Tencent Cloud

Clanker supports Tencent Cloud through the built-in clanker tencent command tree, the clanker ask --tencent natural-language path, and Tencent maker plans. The implementation talks directly to Tencent Cloud APIs through the Tencent SDK, so you do not need to install a separate Tencent CLI.


Authentication

Tencent Cloud authentication uses a CAM secret ID and secret key. Create CAM user or role credentials with the permissions needed for the services you want Clanker to inspect.

Configuration file

Add Tencent credentials to ~/.clanker.yaml:

yaml
tencent:
    secret_id: "AKID..."
    secret_key: "..."
    region: ap-singapore

Environment variables

You can also use the environment variable names recognized by Tencent tooling:

bash
export TENCENTCLOUD_SECRET_ID="AKID..."
export TENCENTCLOUD_SECRET_KEY="..."
export TENCENTCLOUD_REGION="ap-singapore"

Legacy aliases are also supported:

bash
export TENCENT_SECRET_ID="AKID..."
export TENCENT_SECRET_KEY="..."
export TENCENT_REGION="ap-singapore"

Resolution order

Clanker resolves Tencent credentials in this order:

  1. tencent.secret_id, tencent.secret_key, and tencent.region in ~/.clanker.yaml
  2. TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY, and TENCENTCLOUD_REGION
  3. TENCENT_SECRET_ID, TENCENT_SECRET_KEY, and TENCENT_REGION
  4. Region fallback: ap-singapore

The static clanker tencent commands also accept --region, which overrides the configured or environment region for that command.


Natural-Language Queries

Use --tencent with clanker ask to gather Tencent Cloud inventory context and ask a question against it:

bash
clanker ask --tencent "What CVMs are running?"
clanker ask --tencent "Which security groups expose SSH to the internet?"
clanker ask --tencent "Show me TKE clusters and their node counts"

The Tencent context collector always includes CVM instances and then fetches additional services when your question mentions them, such as VPCs, security groups, databases, COS buckets, TKE clusters, CLBs, EIPs, CBS volumes, SSL certificates, CAM users, Redis, MongoDB, CynosDB, CDN, EdgeOne, WAF, Anti-DDoS, NAT, VPN, CCN, Direct Connect, Cloud Monitor alarms, CLS topics, and Cloud Audit tracks.


Direct Inventory Commands

The direct command is useful when you want raw infrastructure data without AI interpretation:

bash
clanker tencent list cvm
clanker tencent list vpc --region ap-singapore
clanker tencent list security-groups --all-regions
clanker tencent list tke --format json

Aliases for the command are clanker tc and clanker tencentcloud.

Supported resource types

| Resource | Aliases |
| --- | --- |
| CVM instances | cvm, instances, vm, vms |
| VPCs | vpc, vpcs |
| Subnets | subnet, subnets |
| Security groups | security-groups, sg, sgs |
| MySQL | mysql, cdb |
| PostgreSQL | postgres, postgresql, pg |
| COS buckets | cos, buckets |
| TKE clusters | tke, k8s, clusters |
| Cloud Load Balancers | clb, lbs, lb |
| Elastic IPs | eip, eips, addresses |
| CBS volumes | cbs, disks, volumes |
| SSL certificates | ssl, certs, certificates |
| CAM users | cam, iam, users |
| Redis | redis, valkey |
| MongoDB | mongo, mongodb |
| CynosDB | cynosdb, tdsql-c |
| CDN domains | cdn, cdn-domains |
| EdgeOne zones | edgeone, teo, zones |
| WAF hosts | waf, waf-hosts |
| Anti-DDoS | antiddos, ddos |
| NAT gateways | nat, nat-gateway |
| VPN gateways | vpn, vpn-gateway |
| Cloud Connect Networks | ccn, cloud-connect |
| Direct Connect | dc, direct-connect |
| Cloud Monitor alarms | monitor, alarms |
| CLS log topics | cls, logs |
| Cloud Audit tracks | cloudaudit, audit, tracks |

Use --format json for scripts, dashboards, or jq pipelines. With --all-regions, JSON output is wrapped as a regions array so each region's data remains identifiable.


Regions

List the regions available to your Tencent credential:

bash
clanker tencent regions

Most inventory commands query a single region by default. Use --all-regions for resource discovery across every available region:

bash
clanker tencent list cvm --all-regions

Service-global or account-global resources, such as COS buckets, SSL certificates, CAM users, CDN domains, EdgeOne zones, WAF hosts, CCN, and Cloud Audit tracks, do not need regional fan-out.


Security and Operations

Security group rules

Inspect ingress and egress rules for a specific security group:

bash
clanker tencent sg-rules sg-abc12345 --region ap-singapore

The output flags public inbound rules to sensitive ports such as SSH, MySQL, RDP, PostgreSQL, Redis, Elasticsearch, and MongoDB.

Security scans

Run individual JSON security scans:

bash
clanker tencent security public-exposure --region ap-singapore
clanker tencent security db-exposure --region ap-singapore
clanker tencent security cert-expiry --days 14

Run the full scan bundle:

bash
clanker tencent security all --region ap-singapore

Available scans are:

  • public-exposure — CVMs reachable from the public internet
  • clb-exposure — public CLB listeners with risky protocol or port combinations
  • db-exposure — MySQL, PostgreSQL, Redis, or MongoDB instances exposed beyond the VPC
  • idle-eips — unassociated Elastic IPs that may still be billed
  • unencrypted-cbs — CBS volumes without server-side encryption
  • cert-expiry — SSL certificates expiring within the --days window
  • cam-hygiene — CAM users missing MFA, with old access keys, or without login restrictions
  • waf-coverage — public hosts that do not have WAF in front
  • antiddos-coverage — public Elastic IPs not protected by Anti-DDoS Advanced
  • audit-coverage — Cloud Audit delivery status

TKE kubeconfig

Fetch a kubeconfig for a TKE cluster:

bash
clanker tencent kubeconfig cls-abc123 --region ap-singapore > ~/.kube/tencent
KUBECONFIG=~/.kube/tencent kubectl get nodes

By default Clanker fetches the private VPC-internal endpoint. Use --public when running from outside the cluster VPC:

bash
clanker tencent kubeconfig cls-abc123 --region ap-singapore --public > ~/.kube/tencent

Expiry alerts

Find prepaid resources approaching renewal deadlines:

bash
clanker tencent expiry
clanker tencent expiry --regions=ap-singapore,ap-jakarta --threshold=14 --format=json
clanker tencent expiry --include-ssl --threshold=30

The command is designed for cron and automation:

  • Exit code 0 means nothing was flagged.
  • Exit code 1 means one or more resources are within the threshold.
  • Exit code 2 means one or more resources are already expired.

By default, auto-renewing resources are counted but not listed. Pass --manual-only=false to include auto-renewing resources in the output.
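
A cron wrapper for the exit codes listed above, as an added example that is not part of Clanker or its documentation. It treats any exit code other than 0, 1 or 2 as a failed scan rather than a clean one; the script name `expiry-check.sh`, the `--run` switch and the `EXPIRY_CMD` override are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not Clanker's own code. Only exit codes 0, 1 and 2 and the
# --format/--threshold flags come from the page; the rest is assumed.

# Map an exit code from `clanker tencent expiry` to a severity label.
# Anything outside 0/1/2 (binary missing, auth or network failure) becomes
# "error", so a scan that never ran is not mistaken for a clean result.
classify_expiry_exit() {
  case "$1" in
    0) echo "ok" ;;
    1) echo "warning" ;;
    2) echo "critical" ;;
    *) echo "error" ;;
  esac
}

# Run the check, write the JSON report to $1, print the severity.
# EXPIRY_CMD is a hypothetical override so the wrapper can be tested offline.
run_expiry_check() {
  expiry_report="$1"; shift
  expiry_rc=0
  # "|| expiry_rc=$?" stops `set -e` aborting on the expected codes 1 and 2.
  "${EXPIRY_CMD:-clanker}" tencent expiry --format=json "$@" \
    > "$expiry_report" || expiry_rc=$?
  classify_expiry_exit "$expiry_rc"
}

# Entry point (hypothetical script name): expiry-check.sh --run --threshold=14
if [ "${1:-}" = "--run" ]; then
  shift
  report=$(mktemp)
  severity=$(run_expiry_check "$report" "$@")
  echo "tencent expiry: $severity (report: $report)"
  [ "$severity" = "ok" ]   # non-zero exit lets cron or monitoring raise an alert
fi
```

Errors from the command itself still reach stderr, so cron mail shows why a run was classified as `error`.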


Cost Commands

Tencent billing commands live under clanker tencent cost:

bash
clanker tencent cost by-product --month 2026-05
clanker tencent cost by-product --month 2026-05 --format json
clanker tencent cost top --month 2026-05 --limit 20
clanker tencent cost vouchers
clanker tencent cost vouchers --status unUsed
clanker tencent cost voucher-usage voucher-abc123

Billing APIs may require separate CAM permissions from infrastructure read APIs.


Maker Pipeline

Tencent Cloud is supported by the maker pipeline for generated API execution plans:

bash
clanker ask --maker --tencent "Create a VPC named clanker-demo in ap-singapore"

Review and apply a saved plan:

bash
clanker ask --maker --tencent "Create a security group that allows HTTPS" > plan.json
clanker ask --apply --plan-file plan.json

Tencent maker plans use a tencent-api command verb internally. Each command maps to a Tencent Cloud API service, action, region, and JSON parameters. Destructive actions are blocked unless you explicitly pass --destroyer while generating and applying the plan.

bash
clanker ask --maker --destroyer --tencent "Delete the unused test CVM"
clanker ask --apply --destroyer --plan-file plan.json

Permissions

Give the CAM credential the least privilege needed for your workflow:

  • Inventory queries need read-only permissions for the services you list or ask about.
  • Security scans need read access to CVM, VPC, CLB, database, CBS, SSL, CAM, WAF, Anti-DDoS, and Cloud Audit APIs depending on the scan.
  • Cost commands need Tencent billing API permissions.
  • TKE kubeconfig export needs permission to call the TKE kubeconfig API.
  • Maker apply needs the exact create, update, or delete permissions required by the generated plan.

When a credential lacks permission for one Tencent service, natural-language context gathering keeps the other successful sections and reports the missing service as a warning.