bump version to v0.3.16

new providers

.github/workflows/release.yml

@@ -23,11 +23,11 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
-      
-      - name: Install upx (optional)
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y upx
+
+      # - name: Install upx (optional)
+      #   run: |
+      #     sudo apt-get update
+      #     sudo apt-get install -y upx
 
       - name: Build WebUI
         run: |
@@ -49,3 +49,4 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+

.goreleaser.yml

@@ -30,8 +30,8 @@ builds:
       - goos: darwin
         goarch: arm
 
-upx:
-  - enabled: true
+# upx:
+#   - enabled: true
 
 release:
   draft: true

README.md

@@ -22,7 +22,7 @@
 
 做个人产品或者在中小企业里负责运维的同学，会遇到要管理多个域名的情况，需要给域名申请证书。但是手动申请证书有以下缺点：
 
-- 😱 麻烦：申请证书并部署到服务的流程虽不复杂，但也挺麻烦的，犹其是你有多个域名需要维护的时候。
+- 😱 麻烦：申请证书并部署到服务的流程虽不复杂，但也挺麻烦的，尤其是你有多个域名需要维护的时候。
 - 😭 易忘：另外当前免费证书的有效期只有 90 天，这就要求你定期的操作，增加了工作量的同时，你也很容易忘掉续期，从而导致网站访问不了。
 
 Certimate 就是为了解决上述问题而产生的，它具有以下优势：

go.mod

@@ -85,6 +85,7 @@ require (
 	github.com/alibabacloud-go/tea-oss-utils v1.1.0 // indirect
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.7 // indirect
 	github.com/avast/retry-go v3.0.0+incompatible // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.42.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/route53 v1.50.0 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
 	github.com/diskfs/go-diskfs v1.5.0 // indirect

go.sum

@@ -235,6 +235,8 @@ github.com/aws/aws-sdk-go-v2/service/acm v1.32.0/go.mod h1:3sKYAgRbuBa2QMYGh/WEc
 github.com/aws/aws-sdk-go-v2/service/cloudfront v1.46.1 h1:6xZNYtuVwzBs8k+TmraERt0vL68Ppg9aUi+aTQmPaVM=
 github.com/aws/aws-sdk-go-v2/service/cloudfront v1.46.1/go.mod h1:FIBJ48TS+qJb+Ne4qJ+0NeIhtPTVXItXooTeNeVI4Po=
 github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.8.1/go.mod h1:CM+19rL1+4dFWnOQKwDc7H1KwXTz+h61oUSHyhV0b3o=
+github.com/aws/aws-sdk-go-v2/service/iam v1.42.0 h1:G6+UzGvubaet9QOh0664E9JeT+b6Zvop3AChozRqkrA=
+github.com/aws/aws-sdk-go-v2/service/iam v1.42.0/go.mod h1:mPJkGQzeCoPs82ElNILor2JzZgYENr4UaSKUT8K27+c=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=

internal/applicant/applicant.go

@@ -53,35 +53,35 @@ func NewWithWorkflowNode(config ApplicantWithWorkflowNodeConfig) (Applicant, err
 		return nil, fmt.Errorf("node type is not '%s'", string(domain.WorkflowNodeTypeApply))
 	}
 
-	nodeConfig := config.Node.GetConfigForApply()
+	nodeCfg := config.Node.GetConfigForApply()
 	options := &applicantProviderOptions{
-		Domains:                 sliceutil.Filter(strings.Split(nodeConfig.Domains, ";"), func(s string) bool { return s != "" }),
-		ContactEmail:            nodeConfig.ContactEmail,
-		Provider:                domain.ACMEDns01ProviderType(nodeConfig.Provider),
+		Domains:                 sliceutil.Filter(strings.Split(nodeCfg.Domains, ";"), func(s string) bool { return s != "" }),
+		ContactEmail:            nodeCfg.ContactEmail,
+		Provider:                domain.ACMEDns01ProviderType(nodeCfg.Provider),
 		ProviderAccessConfig:    make(map[string]any),
-		ProviderServiceConfig:   nodeConfig.ProviderConfig,
-		CAProvider:              domain.CAProviderType(nodeConfig.CAProvider),
+		ProviderServiceConfig:   nodeCfg.ProviderConfig,
+		CAProvider:              domain.CAProviderType(nodeCfg.CAProvider),
 		CAProviderAccessConfig:  make(map[string]any),
-		CAProviderServiceConfig: nodeConfig.CAProviderConfig,
-		KeyAlgorithm:            nodeConfig.KeyAlgorithm,
-		Nameservers:             sliceutil.Filter(strings.Split(nodeConfig.Nameservers, ";"), func(s string) bool { return s != "" }),
-		DnsPropagationWait:      nodeConfig.DnsPropagationWait,
-		DnsPropagationTimeout:   nodeConfig.DnsPropagationTimeout,
-		DnsTTL:                  nodeConfig.DnsTTL,
-		DisableFollowCNAME:      nodeConfig.DisableFollowCNAME,
+		CAProviderServiceConfig: nodeCfg.CAProviderConfig,
+		KeyAlgorithm:            nodeCfg.KeyAlgorithm,
+		Nameservers:             sliceutil.Filter(strings.Split(nodeCfg.Nameservers, ";"), func(s string) bool { return s != "" }),
+		DnsPropagationWait:      nodeCfg.DnsPropagationWait,
+		DnsPropagationTimeout:   nodeCfg.DnsPropagationTimeout,
+		DnsTTL:                  nodeCfg.DnsTTL,
+		DisableFollowCNAME:      nodeCfg.DisableFollowCNAME,
 	}
 
 	accessRepo := repository.NewAccessRepository()
-	if nodeConfig.ProviderAccessId != "" {
-		if access, err := accessRepo.GetById(context.Background(), nodeConfig.ProviderAccessId); err != nil {
-			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeConfig.ProviderAccessId, err)
+	if nodeCfg.ProviderAccessId != "" {
+		if access, err := accessRepo.GetById(context.Background(), nodeCfg.ProviderAccessId); err != nil {
+			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeCfg.ProviderAccessId, err)
 		} else {
 			options.ProviderAccessConfig = access.Config
 		}
 	}
-	if nodeConfig.CAProviderAccessId != "" {
-		if access, err := accessRepo.GetById(context.Background(), nodeConfig.CAProviderAccessId); err != nil {
-			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeConfig.CAProviderAccessId, err)
+	if nodeCfg.CAProviderAccessId != "" {
+		if access, err := accessRepo.GetById(context.Background(), nodeCfg.CAProviderAccessId); err != nil {
+			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeCfg.CAProviderAccessId, err)
 		} else {
 			options.CAProviderAccessId = access.Id
 			options.CAProviderAccessConfig = access.Config

internal/applicant/providers.go

@@ -16,6 +16,7 @@ import (
 	pCloudflare "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudflare"
 	pClouDNS "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudns"
 	pCMCCCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cmcccloud"
+	pConstellix "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/constellix"
 	pDeSEC "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/desec"
 	pDigitalOcean "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/digitalocean"
 	pDNSLA "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/dnsla"
@@ -38,6 +39,7 @@ import (
 	pRainYun "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/rainyun"
 	pTencentCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/tencentcloud"
 	pTencentCloudEO "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/tencentcloud-eo"
+	pUCloudUDNR "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/ucloud-udnr"
 	pVercel "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/vercel"
 	pVolcEngine "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/volcengine"
 	pWestcn "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/westcn"
@@ -234,6 +236,22 @@ func createApplicantProvider(options *applicantProviderOptions) (challenge.Provi
 			return applicant, err
 		}
 
+	case domain.ACMEDns01ProviderTypeConstellix:
+		{
+			access := domain.AccessConfigForConstellix{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pConstellix.NewChallengeProvider(&pConstellix.ChallengeProviderConfig{
+				ApiKey:                access.ApiKey,
+				SecretKey:             access.SecretKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
 	case domain.ACMEDns01ProviderTypeDeSEC:
 		{
 			access := domain.AccessConfigForDeSEC{}
@@ -579,6 +597,22 @@ func createApplicantProvider(options *applicantProviderOptions) (challenge.Provi
 			}
 		}
 
+	case domain.ACMEDns01ProviderTypeUCloudUDNR:
+		{
+			access := domain.AccessConfigForUCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pUCloudUDNR.NewChallengeProvider(&pUCloudUDNR.ChallengeProviderConfig{
+				PrivateKey:            access.PrivateKey,
+				PublicKey:             access.PublicKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
 	case domain.ACMEDns01ProviderTypeVercel:
 		{
 			access := domain.AccessConfigForVercel{}

internal/deployer/deployer.go

@@ -29,18 +29,18 @@ func NewWithWorkflowNode(config DeployerWithWorkflowNodeConfig) (Deployer, error
 		return nil, fmt.Errorf("node type is not '%s'", string(domain.WorkflowNodeTypeDeploy))
 	}
 
-	nodeConfig := config.Node.GetConfigForDeploy()
+	nodeCfg := config.Node.GetConfigForDeploy()
 	options := &deployerProviderOptions{
-		Provider:              domain.DeploymentProviderType(nodeConfig.Provider),
+		Provider:              domain.DeploymentProviderType(nodeCfg.Provider),
 		ProviderAccessConfig:  make(map[string]any),
-		ProviderServiceConfig: nodeConfig.ProviderConfig,
+		ProviderServiceConfig: nodeCfg.ProviderConfig,
 	}
 
 	accessRepo := repository.NewAccessRepository()
-	if nodeConfig.ProviderAccessId != "" {
-		access, err := accessRepo.GetById(context.Background(), nodeConfig.ProviderAccessId)
+	if nodeCfg.ProviderAccessId != "" {
+		access, err := accessRepo.GetById(context.Background(), nodeCfg.ProviderAccessId)
 		if err != nil {
-			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeConfig.ProviderAccessId, err)
+			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeCfg.ProviderAccessId, err)
 		} else {
 			options.ProviderAccessConfig = access.Config
 		}

internal/deployer/providers.go

@@ -27,6 +27,7 @@ import (
 	pAliyunWAF "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-waf"
 	pAWSACM "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aws-acm"
 	pAWSCloudFront "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aws-cloudfront"
+	pAWSIAM "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aws-iam"
 	pAzureKeyVault "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/azure-keyvault"
 	pBaiduCloudAppBLB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/baiducloud-appblb"
 	pBaiduCloudBLB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/baiducloud-blb"
@@ -157,6 +158,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunALB.NewDeployer(&pAliyunALB.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					ResourceType:    pAliyunALB.ResourceType(maputil.GetString(options.ProviderServiceConfig, "resourceType")),
 					LoadbalancerId:  maputil.GetString(options.ProviderServiceConfig, "loadbalancerId"),
@@ -169,6 +171,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunAPIGW.NewDeployer(&pAliyunAPIGW.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					ServiceType:     pAliyunAPIGW.ServiceType(maputil.GetString(options.ProviderServiceConfig, "serviceType")),
 					GatewayId:       maputil.GetString(options.ProviderServiceConfig, "gatewayId"),
@@ -181,6 +184,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunCAS.NewDeployer(&pAliyunCAS.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 				})
 				return deployer, err
@@ -189,6 +193,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunCASDeploy.NewDeployer(&pAliyunCASDeploy.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					ResourceIds:     sliceutil.Filter(strings.Split(maputil.GetString(options.ProviderServiceConfig, "resourceIds"), ";"), func(s string) bool { return s != "" }),
 					ContactIds:      sliceutil.Filter(strings.Split(maputil.GetString(options.ProviderServiceConfig, "contactIds"), ";"), func(s string) bool { return s != "" }),
@@ -199,6 +204,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunCDN.NewDeployer(&pAliyunCDN.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Domain:          maputil.GetString(options.ProviderServiceConfig, "domain"),
 				})
 				return deployer, err
@@ -207,6 +213,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunCLB.NewDeployer(&pAliyunCLB.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					ResourceType:    pAliyunCLB.ResourceType(maputil.GetString(options.ProviderServiceConfig, "resourceType")),
 					LoadbalancerId:  maputil.GetString(options.ProviderServiceConfig, "loadbalancerId"),
@@ -219,6 +226,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunDCDN.NewDeployer(&pAliyunDCDN.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Domain:          maputil.GetString(options.ProviderServiceConfig, "domain"),
 				})
 				return deployer, err
@@ -227,6 +235,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunDDoS.NewDeployer(&pAliyunDDoS.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					Domain:          maputil.GetString(options.ProviderServiceConfig, "domain"),
 				})
@@ -245,6 +254,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunFC.NewDeployer(&pAliyunFC.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					ServiceVersion:  maputil.GetOrDefaultString(options.ProviderServiceConfig, "serviceVersion", "3.0"),
 					Domain:          maputil.GetString(options.ProviderServiceConfig, "domain"),
@@ -255,6 +265,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunGA.NewDeployer(&pAliyunGA.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					ResourceType:    pAliyunGA.ResourceType(maputil.GetString(options.ProviderServiceConfig, "resourceType")),
 					AcceleratorId:   maputil.GetString(options.ProviderServiceConfig, "acceleratorId"),
 					ListenerId:      maputil.GetString(options.ProviderServiceConfig, "listenerId"),
@@ -275,6 +286,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunNLB.NewDeployer(&pAliyunNLB.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					ResourceType:    pAliyunNLB.ResourceType(maputil.GetString(options.ProviderServiceConfig, "resourceType")),
 					LoadbalancerId:  maputil.GetString(options.ProviderServiceConfig, "loadbalancerId"),
@@ -286,6 +298,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunOSS.NewDeployer(&pAliyunOSS.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					Bucket:          maputil.GetString(options.ProviderServiceConfig, "bucket"),
 					Domain:          maputil.GetString(options.ProviderServiceConfig, "domain"),
@@ -296,6 +309,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunVOD.NewDeployer(&pAliyunVOD.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					Domain:          maputil.GetString(options.ProviderServiceConfig, "domain"),
 				})
@@ -305,6 +319,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				deployer, err := pAliyunWAF.NewDeployer(&pAliyunWAF.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					AccessKeySecret: access.AccessKeySecret,
+					ResourceGroupId: access.ResourceGroupId,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
 					ServiceVersion:  maputil.GetOrDefaultString(options.ProviderServiceConfig, "serviceVersion", "3.0"),
 					InstanceId:      maputil.GetString(options.ProviderServiceConfig, "instanceId"),
@@ -317,7 +332,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 			}
 		}
 
-	case domain.DeploymentProviderTypeAWSACM, domain.DeploymentProviderTypeAWSCloudFront:
+	case domain.DeploymentProviderTypeAWSACM, domain.DeploymentProviderTypeAWSCloudFront, domain.DeploymentProviderTypeAWSIAM:
 		{
 			access := domain.AccessConfigForAWS{}
 			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
@@ -336,10 +351,20 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 
 			case domain.DeploymentProviderTypeAWSCloudFront:
 				deployer, err := pAWSCloudFront.NewDeployer(&pAWSCloudFront.DeployerConfig{
+					AccessKeyId:       access.AccessKeyId,
+					SecretAccessKey:   access.SecretAccessKey,
+					Region:            maputil.GetString(options.ProviderServiceConfig, "region"),
+					DistributionId:    maputil.GetString(options.ProviderServiceConfig, "distributionId"),
+					CertificateSource: maputil.GetOrDefaultString(options.ProviderServiceConfig, "certificateSource", "ACM"),
+				})
+				return deployer, err
+
+			case domain.DeploymentProviderTypeAWSIAM:
+				deployer, err := pAWSIAM.NewDeployer(&pAWSIAM.DeployerConfig{
 					AccessKeyId:     access.AccessKeyId,
 					SecretAccessKey: access.SecretAccessKey,
 					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
-					DistributionId:  maputil.GetString(options.ProviderServiceConfig, "distributionId"),
+					CertificatePath: maputil.GetOrDefaultString(options.ProviderServiceConfig, "certificatePath", "/"),
 				})
 				return deployer, err
 
@@ -676,40 +701,44 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 			switch options.Provider {
 			case domain.DeploymentProviderTypeHuaweiCloudCDN:
 				deployer, err := pHuaweiCloudCDN.NewDeployer(&pHuaweiCloudCDN.DeployerConfig{
-					AccessKeyId:     access.AccessKeyId,
-					SecretAccessKey: access.SecretAccessKey,
-					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
-					Domain:          maputil.GetString(options.ProviderServiceConfig, "domain"),
+					AccessKeyId:         access.AccessKeyId,
+					SecretAccessKey:     access.SecretAccessKey,
+					EnterpriseProjectId: access.EnterpriseProjectId,
+					Region:              maputil.GetString(options.ProviderServiceConfig, "region"),
+					Domain:              maputil.GetString(options.ProviderServiceConfig, "domain"),
 				})
 				return deployer, err
 
 			case domain.DeploymentProviderTypeHuaweiCloudELB:
 				deployer, err := pHuaweiCloudELB.NewDeployer(&pHuaweiCloudELB.DeployerConfig{
-					AccessKeyId:     access.AccessKeyId,
-					SecretAccessKey: access.SecretAccessKey,
-					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
-					ResourceType:    pHuaweiCloudELB.ResourceType(maputil.GetString(options.ProviderServiceConfig, "resourceType")),
-					CertificateId:   maputil.GetString(options.ProviderServiceConfig, "certificateId"),
-					LoadbalancerId:  maputil.GetString(options.ProviderServiceConfig, "loadbalancerId"),
-					ListenerId:      maputil.GetString(options.ProviderServiceConfig, "listenerId"),
+					AccessKeyId:         access.AccessKeyId,
+					SecretAccessKey:     access.SecretAccessKey,
+					EnterpriseProjectId: access.EnterpriseProjectId,
+					Region:              maputil.GetString(options.ProviderServiceConfig, "region"),
+					ResourceType:        pHuaweiCloudELB.ResourceType(maputil.GetString(options.ProviderServiceConfig, "resourceType")),
+					CertificateId:       maputil.GetString(options.ProviderServiceConfig, "certificateId"),
+					LoadbalancerId:      maputil.GetString(options.ProviderServiceConfig, "loadbalancerId"),
+					ListenerId:          maputil.GetString(options.ProviderServiceConfig, "listenerId"),
 				})
 				return deployer, err
 
 			case domain.DeploymentProviderTypeHuaweiCloudSCM:
 				deployer, err := pHuaweiCloudSCM.NewDeployer(&pHuaweiCloudSCM.DeployerConfig{
-					AccessKeyId:     access.AccessKeyId,
-					SecretAccessKey: access.SecretAccessKey,
+					AccessKeyId:         access.AccessKeyId,
+					SecretAccessKey:     access.SecretAccessKey,
+					EnterpriseProjectId: access.EnterpriseProjectId,
 				})
 				return deployer, err
 
 			case domain.DeploymentProviderTypeHuaweiCloudWAF:
 				deployer, err := pHuaweiCloudWAF.NewDeployer(&pHuaweiCloudWAF.DeployerConfig{
-					AccessKeyId:     access.AccessKeyId,
-					SecretAccessKey: access.SecretAccessKey,
-					Region:          maputil.GetString(options.ProviderServiceConfig, "region"),
-					ResourceType:    pHuaweiCloudWAF.ResourceType(maputil.GetString(options.ProviderServiceConfig, "resourceType")),
-					CertificateId:   maputil.GetString(options.ProviderServiceConfig, "certificateId"),
-					Domain:          maputil.GetString(options.ProviderServiceConfig, "domain"),
+					AccessKeyId:         access.AccessKeyId,
+					SecretAccessKey:     access.SecretAccessKey,
+					EnterpriseProjectId: access.EnterpriseProjectId,
+					Region:              maputil.GetString(options.ProviderServiceConfig, "region"),
+					ResourceType:        pHuaweiCloudWAF.ResourceType(maputil.GetString(options.ProviderServiceConfig, "resourceType")),
+					CertificateId:       maputil.GetString(options.ProviderServiceConfig, "certificateId"),
+					Domain:              maputil.GetString(options.ProviderServiceConfig, "domain"),
 				})
 				return deployer, err
 
@@ -968,6 +997,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 				jumpServers[i] = pSSH.JumpServerConfig{
 					SshHost:          jumpServer.Host,
 					SshPort:          jumpServer.Port,
+					SshAuthMethod:    jumpServer.AuthMethod,
 					SshUsername:      jumpServer.Username,
 					SshPassword:      jumpServer.Password,
 					SshKey:           jumpServer.Key,
@@ -978,6 +1008,7 @@ func createDeployerProvider(options *deployerProviderOptions) (deployer.Deployer
 			deployer, err := pSSH.NewDeployer(&pSSH.DeployerConfig{
 				SshHost:                  access.Host,
 				SshPort:                  access.Port,
+				SshAuthMethod:            access.AuthMethod,
 				SshUsername:              access.Username,
 				SshPassword:              access.Password,
 				SshKey:                   access.Key,

internal/domain/access.go

@@ -38,6 +38,7 @@ type AccessConfigForACMEHttpReq struct {
 type AccessConfigForAliyun struct {
 	AccessKeyId     string `json:"accessKeyId"`
 	AccessKeySecret string `json:"accessKeySecret"`
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 }
 
 type AccessConfigForAWS struct {
@@ -108,6 +109,11 @@ type AccessConfigForCMCCCloud struct {
 	AccessKeySecret string `json:"accessKeySecret"`
 }
 
+type AccessConfigForConstellix struct {
+	ApiKey    string `json:"apiKey"`
+	SecretKey string `json:"secretKey"`
+}
+
 type AccessConfigForDeSEC struct {
 	Token string `json:"token"`
 }
@@ -199,8 +205,9 @@ type AccessConfigForHetzner struct {
 }
 
 type AccessConfigForHuaweiCloud struct {
-	AccessKeyId     string `json:"accessKeyId"`
-	SecretAccessKey string `json:"secretAccessKey"`
+	AccessKeyId         string `json:"accessKeyId"`
+	SecretAccessKey     string `json:"secretAccessKey"`
+	EnterpriseProjectId string `json:"enterpriseProjectId,omitempty"`
 }
 
 type AccessConfigForJDCloud struct {
@@ -308,14 +315,16 @@ type AccessConfigForSlackBot struct {
 type AccessConfigForSSH struct {
 	Host          string `json:"host"`
 	Port          int32  `json:"port"`
-	Username      string `json:"username"`
+	AuthMethod    string `json:"authMethod,omitempty"`
+	Username      string `json:"username,omitempty"`
 	Password      string `json:"password,omitempty"`
 	Key           string `json:"key,omitempty"`
 	KeyPassphrase string `json:"keyPassphrase,omitempty"`
 	JumpServers   []struct {
 		Host          string `json:"host"`
 		Port          int32  `json:"port"`
-		Username      string `json:"username"`
+		AuthMethod    string `json:"authMethod,omitempty"`
+		Username      string `json:"username,omitempty"`
 		Password      string `json:"password,omitempty"`
 		Key           string `json:"key,omitempty"`
 		KeyPassphrase string `json:"keyPassphrase,omitempty"`
@@ -384,7 +393,7 @@ type AccessConfigForWeComBot struct {
 
 type AccessConfigForWestcn struct {
 	Username    string `json:"username"`
-	ApiPassword string `json:"password"`
+	ApiPassword string `json:"apiPassword"`
 }
 
 type AccessConfigForZeroSSL struct {

internal/domain/expr/expr.go

@@ -0,0 +1,630 @@
+package expr
+
+import (
+	"encoding/json"
+	"fmt"
+	"strconv"
+)
+
+type (
+	ExprType               string
+	ExprComparisonOperator string
+	ExprLogicalOperator    string
+	ExprValueType          string
+)
+
+const (
+	GreaterThan    ExprComparisonOperator = "gt"
+	GreaterOrEqual ExprComparisonOperator = "gte"
+	LessThan       ExprComparisonOperator = "lt"
+	LessOrEqual    ExprComparisonOperator = "lte"
+	Equal          ExprComparisonOperator = "eq"
+	NotEqual       ExprComparisonOperator = "neq"
+
+	And ExprLogicalOperator = "and"
+	Or  ExprLogicalOperator = "or"
+	Not ExprLogicalOperator = "not"
+
+	Number  ExprValueType = "number"
+	String  ExprValueType = "string"
+	Boolean ExprValueType = "boolean"
+
+	ConstantExprType   ExprType = "const"
+	VariantExprType    ExprType = "var"
+	ComparisonExprType ExprType = "comparison"
+	LogicalExprType    ExprType = "logical"
+	NotExprType        ExprType = "not"
+)
+
+type EvalResult struct {
+	Type  ExprValueType
+	Value any
+}
+
+func (e *EvalResult) GetFloat64() (float64, error) {
+	if e.Type != Number {
+		return 0, fmt.Errorf("type mismatch: %s", e.Type)
+	}
+
+	stringValue, ok := e.Value.(string)
+	if !ok {
+		return 0, fmt.Errorf("value is not a string: %v", e.Value)
+	}
+
+	floatValue, err := strconv.ParseFloat(stringValue, 64)
+	if err != nil {
+		return 0, fmt.Errorf("failed to parse float64: %v", err)
+	}
+	return floatValue, nil
+}
+
+func (e *EvalResult) GetBool() (bool, error) {
+	if e.Type != Boolean {
+		return false, fmt.Errorf("type mismatch: %s", e.Type)
+	}
+
+	strValue, ok := e.Value.(string)
+	if ok {
+		if strValue == "true" {
+			return true, nil
+		} else if strValue == "false" {
+			return false, nil
+		}
+		return false, fmt.Errorf("value is not a boolean: %v", e.Value)
+	}
+
+	boolValue, ok := e.Value.(bool)
+	if !ok {
+		return false, fmt.Errorf("value is not a boolean: %v", e.Value)
+	}
+
+	return boolValue, nil
+}
+
+func (e *EvalResult) GreaterThan(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) > other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left > right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) GreaterOrEqual(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) >= other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left >= right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) LessThan(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) < other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left < right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) LessOrEqual(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) <= other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left <= right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) Equal(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) == other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left == right,
+		}, nil
+
+	case Boolean:
+		left, err := e.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left == right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) NotEqual(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) != other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left != right,
+		}, nil
+
+	case Boolean:
+		left, err := e.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left != right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) And(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case Boolean:
+		left, err := e.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left && right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) Or(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case Boolean:
+		left, err := e.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left || right,
+		}, nil
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) Not() (*EvalResult, error) {
+	if e.Type != Boolean {
+		return nil, fmt.Errorf("type mismatch: %s", e.Type)
+	}
+
+	boolValue, err := e.GetBool()
+	if err != nil {
+		return nil, err
+	}
+
+	return &EvalResult{
+		Type:  Boolean,
+		Value: !boolValue,
+	}, nil
+}
+
+type Expr interface {
+	GetType() ExprType
+	Eval(variables map[string]map[string]any) (*EvalResult, error)
+}
+
+type ExprValueSelector struct {
+	Id   string        `json:"id"`
+	Name string        `json:"name"`
+	Type ExprValueType `json:"type"`
+}
+
+type ConstantExpr struct {
+	Type      ExprType      `json:"type"`
+	Value     string        `json:"value"`
+	ValueType ExprValueType `json:"valueType"`
+}
+
+func (c ConstantExpr) GetType() ExprType { return c.Type }
+
+func (c ConstantExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	return &EvalResult{
+		Type:  c.ValueType,
+		Value: c.Value,
+	}, nil
+}
+
+type VariantExpr struct {
+	Type     ExprType          `json:"type"`
+	Selector ExprValueSelector `json:"selector"`
+}
+
+func (v VariantExpr) GetType() ExprType { return v.Type }
+
+func (v VariantExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	if v.Selector.Id == "" {
+		return nil, fmt.Errorf("node id is empty")
+	}
+	if v.Selector.Name == "" {
+		return nil, fmt.Errorf("name is empty")
+	}
+
+	if _, ok := variables[v.Selector.Id]; !ok {
+		return nil, fmt.Errorf("node %s not found", v.Selector.Id)
+	}
+
+	if _, ok := variables[v.Selector.Id][v.Selector.Name]; !ok {
+		return nil, fmt.Errorf("variable %s not found in node %s", v.Selector.Name, v.Selector.Id)
+	}
+	return &EvalResult{
+		Type:  v.Selector.Type,
+		Value: variables[v.Selector.Id][v.Selector.Name],
+	}, nil
+}
+
+type ComparisonExpr struct {
+	Type     ExprType               `json:"type"` // compare
+	Operator ExprComparisonOperator `json:"operator"`
+	Left     Expr                   `json:"left"`
+	Right    Expr                   `json:"right"`
+}
+
+func (c ComparisonExpr) GetType() ExprType { return c.Type }
+
+func (c ComparisonExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	left, err := c.Left.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+	right, err := c.Right.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+
+	switch c.Operator {
+	case GreaterThan:
+		return left.GreaterThan(right)
+	case LessThan:
+		return left.LessThan(right)
+	case GreaterOrEqual:
+		return left.GreaterOrEqual(right)
+	case LessOrEqual:
+		return left.LessOrEqual(right)
+	case Equal:
+		return left.Equal(right)
+	case NotEqual:
+		return left.NotEqual(right)
+	default:
+		return nil, fmt.Errorf("unknown expression operator: %s", c.Operator)
+	}
+}
+
+type LogicalExpr struct {
+	Type     ExprType            `json:"type"` // logical
+	Operator ExprLogicalOperator `json:"operator"`
+	Left     Expr                `json:"left"`
+	Right    Expr                `json:"right"`
+}
+
+func (l LogicalExpr) GetType() ExprType { return l.Type }
+
+func (l LogicalExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	left, err := l.Left.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+	right, err := l.Right.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+
+	switch l.Operator {
+	case And:
+		return left.And(right)
+	case Or:
+		return left.Or(right)
+	default:
+		return nil, fmt.Errorf("unknown expression operator: %s", l.Operator)
+	}
+}
+
+type NotExpr struct {
+	Type ExprType `json:"type"` // not
+	Expr Expr     `json:"expr"`
+}
+
+func (n NotExpr) GetType() ExprType { return n.Type }
+
+func (n NotExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	inner, err := n.Expr.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+	return inner.Not()
+}
+
+type rawExpr struct {
+	Type ExprType `json:"type"`
+}
+
+func MarshalExpr(e Expr) ([]byte, error) {
+	return json.Marshal(e)
+}
+
+func UnmarshalExpr(data []byte) (Expr, error) {
+	var typ rawExpr
+	if err := json.Unmarshal(data, &typ); err != nil {
+		return nil, err
+	}
+
+	switch typ.Type {
+	case ConstantExprType:
+		var e ConstantExpr
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e, nil
+	case VariantExprType:
+		var e VariantExpr
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e, nil
+	case ComparisonExprType:
+		var e ComparisonExprRaw
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e.ToComparisonExpr()
+	case LogicalExprType:
+		var e LogicalExprRaw
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e.ToLogicalExpr()
+	case NotExprType:
+		var e NotExprRaw
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e.ToNotExpr()
+	default:
+		return nil, fmt.Errorf("unknown expression type: %s", typ.Type)
+	}
+}
+
+type ComparisonExprRaw struct {
+	Type     ExprType               `json:"type"`
+	Operator ExprComparisonOperator `json:"operator"`
+	Left     json.RawMessage        `json:"left"`
+	Right    json.RawMessage        `json:"right"`
+}
+
+func (r ComparisonExprRaw) ToComparisonExpr() (ComparisonExpr, error) {
+	leftExpr, err := UnmarshalExpr(r.Left)
+	if err != nil {
+		return ComparisonExpr{}, err
+	}
+	rightExpr, err := UnmarshalExpr(r.Right)
+	if err != nil {
+		return ComparisonExpr{}, err
+	}
+	return ComparisonExpr{
+		Type:     r.Type,
+		Operator: r.Operator,
+		Left:     leftExpr,
+		Right:    rightExpr,
+	}, nil
+}
+
+type LogicalExprRaw struct {
+	Type     ExprType            `json:"type"`
+	Operator ExprLogicalOperator `json:"operator"`
+	Left     json.RawMessage     `json:"left"`
+	Right    json.RawMessage     `json:"right"`
+}
+
+func (r LogicalExprRaw) ToLogicalExpr() (LogicalExpr, error) {
+	left, err := UnmarshalExpr(r.Left)
+	if err != nil {
+		return LogicalExpr{}, err
+	}
+	right, err := UnmarshalExpr(r.Right)
+	if err != nil {
+		return LogicalExpr{}, err
+	}
+	return LogicalExpr{
+		Type:     r.Type,
+		Operator: r.Operator,
+		Left:     left,
+		Right:    right,
+	}, nil
+}
+
+type NotExprRaw struct {
+	Type ExprType        `json:"type"`
+	Expr json.RawMessage `json:"expr"`
+}
+
+func (r NotExprRaw) ToNotExpr() (NotExpr, error) {
+	inner, err := UnmarshalExpr(r.Expr)
+	if err != nil {
+		return NotExpr{}, err
+	}
+	return NotExpr{
+		Type: r.Type,
+		Expr: inner,
+	}, nil
+}

internal/domain/expr/expr_test.go

@@ -0,0 +1,127 @@
+package expr
+
+import (
+	"testing"
+)
+
+func TestLogicalEval(t *testing.T) {
+	// 测试逻辑表达式 and
+	logicalExpr := LogicalExpr{
+		Left: ConstantExpr{
+			Type:      "const",
+			Value:     "true",
+			ValueType: "boolean",
+		},
+		Operator: And,
+		Right: ConstantExpr{
+			Type:      "const",
+			Value:     "true",
+			ValueType: "boolean",
+		},
+	}
+	result, err := logicalExpr.Eval(nil)
+	if err != nil {
+		t.Errorf("failed to evaluate logical expression: %v", err)
+	}
+	if result.Value != true {
+		t.Errorf("expected true, got %v", result)
+	}
+
+	// 测试逻辑表达式 or
+	orExpr := LogicalExpr{
+		Left: ConstantExpr{
+			Type:      "const",
+			Value:     "true",
+			ValueType: "boolean",
+		},
+		Operator: Or,
+		Right: ConstantExpr{
+			Type:      "const",
+			Value:     "true",
+			ValueType: "boolean",
+		},
+	}
+	result, err = orExpr.Eval(nil)
+	if err != nil {
+		t.Errorf("failed to evaluate logical expression: %v", err)
+	}
+	if result.Value != true {
+		t.Errorf("expected true, got %v", result)
+	}
+}
+
+func TestUnmarshalExpr(t *testing.T) {
+	type args struct {
+		data []byte
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    Expr
+		wantErr bool
+	}{
+		{
+			name: "test1",
+			args: args{
+				data: []byte(`{"left":{"left":{"selector":{"id":"ODnYSOXB6HQP2_vz6JcZE","name":"certificate.validity","type":"boolean"},"type":"var"},"operator":"is","right":{"type":"const","value":true,"valueType":"boolean"},"type":"comparison"},"operator":"and","right":{"left":{"selector":{"id":"ODnYSOXB6HQP2_vz6JcZE","name":"certificate.daysLeft","type":"number"},"type":"var"},"operator":"eq","right":{"type":"const","value":2,"valueType":"number"},"type":"comparison"},"type":"logical"}`),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := UnmarshalExpr(tt.args.data)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("UnmarshalExpr() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got == nil {
+				t.Errorf("UnmarshalExpr() got = nil, want %v", tt.want)
+				return
+			}
+		})
+	}
+}
+
+func TestExpr_Eval(t *testing.T) {
+	type args struct {
+		variables map[string]map[string]any
+		data      []byte
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *EvalResult
+		wantErr bool
+	}{
+		{
+			name: "test1",
+			args: args{
+				variables: map[string]map[string]any{
+					"ODnYSOXB6HQP2_vz6JcZE": {
+						"certificate.validity": true,
+						"certificate.daysLeft": 2,
+					},
+				},
+				data: []byte(`{"left":{"left":{"selector":{"id":"ODnYSOXB6HQP2_vz6JcZE","name":"certificate.validity","type":"boolean"},"type":"var"},"operator":"is","right":{"type":"const","value":true,"valueType":"boolean"},"type":"comparison"},"operator":"and","right":{"left":{"selector":{"id":"ODnYSOXB6HQP2_vz6JcZE","name":"certificate.daysLeft","type":"number"},"type":"var"},"operator":"eq","right":{"type":"const","value":2,"valueType":"number"},"type":"comparison"},"type":"logical"}`),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c, err := UnmarshalExpr(tt.args.data)
+			if err != nil {
+				t.Errorf("UnmarshalExpr() error = %v", err)
+				return
+			}
+			got, err := c.Eval(tt.args.variables)
+			t.Log("got:", got)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ConstExpr.Eval() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got.Value != true {
+				t.Errorf("ConstExpr.Eval() got = %v, want %v", got.Value, true)
+			}
+		})
+	}
+}

internal/domain/provider.go

@@ -28,6 +28,7 @@ const (
 	AccessProviderTypeCloudflare          = AccessProviderType("cloudflare")
 	AccessProviderTypeClouDNS             = AccessProviderType("cloudns")
 	AccessProviderTypeCMCCCloud           = AccessProviderType("cmcccloud")
+	AccessProviderTypeConstellix          = AccessProviderType("constellix")
 	AccessProviderTypeCTCCCloud           = AccessProviderType("ctcccloud") // 天翼云（预留）
 	AccessProviderTypeCUCCCloud           = AccessProviderType("cucccloud") // 联通云（预留）
 	AccessProviderTypeDeSEC               = AccessProviderType("desec")
@@ -131,6 +132,7 @@ const (
 	ACMEDns01ProviderTypeCloudflare      = ACMEDns01ProviderType(AccessProviderTypeCloudflare)
 	ACMEDns01ProviderTypeClouDNS         = ACMEDns01ProviderType(AccessProviderTypeClouDNS)
 	ACMEDns01ProviderTypeCMCCCloud       = ACMEDns01ProviderType(AccessProviderTypeCMCCCloud)
+	ACMEDns01ProviderTypeConstellix      = ACMEDns01ProviderType(AccessProviderTypeConstellix)
 	ACMEDns01ProviderTypeDeSEC           = ACMEDns01ProviderType(AccessProviderTypeDeSEC)
 	ACMEDns01ProviderTypeDigitalOcean    = ACMEDns01ProviderType(AccessProviderTypeDigitalOcean)
 	ACMEDns01ProviderTypeDNSLA           = ACMEDns01ProviderType(AccessProviderTypeDNSLA)
@@ -156,6 +158,7 @@ const (
 	ACMEDns01ProviderTypeTencentCloud    = ACMEDns01ProviderType(AccessProviderTypeTencentCloud) // 兼容旧值，等同于 [ACMEDns01ProviderTypeTencentCloudDNS]
 	ACMEDns01ProviderTypeTencentCloudDNS = ACMEDns01ProviderType(AccessProviderTypeTencentCloud + "-dns")
 	ACMEDns01ProviderTypeTencentCloudEO  = ACMEDns01ProviderType(AccessProviderTypeTencentCloud + "-eo")
+	ACMEDns01ProviderTypeUCloudUDNR      = ACMEDns01ProviderType(AccessProviderTypeUCloud + "-udnr")
 	ACMEDns01ProviderTypeVercel          = ACMEDns01ProviderType(AccessProviderTypeVercel)
 	ACMEDns01ProviderTypeVolcEngine      = ACMEDns01ProviderType(AccessProviderTypeVolcEngine) // 兼容旧值，等同于 [ACMEDns01ProviderTypeVolcEngineDNS]
 	ACMEDns01ProviderTypeVolcEngineDNS   = ACMEDns01ProviderType(AccessProviderTypeVolcEngine + "-dns")
@@ -192,6 +195,7 @@ const (
 	DeploymentProviderTypeAliyunWAF             = DeploymentProviderType(AccessProviderTypeAliyun + "-waf")
 	DeploymentProviderTypeAWSACM                = DeploymentProviderType(AccessProviderTypeAWS + "-acm")
 	DeploymentProviderTypeAWSCloudFront         = DeploymentProviderType(AccessProviderTypeAWS + "-cloudfront")
+	DeploymentProviderTypeAWSIAM                = DeploymentProviderType(AccessProviderTypeAWS + "-iam")
 	DeploymentProviderTypeAzureKeyVault         = DeploymentProviderType(AccessProviderTypeAzure + "-keyvault")
 	DeploymentProviderTypeBaiduCloudAppBLB      = DeploymentProviderType(AccessProviderTypeBaiduCloud + "-appblb")
 	DeploymentProviderTypeBaiduCloudBLB         = DeploymentProviderType(AccessProviderTypeBaiduCloud + "-blb")

internal/domain/workflow.go

@@ -1,8 +1,10 @@
 package domain
 
 import (
+	"encoding/json"
 	"time"
 
+	"github.com/usual2970/certimate/internal/domain/expr"
 	maputil "github.com/usual2970/certimate/internal/pkg/utils/map"
 )
 
@@ -30,6 +32,7 @@ const (
 	WorkflowNodeTypeEnd                 = WorkflowNodeType("end")
 	WorkflowNodeTypeApply               = WorkflowNodeType("apply")
 	WorkflowNodeTypeUpload              = WorkflowNodeType("upload")
+	WorkflowNodeTypeMonitor             = WorkflowNodeType("monitor")
 	WorkflowNodeTypeDeploy              = WorkflowNodeType("deploy")
 	WorkflowNodeTypeNotify              = WorkflowNodeType("notify")
 	WorkflowNodeTypeBranch              = WorkflowNodeType("branch")
@@ -68,23 +71,30 @@ type WorkflowNodeConfigForApply struct {
 	Provider              string         `json:"provider"`                        // DNS 提供商
 	ProviderAccessId      string         `json:"providerAccessId"`                // DNS 提供商授权记录 ID
 	ProviderConfig        map[string]any `json:"providerConfig"`                  // DNS 提供商额外配置
-	CAProvider            string         `json:"caProvider,omitempty"`            // CA 提供商（零值将使用全局配置）
+	CAProvider            string         `json:"caProvider,omitempty"`            // CA 提供商（零值时使用全局配置）
 	CAProviderAccessId    string         `json:"caProviderAccessId,omitempty"`    // CA 提供商授权记录 ID
 	CAProviderConfig      map[string]any `json:"caProviderConfig,omitempty"`      // CA 提供商额外配置
 	KeyAlgorithm          string         `json:"keyAlgorithm"`                    // 证书算法
 	Nameservers           string         `json:"nameservers,omitempty"`           // DNS 服务器列表，以半角分号分隔
 	DnsPropagationWait    int32          `json:"dnsPropagationWait,omitempty"`    // DNS 传播等待时间，等同于 lego 的 `--dns-propagation-wait` 参数
-	DnsPropagationTimeout int32          `json:"dnsPropagationTimeout,omitempty"` // DNS 传播检查超时时间（零值取决于提供商的默认值）
-	DnsTTL                int32          `json:"dnsTTL,omitempty"`                // DNS 解析记录 TTL（零值取决于提供商的默认值）
+	DnsPropagationTimeout int32          `json:"dnsPropagationTimeout,omitempty"` // DNS 传播检查超时时间（零值时使用提供商的默认值）
+	DnsTTL                int32          `json:"dnsTTL,omitempty"`                // DNS 解析记录 TTL（零值时使用提供商的默认值）
 	DisableFollowCNAME    bool           `json:"disableFollowCNAME,omitempty"`    // 是否关闭 CNAME 跟随
 	DisableARI            bool           `json:"disableARI,omitempty"`            // 是否关闭 ARI
-	SkipBeforeExpiryDays  int32          `json:"skipBeforeExpiryDays,omitempty"`  // 证书到期前多少天前跳过续期（零值将使用默认值 30）
+	SkipBeforeExpiryDays  int32          `json:"skipBeforeExpiryDays,omitempty"`  // 证书到期前多少天前跳过续期（零值时默认值 30）
 }
 
 type WorkflowNodeConfigForUpload struct {
-	Certificate string `json:"certificate"`
-	PrivateKey  string `json:"privateKey"`
-	Domains     string `json:"domains"`
+	Certificate string `json:"certificate"` // 证书 PEM 内容
+	PrivateKey  string `json:"privateKey"`  // 私钥 PEM 内容
+	Domains     string `json:"domains,omitempty"`
+}
+
+type WorkflowNodeConfigForMonitor struct {
+	Host        string `json:"host"`                  // 主机地址
+	Port        int32  `json:"port,omitempty"`        // 端口（零值时默认值 443）
+	Domain      string `json:"domain,omitempty"`      // 域名（零值时默认值 [Host]）
+	RequestPath string `json:"requestPath,omitempty"` // 请求路径
 }
 
 type WorkflowNodeConfigForDeploy struct {
@@ -104,6 +114,10 @@ type WorkflowNodeConfigForNotify struct {
 	Message          string         `json:"message"`                  // 通知内容
 }
 
+type WorkflowNodeConfigForCondition struct {
+	Expression expr.Expr `json:"expression"` // 条件表达式
+}
+
 func (n *WorkflowNode) GetConfigForApply() WorkflowNodeConfigForApply {
 	return WorkflowNodeConfigForApply{
 		Domains:               maputil.GetString(n.Config, "domains"),
@@ -133,6 +147,16 @@ func (n *WorkflowNode) GetConfigForUpload() WorkflowNodeConfigForUpload {
 	}
 }
 
+func (n *WorkflowNode) GetConfigForMonitor() WorkflowNodeConfigForMonitor {
+	host := maputil.GetString(n.Config, "host")
+	return WorkflowNodeConfigForMonitor{
+		Host:        host,
+		Port:        maputil.GetOrDefaultInt32(n.Config, "port", 443),
+		Domain:      maputil.GetOrDefaultString(n.Config, "domain", host),
+		RequestPath: maputil.GetString(n.Config, "path"),
+	}
+}
+
 func (n *WorkflowNode) GetConfigForDeploy() WorkflowNodeConfigForDeploy {
 	return WorkflowNodeConfigForDeploy{
 		Certificate:         maputil.GetString(n.Config, "certificate"),
@@ -154,6 +178,23 @@ func (n *WorkflowNode) GetConfigForNotify() WorkflowNodeConfigForNotify {
 	}
 }
 
+func (n *WorkflowNode) GetConfigForCondition() WorkflowNodeConfigForCondition {
+	expression := n.Config["expression"]
+	if expression == nil {
+		return WorkflowNodeConfigForCondition{}
+	}
+
+	exprRaw, _ := json.Marshal(expression)
+	expr, err := expr.UnmarshalExpr([]byte(exprRaw))
+	if err != nil {
+		return WorkflowNodeConfigForCondition{}
+	}
+
+	return WorkflowNodeConfigForCondition{
+		Expression: expr,
+	}
+}
+
 type WorkflowNodeIO struct {
 	Label         string                      `json:"label"`
 	Name          string                      `json:"name"`
@@ -163,9 +204,6 @@ type WorkflowNodeIO struct {
 	ValueSelector WorkflowNodeIOValueSelector `json:"valueSelector"`
 }
 
-type WorkflowNodeIOValueSelector struct {
-	Id   string `json:"id"`
-	Name string `json:"name"`
-}
+type WorkflowNodeIOValueSelector = expr.ExprValueSelector
 
 const WorkflowNodeIONameCertificate string = "certificate"

internal/notify/notifier.go

@@ -29,18 +29,18 @@ func NewWithWorkflowNode(config NotifierWithWorkflowNodeConfig) (Notifier, error
 		return nil, fmt.Errorf("node type is not '%s'", string(domain.WorkflowNodeTypeNotify))
 	}
 
-	nodeConfig := config.Node.GetConfigForNotify()
+	nodeCfg := config.Node.GetConfigForNotify()
 	options := &notifierProviderOptions{
-		Provider:              domain.NotificationProviderType(nodeConfig.Provider),
+		Provider:              domain.NotificationProviderType(nodeCfg.Provider),
 		ProviderAccessConfig:  make(map[string]any),
-		ProviderServiceConfig: nodeConfig.ProviderConfig,
+		ProviderServiceConfig: nodeCfg.ProviderConfig,
 	}
 
 	accessRepo := repository.NewAccessRepository()
-	if nodeConfig.ProviderAccessId != "" {
-		access, err := accessRepo.GetById(context.Background(), nodeConfig.ProviderAccessId)
+	if nodeCfg.ProviderAccessId != "" {
+		access, err := accessRepo.GetById(context.Background(), nodeCfg.ProviderAccessId)
 		if err != nil {
-			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeConfig.ProviderAccessId, err)
+			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeCfg.ProviderAccessId, err)
 		} else {
 			options.ProviderAccessConfig = access.Config
 		}

internal/pkg/core/applicant/acme-dns-01/lego-providers/aliyun-esa/internal/lego.go

@@ -1,9 +1,8 @@
-package lego_aliyunesa
+package internal
 
 import (
 	"errors"
 	"fmt"
-	"strings"
 	"sync"
 	"time"
 
@@ -102,13 +101,13 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 		return fmt.Errorf("alicloud-esa: could not find zone for domain %q: %w", domain, err)
 	}
 
-	siteName := strings.TrimRight(authZone, ".")
+	siteName := dns01.UnFqdn(authZone)
 	siteId, err := d.getSiteId(siteName)
 	if err != nil {
 		return fmt.Errorf("alicloud-esa: could not find site for zone %q: %w", siteName, err)
 	}
 
-	if err := d.addOrUpdateDNSRecord(siteId, strings.TrimRight(info.EffectiveFQDN, "."), info.Value); err != nil {
+	if err := d.addOrUpdateDNSRecord(siteId, dns01.UnFqdn(info.EffectiveFQDN), info.Value); err != nil {
 		return fmt.Errorf("alicloud-esa: %w", err)
 	}
 
@@ -123,13 +122,13 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 		return fmt.Errorf("alicloud-esa: could not find zone for domain %q: %w", domain, err)
 	}
 
-	siteName := strings.TrimRight(authZone, ".")
+	siteName := dns01.UnFqdn(authZone)
 	siteId, err := d.getSiteId(siteName)
 	if err != nil {
 		return fmt.Errorf("alicloud-esa: could not find site for zone %q: %w", siteName, err)
 	}
 
-	if err := d.removeDNSRecord(siteId, strings.TrimRight(info.EffectiveFQDN, ".")); err != nil {
+	if err := d.removeDNSRecord(siteId, dns01.UnFqdn(info.EffectiveFQDN)); err != nil {
 		return fmt.Errorf("alicloud-esa: %w", err)
 	}
 

internal/pkg/core/applicant/acme-dns-01/lego-providers/baiducloud/internal/lego.go

@@ -1,4 +1,4 @@
-package lego_baiducloud
+package internal
 
 import (
 	"errors"

internal/pkg/core/applicant/acme-dns-01/lego-providers/constellix/constellix.go

@@ -0,0 +1,38 @@
+package cloudns
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/constellix"
+)
+
+type ChallengeProviderConfig struct {
+	ApiKey                string `json:"apiKey"`
+	SecretKey             string `json:"secretKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := constellix.NewDefaultConfig()
+	providerConfig.APIKey = config.ApiKey
+	providerConfig.SecretKey = config.SecretKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := constellix.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}

internal/pkg/core/applicant/acme-dns-01/lego-providers/dnsla/internal/lego.go

@@ -1,4 +1,4 @@
-package lego_dnsla
+package internal
 
 import (
 	"errors"

internal/pkg/core/applicant/acme-dns-01/lego-providers/dynv6/internal/lego.go

@@ -1,4 +1,4 @@
-package lego_dynv6
+package internal
 
 import (
 	"context"

internal/pkg/core/applicant/acme-dns-01/lego-providers/gname/internal/lego.go

@@ -1,4 +1,4 @@
-package lego_gname
+package internal
 
 import (
 	"errors"

internal/pkg/core/applicant/acme-dns-01/lego-providers/jdcloud/internal/lego.go

@@ -1,4 +1,4 @@
-package lego_jdcloud
+package internal
 
 import (
 	"errors"

internal/pkg/core/applicant/acme-dns-01/lego-providers/powerdns/powerdns.go

@@ -29,6 +29,7 @@ func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider,
 	providerConfig.APIKey = config.ApiKey
 	if config.AllowInsecureConnections {
 		providerConfig.HTTPClient.Transport = &http.Transport{
+			Proxy: http.ProxyFromEnvironment,
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: true,
 			},

internal/pkg/core/applicant/acme-dns-01/lego-providers/tencentcloud-eo/internal/lego.go

@@ -1,10 +1,9 @@
-package lego_tencentcloudeo
+package internal
 
 import (
 	"errors"
 	"fmt"
 	"math"
-	"strings"
 	"time"
 
 	"github.com/go-acme/lego/v4/challenge"
@@ -91,7 +90,7 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	info := dns01.GetChallengeInfo(domain, keyAuth)
 
-	if err := d.addOrUpdateDNSRecord(strings.TrimRight(info.EffectiveFQDN, "."), info.Value); err != nil {
+	if err := d.addOrUpdateDNSRecord(dns01.UnFqdn(info.EffectiveFQDN), info.Value); err != nil {
 		return fmt.Errorf("tencentcloud-eo: %w", err)
 	}
 
@@ -101,7 +100,7 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 	info := dns01.GetChallengeInfo(domain, keyAuth)
 
-	if err := d.removeDNSRecord(strings.TrimRight(info.EffectiveFQDN, ".")); err != nil {
+	if err := d.removeDNSRecord(dns01.UnFqdn(info.EffectiveFQDN)); err != nil {
 		return fmt.Errorf("tencentcloud-eo: %w", err)
 	}
 

internal/pkg/core/applicant/acme-dns-01/lego-providers/ucloud-udnr/internal/lego.go

@@ -0,0 +1,165 @@
+package internal
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/platform/config/env"
+	"github.com/ucloud/ucloud-sdk-go/ucloud"
+	"github.com/ucloud/ucloud-sdk-go/ucloud/auth"
+
+	"github.com/usual2970/certimate/internal/pkg/sdk3rd/ucloud/udnr"
+)
+
+const (
+	envNamespace = "UCLOUDUDNR_"
+
+	EnvPublicKey  = envNamespace + "PUBLIC_KEY"
+	EnvPrivateKey = envNamespace + "PRIVATE_KEY"
+
+	EnvTTL                = envNamespace + "TTL"
+	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+	EnvHTTPTimeout        = envNamespace + "HTTP_TIMEOUT"
+)
+
+var _ challenge.ProviderTimeout = (*DNSProvider)(nil)
+
+type Config struct {
+	PrivateKey string
+	PublicKey  string
+
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	TTL                int32
+	HTTPTimeout        time.Duration
+}
+
+type DNSProvider struct {
+	client *udnr.UDNRClient
+	config *Config
+}
+
+func NewDefaultConfig() *Config {
+	return &Config{
+		TTL:                int32(env.GetOrDefaultInt(EnvTTL, 300)),
+		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
+		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+		HTTPTimeout:        env.GetOrDefaultSecond(EnvHTTPTimeout, 30*time.Second),
+	}
+}
+
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(EnvPrivateKey, EnvPublicKey)
+	if err != nil {
+		return nil, fmt.Errorf("ucloud-udnr: %w", err)
+	}
+
+	config := NewDefaultConfig()
+	config.PrivateKey = values[EnvPrivateKey]
+	config.PublicKey = values[EnvPublicKey]
+
+	return NewDNSProviderConfig(config)
+}
+
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+	if config == nil {
+		return nil, errors.New("ucloud-udnr: the configuration of the DNS provider is nil")
+	}
+
+	cfg := ucloud.NewConfig()
+	credential := auth.NewCredential()
+	credential.PrivateKey = config.PrivateKey
+	credential.PublicKey = config.PublicKey
+	client := udnr.NewClient(&cfg, &credential)
+
+	return &DNSProvider{
+		client: client,
+		config: config,
+	}, nil
+}
+
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("ucloud-udnr: could not find zone for domain %q: %w", domain, err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("ucloud-udnr: %w", err)
+	}
+
+	udnrDomainDNSQueryReq := d.client.NewQueryDomainDNSRequest()
+	udnrDomainDNSQueryReq.Dn = ucloud.String(authZone)
+	if udnrDomainDNSQueryResp, err := d.client.QueryDomainDNS(udnrDomainDNSQueryReq); err != nil {
+		return fmt.Errorf("ucloud-udnr: %w", err)
+	} else {
+		for _, record := range udnrDomainDNSQueryResp.Data {
+			if record.DnsType == "TXT" && record.RecordName == subDomain {
+				udnrDomainDNSDeleteReq := d.client.NewDeleteDomainDNSRequest()
+				udnrDomainDNSDeleteReq.Dn = ucloud.String(authZone)
+				udnrDomainDNSDeleteReq.DnsType = ucloud.String(record.DnsType)
+				udnrDomainDNSDeleteReq.RecordName = ucloud.String(record.RecordName)
+				udnrDomainDNSDeleteReq.Content = ucloud.String(record.Content)
+				d.client.DeleteDomainDNS(udnrDomainDNSDeleteReq)
+				break
+			}
+		}
+	}
+
+	udnrDomainDNSAddReq := d.client.NewAddDomainDNSRequest()
+	udnrDomainDNSAddReq.Dn = ucloud.String(authZone)
+	udnrDomainDNSAddReq.DnsType = ucloud.String("TXT")
+	udnrDomainDNSAddReq.RecordName = ucloud.String(subDomain)
+	udnrDomainDNSAddReq.Content = ucloud.String(info.Value)
+	udnrDomainDNSAddReq.TTL = ucloud.Int(int(d.config.TTL))
+	if _, err := d.client.AddDomainDNS(udnrDomainDNSAddReq); err != nil {
+		return fmt.Errorf("ucloud-udnr: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("ucloud-udnr: could not find zone for domain %q: %w", domain, err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("ucloud-udnr: %w", err)
+	}
+
+	udnrDomainDNSQueryReq := d.client.NewQueryDomainDNSRequest()
+	udnrDomainDNSQueryReq.Dn = ucloud.String(authZone)
+	if udnrDomainDNSQueryResp, err := d.client.QueryDomainDNS(udnrDomainDNSQueryReq); err != nil {
+		return fmt.Errorf("ucloud-udnr: %w", err)
+	} else {
+		for _, record := range udnrDomainDNSQueryResp.Data {
+			if record.DnsType == "TXT" && record.RecordName == subDomain {
+				udnrDomainDNSDeleteReq := d.client.NewDeleteDomainDNSRequest()
+				udnrDomainDNSDeleteReq.Dn = ucloud.String(authZone)
+				udnrDomainDNSDeleteReq.DnsType = ucloud.String(record.DnsType)
+				udnrDomainDNSDeleteReq.RecordName = ucloud.String(record.RecordName)
+				udnrDomainDNSDeleteReq.Content = ucloud.String(record.Content)
+				d.client.DeleteDomainDNS(udnrDomainDNSDeleteReq)
+				break
+			}
+		}
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}

internal/pkg/core/applicant/acme-dns-01/lego-providers/ucloud-udnr/ucloud_udnr.go

@@ -0,0 +1,40 @@
+package ucloududnr
+
+import (
+	"errors"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+
+	"github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/ucloud-udnr/internal"
+)
+
+type ChallengeProviderConfig struct {
+	PrivateKey            string `json:"privateKey"`
+	PublicKey             string `json:"publicKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		return nil, errors.New("config is nil")
+	}
+
+	providerConfig := internal.NewDefaultConfig()
+	providerConfig.PrivateKey = config.PrivateKey
+	providerConfig.PublicKey = config.PublicKey
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = config.DnsTTL
+	}
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+
+	provider, err := internal.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}

internal/pkg/core/deployer/deployer.go

@@ -20,7 +20,7 @@ type Deployer interface {
 	// 出参：
 	//   - res：部署结果。
 	//   - err: 错误。
-	Deploy(ctx context.Context, certPEM string, privkeyPEM string) (res *DeployResult, err error)
+	Deploy(ctx context.Context, certPEM string, privkeyPEM string) (_res *DeployResult, _err error)
 }
 
 // 表示证书部署结果的数据结构。

internal/pkg/core/deployer/providers/1panel-console/1panel_console.go

@@ -53,7 +53,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/1panel-site/1panel_site.go

@@ -74,7 +74,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/aliyun-alb/aliyun_alb.go

@@ -25,6 +25,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 部署资源类型。
@@ -64,7 +66,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk clients: %w", err)
 	}
 
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.ResourceGroupId, config.Region)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
 	}
@@ -79,7 +81,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -423,7 +425,7 @@ func createSdkClients(accessKeyId, accessKeySecret, region string) (*wSdkClients
 	// 接入点一览 https://api.aliyun.com/product/Alb
 	var albEndpoint string
 	switch region {
-	case "cn-hangzhou-finance":
+	case "", "cn-hangzhou-finance":
 		albEndpoint = "alb.cn-hangzhou.aliyuncs.com"
 	default:
 		albEndpoint = fmt.Sprintf("alb.%s.aliyuncs.com", region)
@@ -463,7 +465,7 @@ func createSdkClients(accessKeyId, accessKeySecret, region string) (*wSdkClients
 	}, nil
 }
 
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+func createSslUploader(accessKeyId, accessKeySecret, resourceGroupId, region string) (uploader.Uploader, error) {
 	casRegion := region
 	if casRegion != "" {
 		// 阿里云 CAS 服务接入点是独立于 ALB 服务的
@@ -479,6 +481,7 @@ func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Up
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
 		AccessKeyId:     accessKeyId,
 		AccessKeySecret: accessKeySecret,
+		ResourceGroupId: resourceGroupId,
 		Region:          casRegion,
 	})
 	return uploader, err

internal/pkg/core/deployer/providers/aliyun-apigw/aliyun_apigw.go

@@ -16,6 +16,7 @@ import (
 	"github.com/usual2970/certimate/internal/pkg/core/deployer"
 	"github.com/usual2970/certimate/internal/pkg/core/uploader"
 	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aliyun-cas"
+	typeutil "github.com/usual2970/certimate/internal/pkg/utils/type"
 )
 
 type DeployerConfig struct {
@@ -23,6 +24,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 服务类型。
@@ -61,7 +64,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk clients: %w", err)
 	}
 
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.ResourceGroupId, config.Region)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
 	}
@@ -76,7 +79,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -149,10 +152,11 @@ func (d *DeployerProvider) deployToCloudNative(ctx context.Context, certPEM stri
 		}
 
 		listDomainsReq := &aliapig.ListDomainsRequest{
-			GatewayId:  tea.String(d.config.GatewayId),
-			NameLike:   tea.String(d.config.Domain),
-			PageNumber: tea.Int32(listDomainsPageNumber),
-			PageSize:   tea.Int32(listDomainsPageSize),
+			ResourceGroupId: typeutil.ToPtrOrZeroNil(d.config.ResourceGroupId),
+			GatewayId:       tea.String(d.config.GatewayId),
+			NameLike:        tea.String(d.config.Domain),
+			PageNumber:      tea.Int32(listDomainsPageNumber),
+			PageSize:        tea.Int32(listDomainsPageSize),
 		}
 		listDomainsResp, err := d.sdkClients.CloudNativeAPIGateway.ListDomains(listDomainsReq)
 		d.logger.Debug("sdk request 'apig.ListDomains'", slog.Any("request", listDomainsReq), slog.Any("response", listDomainsResp))
@@ -223,7 +227,7 @@ func (d *DeployerProvider) deployToCloudNative(ctx context.Context, certPEM stri
 
 func createSdkClients(accessKeyId, accessKeySecret, region string) (*wSdkClients, error) {
 	// 接入点一览 https://api.aliyun.com/product/APIG
-	cloudNativeAPIGEndpoint := fmt.Sprintf("apig.%s.aliyuncs.com", region)
+	cloudNativeAPIGEndpoint := strings.ReplaceAll(fmt.Sprintf("apig.%s.aliyuncs.com", region), "..", ".")
 	cloudNativeAPIGConfig := &aliopen.Config{
 		AccessKeyId:     tea.String(accessKeyId),
 		AccessKeySecret: tea.String(accessKeySecret),
@@ -235,7 +239,7 @@ func createSdkClients(accessKeyId, accessKeySecret, region string) (*wSdkClients
 	}
 
 	// 接入点一览 https://api.aliyun.com/product/CloudAPI
-	traditionalAPIGEndpoint := fmt.Sprintf("apigateway.%s.aliyuncs.com", region)
+	traditionalAPIGEndpoint := strings.ReplaceAll(fmt.Sprintf("apigateway.%s.aliyuncs.com", region), "..", ".")
 	traditionalAPIGConfig := &aliopen.Config{
 		AccessKeyId:     tea.String(accessKeyId),
 		AccessKeySecret: tea.String(accessKeySecret),
@@ -252,7 +256,7 @@ func createSdkClients(accessKeyId, accessKeySecret, region string) (*wSdkClients
 	}, nil
 }
 
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+func createSslUploader(accessKeyId, accessKeySecret, resourceGroupId, region string) (uploader.Uploader, error) {
 	casRegion := region
 	if casRegion != "" {
 		// 阿里云 CAS 服务接入点是独立于 APIGateway 服务的
@@ -268,6 +272,7 @@ func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Up
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
 		AccessKeyId:     accessKeyId,
 		AccessKeySecret: accessKeySecret,
+		ResourceGroupId: resourceGroupId,
 		Region:          casRegion,
 	})
 	return uploader, err

internal/pkg/core/deployer/providers/aliyun-cas-deploy/aliyun_cas_deploy.go

@@ -22,12 +22,14 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 阿里云云产品资源 ID 数组。
 	ResourceIds []string `json:"resourceIds"`
 	// 阿里云云联系人 ID 数组。
-	// 零值时默认使用账号下第一个联系人。
+	// 零值时使用账号下第一个联系人。
 	ContactIds []string `json:"contactIds"`
 }
 
@@ -50,11 +52,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
 
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-		Region:          config.Region,
-	})
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.ResourceGroupId, config.Region)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
 	}
@@ -69,7 +67,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -94,9 +92,10 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 	if len(contactIds) == 0 {
 		// 获取联系人列表
 		// REF: https://help.aliyun.com/zh/ssl-certificate/developer-reference/api-cas-2020-04-07-listcontact
-		listContactReq := &alicas.ListContactRequest{}
-		listContactReq.ShowSize = tea.Int32(1)
-		listContactReq.CurrentPage = tea.Int32(1)
+		listContactReq := &alicas.ListContactRequest{
+			ShowSize:    tea.Int32(1),
+			CurrentPage: tea.Int32(1),
+		}
 		listContactResp, err := d.sdkClient.ListContact(listContactReq)
 		d.logger.Debug("sdk request 'cas.ListContact'", slog.Any("request", listContactReq), slog.Any("response", listContactResp))
 		if err != nil {
@@ -157,14 +156,10 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 }
 
 func createSdkClient(accessKeyId, accessKeySecret, region string) (*alicas.Client, error) {
-	if region == "" {
-		region = "cn-hangzhou" // CAS 服务默认区域：华东一杭州
-	}
-
 	// 接入点一览 https://api.aliyun.com/product/cas
 	var endpoint string
 	switch region {
-	case "cn-hangzhou":
+	case "", "cn-hangzhou":
 		endpoint = "cas.aliyuncs.com"
 	default:
 		endpoint = fmt.Sprintf("cas.%s.aliyuncs.com", region)
@@ -183,3 +178,25 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*alicas.Clien
 
 	return client, nil
 }
+
+func createSslUploader(accessKeyId, accessKeySecret, resourceGroupId, region string) (uploader.Uploader, error) {
+	casRegion := region
+	if casRegion != "" {
+		// 阿里云 CAS 服务接入点是独立于其他服务的
+		// 国内版固定接入点：华东一杭州
+		// 国际版固定接入点：亚太东南一新加坡
+		if !strings.HasPrefix(casRegion, "cn-") {
+			casRegion = "ap-southeast-1"
+		} else {
+			casRegion = "cn-hangzhou"
+		}
+	}
+
+	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
+		AccessKeyId:     accessKeyId,
+		AccessKeySecret: accessKeySecret,
+		ResourceGroupId: resourceGroupId,
+		Region:          casRegion,
+	})
+	return uploader, err
+}

internal/pkg/core/deployer/providers/aliyun-cas/aliyun_cas.go

@@ -15,6 +15,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 }
@@ -35,6 +37,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
 		AccessKeyId:     config.AccessKeyId,
 		AccessKeySecret: config.AccessKeySecret,
+		ResourceGroupId: config.ResourceGroupId,
 		Region:          config.Region,
 	})
 	if err != nil {
@@ -50,7 +53,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/aliyun-cdn/aliyun_cdn.go

@@ -19,6 +19,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 加速域名（支持泛域名）。
 	Domain string `json:"domain"`
 }
@@ -50,7 +52,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/aliyun-clb/aliyun_clb.go

@@ -20,6 +20,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 部署资源类型。
@@ -54,7 +56,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
 
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.ResourceGroupId, config.Region)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
 	}
@@ -69,7 +71,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -283,7 +285,7 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*alislb.Clien
 	// 接入点一览 https://api.aliyun.com/product/Slb
 	var endpoint string
 	switch region {
-	case
+	case "",
 		"cn-hangzhou",
 		"cn-hangzhou-finance",
 		"cn-shanghai-finance-1",
@@ -307,10 +309,11 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*alislb.Clien
 	return client, nil
 }
 
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+func createSslUploader(accessKeyId, accessKeySecret, resourceGroupId, region string) (uploader.Uploader, error) {
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
 		AccessKeyId:     accessKeyId,
 		AccessKeySecret: accessKeySecret,
+		ResourceGroupId: resourceGroupId,
 		Region:          region,
 	})
 	return uploader, err

internal/pkg/core/deployer/providers/aliyun-dcdn/aliyun_dcdn.go

@@ -19,6 +19,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 加速域名（支持泛域名）。
 	Domain string `json:"domain"`
 }
@@ -50,7 +52,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/aliyun-ddos/aliyun_ddos.go

@@ -22,6 +22,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 网站域名（支持泛域名）。
@@ -47,7 +49,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
 
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.ResourceGroupId, config.Region)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
 	}
@@ -62,7 +64,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -104,7 +106,7 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliddos.Clie
 	config := &aliopen.Config{
 		AccessKeyId:     tea.String(accessKeyId),
 		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(fmt.Sprintf("ddoscoo.%s.aliyuncs.com", region)),
+		Endpoint:        tea.String(strings.ReplaceAll(fmt.Sprintf("ddoscoo.%s.aliyuncs.com", region), "..", ".")),
 	}
 
 	client, err := aliddos.NewClient(config)
@@ -115,7 +117,7 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliddos.Clie
 	return client, nil
 }
 
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+func createSslUploader(accessKeyId, accessKeySecret, resourceGroupId, region string) (uploader.Uploader, error) {
 	casRegion := region
 	if casRegion != "" {
 		// 阿里云 CAS 服务接入点是独立于 Anti-DDoS 服务的
@@ -131,6 +133,7 @@ func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Up
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
 		AccessKeyId:     accessKeyId,
 		AccessKeySecret: accessKeySecret,
+		ResourceGroupId: resourceGroupId,
 		Region:          casRegion,
 	})
 	return uploader, err

internal/pkg/core/deployer/providers/aliyun-esa/aliyun_esa.go

@@ -22,6 +22,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 阿里云 ESA 站点 ID。
@@ -47,7 +49,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
 
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.ResourceGroupId, config.Region)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
 	}
@@ -62,7 +64,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -105,7 +107,7 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliesa.Clien
 	config := &aliopen.Config{
 		AccessKeyId:     tea.String(accessKeyId),
 		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(fmt.Sprintf("esa.%s.aliyuncs.com", region)),
+		Endpoint:        tea.String(strings.ReplaceAll(fmt.Sprintf("esa.%s.aliyuncs.com", region), "..", ".")),
 	}
 
 	client, err := aliesa.NewClient(config)
@@ -116,7 +118,7 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliesa.Clien
 	return client, nil
 }
 
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+func createSslUploader(accessKeyId, accessKeySecret, resourceGroupId, region string) (uploader.Uploader, error) {
 	casRegion := region
 	if casRegion != "" {
 		// 阿里云 CAS 服务接入点是独立于 ESA 服务的
@@ -132,6 +134,7 @@ func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Up
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
 		AccessKeyId:     accessKeyId,
 		AccessKeySecret: accessKeySecret,
+		ResourceGroupId: resourceGroupId,
 		Region:          casRegion,
 	})
 	return uploader, err

internal/pkg/core/deployer/providers/aliyun-fc/aliyun_fc.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"strings"
 	"time"
 
 	aliopen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
@@ -19,6 +20,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 服务版本。
@@ -60,7 +63,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -108,6 +111,9 @@ func (d *DeployerProvider) deployToFC3(ctx context.Context, certPEM string, priv
 			TlsConfig: getCustomDomainResp.Body.TlsConfig,
 		},
 	}
+	if tea.StringValue(updateCustomDomainReq.Body.Protocol) == "HTTP" {
+		updateCustomDomainReq.Body.Protocol = tea.String("HTTP,HTTPS")
+	}
 	updateCustomDomainResp, err := d.sdkClients.FC3.UpdateCustomDomain(tea.String(d.config.Domain), updateCustomDomainReq)
 	d.logger.Debug("sdk request 'fc.UpdateCustomDomain'", slog.Any("request", updateCustomDomainReq), slog.Any("response", updateCustomDomainResp))
 	if err != nil {
@@ -137,6 +143,9 @@ func (d *DeployerProvider) deployToFC2(ctx context.Context, certPEM string, priv
 		Protocol:  getCustomDomainResp.Body.Protocol,
 		TlsConfig: getCustomDomainResp.Body.TlsConfig,
 	}
+	if tea.StringValue(updateCustomDomainReq.Protocol) == "HTTP" {
+		updateCustomDomainReq.Protocol = tea.String("HTTP,HTTPS")
+	}
 	updateCustomDomainResp, err := d.sdkClients.FC2.UpdateCustomDomain(tea.String(d.config.Domain), updateCustomDomainReq)
 	d.logger.Debug("sdk request 'fc.UpdateCustomDomain'", slog.Any("request", updateCustomDomainReq), slog.Any("response", updateCustomDomainResp))
 	if err != nil {
@@ -150,6 +159,8 @@ func createSdkClients(accessKeyId, accessKeySecret, region string) (*wSdkClients
 	// 接入点一览 https://api.aliyun.com/product/FC-Open
 	var fc2Endpoint string
 	switch region {
+	case "":
+		fc2Endpoint = "fc.aliyuncs.com"
 	case "cn-hangzhou-finance":
 		fc2Endpoint = fmt.Sprintf("%s.fc.aliyuncs.com", region)
 	default:
@@ -167,7 +178,7 @@ func createSdkClients(accessKeyId, accessKeySecret, region string) (*wSdkClients
 	}
 
 	// 接入点一览 https://api.aliyun.com/product/FC-Open
-	fc3Endpoint := fmt.Sprintf("fcv3.%s.aliyuncs.com", region)
+	fc3Endpoint := strings.ReplaceAll(fmt.Sprintf("fcv3.%s.aliyuncs.com", region), "..", ".")
 	fc3Config := &aliopen.Config{
 		AccessKeyId:     tea.String(accessKeyId),
 		AccessKeySecret: tea.String(accessKeySecret),

internal/pkg/core/deployer/providers/aliyun-ga/aliyun_ga.go

@@ -22,6 +22,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 部署资源类型。
 	ResourceType ResourceType `json:"resourceType"`
 	// 全球加速实例 ID。
@@ -53,7 +55,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
 
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret)
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.ResourceGroupId)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
 	}
@@ -68,7 +70,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -312,10 +314,11 @@ func createSdkClient(accessKeyId, accessKeySecret string) (*aliga.Client, error)
 	return client, nil
 }
 
-func createSslUploader(accessKeyId, accessKeySecret string) (uploader.Uploader, error) {
+func createSslUploader(accessKeyId, accessKeySecret, resourceGroupId string) (uploader.Uploader, error) {
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
 		AccessKeyId:     accessKeyId,
 		AccessKeySecret: accessKeySecret,
+		ResourceGroupId: resourceGroupId,
 		Region:          "cn-hangzhou",
 	})
 	return uploader, err

internal/pkg/core/deployer/providers/aliyun-live/aliyun_live.go

@@ -19,6 +19,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 直播流域名（支持泛域名）。
@@ -52,7 +54,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -86,7 +88,7 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*alilive.Clie
 	// 接入点一览 https://api.aliyun.com/product/live
 	var endpoint string
 	switch region {
-	case
+	case "",
 		"cn-qingdao",
 		"cn-beijing",
 		"cn-shanghai",

internal/pkg/core/deployer/providers/aliyun-nlb/aliyun_nlb.go

@@ -21,6 +21,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 部署资源类型。
@@ -52,7 +54,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
 
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.ResourceGroupId, config.Region)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
 	}
@@ -67,7 +69,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -224,12 +226,7 @@ func (d *DeployerProvider) updateListenerCertificate(ctx context.Context, cloudL
 
 func createSdkClient(accessKeyId, accessKeySecret, region string) (*alinlb.Client, error) {
 	// 接入点一览 https://api.aliyun.com/product/Nlb
-	var endpoint string
-	switch region {
-	default:
-		endpoint = fmt.Sprintf("nlb.%s.aliyuncs.com", region)
-	}
-
+	endpoint := strings.ReplaceAll(fmt.Sprintf("nlb.%s.aliyuncs.com", region), "..", ".")
 	config := &aliopen.Config{
 		AccessKeyId:     tea.String(accessKeyId),
 		AccessKeySecret: tea.String(accessKeySecret),
@@ -244,7 +241,7 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*alinlb.Clien
 	return client, nil
 }
 
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+func createSslUploader(accessKeyId, accessKeySecret, resourceGroupId, region string) (uploader.Uploader, error) {
 	casRegion := region
 	if casRegion != "" {
 		// 阿里云 CAS 服务接入点是独立于 NLB 服务的
@@ -260,6 +257,7 @@ func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Up
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
 		AccessKeyId:     accessKeyId,
 		AccessKeySecret: accessKeySecret,
+		ResourceGroupId: resourceGroupId,
 		Region:          casRegion,
 	})
 	return uploader, err

internal/pkg/core/deployer/providers/aliyun-oss/aliyun_oss.go

@@ -16,6 +16,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 存储桶名。
@@ -51,7 +53,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/aliyun-vod/aliyun_vod.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"strings"
 	"time"
 
 	aliopen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
@@ -18,6 +19,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 点播加速域名（不支持泛域名）。
@@ -51,7 +54,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -80,8 +83,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 
 func createSdkClient(accessKeyId, accessKeySecret, region string) (*alivod.Client, error) {
 	// 接入点一览 https://api.aliyun.com/product/vod
-	endpoint := fmt.Sprintf("vod.%s.aliyuncs.com", region)
-
+	endpoint := strings.ReplaceAll(fmt.Sprintf("vod.%s.aliyuncs.com", region), "..", ".")
 	config := &aliopen.Config{
 		AccessKeyId:     tea.String(accessKeyId),
 		AccessKeySecret: tea.String(accessKeySecret),

internal/pkg/core/deployer/providers/aliyun-waf/aliyun_waf.go

@@ -15,6 +15,7 @@ import (
 	"github.com/usual2970/certimate/internal/pkg/core/uploader"
 	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aliyun-cas"
 	sliceutil "github.com/usual2970/certimate/internal/pkg/utils/slice"
+	typeutil "github.com/usual2970/certimate/internal/pkg/utils/type"
 )
 
 type DeployerConfig struct {
@@ -22,6 +23,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 阿里云 AccessKeySecret。
 	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云资源组 ID。
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
 	// 阿里云地域。
 	Region string `json:"region"`
 	// 服务版本。
@@ -51,7 +54,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
 
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.ResourceGroupId, config.Region)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
 	}
@@ -66,7 +69,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -107,8 +110,9 @@ func (d *DeployerProvider) deployToWAF3(ctx context.Context, certPEM string, pri
 		// 查询默认 SSL/TLS 设置
 		// REF: https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-describedefaulthttps
 		describeDefaultHttpsReq := &aliwaf.DescribeDefaultHttpsRequest{
-			InstanceId: tea.String(d.config.InstanceId),
-			RegionId:   tea.String(d.config.Region),
+			ResourceManagerResourceGroupId: typeutil.ToPtrOrZeroNil(d.config.ResourceGroupId),
+			InstanceId:                     tea.String(d.config.InstanceId),
+			RegionId:                       tea.String(d.config.Region),
 		}
 		describeDefaultHttpsResp, err := d.sdkClient.DescribeDefaultHttps(describeDefaultHttpsReq)
 		d.logger.Debug("sdk request 'waf.DescribeDefaultHttps'", slog.Any("request", describeDefaultHttpsReq), slog.Any("response", describeDefaultHttpsResp))
@@ -119,11 +123,12 @@ func (d *DeployerProvider) deployToWAF3(ctx context.Context, certPEM string, pri
 		// 修改默认 SSL/TLS 设置
 		// REF: https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-modifydefaulthttps
 		modifyDefaultHttpsReq := &aliwaf.ModifyDefaultHttpsRequest{
-			InstanceId:  tea.String(d.config.InstanceId),
-			RegionId:    tea.String(d.config.Region),
-			CertId:      tea.String(upres.CertId),
-			TLSVersion:  tea.String("tlsv1"),
-			EnableTLSv3: tea.Bool(false),
+			ResourceManagerResourceGroupId: typeutil.ToPtrOrZeroNil(d.config.ResourceGroupId),
+			InstanceId:                     tea.String(d.config.InstanceId),
+			RegionId:                       tea.String(d.config.Region),
+			CertId:                         tea.String(upres.CertId),
+			TLSVersion:                     tea.String("tlsv1"),
+			EnableTLSv3:                    tea.Bool(false),
 		}
 		if describeDefaultHttpsResp.Body != nil && describeDefaultHttpsResp.Body.DefaultHttps != nil {
 			modifyDefaultHttpsReq.TLSVersion = describeDefaultHttpsResp.Body.DefaultHttps.TLSVersion
@@ -172,10 +177,11 @@ func (d *DeployerProvider) deployToWAF3(ctx context.Context, certPEM string, pri
 
 func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliwaf.Client, error) {
 	// 接入点一览：https://api.aliyun.com/product/waf-openapi
+	endpoint := strings.ReplaceAll(fmt.Sprintf("wafopenapi.%s.aliyuncs.com", region), "..", ".")
 	config := &aliopen.Config{
 		AccessKeyId:     tea.String(accessKeyId),
 		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(fmt.Sprintf("wafopenapi.%s.aliyuncs.com", region)),
+		Endpoint:        tea.String(endpoint),
 	}
 
 	client, err := aliwaf.NewClient(config)
@@ -186,7 +192,7 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliwaf.Clien
 	return client, nil
 }
 
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+func createSslUploader(accessKeyId, accessKeySecret, resourceGroupId, region string) (uploader.Uploader, error) {
 	casRegion := region
 	if casRegion != "" {
 		// 阿里云 CAS 服务接入点是独立于 WAF 服务的
@@ -202,6 +208,7 @@ func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Up
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
 		AccessKeyId:     accessKeyId,
 		AccessKeySecret: accessKeySecret,
+		ResourceGroupId: resourceGroupId,
 		Region:          casRegion,
 	})
 	return uploader, err

internal/pkg/core/deployer/providers/aws-acm/aws_acm.go

@@ -66,7 +66,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/aws-cloudfront/aws_cloudfront.go

@@ -14,7 +14,8 @@ import (
 
 	"github.com/usual2970/certimate/internal/pkg/core/deployer"
 	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aws-acm"
+	uploaderspacm "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aws-acm"
+	uploaderspiam "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aws-iam"
 )
 
 type DeployerConfig struct {
@@ -26,6 +27,9 @@ type DeployerConfig struct {
 	Region string `json:"region"`
 	// AWS CloudFront 分配 ID。
 	DistributionId string `json:"distributionId"`
+	// AWS CloudFront 证书来源。
+	// 可取值 "ACM"、"IAM"。
+	CertificateSource string `json:"certificateSource"`
 }
 
 type DeployerProvider struct {
@@ -47,13 +51,28 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
 	}
 
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		SecretAccessKey: config.SecretAccessKey,
-		Region:          config.Region,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
+	var uploader uploader.Uploader
+	if config.CertificateSource == "ACM" {
+		uploader, err = uploaderspacm.NewUploader(&uploaderspacm.UploaderConfig{
+			AccessKeyId:     config.AccessKeyId,
+			SecretAccessKey: config.SecretAccessKey,
+			Region:          config.Region,
+		})
+		if err != nil {
+			return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
+		}
+	} else if config.CertificateSource == "IAM" {
+		uploader, err = uploaderspiam.NewUploader(&uploaderspiam.UploaderConfig{
+			AccessKeyId:     config.AccessKeyId,
+			SecretAccessKey: config.SecretAccessKey,
+			Region:          config.Region,
+			CertificatePath: "/cloudfront/",
+		})
+		if err != nil {
+			return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
+		}
+	} else {
+		return nil, fmt.Errorf("unsupported certificate source: '%s'", config.CertificateSource)
 	}
 
 	return &DeployerProvider{
@@ -66,7 +85,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -79,7 +98,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 		return nil, errors.New("config `distribuitionId` is required")
 	}
 
-	// 上传证书到 ACM
+	// 上传证书到 ACM/IAM
 	upres, err := d.sslUploader.Upload(ctx, certPEM, privkeyPEM)
 	if err != nil {
 		return nil, fmt.Errorf("failed to upload certificate file: %w", err)
@@ -109,7 +128,19 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 		updateDistributionReq.DistributionConfig.ViewerCertificate = &types.ViewerCertificate{}
 	}
 	updateDistributionReq.DistributionConfig.ViewerCertificate.CloudFrontDefaultCertificate = aws.Bool(false)
-	updateDistributionReq.DistributionConfig.ViewerCertificate.ACMCertificateArn = aws.String(upres.CertId)
+	if d.config.CertificateSource == "ACM" {
+		updateDistributionReq.DistributionConfig.ViewerCertificate.ACMCertificateArn = aws.String(upres.CertId)
+		updateDistributionReq.DistributionConfig.ViewerCertificate.IAMCertificateId = nil
+	} else if d.config.CertificateSource == "IAM" {
+		updateDistributionReq.DistributionConfig.ViewerCertificate.ACMCertificateArn = nil
+		updateDistributionReq.DistributionConfig.ViewerCertificate.IAMCertificateId = aws.String(upres.CertId)
+		if updateDistributionReq.DistributionConfig.ViewerCertificate.MinimumProtocolVersion == "" {
+			updateDistributionReq.DistributionConfig.ViewerCertificate.MinimumProtocolVersion = types.MinimumProtocolVersionTLSv1
+		}
+		if updateDistributionReq.DistributionConfig.ViewerCertificate.SSLSupportMethod == "" {
+			updateDistributionReq.DistributionConfig.ViewerCertificate.SSLSupportMethod = types.SSLSupportMethodSniOnly
+		}
+	}
 	updateDistributionResp, err := d.sdkClient.UpdateDistribution(context.TODO(), updateDistributionReq)
 	d.logger.Debug("sdk request 'cloudfront.UpdateDistribution'", slog.Any("request", updateDistributionReq), slog.Any("response", updateDistributionResp))
 	if err != nil {

internal/pkg/core/deployer/providers/aws-iam/aws_iam.go

@@ -0,0 +1,75 @@
+package awsiam
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+
+	"github.com/usual2970/certimate/internal/pkg/core/deployer"
+	"github.com/usual2970/certimate/internal/pkg/core/uploader"
+	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aws-iam"
+)
+
+type DeployerConfig struct {
+	// AWS AccessKeyId。
+	AccessKeyId string `json:"accessKeyId"`
+	// AWS SecretAccessKey。
+	SecretAccessKey string `json:"secretAccessKey"`
+	// AWS 区域。
+	Region string `json:"region"`
+	// IAM 证书路径。
+	// 选填。
+	CertificatePath string `json:"certificatePath,omitempty"`
+}
+
+type DeployerProvider struct {
+	config      *DeployerConfig
+	logger      *slog.Logger
+	sslUploader uploader.Uploader
+}
+
+var _ deployer.Deployer = (*DeployerProvider)(nil)
+
+func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
+		AccessKeyId:     config.AccessKeyId,
+		SecretAccessKey: config.SecretAccessKey,
+		Region:          config.Region,
+		CertificatePath: config.CertificatePath,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
+	}
+
+	return &DeployerProvider{
+		config:      config,
+		logger:      slog.Default(),
+		sslUploader: uploader,
+	}, nil
+}
+
+func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
+	if logger == nil {
+		d.logger = slog.New(slog.DiscardHandler)
+	} else {
+		d.logger = logger
+	}
+	d.sslUploader.WithLogger(logger)
+	return d
+}
+
+func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPEM string) (*deployer.DeployResult, error) {
+	// 上传证书到 IAM
+	upres, err := d.sslUploader.Upload(ctx, certPEM, privkeyPEM)
+	if err != nil {
+		return nil, fmt.Errorf("failed to upload certificate file: %w", err)
+	} else {
+		d.logger.Info("ssl certificate uploaded", slog.Any("result", upres))
+	}
+
+	return &deployer.DeployResult{}, nil
+}

internal/pkg/core/deployer/providers/azure-keyvault/azure_keyvault.go

@@ -76,7 +76,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/baiducloud-appblb/baiducloud_appblb.go

@@ -74,7 +74,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/baiducloud-blb/baiducloud_blb.go

@@ -74,7 +74,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/baiducloud-cdn/baiducloud_cdn.go

@@ -48,7 +48,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/baiducloud-cert/baiducloud_cert.go

@@ -47,7 +47,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/baishan-cdn/baishan_cdn.go

@@ -51,7 +51,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/baotapanel-console/baotapanel_console.go

@@ -50,7 +50,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/baotapanel-site/baotapanel_site.go

@@ -55,7 +55,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/baotawaf-console/baotawaf_console.go

@@ -48,7 +48,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/baotawaf-site/baotawaf_site.go

@@ -23,7 +23,7 @@ type DeployerConfig struct {
 	// 网站名称。
 	SiteName string `json:"siteName"`
 	// 网站 SSL 端口。
-	// 零值时默认为 443。
+	// 零值时默认值 443。
 	SitePort int32 `json:"sitePort,omitempty"`
 }
 
@@ -54,7 +54,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -116,7 +116,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 		SiteId: siteId,
 		Type:   typeutil.ToPtr("openCert"),
 		Server: &btsdk.SiteServerInfo{
-			ListenSSLPort: typeutil.ToPtr(d.config.SitePort),
+			ListenSSLPorts: typeutil.ToPtr([]int32{d.config.SitePort}),
 			SSL: &btsdk.SiteServerSSLInfo{
 				IsSSL:      typeutil.ToPtr(int32(1)),
 				FullChain:  typeutil.ToPtr(certPEM),

internal/pkg/core/deployer/providers/baotawaf-site/baotawaf_site_test.go

@@ -39,7 +39,7 @@ Shell command to run this test:
 	--CERTIMATE_DEPLOYER_BAOTAWAFSITE_INPUTKEYPATH="/path/to/your-input-key.pem" \
 	--CERTIMATE_DEPLOYER_BAOTAWAFSITE_SERVERURL="http://127.0.0.1:8888" \
 	--CERTIMATE_DEPLOYER_BAOTAWAFSITE_APIKEY="your-api-key" \
-	--CERTIMATE_DEPLOYER_BAOTAWAFSITE_SITENAME="your-site-name"\
+	--CERTIMATE_DEPLOYER_BAOTAWAFSITE_SITENAME="your-site-name" \
 	--CERTIMATE_DEPLOYER_BAOTAWAFSITE_SITEPORT=443
 */
 func TestDeploy(t *testing.T) {

internal/pkg/core/deployer/providers/bunny-cdn/bunny_cdn.go

@@ -41,7 +41,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/byteplus-cdn/byteplus_cdn.go

@@ -59,7 +59,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/cachefly/cachefly.go

@@ -42,7 +42,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/cdnfly/cdnfly.go

@@ -60,7 +60,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/dogecloud-cdn/dogecloud_cdn.go

@@ -55,7 +55,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/edgio-applications/edgio_applications.go

@@ -48,7 +48,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/flexcdn/flexcdn.go

@@ -61,7 +61,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/gcore-cdn/gcore_cdn.go

@@ -69,7 +69,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/goedge/goedge.go

@@ -61,7 +61,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/huaweicloud-cdn/huaweicloud_cdn.go

@@ -21,6 +21,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 华为云 SecretAccessKey。
 	SecretAccessKey string `json:"secretAccessKey"`
+	// 华为云企业项目 ID。
+	EnterpriseProjectId string `json:"enterpriseProjectId,omitempty"`
 	// 华为云区域。
 	Region string `json:"region"`
 	// 加速域名（不支持泛域名）。
@@ -51,8 +53,9 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 	}
 
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		SecretAccessKey: config.SecretAccessKey,
+		AccessKeyId:         config.AccessKeyId,
+		SecretAccessKey:     config.SecretAccessKey,
+		EnterpriseProjectId: config.EnterpriseProjectId,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
@@ -68,7 +71,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -88,7 +91,8 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 	// 查询加速域名配置
 	// REF: https://support.huaweicloud.com/api-cdn/ShowDomainFullConfig.html
 	showDomainFullConfigReq := &hccdnmodel.ShowDomainFullConfigRequest{
-		DomainName: d.config.Domain,
+		EnterpriseProjectId: typeutil.ToPtrOrZeroNil(d.config.EnterpriseProjectId),
+		DomainName:          d.config.Domain,
 	}
 	showDomainFullConfigResp, err := d.sdkClient.ShowDomainFullConfig(showDomainFullConfigReq)
 	d.logger.Debug("sdk request 'cdn.ShowDomainFullConfig'", slog.Any("request", showDomainFullConfigReq), slog.Any("response", showDomainFullConfigResp))
@@ -107,6 +111,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 	updateDomainMultiCertificatesReqBodyContent.CertName = typeutil.ToPtr(upres.CertName)
 	updateDomainMultiCertificatesReqBodyContent = assign(updateDomainMultiCertificatesReqBodyContent, showDomainFullConfigResp.Configs)
 	updateDomainMultiCertificatesReq := &hccdnmodel.UpdateDomainMultiCertificatesRequest{
+		EnterpriseProjectId: typeutil.ToPtrOrZeroNil(d.config.EnterpriseProjectId),
 		Body: &hccdnmodel.UpdateDomainMultiCertificatesRequestBody{
 			Https: updateDomainMultiCertificatesReqBodyContent,
 		},

internal/pkg/core/deployer/providers/huaweicloud-elb/huaweicloud_elb.go

@@ -27,6 +27,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 华为云 SecretAccessKey。
 	SecretAccessKey string `json:"secretAccessKey"`
+	// 华为云企业项目 ID。
+	EnterpriseProjectId string `json:"enterpriseProjectId,omitempty"`
 	// 华为云区域。
 	Region string `json:"region"`
 	// 部署资源类型。
@@ -62,9 +64,10 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 	}
 
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		SecretAccessKey: config.SecretAccessKey,
-		Region:          config.Region,
+		AccessKeyId:         config.AccessKeyId,
+		SecretAccessKey:     config.SecretAccessKey,
+		EnterpriseProjectId: config.EnterpriseProjectId,
+		Region:              config.Region,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
@@ -80,7 +83,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -172,6 +175,9 @@ func (d *DeployerProvider) deployToLoadbalancer(ctx context.Context, certPEM str
 			Protocol:       &[]string{"HTTPS", "TERMINATED_HTTPS"},
 			LoadbalancerId: &[]string{showLoadBalancerResp.Loadbalancer.Id},
 		}
+		if d.config.EnterpriseProjectId != "" {
+			listListenersReq.EnterpriseProjectId = typeutil.ToPtr([]string{d.config.EnterpriseProjectId})
+		}
 		listListenersResp, err := d.sdkClient.ListListeners(listListenersReq)
 		d.logger.Debug("sdk request 'elb.ListListeners'", slog.Any("request", listListenersReq), slog.Any("response", listListenersResp))
 		if err != nil {

internal/pkg/core/deployer/providers/huaweicloud-scm/huaweicloud_scm.go

@@ -15,6 +15,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 华为云 SecretAccessKey。
 	SecretAccessKey string `json:"secretAccessKey"`
+	// 华为云企业项目 ID。
+	EnterpriseProjectId string `json:"enterpriseProjectId,omitempty"`
 }
 
 type DeployerProvider struct {
@@ -31,8 +33,9 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 	}
 
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		SecretAccessKey: config.SecretAccessKey,
+		AccessKeyId:         config.AccessKeyId,
+		SecretAccessKey:     config.SecretAccessKey,
+		EnterpriseProjectId: config.EnterpriseProjectId,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
@@ -47,7 +50,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/huaweicloud-waf/huaweicloud_waf.go

@@ -27,6 +27,8 @@ type DeployerConfig struct {
 	AccessKeyId string `json:"accessKeyId"`
 	// 华为云 SecretAccessKey。
 	SecretAccessKey string `json:"secretAccessKey"`
+	// 华为云企业项目 ID。
+	EnterpriseProjectId string `json:"enterpriseProjectId,omitempty"`
 	// 华为云区域。
 	Region string `json:"region"`
 	// 部署资源类型。
@@ -59,9 +61,10 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 	}
 
 	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		SecretAccessKey: config.SecretAccessKey,
-		Region:          config.Region,
+		AccessKeyId:         config.AccessKeyId,
+		SecretAccessKey:     config.SecretAccessKey,
+		EnterpriseProjectId: config.EnterpriseProjectId,
+		Region:              config.Region,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ssl uploader: %w", err)
@@ -77,7 +80,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -126,7 +129,8 @@ func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPEM stri
 	// 查询证书
 	// REF: https://support.huaweicloud.com/api-waf/ShowCertificate.html
 	showCertificateReq := &hcwafmodel.ShowCertificateRequest{
-		CertificateId: d.config.CertificateId,
+		EnterpriseProjectId: typeutil.ToPtrOrZeroNil(d.config.EnterpriseProjectId),
+		CertificateId:       d.config.CertificateId,
 	}
 	showCertificateResp, err := d.sdkClient.ShowCertificate(showCertificateReq)
 	d.logger.Debug("sdk request 'waf.ShowCertificate'", slog.Any("request", showCertificateReq), slog.Any("response", showCertificateResp))
@@ -137,7 +141,8 @@ func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPEM stri
 	// 更新证书
 	// REF: https://support.huaweicloud.com/api-waf/UpdateCertificate.html
 	updateCertificateReq := &hcwafmodel.UpdateCertificateRequest{
-		CertificateId: d.config.CertificateId,
+		EnterpriseProjectId: typeutil.ToPtrOrZeroNil(d.config.EnterpriseProjectId),
+		CertificateId:       d.config.CertificateId,
 		Body: &hcwafmodel.UpdateCertificateRequestBody{
 			Name:    *showCertificateResp.Name,
 			Content: typeutil.ToPtr(certPEM),
@@ -179,9 +184,10 @@ func (d *DeployerProvider) deployToCloudServer(ctx context.Context, certPEM stri
 		}
 
 		listHostReq := &hcwafmodel.ListHostRequest{
-			Hostname: typeutil.ToPtr(strings.TrimPrefix(d.config.Domain, "*")),
-			Page:     typeutil.ToPtr(listHostPage),
-			Pagesize: typeutil.ToPtr(listHostPageSize),
+			EnterpriseProjectId: typeutil.ToPtrOrZeroNil(d.config.EnterpriseProjectId),
+			Hostname:            typeutil.ToPtr(strings.TrimPrefix(d.config.Domain, "*")),
+			Page:                typeutil.ToPtr(listHostPage),
+			Pagesize:            typeutil.ToPtr(listHostPageSize),
 		}
 		listHostResp, err := d.sdkClient.ListHost(listHostReq)
 		d.logger.Debug("sdk request 'waf.ListHost'", slog.Any("request", listHostReq), slog.Any("response", listHostResp))
@@ -211,7 +217,8 @@ func (d *DeployerProvider) deployToCloudServer(ctx context.Context, certPEM stri
 	// 更新云模式防护域名的配置
 	// REF: https://support.huaweicloud.com/api-waf/UpdateHost.html
 	updateHostReq := &hcwafmodel.UpdateHostRequest{
-		InstanceId: hostId,
+		EnterpriseProjectId: typeutil.ToPtrOrZeroNil(d.config.EnterpriseProjectId),
+		InstanceId:          hostId,
 		Body: &hcwafmodel.UpdateHostRequestBody{
 			Certificateid:   typeutil.ToPtr(upres.CertId),
 			Certificatename: typeutil.ToPtr(upres.CertName),
@@ -252,9 +259,10 @@ func (d *DeployerProvider) deployToPremiumHost(ctx context.Context, certPEM stri
 		}
 
 		listPremiumHostReq := &hcwafmodel.ListPremiumHostRequest{
-			Hostname: typeutil.ToPtr(strings.TrimPrefix(d.config.Domain, "*")),
-			Page:     typeutil.ToPtr(fmt.Sprintf("%d", listPremiumHostPage)),
-			Pagesize: typeutil.ToPtr(fmt.Sprintf("%d", listPremiumHostPageSize)),
+			EnterpriseProjectId: typeutil.ToPtrOrZeroNil(d.config.EnterpriseProjectId),
+			Hostname:            typeutil.ToPtr(strings.TrimPrefix(d.config.Domain, "*")),
+			Page:                typeutil.ToPtr(fmt.Sprintf("%d", listPremiumHostPage)),
+			Pagesize:            typeutil.ToPtr(fmt.Sprintf("%d", listPremiumHostPageSize)),
 		}
 		listPremiumHostResp, err := d.sdkClient.ListPremiumHost(listPremiumHostReq)
 		d.logger.Debug("sdk request 'waf.ListPremiumHost'", slog.Any("request", listPremiumHostReq), slog.Any("response", listPremiumHostResp))
@@ -284,7 +292,8 @@ func (d *DeployerProvider) deployToPremiumHost(ctx context.Context, certPEM stri
 	// 修改独享模式域名配置
 	// REF: https://support.huaweicloud.com/api-waf/UpdatePremiumHost.html
 	updatePremiumHostReq := &hcwafmodel.UpdatePremiumHostRequest{
-		HostId: hostId,
+		EnterpriseProjectId: typeutil.ToPtrOrZeroNil(d.config.EnterpriseProjectId),
+		HostId:              hostId,
 		Body: &hcwafmodel.UpdatePremiumHostRequestBody{
 			Certificateid:   typeutil.ToPtr(upres.CertId),
 			Certificatename: typeutil.ToPtr(upres.CertName),

internal/pkg/core/deployer/providers/jdcloud-alb/jdcloud_alb.go

@@ -76,7 +76,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/jdcloud-cdn/jdcloud_cdn.go

@@ -60,7 +60,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/jdcloud-live/jdcloud_live.go

@@ -48,7 +48,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/jdcloud-vod/jdcloud_vod.go

@@ -51,7 +51,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/k8s-secret/k8s_secret.go

@@ -52,7 +52,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/lecdn/lecdn.go

@@ -73,7 +73,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/local/local.go

@@ -15,7 +15,7 @@ import (
 
 type DeployerConfig struct {
 	// Shell 执行环境。
-	// 零值时默认根据操作系统决定。
+	// 零值时根据操作系统决定。
 	ShellEnv ShellEnvType `json:"shellEnv,omitempty"`
 	// 前置命令。
 	PreCommand string `json:"preCommand,omitempty"`
@@ -67,7 +67,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/netlify-site/netlify_site.go

@@ -45,7 +45,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/proxmoxve/proxmoxve.go

@@ -13,6 +13,7 @@ import (
 	"github.com/luthermonson/go-proxmox"
 
 	"github.com/usual2970/certimate/internal/pkg/core/deployer"
+	httputil "github.com/usual2970/certimate/internal/pkg/utils/http"
 )
 
 type DeployerConfig struct {
@@ -57,7 +58,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -101,15 +102,16 @@ func createSdkClient(serverUrl, apiToken, apiTokenSecret string, skipTlsVerify b
 	}
 
 	httpClient := &http.Client{
-		Transport: http.DefaultTransport,
+		Transport: httputil.NewDefaultTransport(),
 		Timeout:   http.DefaultClient.Timeout,
 	}
 	if skipTlsVerify {
-		httpClient.Transport = &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
+		transport := httputil.NewDefaultTransport()
+		if transport.TLSClientConfig == nil {
+			transport.TLSClientConfig = &tls.Config{}
 		}
+		transport.TLSClientConfig.InsecureSkipVerify = true
+		httpClient.Transport = transport
 	}
 	client := proxmox.NewClient(
 		strings.TrimRight(serverUrl, "/")+"/api2/json",

internal/pkg/core/deployer/providers/qiniu-cdn/qiniu_cdn.go

@@ -57,7 +57,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/qiniu-pili/qiniu_pili.go

@@ -57,7 +57,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/rainyun-rcdn/rainyun_rcdn.go

@@ -58,7 +58,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/ratpanel-console/ratpanel_console.go

@@ -50,7 +50,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/ratpanel-site/ratpanel_site.go

@@ -52,7 +52,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/safeline/safeline.go

@@ -53,7 +53,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/ssh/ssh.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/pkg/sftp"
 	"github.com/povsister/scp"
@@ -19,12 +20,17 @@ import (
 
 type JumpServerConfig struct {
 	// SSH 主机。
-	// 零值时默认为 "localhost"。
+	// 零值时默认值 "localhost"。
 	SshHost string `json:"sshHost,omitempty"`
 	// SSH 端口。
-	// 零值时默认为 22。
+	// 零值时默认值 22。
 	SshPort int32 `json:"sshPort,omitempty"`
+	// SSH 认证方式。
+	// 可取值 "none"、"password"、"key"。
+	// 零值时根据有无密码或私钥字段决定。
+	SshAuthMethod string `json:"sshAuthMethod,omitempty"`
 	// SSH 登录用户名。
+	// 零值时默认值 "root"。
 	SshUsername string `json:"sshUsername,omitempty"`
 	// SSH 登录密码。
 	SshPassword string `json:"sshPassword,omitempty"`
@@ -36,12 +42,17 @@ type JumpServerConfig struct {
 
 type DeployerConfig struct {
 	// SSH 主机。
-	// 零值时默认为 "localhost"。
+	// 零值时默认值 "localhost"。
 	SshHost string `json:"sshHost,omitempty"`
 	// SSH 端口。
-	// 零值时默认为 22。
+	// 零值时默认值 22。
 	SshPort int32 `json:"sshPort,omitempty"`
+	// SSH 认证方式。
+	// 可取值 "none"、"password" 或 "key"。
+	// 零值时根据有无密码或私钥字段决定。
+	SshAuthMethod string `json:"sshAuthMethod,omitempty"`
 	// SSH 登录用户名。
+	// 零值时默认值 "root"。
 	SshUsername string `json:"sshUsername,omitempty"`
 	// SSH 登录密码。
 	SshPassword string `json:"sshPassword,omitempty"`
@@ -103,7 +114,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}
@@ -141,6 +152,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 				jumpConn,
 				jumpServerConf.SshHost,
 				jumpServerConf.SshPort,
+				jumpServerConf.SshAuthMethod,
 				jumpServerConf.SshUsername,
 				jumpServerConf.SshPassword,
 				jumpServerConf.SshKey,
@@ -174,6 +186,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 		targetConn,
 		d.config.SshHost,
 		d.config.SshPort,
+		d.config.SshAuthMethod,
 		d.config.SshUsername,
 		d.config.SshPassword,
 		d.config.SshKey,
@@ -262,7 +275,7 @@ func (d *DeployerProvider) Deploy(ctx context.Context, certPEM string, privkeyPE
 	return &deployer.DeployResult{}, nil
 }
 
-func createSshClient(conn net.Conn, host string, port int32, username string, password string, key string, keyPassphrase string) (*ssh.Client, error) {
+func createSshClient(conn net.Conn, host string, port int32, authMethod string, username, password, key, keyPassphrase string) (*ssh.Client, error) {
 	if host == "" {
 		host = "localhost"
 	}
@@ -271,28 +284,65 @@ func createSshClient(conn net.Conn, host string, port int32, username string, pa
 		port = 22
 	}
 
-	var authMethod ssh.AuthMethod
-	if key != "" {
-		var signer ssh.Signer
-		var err error
+	if username == "" {
+		username = "root"
+	}
 
-		if keyPassphrase != "" {
-			signer, err = ssh.ParsePrivateKeyWithPassphrase([]byte(key), []byte(keyPassphrase))
+	const AUTH_METHOD_NONE = "none"
+	const AUTH_METHOD_PASSWORD = "password"
+	const AUTH_METHOD_KEY = "key"
+	if authMethod == "" {
+		if key != "" {
+			authMethod = AUTH_METHOD_KEY
+		} else if password != "" {
+			authMethod = AUTH_METHOD_PASSWORD
 		} else {
-			signer, err = ssh.ParsePrivateKey([]byte(key))
+			authMethod = AUTH_METHOD_NONE
+		}
+	}
+
+	authentications := make([]ssh.AuthMethod, 0)
+	switch authMethod {
+	case AUTH_METHOD_NONE:
+		{
 		}
 
-		if err != nil {
-			return nil, err
+	case AUTH_METHOD_PASSWORD:
+		{
+			authentications = append(authentications, ssh.Password(password))
+			authentications = append(authentications, ssh.KeyboardInteractive(func(user, instruction string, questions []string, echos []bool) ([]string, error) {
+				if len(questions) == 1 {
+					return []string{password}, nil
+				}
+				return nil, fmt.Errorf("unexpected keyboard interactive question [%s]", strings.Join(questions, ", "))
+			}))
 		}
-		authMethod = ssh.PublicKeys(signer)
-	} else {
-		authMethod = ssh.Password(password)
+
+	case AUTH_METHOD_KEY:
+		{
+			var signer ssh.Signer
+			var err error
+
+			if keyPassphrase != "" {
+				signer, err = ssh.ParsePrivateKeyWithPassphrase([]byte(key), []byte(keyPassphrase))
+			} else {
+				signer, err = ssh.ParsePrivateKey([]byte(key))
+			}
+
+			if err != nil {
+				return nil, err
+			}
+
+			authentications = append(authentications, ssh.PublicKeys(signer))
+		}
+
+	default:
+		return nil, fmt.Errorf("unsupported auth method '%s'", authMethod)
 	}
 
 	sshConn, chans, reqs, err := ssh.NewClientConn(conn, fmt.Sprintf("%s:%d", host, port), &ssh.ClientConfig{
 		User:            username,
-		Auth:            []ssh.AuthMethod{authMethod},
+		Auth:            authentications,
 		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 	})
 	if err != nil {

internal/pkg/core/deployer/providers/tencentcloud-cdn/tencentcloud_cdn.go

@@ -70,7 +70,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-clb/tencentcloud_clb.go

@@ -79,7 +79,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-cos/tencentcloud_cos.go

@@ -66,7 +66,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-css/tencentcloud_css.go

@@ -60,7 +60,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-ecdn/tencentcloud_ecdn.go

@@ -69,7 +69,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-eo/tencentcloud_eo.go

@@ -69,7 +69,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-scf/tencentcloud_scf.go

@@ -62,7 +62,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-ssl-deploy/tencentcloud_ssl_deploy.go

@@ -66,7 +66,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-ssl/tencentcloud_ssl.go

@@ -47,7 +47,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-vod/tencentcloud_vod.go

@@ -62,7 +62,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/tencentcloud-waf/tencentcloud_waf.go

@@ -67,7 +67,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}

internal/pkg/core/deployer/providers/ucloud-ucdn/ucloud_ucdn.go

@@ -65,7 +65,7 @@ func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
 
 func (d *DeployerProvider) WithLogger(logger *slog.Logger) deployer.Deployer {
 	if logger == nil {
-		d.logger = slog.Default()
+		d.logger = slog.New(slog.DiscardHandler)
 	} else {
 		d.logger = logger
 	}