alicloud_kvstore_instance / alicloud_redis_tair_instance: Expose SSL certificate metadata from DescribeInstanceSSL API #9587

@Melonbun233

Summary

The alicloud_kvstore_instance and alicloud_redis_tair_instance resources call the DescribeInstanceSSL API during Read, but only use the SSLEnabled field from the response. The API also returns CertDownloadURL, SSLExpiredTime, and CertCommonName, which are discarded.


Missing computed fields for SSL certificate metadata

Terraform resources

  • alicloud_kvstore_instance (ssl_enable field)
  • alicloud_redis_tair_instance (ssl_enabled field)

Community impact

Users who enable TLS on Redis instances need the CA certificate to configure their client applications. Currently the only way to obtain the certificate URL is through the AliCloud console or by making a separate SDK call outside of Terraform. This is especially painful for Crossplane/Kubernetes users who need to automate TLS setup end-to-end.

Current behavior

The Read function calls DescribeInstanceSSL but only sets ssl_enable/ssl_enabled:

kvstore_instance Read:

```go
describeInstanceSSLObject, err := r_kvstoreService.DescribeInstanceSSL(d.Id())
// ...
d.Set("ssl_enable", describeInstanceSSLObject.SSLEnabled)
// CertDownloadURL, SSLExpiredTime, CertCommonName are available but discarded
```

redis_tair_instance Read:

```go
objectRaw, err = redisServiceV2.DescribeTairInstanceDescribeInstanceSSL(d.Id())
// ...
d.Set("ssl_enabled", objectRaw["SSLEnabled"])
// CertDownloadURL, SSLExpiredTime, CertCommonName are available but discarded
```

Expected behavior

Three new computed-only attributes should be added and populated from the existing API response:

| Attribute | Type | Description |
|---|---|---|
| cert_download_url | string | The download URL of the SSL certificate |
| ssl_expired_time | string | The expiration time of the SSL certificate |
| cert_common_name | string | The common name (CN) of the SSL certificate |

The SDK response struct (DescribeInstanceSSLResponse) already contains these fields — no SDK changes are needed:

```go
type DescribeInstanceSSLResponse struct {
    *responses.BaseResponse
    InstanceId      string `json:"InstanceId" xml:"InstanceId"`
    RequestId       string `json:"RequestId" xml:"RequestId"`
    SSLEnabled      string `json:"SSLEnabled" xml:"SSLEnabled"`
    SSLExpiredTime  string `json:"SSLExpiredTime" xml:"SSLExpiredTime"`
    CertCommonName  string `json:"CertCommonName" xml:"CertCommonName"`
    CertDownloadURL string `json:"CertDownloadURL" xml:"CertDownloadURL"`
}
```

Proposed change

For both resources, add the three computed fields to the schema and populate them in the Read function alongside the existing ssl_enable/ssl_enabled set:

```go
"cert_download_url": {
    Type:        schema.TypeString,
    Computed:    true,
    Description: "The download URL of the SSL certificate.",
},
"ssl_expired_time": {
    Type:        schema.TypeString,
    Computed:    true,
    Description: "The expiration time of the SSL certificate.",
},
"cert_common_name": {
    Type:        schema.TypeString,
    Computed:    true,
    Description: "The common name (CN) of the SSL certificate.",
},
```

Note: ssl_enable / ssl_enabled "Update" value drift

The ssl_enable / ssl_enabled field accepts "Update" as a valid value to trigger certificate renewal. After the renewal completes, the API reads back "Enable" (the actual state), but the Terraform config still says "Update" — causing a perpetual plan diff on every subsequent terraform plan.

This does not block our usage since AliCloud auto-renews certificates 20 days before expiry and existing certificate files remain valid after renewal. However, it is worth noting as a potential bug: users who do use "Update" must manually revert the field to "Enable" afterward to avoid infinite drift.
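The following is an added, stand-alone example written for this issue; it is not provider code and does not import the Terraform SDK. It covers both the proposed change (flattening the three extra DescribeInstanceSSL fields onto the proposed attribute names) and the "Update" drift note (a comparison with the shape of a DiffSuppressFunc that treats a stored "Enable" as equal to a configured "Update"). It also adds two checks a practitioner consuming these attributes would want: a certificate-expiry window check and a refusal to accept a non-https download URL for the CA certificate. The local struct mirrors the SDK struct quoted above with BaseResponse omitted; the RFC 3339 timestamp format for SSLExpiredTime, the sample values, and all function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"time"
)

// DescribeInstanceSSLResponse mirrors the SDK struct quoted in the issue
// (BaseResponse omitted so the example compiles without the SDK).
type DescribeInstanceSSLResponse struct {
	InstanceId      string
	RequestId       string
	SSLEnabled      string
	SSLExpiredTime  string
	CertCommonName  string
	CertDownloadURL string
}

// flattenInstanceSSL maps the API response onto the attribute names proposed
// in the issue. The returned map stands in for the d.Set(...) calls a Read
// function would make on schema.ResourceData.
func flattenInstanceSSL(resp DescribeInstanceSSLResponse) map[string]string {
	return map[string]string{
		"ssl_enable":        resp.SSLEnabled,
		"cert_download_url": resp.CertDownloadURL,
		"ssl_expired_time":  resp.SSLExpiredTime,
		"cert_common_name":  resp.CertCommonName,
	}
}

// certExpiresWithin reports whether the certificate expires within `window`
// of `now`. Assumption: SSLExpiredTime is RFC 3339 (e.g. 2025-01-20T00:00:00Z);
// the issue does not state the format.
func certExpiresWithin(resp DescribeInstanceSSLResponse, now time.Time, window time.Duration) (bool, error) {
	if resp.SSLEnabled != "Enable" {
		return false, errors.New("SSL is not enabled on this instance")
	}
	exp, err := time.Parse(time.RFC3339, resp.SSLExpiredTime)
	if err != nil {
		return false, fmt.Errorf("parse SSLExpiredTime %q: %w", resp.SSLExpiredTime, err)
	}
	return !exp.After(now.Add(window)), nil
}

// validateCertDownloadURL rejects anything that is not an https URL with a
// host: a client that fetches its CA bundle over plaintext HTTP could be
// handed a substituted CA and would then trust the wrong endpoint.
func validateCertDownloadURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("cert_download_url must be an https URL, got %q", raw)
	}
	return nil
}

// suppressSSLUpdateDrift has the shape of a terraform-plugin-sdk
// DiffSuppressFunc minus the *schema.ResourceData argument. After a renewal
// triggered with "Update", the API reads back "Enable"; treating that pair as
// equal removes the perpetual plan diff described in the issue.
func suppressSSLUpdateDrift(k, oldVal, newVal string) bool {
	return oldVal == "Enable" && newVal == "Update"
}

func main() {
	// Constructed sample response; not a real instance or certificate.
	resp := DescribeInstanceSSLResponse{
		InstanceId:      "r-EXAMPLE",
		SSLEnabled:      "Enable",
		SSLExpiredTime:  "2025-01-20T00:00:00Z",
		CertCommonName:  "r-EXAMPLE.example.invalid",
		CertDownloadURL: "https://example.invalid/ca.pem",
	}
	fmt.Println(flattenInstanceSSL(resp))
	soon, err := certExpiresWithin(resp, time.Date(2025, 1, 5, 0, 0, 0, 0, time.UTC), 20*24*time.Hour)
	fmt.Println("expires within 20 days:", soon, err)
	fmt.Println("url check:", validateCertDownloadURL(resp.CertDownloadURL))
	fmt.Println("suppress Enable/Update diff:", suppressSSLUpdateDrift("ssl_enable", "Enable", "Update"))
}
```

The expiry window in the sample is 20 days because that is the auto-renewal lead time the issue mentions; a client that still sees an older certificate inside that window is a signal worth alerting on. Suppressing the Enable/Update diff has a trade-off: once suppressed, a configuration that keeps saying "Update" will not trigger another renewal until the value is changed, so the provider would need to document that behaviour if it adopted it.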
