUpdateOnStart(ctx context.Context)
 			} else {
 				serverCertInfo.ExpireTime = nil
 			}
-			if v, ok := dMap["deploy_time"]; ok && v.(string) != "" {
-				serverCertInfo.DeployTime = helper.String(v.(string))
-			} else {
-				serverCertInfo.DeployTime = nil
-			}
 			if v, ok := dMap["sign_algo"]; ok && v.(string) != "" {
 				serverCertInfo.SignAlgo = helper.String(v.(string))
 			}
diff --git a/website/docs/r/teo_certificate_config.html.markdown b/website/docs/r/teo_certificate_config.html.markdown
index 53da41df7e..4c389b01cb 100644
--- a/website/docs/r/teo_certificate_config.html.markdown
+++ b/website/docs/r/teo_certificate_config.html.markdown
@@ -49,15 +49,8 @@ The `cert_infos` object of `upstream_mutual_tls` supports the following:
 
 * `cert_id` - (Required, String) Certificate ID, which originates from the SSL side. You can check the CertId from the [SSL Certificate List](https://console.cloud.tencent.com/ssl).
 * `alias` - (Optional, String) Alias of the certificate.
-* `deploy_time` - (Optional, String) Time when the certificate is deployed.
 * `expire_time` - (Optional, String) The certificate expiration time.
 * `sign_algo` - (Optional, String) Signature algorithm.
-* `status` - (Optional, String) Status of the certificate. Values:
-`deployed`: The deployment has completed
-`processing`: Deployment in progress
-`applying`: Application in progress
-`failed`: Application rejected
-`issued`: Binding failed.
 * `type` - (Optional, String) Type of the certificate. Values: `default`: Default certificate `upload`: Specified certificate `managed`: Tencent Cloud-managed certificate.
 
 The `server_cert_info` object supports the following:

From 9fb76ac7e899c2cc4556d98fef54ff9f6fa9e25f Mon Sep 17 00:00:00 2001
From: arunma <arunma@tencent.com>
Date: Wed, 17 Sep 2025 16:33:36 +0800
Subject: [PATCH 3/8] fix: add changelog

---
 .changelog/3524.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/3524.txt

diff --git a/.changelog/3524.txt b/.changelog/3524.txt
new file mode 100644
index 0000000000..9e4535f196
--- /dev/null
+++ b/.changelog/3524.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_teo_certificate_config: support `upstream_cert_info` fields
+```

From e7041e40987cb72975d6c89aeb70a4eb4cce7f7c Mon Sep 17 00:00:00 2001
From: arunma <arunma@tencent.com>
Date: Wed, 17 Sep 2025 16:41:40 +0800
Subject: [PATCH 4/8] fix: modify properties

---
 .../services/teo/resource_tc_teo_certificate_config.go       | 5 +----
 website/docs/r/teo_certificate_config.html.markdown          | 4 ----
 2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/tencentcloud/services/teo/resource_tc_teo_certificate_config.go b/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
index e41145d858..fa2a891b66 100644
--- a/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
+++ b/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
@@ -120,18 +120,16 @@ func ResourceTencentCloudTeoCertificateConfig() *schema.Resource {
 												},
 												"alias": {
 													Type:        schema.TypeString,
-													Optional:    true,
+													Computed:    true,
 													Description: "Alias of the certificate.",
 												},
 												"type": {
 													Type:        schema.TypeString,
-													Optional:    true,
 													Computed:    true,
 													Description: "Type of the certificate. Values: `default`: Default certificate `upload`: Specified certificate `managed`: Tencent Cloud-managed certificate.",
 												},
 												"expire_time": {
 													Type:        schema.TypeString,
-													Optional:    true,
 													Computed:    true,
 													Description: "The certificate expiration time.",
 												},
@@ -142,7 +140,6 @@ func ResourceTencentCloudTeoCertificateConfig() *schema.Resource {
 												},
 												"sign_algo": {
 													Type:        schema.TypeString,
-													Optional:    true,
 													Computed:    true,
 													Description: "Signature algorithm.",
 												},
diff --git a/website/docs/r/teo_certificate_config.html.markdown b/website/docs/r/teo_certificate_config.html.markdown
index 4c389b01cb..35e199e99b 100644
--- a/website/docs/r/teo_certificate_config.html.markdown
+++ b/website/docs/r/teo_certificate_config.html.markdown
@@ -48,10 +48,6 @@ The following arguments are supported:
 The `cert_infos` object of `upstream_mutual_tls` supports the following:
 
 * `cert_id` - (Required, String) Certificate ID, which originates from the SSL side. You can check the CertId from the [SSL Certificate List](https://console.cloud.tencent.com/ssl).
-* `alias` - (Optional, String) Alias of the certificate.
-* `expire_time` - (Optional, String) The certificate expiration time.
-* `sign_algo` - (Optional, String) Signature algorithm.
-* `type` - (Optional, String) Type of the certificate. Values: `default`: Default certificate `upload`: Specified certificate `managed`: Tencent Cloud-managed certificate.
 
 The `server_cert_info` object supports the following:
 

From 85b621f4137d8b7fc2a519e7fa934b737458f9f7 Mon Sep 17 00:00:00 2001
From: arunma <arunma@tencent.com>
Date: Wed, 17 Sep 2025 16:47:11 +0800
Subject: [PATCH 5/8] fix: modify properties

---
 ...ource_tc_teo_certificate_config_extension.go | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
index f14282e810..83c998fa52 100644
--- a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
+++ b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
@@ -178,23 +178,6 @@ func resourceTencentCloudTeoCertificateConfigUpdateOnStart(ctx context.Context)
 			if v, ok := dMap["cert_id"]; ok {
 				serverCertInfo.CertId = helper.String(v.(string))
 			}
-			if v, ok := dMap["alias"]; ok && v.(string) != "" {
-				serverCertInfo.Alias = helper.String(v.(string))
-			}
-			if v, ok := dMap["type"]; ok && v.(string) != "" {
-				serverCertInfo.Type = helper.String(v.(string))
-			}
-			if v, ok := dMap["expire_time"]; ok && v.(string) != "" {
-				serverCertInfo.ExpireTime = helper.String(v.(string))
-			} else {
-				serverCertInfo.ExpireTime = nil
-			}
-			if v, ok := dMap["sign_algo"]; ok && v.(string) != "" {
-				serverCertInfo.SignAlgo = helper.String(v.(string))
-			}
-			if v, ok := dMap["common_name"]; ok && v.(string) != "" {
-				serverCertInfo.CommonName = helper.String(v.(string))
-			}
 			request.ServerCertInfo = append(request.ServerCertInfo, &serverCertInfo)
 		}
 	}

From 57c1760fb9fdf06f45b710948901559de40ff787 Mon Sep 17 00:00:00 2001
From: arunma <arunma@tencent.com>
Date: Wed, 17 Sep 2025 16:47:51 +0800
Subject: [PATCH 6/8] fix: modify properties

---
 ...rce_tc_teo_certificate_config_extension.go | 35 +++++++++----------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
index 83c998fa52..660bd01cc0 100644
--- a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
+++ b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
@@ -178,6 +178,23 @@ func resourceTencentCloudTeoCertificateConfigUpdateOnStart(ctx context.Context)
 			if v, ok := dMap["cert_id"]; ok {
 				serverCertInfo.CertId = helper.String(v.(string))
 			}
+			if v, ok := dMap["alias"]; ok && v.(string) != "" {
+				serverCertInfo.Alias = helper.String(v.(string))
+			}
+			if v, ok := dMap["type"]; ok && v.(string) != "" {
+				serverCertInfo.Type = helper.String(v.(string))
+			}
+			if v, ok := dMap["expire_time"]; ok && v.(string) != "" {
+				serverCertInfo.ExpireTime = helper.String(v.(string))
+			} else {
+				serverCertInfo.ExpireTime = nil
+			}
+			if v, ok := dMap["sign_algo"]; ok && v.(string) != "" {
+				serverCertInfo.SignAlgo = helper.String(v.(string))
+			}
+			if v, ok := dMap["common_name"]; ok && v.(string) != "" {
+				serverCertInfo.CommonName = helper.String(v.(string))
+			}
 			request.ServerCertInfo = append(request.ServerCertInfo, &serverCertInfo)
 		}
 	}
@@ -196,24 +213,6 @@ func resourceTencentCloudTeoCertificateConfigUpdateOnStart(ctx context.Context)
 					if v, ok := certInfosMap["cert_id"].(string); ok && v != "" {
 						certificateInfo.CertId = helper.String(v)
 					}
-					if v, ok := certInfosMap["alias"].(string); ok && v != "" {
-						certificateInfo.Alias = helper.String(v)
-					}
-					if v, ok := certInfosMap["type"].(string); ok && v != "" {
-						certificateInfo.Type = helper.String(v)
-					}
-					if v, ok := certInfosMap["expire_time"].(string); ok && v != "" {
-						certificateInfo.ExpireTime = helper.String(v)
-					}
-					if v, ok := certInfosMap["deploy_time"].(string); ok && v != "" {
-						certificateInfo.DeployTime = helper.String(v)
-					}
-					if v, ok := certInfosMap["sign_algo"].(string); ok && v != "" {
-						certificateInfo.SignAlgo = helper.String(v)
-					}
-					if v, ok := certInfosMap["status"].(string); ok && v != "" {
-						certificateInfo.Status = helper.String(v)
-					}
 					mutualTLS2.CertInfos = append(mutualTLS2.CertInfos, &certificateInfo)
 				}
 			}

From dbff3c5c6cd8fd13f0895447571b61a9d3baa027 Mon Sep 17 00:00:00 2001
From: arunma <arunma@tencent.com>
Date: Wed, 17 Sep 2025 16:48:56 +0800
Subject: [PATCH 7/8] fix: modify properties

---
 .../teo/resource_tc_teo_certificate_config_extension.go      | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
index 660bd01cc0..30b6c4f592 100644
--- a/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
+++ b/tencentcloud/services/teo/resource_tc_teo_certificate_config_extension.go
@@ -189,6 +189,11 @@ func resourceTencentCloudTeoCertificateConfigUpdateOnStart(ctx context.Context)
 			} else {
 				serverCertInfo.ExpireTime = nil
 			}
+			if v, ok := dMap["deploy_time"]; ok && v.(string) != "" {
+				serverCertInfo.DeployTime = helper.String(v.(string))
+			} else {
+				serverCertInfo.DeployTime = nil
+			}
 			if v, ok := dMap["sign_algo"]; ok && v.(string) != "" {
 				serverCertInfo.SignAlgo = helper.String(v.(string))
 			}

From 687833aaceceb90cd2b3115ae90825ec7d490947 Mon Sep 17 00:00:00 2001
From: arunma <arunma@tencent.com>
Date: Fri, 19 Sep 2025 15:30:28 +0800
Subject: [PATCH 8/8] fix: modify upstream_cert_info

---
 .../services/teo/resource_tc_teo_certificate_config.go         | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tencentcloud/services/teo/resource_tc_teo_certificate_config.go b/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
index fa2a891b66..9f3a4a65f5 100644
--- a/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
+++ b/tencentcloud/services/teo/resource_tc_teo_certificate_config.go
@@ -91,6 +91,7 @@ func ResourceTencentCloudTeoCertificateConfig() *schema.Resource {
 			"upstream_cert_info": {
 				Type:        schema.TypeList,
 				Optional:    true,
+				Computed:    true,
 				MaxItems:    1,
 				Description: "Configures the certificate presented by the EO node during origin-pull for mutual TLS authentication. Disabled by default; leaving the field blank will retain the current configuration. This feature is currently in beta testing. please [contact us](https://cloud.tencent.com/online-service) to request access.",
 				Elem: &schema.Resource{
@@ -98,6 +99,7 @@ func ResourceTencentCloudTeoCertificateConfig() *schema.Resource {
 						"upstream_mutual_tls": {
 							Type:        schema.TypeList,
 							Optional:    true,
+							Computed:    true,
 							MaxItems:    1,
 							Description: "In the origin-pull mutual authentication scenario, this field represents the certificate (including the public and private keys) carried during EO node origin-pull, which is deployed in the EO node for the origin server to authenticate the EO node. When used as an input parameter, it is left blank to indicate retaining the original configuration.",
 							Elem: &schema.Resource{
@@ -110,6 +112,7 @@ func ResourceTencentCloudTeoCertificateConfig() *schema.Resource {
 									"cert_infos": {
 										Type:        schema.TypeList,
 										Optional:    true,
+										Computed:    true,
 										Description: "Mutual authentication certificate list.\nNote: When using MutualTLS as an input parameter in ModifyHostsCertificate, you only need to provide the CertId of the corresponding certificate. You can check the CertId from the [SSL Certificate List](https://console.cloud.tencent.com/ssl).",
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{