Huawei Cloud module
Uploads a certificate to Huawei Cloud's native certificate store and attaches it to one or more ELB listeners, CDN domains, or WAF hosts. Uses AK/SK (access key + secret key) authentication scoped to the region where your resources live.
Overview
- Transport: Huawei Cloud REST APIs, signed with the SDK v4 signing algorithm.
- Auth: Access Key + Secret Key pair (AK/SK). Generated in My Credentials.
- Scope: one region per target. Multi-region deployments use separate targets.
- Supported services:
- ELB (Elastic Load Balance) — listener HTTPS cert.
- CDN — domain HTTPS configuration.
- WAF — host TLS certificate.
- Rollback: not supported. Old certificate IDs remain; the listener/domain/host just references the new one.
Prerequisites
- A Huawei Cloud account + IAM user with AK/SK and the minimum policies:
SCM Administrator(or a custom policy granting create/list/delete certificate).- One of:
ELB ReadOnlyAccess+ELB Update Listener, orCDN ReadOnlyAccess+CDN Domain HTTPS Config, orWAF ReadOnlyAccess+WAF Update Certificate— depending on which service(s) you target.
- The IDs of the ELB listener / CDN domain / WAF host you will update (looked up from the Huawei console or via CLI).
Create the module credential
- Settings → Distribution → Credentials → New → Huawei Cloud.
- Access Key + Secret Key. Stored envelope-encrypted.
- Save.
Create a Huawei Cloud target
- Settings → Distribution → Targets → New. Module: Huawei Cloud.
- Fields:
- Region — e.g.
ap-southeast-1,cn-north-4. Must match the region of the target resource. - Project ID — required for most services; shown in My Credentials → API Credentials.
- Credential.
- Service scope: pick one:
- ELB — listener ID list. We upload a cert, then update each listener's
default_tls_container_ref. - CDN — domain name list. We write HTTPS config with the new cert reference.
- WAF — host ID list. We patch the host's certificate.
- ELB — listener ID list. We upload a cert, then update each listener's
- Certificate name — optional. Empty = auto-generated per certificate as
cap-<token>-<domain>(token: 8-char hash derived from the certificate, stable across renewals; max 32 chars) — recommended so one target can serve multiple certificates, since ELB/WAF resolve certificates by exact name. Per certificate, the name (and ELB/WAFcertificate_idadoption or the CDN domain) can be overridden from the certificate's Distributions → Overrides drawer. :::note Pure-legacy targets Targets whose remote state predates per-certificate keying re-resolve by exact name/domain lookup once per run; a manual duplicate name created in the console surfaces as a Conflict — setcertificate_idin the override to disambiguate. :::
- Region — e.g.
- Save → health check calls
GET /v3/<project_id>/scm/certificates?limit=1.
Execution flow
- Resolve the certificate name — precedence is explicit target
certificate_name> per-distribution override > autocap-<token>-<domain>(max 32 chars). On first distribution the module creates the SCM object under that resolved name; on renewal it looks the same object up by name (or by an adoptedcertificate_id) and updates it in place rather than minting a new one. - For each resource ID in scope, PATCH its config to reference the resolved SCM cert ID.
- Old cert versions replaced in place; any stale cross-service reference is left untouched — Huawei rejects delete while a cert is referenced, and we never delete cross-service.
Rollback — not supported
Old SCM cert IDs remain. To revert, patch the resource back to the previous cert ID via the Huawei console or CLI. Because SCM keeps history, you can always find the old ID.
Troubleshooting
"Forbidden"
IAM user lacks a required policy. Check IAM → Users → Permissions and grant either the stock policy or a custom one covering the API call the module just made (visible in the backend logs).
"Resource not found in region X"
Target resource lives in a different region than the target config says. Huawei resources are regional — verify in the console.
"Invalid project ID"
Project IDs differ per region; you can't reuse one across regions. Look up the project ID for the resource's region.