From d914ed00f35396ebbe5d85729841e0101fc803f7 Mon Sep 17 00:00:00 2001
From: luxiaohang <deerhang@163.com>
Date: Mon, 4 Nov 2024 17:28:55 +0800
Subject: [PATCH] chore(waf): maintain waf certificate datasource and fix some
 problems

---
 docs/data-sources/waf_certificate.md          |  30 ++--
 huaweicloud/provider.go                       |   2 +-
 ...source_huaweicloud_waf_certificate_test.go | 141 +++++++++-------
 ...data_source_huaweicloud_waf_certificate.go | 156 ++++++++++++------
 4 files changed, 201 insertions(+), 128 deletions(-)

diff --git a/docs/data-sources/waf_certificate.md b/docs/data-sources/waf_certificate.md
index 57d50c4dc89..7eb969da993 100644
--- a/docs/data-sources/waf_certificate.md
+++ b/docs/data-sources/waf_certificate.md
@@ -2,12 +2,15 @@
 subcategory: "Web Application Firewall (WAF)"
 layout: "huaweicloud"
 page_title: "HuaweiCloud: huaweicloud_waf_certificate"
-description: ""
+description: |
+  Use this data source to get the certificate of WAF within HuaweiCloud.
 ---
 
 # huaweicloud_waf_certificate
 
-Get the certificate in the WAF, including the one pushed from SCM.
+Use this data source to get the certificate of WAF within HuaweiCloud.
+
+-> When multiple pieces of data are queried, the datasource will process the first piece of data and put it back.
 
 ## Example Usage
 
@@ -24,19 +27,20 @@ data "huaweicloud_waf_certificate" "certificate_1" {
 
 The following arguments are supported:
 
-* `region` - (Optional, String) The region in which to obtain the WAF. If omitted, the provider-level region will be
-  used.
+* `region` - (Optional, String) Specifies the region in which to obtain the WAF. If omitted, the provider-level region
+  will be used.
 
-* `name` - (Required, String) The name of certificate. The value is case sensitive and supports fuzzy matching.
+* `name` - (Optional, String) Specifies the name of certificate. The value is case-sensitive and supports fuzzy matching.
 
-  -> **NOTE:** The certificate name is not unique. Only returns the last created one when matched multiple certificates.
+* `enterprise_project_id` - (Optional, String) Specifies the enterprise project ID of WAF certificate.
+  For enterprise users, if omitted, default enterprise project will be used.
 
-* `expire_status` - (Optional, Int) The expire status of certificate. Defaults is `0`. The value can be:
-  + `0`: not expire
-  + `1`: has expired
-  + `2`: wil expired soon
+* `expiration_status` - (Optional, String) Specifies the certificate expiration status. The options are as follows:
+  + `0`: Not expired;
+  + `1`: Expired;
+  + `2`: Expired soon (The certificate will expire in one month.)
 
-* `enterprise_project_id` - (Optional, String) The enterprise project ID of WAF certificate.
+  -> If this field is not configured, all certificates that meet the expired status will be found.
 
 ## Attribute Reference
 
@@ -44,4 +48,6 @@ In addition to all arguments above, the following attributes are exported:
 
 * `id` - The certificate ID in UUID format.
 
-* `expiration` - Indicates the time when the certificate expires.
+* `created_at` - Indicates the time when the certificate uploaded, in RFC3339 format.
+
+* `expired_at` - Indicates the time when the certificate expires, in RFC3339 format.
diff --git a/huaweicloud/provider.go b/huaweicloud/provider.go
index 3557c7de6ea..5ebe9ad5a4e 100644
--- a/huaweicloud/provider.go
+++ b/huaweicloud/provider.go
@@ -1075,7 +1075,7 @@ func Provider() *schema.Provider {
 			"huaweicloud_vpn_user_groups":                    vpn.DataSourceVpnUserGroups(),
 
 			"huaweicloud_waf_address_groups":                       waf.DataSourceWafAddressGroups(),
-			"huaweicloud_waf_certificate":                          waf.DataSourceWafCertificateV1(),
+			"huaweicloud_waf_certificate":                          waf.DataSourceWafCertificate(),
 			"huaweicloud_waf_dedicated_domains":                    waf.DataSourceWafDedicatedDomains(),
 			"huaweicloud_waf_dedicated_instances":                  waf.DataSourceWafDedicatedInstancesV1(),
 			"huaweicloud_waf_domains":                              waf.DataSourceWafDomains(),
diff --git a/huaweicloud/services/acceptance/waf/data_source_huaweicloud_waf_certificate_test.go b/huaweicloud/services/acceptance/waf/data_source_huaweicloud_waf_certificate_test.go
index b0910aa8f29..af4d696cf7c 100644
--- a/huaweicloud/services/acceptance/waf/data_source_huaweicloud_waf_certificate_test.go
+++ b/huaweicloud/services/acceptance/waf/data_source_huaweicloud_waf_certificate_test.go
@@ -5,39 +5,18 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 
 	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/acceptance"
-	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/utils/fmtp"
 )
 
-func TestAccDataSourceWafCertificateV1_basic(t *testing.T) {
-	name := acceptance.RandomAccResourceName()
-	dataSourceName := "data.huaweicloud_waf_certificate.cert_1"
+// Before running the test case, please ensure that there is at least one WAF instance in the current region.
+func TestAccDataSourceWafCertificate_basic(t *testing.T) {
+	var (
+		name = acceptance.RandomAccResourceName()
 
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck: func() {
-			acceptance.TestAccPreCheck(t)
-			acceptance.TestAccPrecheckWafInstance(t)
-		},
-		ProviderFactories: acceptance.TestAccProviderFactories,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccWafCertificateListV1_conf(name),
-				Check: resource.ComposeTestCheckFunc(
-					testAccCheckWafCertDataSourceID(dataSourceName),
-					resource.TestCheckResourceAttr(dataSourceName, "name", name),
-					resource.TestCheckResourceAttr(dataSourceName, "expire_status", "1"),
-					resource.TestCheckResourceAttrSet(dataSourceName, "expiration"),
-				),
-			},
-		},
-	})
-}
-
-func TestAccDataSourceWafCertificateV1_withEpsID(t *testing.T) {
-	name := acceptance.RandomAccResourceName()
-	dataSourceName := "data.huaweicloud_waf_certificate.cert_1"
+		datasourceName = "data.huaweicloud_waf_certificate.test"
+		dc             = acceptance.InitDataSourceCheck(datasourceName)
+	)
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck: func() {
@@ -48,59 +27,93 @@ func TestAccDataSourceWafCertificateV1_withEpsID(t *testing.T) {
 		ProviderFactories: acceptance.TestAccProviderFactories,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccWafCertificateListV1_conf_withEpsID(name, acceptance.HW_ENTERPRISE_PROJECT_ID_TEST),
+				Config: testAccWafCertificateList_basic(name),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckWafCertDataSourceID(dataSourceName),
-					resource.TestCheckResourceAttr(dataSourceName, "enterprise_project_id", acceptance.HW_ENTERPRISE_PROJECT_ID_TEST),
-					resource.TestCheckResourceAttr(dataSourceName, "name", name),
-					resource.TestCheckResourceAttr(dataSourceName, "expire_status", "1"),
-					resource.TestCheckResourceAttrSet(dataSourceName, "expiration"),
+					dc.CheckResourceExists(),
+					resource.TestCheckResourceAttrSet(datasourceName, "name"),
+					resource.TestCheckResourceAttrSet(datasourceName, "enterprise_project_id"),
+					resource.TestCheckResourceAttrSet(datasourceName, "created_at"),
 				),
 			},
 		},
 	})
 }
 
-func testAccCheckWafCertDataSourceID(r string) resource.TestCheckFunc {
-	return func(s *terraform.State) error {
-		rs, ok := s.RootModule().Resources[r]
-		if !ok {
-			return fmtp.Errorf("Can't find waf data source: %s ", r)
-		}
-		if rs.Primary.ID == "" {
-			return fmtp.Errorf("The Waf Certificate data source ID not set ")
-		}
-		return nil
-	}
-}
-
-func testAccWafCertificateListV1_conf(name string) string {
+func testAccWafCertificateList_base(name string) string {
 	return fmt.Sprintf(`
-%s
+resource "huaweicloud_waf_certificate" "test" {
+  name                  = "%[1]s"
+  enterprise_project_id = "%[2]s"
 
-data "huaweicloud_waf_certificate" "cert_1" {
-  name          = huaweicloud_waf_certificate.certificate_1.name
-  expire_status = 1
+  certificate = <<EOT
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUehx07qc7un7IB7/X9lHCLkt/jPowDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA1MzEwOTI1NTJaFw0yMjA1
+MzEwOTI1NTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCvmuH5ViGtGOlevJ8vOoN3Ak4pp3SescdAfQa/r4cO
+z/bmBqBcZJTX9HODhiQzdemyLLs9aOkQXYIc8OrcaIsjns92XITVDpFW0ThGyjhT
+ZdELj9LsbIcVzNPPclTcebZBlzAyX0oLqpHK73OUYQY2E6l44U9G8Id763Bnws9N
+Rn3cg0qufrlUgdim/pYZ8ubjvlDJ9eEIhcsu9zu8c8i2+8qLjEsonx5PrwzNlYP4
+JqAmZ2dcbQeSPfv5U6ZceKEZfegK+Cxv4rFd5F4Rdxl+SAIY+6mr7qu1dAlcVMLS
+QcLlJLRWQ5NmqL9xju7Fbj2VZt+L6nb512iKaedPo2GfAgMBAAGjUzBRMB0GA1Ud
+DgQWBBR5yzB/GujpSlLrn0l2p+BslakGzjAfBgNVHSMEGDAWgBR5yzB/GujpSlLr
+n0l2p+BslakGzjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCk
+TqvcIk0Au/yOxOfIGUZzVkTiORxbwATAfRN6n/+mrgWnIbHG4XFqqjmFr7gGvHeH
++BuyU06VXJgKYaPUqbYl7eBd4Spm5v3Wq7C7i96dOHmG8fVcjQnTWleyEmUsEarv
+A6/lhTqXV1+AuNUaH+9EbBUBsrCHGLkECBMKl0+cJN8lo5XncAtp7z1+O/Mn0Zi6
+XyNOyvqcmmn8HUkSIS4RlJ2ohuZN6oFC3sYX9g9Vo++IkjGl3dRbf/7JutqBGHNE
+RVKoPyaivymDDIIL/qSy/Pi2s0hzUhwc1M8td0K/AMxyeigwNG7mTH0RzX32bUkf
+ZoURg5WiRskhtHEvBsLF
+-----END CERTIFICATE-----
+EOT
 
-  depends_on = [
-    huaweicloud_waf_certificate.certificate_1
-  ]
+  private_key = <<EOT
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvmuH5ViGtGOle
+vJ8vOoN3Ak4pp3SescdAfQa/r4cOz/bmBqBcZJTX9HODhiQzdemyLLs9aOkQXYIc
+8OrcaIsjns92XITVDpFW0ThGyjhTZdELj9LsbIcVzNPPclTcebZBlzAyX0oLqpHK
+73OUYQY2E6l44U9G8Id763Bnws9NRn3cg0qufrlUgdim/pYZ8ubjvlDJ9eEIhcsu
+9zu8c8i2+8qLjEsonx5PrwzNlYP3JqAmZ2dcbQeSPfv5U6ZceKEZfegK+Cxv4rFd
+5F4Rdxl+SAIY+6mr7qu1dAlcVMLSQcLlJLRWQ5NmqL9xju7Fbj2VZt+L6nb512iK
+aedPo2GfAgMBAAECggEAeMAvDS3uAEI2Dx/y8h3xUn9yUfBFH+6tTanrXxoK6+OT
+Kj96O64qL4l3eQRflkdJiGx74FFomglCtDXxudflfXvxurkJ2hunUySQ5xScwLQt
+mB6w8kP6a8IqD+bVdbn32ohk6u5dU0JZ+ErJlklVZRAGJAoCYox5DXwrEh6CP+bJ
+pItgjv71tEEnX5sScQwV7FMRbjsPzXoJp8vCQjlUdetM1fk9rs3R2WSeFbPgLLtC
+xY0+8Hexy0q6BLmyPZvFCaVIAzAHCYeCyzPK3xcm4odbrBmRL/amOg24CCny065N
+MU9RFhEjQsY1RaK7dgkvjsntUZvU+aDcL8o6djOTuQKBgQDlDN/j2ntpGCtbTWH0
+cVTW13Ze7U7iE3BfDO3m4VYP3Xi/v5FI8nHlmLrcl30H1dPKvMTec0dCBOqD1wzF
+KiqHy8ELowO2CbXMYJpjuPzXH40/AE3eOJVTJM8mOeuFdeFgYCd/9cB7o5jfTA5Y
+4zj8EmcRzsH1rNSnvo7/O9q6+wKBgQDERDSvP8RScEbzDKuN6uhzj1K2CAEnY6//
+rDA1so18UhAie9NcAvlKa46jQTOcYD77g5h0WSlNt9ZbK9Plq9CY9psI0KNqN3Fl
+YVKOKdD5m6Rifmg+lt8KLc/WocQ10DXpPTXzzuRlN/TaMDdN2pedEre/0AAMs8Ia
+MIUnu4oyrQKBgQC6b6BNdqi9Ak9IIdR5g0XrGbXfzolGu0vcEkoSg5fpkfuXF/bJ
+yY2rtIVkyGmc1w9tFfmol2yI8Ddy2LgsRAYaQl7/edCre3vev0LrqMck0ynE/hpj
+purkojF6i+qI10p7h8ie/wmNmbv1BZMoBst7Yf9DH2gA8IynfRQn7DA9wQKBgGaU
+M2kJDgX8UsjDbYKuLTIAzb0AMAIzUxBxIX1fRh2dEnvDdjOYBk1EK/fdoyjvENwJ
+6ouc8j6BgBKEtKpMg6j+8wbHbTGdqrHPDQPqjSN4mpEz+i4EUqySRxep0tBBc3vl
+FybHko3okhvbqXwSbL2Ww90HzI7XAPMJOv8KQO+9AoGBAJxxftNWvypBXGkPCdH2
+f3ikvT2Vef9QZjqkvtipCecAkjM6ReLshVsdqFSv/ZmsVUeNKoTHvX2GnhweJM44
+x7N2mFK4skBzVtMVbjAHVjG78UitVu+FrzqGreaJXHaduhgUH2iFWfw09joOotAM
+X7ioLbTeWGBqFM+C80PkdBNp
+-----END PRIVATE KEY-----
+EOT
 }
-`, testAccWafCertificateV1_conf(name))
+`, name, acceptance.HW_ENTERPRISE_PROJECT_ID_TEST)
 }
 
-func testAccWafCertificateListV1_conf_withEpsID(name, epsID string) string {
+func testAccWafCertificateList_basic(name string) string {
 	return fmt.Sprintf(`
-%s
+%[1]s
 
-data "huaweicloud_waf_certificate" "cert_1" {
-  name                  = huaweicloud_waf_certificate.certificate_1.name
-  enterprise_project_id = "%s"
-  expire_status         = 1
+data "huaweicloud_waf_certificate" "test" {
+  name                  = huaweicloud_waf_certificate.test.name
+  enterprise_project_id = "%[2]s"
 
   depends_on = [
-    huaweicloud_waf_certificate.certificate_1
+    huaweicloud_waf_certificate.test
   ]
 }
-`, testAccWafCertificateV1_conf_withEpsID(name, epsID), epsID)
+`, testAccWafCertificateList_base(name), acceptance.HW_ENTERPRISE_PROJECT_ID_TEST)
 }
diff --git a/huaweicloud/services/waf/data_source_huaweicloud_waf_certificate.go b/huaweicloud/services/waf/data_source_huaweicloud_waf_certificate.go
index d613938a520..b43efefaeae 100644
--- a/huaweicloud/services/waf/data_source_huaweicloud_waf_certificate.go
+++ b/huaweicloud/services/waf/data_source_huaweicloud_waf_certificate.go
@@ -2,35 +2,23 @@ package waf
 
 import (
 	"context"
-	"log"
-	"time"
+	"fmt"
+	"strings"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 
-	"github.com/chnsz/golangsdk/openstack/waf/v1/certificates"
+	"github.com/chnsz/golangsdk"
 
 	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config"
-)
-
-const (
-	// ExpStatusNotExpired not expired
-	ExpStatusNotExpired = 0
-	// ExpStatusExpired has expired
-	ExpStatusExpired = 1
-	// ExpStatusExpiredSoon will expire soon
-	ExpStatusExpiredSoon = 2
-
-	DefaultPageNum  = 1
-	DefaultPageSize = 5
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/utils"
 )
 
 // @API WAF GET /v1/{project_id}/waf/certificate
-func DataSourceWafCertificateV1() *schema.Resource {
+func DataSourceWafCertificate() *schema.Resource {
 	return &schema.Resource{
-		ReadContext: dataSourceWafCertificateV1Read,
+		ReadContext: dataSourceWafCertificateRead,
 
 		Schema: map[string]*schema.Schema{
 			"region": {
@@ -40,68 +28,134 @@ func DataSourceWafCertificateV1() *schema.Resource {
 			},
 			"name": {
 				Type:     schema.TypeString,
-				Required: true,
-			},
-			"expire_status": {
-				Type:     schema.TypeInt,
 				Optional: true,
-				Default:  ExpStatusNotExpired,
-				ValidateFunc: validation.IntInSlice([]int{
-					ExpStatusNotExpired, ExpStatusExpired, ExpStatusExpiredSoon,
-				}),
+				Computed: true,
 			},
 			"enterprise_project_id": {
 				Type:     schema.TypeString,
 				Optional: true,
+				Computed: true,
 			},
-			"expiration": {
+			// In some scenarios, the attribute value of this field will be empty in API response.
+			"expiration_status": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
+			"created_at": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			// In some scenarios, the attribute value of this field will be empty in API response.
+			"expired_at": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			// Deprecated; Reasons for abandonment are as follows:
+			// `expire_status`: Default value of this field is empty, not zero.
+			"expire_status": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Deprecated:  "Use 'expiration_status' instead. ",
+				Description: `schema: Deprecated; The certificate expiration status.`,
+			},
+			// `expiration`: Uniformly use dates in RFC3339 format.
+			"expiration": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Deprecated:  "Use 'expired_at' instead. ",
+				Description: `schema: Deprecated; The certificate expiration time.`,
+			},
 		},
 	}
 }
 
-func dataSourceWafCertificateV1Read(_ context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	conf := meta.(*config.Config)
-	wafClient, err := conf.WafV1Client(conf.GetRegion(d))
+// Paging is not considered cause this resource is a singular resource.
+func buildCertificateQueryParams(d *schema.ResourceData, cfg *config.Config) string {
+	res := ""
+	if epsId := cfg.GetEnterpriseProjectID(d); epsId != "" {
+		res = fmt.Sprintf("%s&enterprise_project_id=%s", res, epsId)
+	}
+	if v, ok := d.GetOk("name"); ok {
+		res = fmt.Sprintf("%s&name=%v", res, v)
+	}
+	if v, ok := d.GetOk("expiration_status"); ok {
+		res = fmt.Sprintf("%s&exp_status=%v", res, v)
+	}
+
+	if res != "" {
+		res = "?" + res[1:]
+	}
+	return res
+}
+
+func dataSourceWafCertificateRead(_ context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	var (
+		cfg     = meta.(*config.Config)
+		region  = cfg.GetRegion(d)
+		httpUrl = "v1/{project_id}/waf/certificate"
+		product = "waf"
+	)
+	client, err := cfg.NewServiceClient(product, region)
 	if err != nil {
 		return diag.Errorf("error creating WAF client: %s", err)
 	}
 
-	expStatus := d.Get("expire_status").(int)
-	listOpts := certificates.ListOpts{
-		Page:                DefaultPageNum,
-		Pagesize:            DefaultPageSize,
-		Name:                d.Get("name").(string),
-		ExpStatus:           &expStatus,
-		EnterpriseProjectID: conf.GetEnterpriseProjectID(d),
+	requestPath := client.Endpoint + httpUrl
+	requestPath = strings.ReplaceAll(requestPath, "{project_id}", client.ProjectID)
+	requestPath += buildCertificateQueryParams(d, cfg)
+	requestOpt := golangsdk.RequestOpts{
+		MoreHeaders: map[string]string{
+			"Content-Type": "application/json;charset=utf8",
+		},
+		KeepResponseBody: true,
 	}
 
-	page, err := certificates.List(wafClient, listOpts).AllPages()
+	resp, err := client.Request("GET", requestPath, &requestOpt)
 	if err != nil {
-		return diag.Errorf("error restrieving WAF certificates: %s", err)
+		return diag.Errorf("error retrieving WAF certificates: %s", err)
 	}
 
-	listCertificates, err := certificates.ExtractCertificates(page)
+	respBody, err := utils.FlattenResponse(resp)
 	if err != nil {
-		return diag.Errorf("Unable to retrieve certificates: %s", err)
+		return diag.FromErr(err)
+	}
+
+	certificatesResp := utils.PathSearch("items", respBody, make([]interface{}, 0)).([]interface{})
+	if len(certificatesResp) == 0 {
+		return diag.Errorf("Your query returned no results. Please change your search criteria and try again.")
 	}
-	log.Printf("[DEBUG] Get certificate list: %#v", listCertificates)
 
-	if len(listCertificates) == 0 {
-		return diag.Errorf("Your query returned no results. " +
-			"Please change your search criteria and try again.")
+	id := utils.PathSearch("[0]|id", certificatesResp, "").(string)
+	if id == "" {
+		return diag.Errorf("error retrieving WAF certificates: Certificate ID is not found in API response")
 	}
-	c := listCertificates[0]
-	d.SetId(c.Id)
-	expires := time.Unix(int64(c.ExpireTime/1000), 0).UTC().Format("2006-01-02 15:04:05 MST")
+
+	d.SetId(id)
+
+	expireTimestamp := utils.PathSearch("[0]|expire_time", certificatesResp, float64(0)).(float64)
+	createTimestamp := utils.PathSearch("[0]|timestamp", certificatesResp, float64(0)).(float64)
+
 	mErr := multierror.Append(
 		nil,
-		d.Set("name", c.Name),
-		d.Set("expire_status", c.ExpStatus),
-		d.Set("expiration", expires),
+		d.Set("name", utils.PathSearch("[0]|name", certificatesResp, nil)),
+		d.Set("enterprise_project_id", utils.PathSearch("[0]|enterprise_project_id", certificatesResp, nil)),
+		d.Set("expiration_status", flattenCertificateExpirationStatus(certificatesResp)),
+		d.Set("created_at", utils.FormatTimeStampRFC3339(int64(createTimestamp)/1000, true)),
+		d.Set("expired_at", utils.FormatTimeStampRFC3339(int64(expireTimestamp)/1000, true)),
+		// Keep historical code logic
+		d.Set("expiration", utils.FormatTimeStampRFC3339(int64(expireTimestamp)/1000, true, "2006-01-02 15:04:05 MST")),
 	)
 
 	return diag.FromErr(mErr.ErrorOrNil())
 }
+
+// This field may not be returned by the API.
+// When the field is not returned, the default value is empty instead of `0`.
+func flattenCertificateExpirationStatus(certificatesResp interface{}) string {
+	expStatus := utils.PathSearch("[0]|exp_status", certificatesResp, nil)
+	if expStatus == nil {
+		return ""
+	}
+	return fmt.Sprintf("%v", expStatus)
+}