tencentcloudstack · hellertang · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025
diff --git a/.changelog/3639.txt b/.changelog/3639.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_cvm_sync_image: support  `encrypt` and `kms_key_id`
+```
diff --git a/tencentcloud/services/cvm/resource_tc_cvm_sync_image.go b/tencentcloud/services/cvm/resource_tc_cvm_sync_image.go
@@ -1,6 +1,7 @@
 package cvm
 
 import (
+	"fmt"
 	"log"
 	"time"
 
@@ -57,6 +58,29 @@ func ResourceTencentCloudCvmSyncImage() *schema.Resource {
 				Type:        schema.TypeBool,
 				Description: "Whether to return the ID of image created in the destination region.",
 			},
+
+			"encrypt": {
+				Optional:    true,
+				ForceNew:    true,
+				Type:        schema.TypeBool,
+				Description: "Whether to synchronize as an encrypted custom image. Default value is `false`. Synchronization to an encrypted custom image is only supported within the same region.",
+			},
+
+			"kms_key_id": {
+				Optional:    true,
+				ForceNew:    true,
+				Type:        schema.TypeString,
+				Description: "KMS key ID used when synchronizing to an encrypted custom image. This parameter is valid only synchronizing to an encrypted image. If KmsKeyId is not specified, the default CBS cloud product KMS key is used.",
+			},
+
+			"image_set": {
+				Computed: true,
+				Type:     schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Description: "ID of the image created in the destination region.",
+			},
 		},
 	}
 }
@@ -67,6 +91,7 @@ func resourceTencentCloudCvmSyncImageCreate(d *schema.ResourceData, meta interfa
 
 	logId := tccommon.GetLogId(tccommon.ContextNil)
 	request := cvm.NewSyncImagesRequest()
+	response := cvm.NewSyncImagesResponse()
 	imageId := d.Get("image_id").(string)
 	request.ImageIds = []*string{&imageId}
 
@@ -78,34 +103,50 @@ func resourceTencentCloudCvmSyncImageCreate(d *schema.ResourceData, meta interfa
 		}
 	}
 
-	if v, _ := d.GetOk("dry_run"); v != nil {
+	if v, ok := d.GetOkExists("dry_run"); ok {
 		request.DryRun = helper.Bool(v.(bool))
 	}
 
 	if v, ok := d.GetOk("image_name"); ok {
 		request.ImageName = helper.String(v.(string))
 	}
 
-	if v, _ := d.GetOk("image_set_required"); v != nil {
+	if v, ok := d.GetOkExists("image_set_required"); ok {
 		request.ImageSetRequired = helper.Bool(v.(bool))
 	}
 
+	if v, ok := d.GetOkExists("encrypt"); ok {
+		request.Encrypt = helper.Bool(v.(bool))
+	}
+
+	if v, ok := d.GetOk("kms_key_id"); ok {
+		request.KmsKeyId = helper.String(v.(string))
+	}
+
 	err := resource.Retry(tccommon.WriteRetryTimeout, func() *resource.RetryError {
 		result, e := meta.(tccommon.ProviderMeta).GetAPIV3Conn().UseCvmClient().SyncImages(request)
 		if e != nil {
 			return tccommon.RetryError(e)
 		} else {
 			log.Printf("[DEBUG]%s api[%s] success, request body [%s], response body [%s]\n", logId, request.GetAction(), request.ToJsonString(), result.ToJsonString())
 		}
+		response = result
 		return nil
 	})
 	if err != nil {
 		log.Printf("[CRITAL]%s operate cvm syncImages failed, reason:%+v", logId, err)
 		return err
 	}
 
+	if response == nil || response.Response == nil || response.Response.ImageSet == nil {
+		err = fmt.Errorf("Response is nil")
+		return err
+	}
+
 	d.SetId(imageId)
 
+	_ = d.Set("image_set", response.Response.ImageSet)
+
 	service := CvmService{client: meta.(tccommon.ProviderMeta).GetAPIV3Conn()}
 
 	conf := tccommon.BuildStateChangeConf([]string{}, []string{"NORMAL"}, 20*tccommon.ReadRetryTimeout, time.Second, service.CvmSyncImagesStateRefreshFunc(d.Id(), []string{}))

diff --git a/tencentcloud/services/cvm/resource_tc_cvm_sync_image.md b/tencentcloud/services/cvm/resource_tc_cvm_sync_image.md
@@ -11,5 +11,7 @@ data "tencentcloud_images" "example" {
 resource "tencentcloud_cvm_sync_image" "example" {
   image_id            = data.tencentcloud_images.example.images.0.image_id
   destination_regions = ["ap-guangzhou", "ap-shanghai"]
+  encrypt             = true
+  kms_key_id          = "f063c18b-654b-11ef-9d9f-525400d3a886"
 }
 ```
diff --git a/website/docs/r/cvm_sync_image.html.markdown b/website/docs/r/cvm_sync_image.html.markdown
@@ -22,6 +22,8 @@ data "tencentcloud_images" "example" {
 resource "tencentcloud_cvm_sync_image" "example" {
   image_id            = data.tencentcloud_images.example.images.0.image_id
   destination_regions = ["ap-guangzhou", "ap-shanghai"]
+  encrypt             = true
+  kms_key_id          = "f063c18b-654b-11ef-9d9f-525400d3a886"
 }
 ```
 
@@ -32,14 +34,16 @@ The following arguments are supported:
 * `destination_regions` - (Required, Set: [`String`], ForceNew) List of destination regions for synchronization. Limits: It must be a valid region. For a custom image, the destination region cannot be the source region. For a shared image, the destination region must be the source region, which indicates to create a copy of the image as a custom image in the same region.
 * `image_id` - (Required, String, ForceNew) Image ID. The specified image must meet the following requirement: the images must be in the `NORMAL` state.
 * `dry_run` - (Optional, Bool, ForceNew) Checks whether image synchronization can be initiated.
+* `encrypt` - (Optional, Bool, ForceNew) Whether to synchronize as an encrypted custom image. Default value is `false`. Synchronization to an encrypted custom image is only supported within the same region.
 * `image_name` - (Optional, String, ForceNew) Destination image name.
 * `image_set_required` - (Optional, Bool, ForceNew) Whether to return the ID of image created in the destination region.
+* `kms_key_id` - (Optional, String, ForceNew) KMS key ID used when synchronizing to an encrypted custom image. This parameter is valid only synchronizing to an encrypted image. If KmsKeyId is not specified, the default CBS cloud product KMS key is used.
 
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:
 
 * `id` - ID of the resource.
-
+* `image_set` - ID of the image created in the destination region.