fix(iam/group): use global CloudControl endpoint for global services

cofyc · cofyc · commit 9fe85df3584b · 2026-03-19T20:31:59.000+08:00
Global services like IAM Group must use cloudcontrol.volcengineapi.com
(no regional subdomain) instead of the regional endpoint. Sending any
request to cloudcontrol.cn-shanghai.volcengineapi.com causes:
  RegionNotSupport: service [iam] not support region [cn-shanghai]

Add GlobalCloudControlAPIClient to providerData and the Provider interface,
initialized with endpoint cloudcontrol.volcengineapi.com. genericResource
selects the global client when globalService=true.
diff --git a/internal/generic/resource.go b/internal/generic/resource.go
@@ -442,7 +442,7 @@ func (r *genericResource) Create(ctx context.Context, request resource.CreateReq
 
 	traceEntry(ctx, "Resource.Create")
 
-	cloudControlClient := r.provider.CloudControlAPIClient(ctx)
+	cloudControlClient := r.cloudControlClient(ctx)
 
 	tflog.Debug(ctx, "Request.Plan.Raw", map[string]interface{}{
 		"value": hclog.Fmt("%v", request.Plan.Raw),
@@ -551,7 +551,7 @@ func (r *genericResource) Read(ctx context.Context, request resource.ReadRequest
 		"value": hclog.Fmt("%v", request.State.Raw),
 	})
 
-	client := r.provider.CloudControlAPIClient(ctx)
+	client := r.cloudControlClient(ctx)
 
 	currentState := &request.State
 	id, err := r.getId(ctx, currentState)
@@ -625,7 +625,7 @@ func (r *genericResource) Update(ctx context.Context, request resource.UpdateReq
 
 	traceEntry(ctx, "Resource.Update")
 
-	cloudControlClient := r.provider.CloudControlAPIClient(ctx)
+	cloudControlClient := r.cloudControlClient(ctx)
 
 	currentState := &request.State
 	id, err := r.getId(ctx, currentState)
@@ -705,7 +705,7 @@ func (r *genericResource) Update(ctx context.Context, request resource.UpdateReq
 	}
 
 	//for update set ,get new resource
-	description, err := r.describeWithSysTag(ctx, r.provider.CloudControlAPIClient(ctx), id)
+	description, err := r.describeWithSysTag(ctx, r.cloudControlClient(ctx), id)
 
 	if tfresource.NotFound(err) {
 		response.Diagnostics.Append(ResourceNotFoundAfterWriteDiag(err))
@@ -842,7 +842,7 @@ func (r *genericResource) Delete(ctx context.Context, request resource.DeleteReq
 
 	traceEntry(ctx, "Resource.Delete")
 
-	conn := r.provider.CloudControlAPIClient(ctx)
+	conn := r.cloudControlClient(ctx)
 
 	id, err := r.getId(ctx, &request.State)
 
@@ -891,15 +891,23 @@ func (r *genericResource) ConfigValidators(context.Context) []resource.ConfigVal
 }
 
 // regionID returns the region string to pass to Cloud Control API calls.
-// Global services (e.g. IAM Group) must receive an empty string to avoid
-// "RegionNotSupport" errors from the regional Cloud Control endpoint.
+// Global services return an empty string since they use a global endpoint.
 func (r *genericResource) regionID(ctx context.Context) string {
 	if r.globalService {
 		return ""
 	}
 	return r.provider.Region(ctx)
 }
 
+// cloudControlClient returns the appropriate CloudControl API client for this resource.
+// Global services use a client pointed at the global endpoint to avoid "RegionNotSupport" errors.
+func (r *genericResource) cloudControlClient(ctx context.Context) *cloudcontrol.CloudControl {
+	if r.globalService {
+		return r.provider.GlobalCloudControlAPIClient(ctx)
+	}
+	return r.cloudControlClient(ctx)
+}
+
 // describe returns the live state of the specified resource.
 func (r *genericResource) describe(ctx context.Context, client *cloudcontrol.CloudControl, id string) (*cloudcontrol.GetResourceOutput, error) {
 	return tfcloudcontrol.FindResourceByTypeNameAndID(ctx, client, r.regionID(ctx), r.ccTypeName, id)
@@ -951,7 +959,7 @@ func (r *genericResource) populateUnknownValues(ctx context.Context, id string,
 		return nil
 	}
 
-	description, err := r.describe(ctx, r.provider.CloudControlAPIClient(ctx), id)
+	description, err := r.describe(ctx, r.cloudControlClient(ctx), id)
 
 	if tfresource.NotFound(err) {
 		diags.Append(ResourceNotFoundAfterWriteDiag(err))
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -43,15 +43,22 @@ const (
 // providerData is returned from the provider's Configure method and
 // is passed to each resource and data source in their Configure methods.
 type providerData struct {
-	ccAPIClient *cloudcontrol.CloudControl
-	logger      baselogging.Logger
-	region      string
+	ccAPIClient       *cloudcontrol.CloudControl
+	globalCCAPIClient *cloudcontrol.CloudControl // client for global (non-regional) services
+	logger            baselogging.Logger
+	region            string
 }
 
 func (p *providerData) CloudControlAPIClient(_ context.Context) *cloudcontrol.CloudControl {
 	return p.ccAPIClient
 }
 
+// GlobalCloudControlAPIClient returns a CloudControl client configured with the
+// global (non-regional) endpoint for services like IAM that do not support regional routing.
+func (p *providerData) GlobalCloudControlAPIClient(_ context.Context) *cloudcontrol.CloudControl {
+	return p.globalCCAPIClient
+}
+
 func (p *providerData) Region(_ context.Context) string {
 	return p.region
 }
@@ -433,10 +440,21 @@ func newProviderData(ctx context.Context, c *configModel) (*providerData, diag.D
 		return nil, diags
 	}
 
+	// Create a second session with a global (non-regional) endpoint for services like IAM.
+	globalConfig := config.Copy()
+	globalConfig.WithEndpoint("cloudcontrol.volcengineapi.com")
+	globalSess, err := session.NewSession(globalConfig)
+	if err != nil {
+		diags.AddError(err.Error(), err.Error())
+		return nil, diags
+	}
+	globalCloudcontrolClient := cloudcontrol.New(globalSess)
+
 	providerData := &providerData{
-		ccAPIClient: cloudcontrolClient,
-		logger:      logger,
-		region:      c.Region.String(),
+		ccAPIClient:       cloudcontrolClient,
+		globalCCAPIClient: globalCloudcontrolClient,
+		logger:            logger,
+		region:            c.Region.String(),
 	}
 
 	return providerData, diags
diff --git a/internal/service/cloudcontrol/provider.go b/internal/service/cloudcontrol/provider.go
@@ -12,6 +12,9 @@ import (
 type Provider interface {
 	CloudControlAPIClient(context.Context) *cloudcontrol.CloudControl
 
+	// GlobalCloudControlAPIClient returns a client for global (non-regional) services.
+	GlobalCloudControlAPIClient(context.Context) *cloudcontrol.CloudControl
+
 	Region(ctx context.Context) string
 
 	RegisterLogger(ctx context.Context) context.Context
