f5xc_app_firewall Resource - terraform-provider-f5xc

f5xc_app_firewall (Resource)

Manages Application Firewall. in F5 Distributed Cloud.

~> Note For more information about this resource, please refer to the F5 XC API Documentation.

Example Usage

# App Firewall Resource Example
# Manages Application Firewall. in F5 Distributed Cloud.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic App Firewall configuration
resource "f5xc_app_firewall" "example" {
  name      = "example-app-firewall"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  // One of the arguments from this list "blocking monitoring" must be set

  blocking {}

  // One of the arguments from this list "blocking_page use_default_blocking_page" must be set

  use_default_blocking_page {}

  // One of the arguments from this list "bot_protection_setting default_bot_setting" must be set

  bot_protection_setting {
    malicious_bot_action  = "BLOCK"
    suspicious_bot_action = "REPORT"
    good_bot_action       = "REPORT"
  }

  // One of the arguments from this list "ai_risk_based_blocking default_detection_settings detection_settings" must be set

  default_detection_settings {}

  // One of the arguments from this list "allow_all_response_codes allowed_response_codes" must be set

  allow_all_response_codes {}
}

# The following optional fields have server-applied defaults and can be omitted:
# - allow_all_response_codes
# - default_anonymization
# - default_detection_settings
# - disable_ai_enhancements
# - monitoring
# - use_default_blocking_page

Verified Configuration Examples

These configurations are extracted from acceptance tests verified against the live F5 XC API.

Ai Enhancements

resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

  default_detection_settings {}
  allow_all_response_codes {}
  blocking {}
  use_default_blocking_page {}
  default_bot_setting {}
  default_anonymization {}

  enable_ai_enhancements {
    mitigate_high_risk_action {}
  }
}

All Attributes

resource "f5xc_app_firewall" "test" {
  name        = "example"
  namespace   = "system"
  description = "Full attributes test"

  labels = {
    environment = "test"
    managed_by  = "terraform-acceptance-test"
  }

  annotations = {
    purpose = "acceptance-testing"
  }

  default_detection_settings {}
  allow_all_response_codes {}
  blocking {}
  use_default_blocking_page {}
  default_bot_setting {}
  default_anonymization {}
}

Allowed Response Codes

resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

  default_detection_settings {}
  blocking {}
  use_default_blocking_page {}
  default_bot_setting {}
  default_anonymization {}

  allowed_response_codes {
    response_code = [200, 204, 301, 302]
  }
}

Blocking

resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

Bot Protection

resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

  default_detection_settings {}
  allow_all_response_codes {}
  blocking {}
  use_default_blocking_page {}
  default_anonymization {}

  bot_protection_setting {
    good_bot_action       = "REPORT"
    malicious_bot_action  = "BLOCK"
    suspicious_bot_action = "REPORT"
  }
}

Custom Blocking Page

resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

  default_detection_settings {}
  allow_all_response_codes {}
  blocking {}
  default_bot_setting {}
  default_anonymization {}

  blocking_page {
    blocking_page = "https://example.com/blocked.html"
    response_code = "Forbidden"
  }
}

Detection Settings

resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

  allow_all_response_codes {}
  blocking {}
  use_default_blocking_page {}
  default_bot_setting {}
  default_anonymization {}

  detection_settings {
    default_violation_settings {}
    default_bot_setting {}
    enable_suppression {}
    enable_threat_campaigns {}
    signature_selection_setting {
      high_medium_accuracy_signatures {}
      default_attack_type_settings {}
    }
  }
}

Disable Anonymization

resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

  default_detection_settings {}
  allow_all_response_codes {}
  blocking {}
  use_default_blocking_page {}
  default_bot_setting {}

  disable_anonymization {}
}

Monitoring

resource "f5xc_app_firewall" "test" {
  name      = "example"
  namespace = "system"

  default_detection_settings {}
  allow_all_response_codes {}
  monitoring {}
  use_default_blocking_page {}
  default_bot_setting {}
  default_anonymization {}
}

With Labels

resource "f5xc_app_firewall" "test" {
  name        = "example"
  namespace   = "system"
  description = "Test application firewall"

  labels = {
    environment = "test"
    team        = "security"
  }

With Updated Labels

resource "f5xc_app_firewall" "test" {
  name        = "example"
  namespace   = "system"
  description = "Test application firewall"

  labels = {
    environment = "staging"
    team        = "platform"
  }

  default_detection_settings {}
  allow_all_response_codes {}
  blocking {}
  use_default_blocking_page {}
  default_bot_setting {}
  default_anonymization {}
}

Argument Reference

🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.

Minimum Configuration

Required fields:

• name
• namespace

Example (API format):

apiVersion: v1
kind: app_firewall
metadata:
  name: default-waf
  namespace: default
spec:
  blocking: {}

Metadata Argument Reference

• name - Required String
Name of the App Firewall. Must be unique within the namespace

• namespace - Required String
Namespace where the App Firewall will be created

• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata

• description - Optional String
Human readable description for the object

• disable - Optional Bool
A value of true will administratively disable the object

• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering

Spec Argument Reference

-> One of the following: • allow_all_response_codes - Optional Block Defaults to map[]
Configuration parameter for allow all response codes. Server applies default when omitted

• allowed_response_codes - Optional Block
List of HTTP response status codes that are allowed
See Allowed Response Codes below for details.

-> One of the following: • blocking - Optional Block
Enable this option

• monitoring - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted

-> One of the following: • blocking_page - Optional Block
Custom Blocking Response Page. Custom blocking response page body
See Blocking Page below for details.

-> One of the following: • bot_protection_setting - Optional Block
Configuration parameter for bot protection setting
See Bot Protection Setting below for details.

-> One of the following: • custom_anonymization - Optional Block
Anonymization settings which is a list of HTTP headers, parameters and cookies
See Custom Anonymization below for details.

• default_anonymization - Optional Block Defaults to map[]
Configuration parameter for default anonymization. Server applies default when omitted

• default_bot_setting - Optional Block Defaults to map[]
Configuration parameter for default bot setting. Server applies default when omitted

-> One of the following: • default_detection_settings - Optional Block Defaults to map[]
Configuration parameter for default detection settings. Server applies default when omitted

• detection_settings - Optional Block
Specifies detection settings to be used by WAF
See Detection Settings below for details.

-> One of the following: • disable_ai_enhancements - Optional Block Defaults to map[]
Configuration parameter for disable ai enhancements. Server applies default when omitted

• disable_anonymization - Optional Block
Configuration parameter for disable anonymization

• enable_ai_enhancements - Optional Block
Actions complimented by the additional intelligence of the F5 AI Powered Risk-based analysis
See Enable Ai Enhancements below for details.

• timeouts - Optional Block
See Timeouts below for details.

• use_default_blocking_page - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted

Attributes Reference

In addition to all arguments above, the following attributes are exported:

• id - Optional String
Unique identifier for the resource

---

Allowed Response Codes

An allowed_response_codes block supports the following:

• response_code - Optional List
List of HTTP response status codes that are allowed

Blocking Page

A blocking_page block supports the following:

• blocking_page - Optional String
Define the content of the response page (e.g., an HTML document or a JSON object), use the {{request_id}} placeholder to provide users with a unique identifier to be able to trace the blocked request in the logs. The maximum allowed size of response body is 4096 bytes after base64 encoding

• response_code - Optional String Defaults to EmptyStatusCode
Possible values are EmptyStatusCode, Continue, OK, Created, Accepted, NonAuthoritativeInformation, NoContent, ResetContent, PartialContent, MultiStatus, AlreadyReported, IMUsed, MultipleChoices, MovedPermanently, Found, SeeOther, NotModified, UseProxy, TemporaryRedirect, PermanentRedirect, BadRequest, Unauthorized, PaymentRequired, Forbidden, NotFound, MethodNotAllowed, NotAcceptable, ProxyAuthenticationRequired, RequestTimeout, Conflict, Gone, LengthRequired, PreconditionFailed, PayloadTooLarge, URITooLong, UnsupportedMediaType, RangeNotSatisfiable, ExpectationFailed, MisdirectedRequest, UnprocessableEntity, Locked, FailedDependency, UpgradeRequired, PreconditionRequired, TooManyRequests, RequestHeaderFieldsTooLarge, InternalServerError, NotImplemented, BadGateway, ServiceUnavailable, GatewayTimeout, HTTPVersionNotSupported, VariantAlsoNegotiates, InsufficientStorage, LoopDetected, NotExtended, NetworkAuthenticationRequired
[Enum: EmptyStatusCode|Continue|OK|Created|Accepted|NonAuthoritativeInformation|NoContent|ResetContent|PartialContent|MultiStatus|AlreadyReported|IMUsed|MultipleChoices|MovedPermanently|Found|SeeOther|NotModified|UseProxy|TemporaryRedirect|PermanentRedirect|BadRequest|Unauthorized|PaymentRequired|Forbidden|NotFound|MethodNotAllowed|NotAcceptable|ProxyAuthenticationRequired|RequestTimeout|Conflict|Gone|LengthRequired|PreconditionFailed|PayloadTooLarge|URITooLong|UnsupportedMediaType|RangeNotSatisfiable|ExpectationFailed|MisdirectedRequest|UnprocessableEntity|Locked|FailedDependency|UpgradeRequired|PreconditionRequired|TooManyRequests|RequestHeaderFieldsTooLarge|InternalServerError|NotImplemented|BadGateway|ServiceUnavailable|GatewayTimeout|HTTPVersionNotSupported|VariantAlsoNegotiates|InsufficientStorage|LoopDetected|NotExtended|NetworkAuthenticationRequired] HTTP response status codes EmptyStatusCode response codes means it is not specified Continue status code OK status code Created status code Accepted status code Non Authoritative Information status code No Content status code Reset Content status code Partial Content status code Multi Status

Bot Protection Setting

A bot_protection_setting block supports the following:

• good_bot_action - Optional String Defaults to BLOCK
Possible values are BLOCK, REPORT, IGNORE
[Enum: BLOCK|REPORT|IGNORE] Action to be performed on the request Log and block Log only Disable detection

• malicious_bot_action - Optional String Defaults to BLOCK
Possible values are BLOCK, REPORT, IGNORE
[Enum: BLOCK|REPORT|IGNORE] Action to be performed on the request Log and block Log only Disable detection

• suspicious_bot_action - Optional String Defaults to BLOCK
Possible values are BLOCK, REPORT, IGNORE
[Enum: BLOCK|REPORT|IGNORE] Action to be performed on the request Log and block Log only Disable detection

Custom Anonymization

A custom_anonymization block supports the following:

• anonymization_config - Optional Block
List of HTTP headers, cookies and query parameters whose values will be masked
See Anonymization Config below.

Custom Anonymization Anonymization Config

An anonymization_config block (within custom_anonymization) supports the following:

• cookie - Optional Block
Configure anonymization for HTTP Cookies
See Cookie below.

• http_header - Optional Block
Configure anonymization for HTTP Headers
See HTTP Header below.

• query_parameter - Optional Block
Configure anonymization for HTTP Parameters
See Query Parameter below.

Custom Anonymization Anonymization Config Cookie

A cookie block (within custom_anonymization.anonymization_config) supports the following:

• cookie_name - Optional String
Masks the cookie value. The setting does not mask the cookie name. Wildcard matching can be used by prefixing or suffixing the cookie name with a wildcard asterisk (*), or by using only an asterisk to match any cookie name

Custom Anonymization Anonymization Config HTTP Header

A http_header block (within custom_anonymization.anonymization_config) supports the following:

• header_name - Optional String
Masks the HTTP header value. The setting does not mask the HTTP header name. Wildcard matching can be used by prefixing or suffixing the HTTP header name with a wildcard asterisk (*), or by using only an asterisk to match any HTTP header name

Custom Anonymization Anonymization Config Query Parameter

A query_parameter block (within custom_anonymization.anonymization_config) supports the following:

• query_param_name - Optional String
Masks the query parameter value. The setting does not mask the query parameter name. Wildcard matching can be used by prefixing or suffixing the query parameter name with a wildcard asterisk (*), or by using only an asterisk to match any query parameter name

Detection Settings

A detection_settings block supports the following:

• bot_protection_setting - Optional Block
Configuration parameter for bot protection setting
See Bot Protection Setting below.

• default_bot_setting - Optional Block
Configuration parameter for default bot setting

• default_violation_settings - Optional Block
Configuration parameter for default violation settings

• disable_staging - Optional Block
Enable this option

• disable_suppression - Optional Block
Configuration parameter for disable suppression

• disable_threat_campaigns - Optional Block
Enable this option

• enable_suppression - Optional Block
Configuration parameter for enable suppression

• enable_threat_campaigns - Optional Block
Enable this option

• signature_selection_setting - Optional Block
Attack Signatures are patterns that identify attacks on a web application and its components
See Signature Selection Setting below.

• stage_new_and_updated_signatures - Optional Block
Attack Signatures staging configuration
See Stage New And Updated Signatures below.

• stage_new_signatures - Optional Block
Attack Signatures staging configuration
See Stage New Signatures below.

• violation_settings - Optional Block
Specifies violation settings to be used by WAF
See Violation Settings below.

• violations_view - Optional Block
List of violation checks that are performed on HTTP request to ensure the requests are properly formatted, detection of evasion techniques and other violations
See Violations View below.

Detection Settings Bot Protection Setting

A bot_protection_setting block (within detection_settings) supports the following:

• good_bot_action - Optional String Defaults to BLOCK
Possible values are BLOCK, REPORT, IGNORE
[Enum: BLOCK|REPORT|IGNORE] Action to be performed on the request Log and block Log only Disable detection

• malicious_bot_action - Optional String Defaults to BLOCK
Possible values are BLOCK, REPORT, IGNORE
[Enum: BLOCK|REPORT|IGNORE] Action to be performed on the request Log and block Log only Disable detection

• suspicious_bot_action - Optional String Defaults to BLOCK
Possible values are BLOCK, REPORT, IGNORE
[Enum: BLOCK|REPORT|IGNORE] Action to be performed on the request Log and block Log only Disable detection

Detection Settings Signature Selection Setting

A signature_selection_setting block (within detection_settings) supports the following:

• attack_type_settings - Optional Block
Specifies attack-type settings to be used by WAF
See Attack Type Settings below.

• default_attack_type_settings - Optional Block
Configuration parameter for default attack type settings

• high_medium_accuracy_signatures - Optional Block
Configuration parameter for high medium accuracy signatures

• high_medium_low_accuracy_signatures - Optional Block
Configuration parameter for high medium low accuracy signatures

• only_high_accuracy_signatures - Optional Block
Configuration parameter for only high accuracy signatures

Detection Settings Signature Selection Setting Attack Type Settings

Deeply nested Settings block collapsed for readability.

Detection Settings Stage New And Updated Signatures

A stage_new_and_updated_signatures block (within detection_settings) supports the following:

• staging_period - Optional Number
Define staging period in days. The default staging period is 7 days and the max supported staging period is 20 days

Detection Settings Stage New Signatures

A stage_new_signatures block (within detection_settings) supports the following:

• staging_period - Optional Number
Define staging period in days. The default staging period is 7 days and the max supported staging period is 20 days

Detection Settings Violation Settings

A violation_settings block (within detection_settings) supports the following:

• disabled_violation_types - Optional List Defaults to VIOL_NONE
Possible values are VIOL_NONE, VIOL_FILETYPE, VIOL_METHOD, VIOL_MANDATORY_HEADER, VIOL_HTTP_RESPONSE_STATUS, VIOL_REQUEST_MAX_LENGTH, VIOL_FILE_UPLOAD, VIOL_FILE_UPLOAD_IN_BODY, VIOL_XML_MALFORMED, VIOL_JSON_MALFORMED, VIOL_ASM_COOKIE_MODIFIED, VIOL_HTTP_PROTOCOL_MULTIPLE_HOST_HEADERS, VIOL_HTTP_PROTOCOL_BAD_HOST_HEADER_VALUE, VIOL_HTTP_PROTOCOL_UNPARSABLE_REQUEST_CONTENT, VIOL_HTTP_PROTOCOL_NULL_IN_REQUEST, VIOL_HTTP_PROTOCOL_BAD_HTTP_VERSION, VIOL_HTTP_PROTOCOL_SEVERAL_CONTENT_LENGTH_HEADERS, VIOL_EVASION_DIRECTORY_TRAVERSALS, VIOL_MALFORMED_REQUEST, VIOL_EVASION_MULTIPLE_DECODING, VIOL_DATA_GUARD, VIOL_EVASION_APACHE_WHITESPACE, VIOL_COOKIE_MODIFIED, VIOL_EVASION_IIS_UNICODE_CODEPOINTS, VIOL_EVASION_IIS_BACKSLASHES, VIOL_EVASION_PERCENT_U_DECODING, VIOL_EVASION_BARE_BYTE_DECODING, VIOL_EVASION_BAD_UNESCAPE, VIOL_HTTP_PROTOCOL_BODY_IN_GET_OR_HEAD_REQUEST, VIOL_ENCODING, VIOL_COOKIE_MALFORMED, VIOL_GRAPHQL_FORMAT, VIOL_GRAPHQL_MALFORMED, VIOL_GRAPHQL_INTROSPECTION_QUERY
[Enum: VIOL_NONE|VIOL_FILETYPE|VIOL_METHOD|VIOL_MANDATORY_HEADER|VIOL_HTTP_RESPONSE_STATUS|VIOL_REQUEST_MAX_LENGTH|VIOL_FILE_UPLOAD|VIOL_FILE_UPLOAD_IN_BODY|VIOL_XML_MALFORMED|VIOL_JSON_MALFORMED|VIOL_ASM_COOKIE_MODIFIED|VIOL_HTTP_PROTOCOL_MULTIPLE_HOST_HEADERS|VIOL_HTTP_PROTOCOL_BAD_HOST_HEADER_VALUE|VIOL_HTTP_PROTOCOL_UNPARSABLE_REQUEST_CONTENT|VIOL_HTTP_PROTOCOL_NULL_IN_REQUEST|VIOL_HTTP_PROTOCOL_BAD_HTTP_VERSION|VIOL_HTTP_PROTOCOL_SEVERAL_CONTENT_LENGTH_HEADERS|VIOL_EVASION_DIRECTORY_TRAVERSALS|VIOL_MALFORMED_REQUEST|VIOL_EVASION_MULTIPLE_DECODING|VIOL_DATA_GUARD|VIOL_EVASION_APACHE_WHITESPACE|VIOL_COOKIE_MODIFIED|VIOL_EVASION_IIS_UNICODE_CODEPOINTS|VIOL_EVASION_IIS_BACKSLASHES|VIOL_EVASION_PERCENT_U_DECODING|VIOL_EVASION_BARE_BYTE_DECODING|VIOL_EVASION_BAD_UNESCAPE|VIOL_HTTP_PROTOCOL_BODY_IN_GET_OR_HEAD_REQUEST|VIOL_ENCODING|VIOL_COOKIE_MALFORMED|VIOL_GRAPHQL_FORMAT|VIOL_GRAPHQL_MALFORMED|VIOL_GRAPHQL_INTROSPECTION_QUERY] List of violations to be excluded

Detection Settings Violations View

A violations_view block (within detection_settings) supports the following:

• description_spec - Optional String
Description. Human-readable description text

• enabled - Optional Bool
State. Enable or disable the feature

• enabled_by_default - Optional String
Violations that are enabled by default by F5 are advisable to leave enabled

• name - Optional String
Name. Human-readable name for the resource

• title - Optional String
Title. Human-readable title for the resource

Enable Ai Enhancements

An enable_ai_enhancements block supports the following:

• mitigate_high_medium_risk_action - Optional Block
Enable this option

• mitigate_high_risk_action - Optional Block
Enable this option

Timeouts

A timeouts block supports the following:

• create - Optional String (Defaults to 10 minutes)
Used when creating the resource

• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource

• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource

• update - Optional String (Defaults to 10 minutes)
Used when updating the resource

---

Common Types

The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.

Object Reference {#common-object-reference}

Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.

Field	Type	Description
name	String	Name of the referenced object
namespace	String	Namespace containing the referenced object
tenant	String	Tenant of the referenced object (system-managed)

Transformers {#common-transformers}

Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.

Value	Description
LOWER_CASE	Convert to lowercase
UPPER_CASE	Convert to uppercase
BASE64_DECODE	Decodebase64 content
NORMALIZE_PATH	Normalize URL path
REMOVE_WHITESPACE	Remove whitespace characters
URL_DECODE	Decode URL-encoded characters
TRIM_LEFT	Trim leading whitespace
TRIM_RIGHT	Trim trailing whitespace
TRIM	Trim both leading and trailing whitespace

HTTP Methods {#common-http-methods}

HTTP methods used for request matching.

Value	Description
ANY	Match any HTTP method
GET	HTTP GET request
HEAD	HTTP HEAD request
POST	HTTP POST request
PUT	HTTP PUT request
DELETE	HTTP DELETE request
CONNECT	HTTP CONNECT request
OPTIONS	HTTP OPTIONS request
TRACE	HTTP TRACE request
PATCH	HTTP PATCH request
COPY	HTTP COPY request (WebDAV)

TLS Fingerprints {#common-tls-fingerprints}

TLS fingerprint categories for malicious client detection.

Value	Description
TLS_FINGERPRINT_NONE	No fingerprint matching
ANY_MALICIOUS_FINGERPRINT	Match any known malicious fingerprint
ADWARE	Adware-associated fingerprints
DRIDEX	Dridex malware fingerprints
GOOTKIT	Gootkit malware fingerprints
RANSOMWARE	Ransomware-associated fingerprints
TRICKBOT	Trickbot malware fingerprints

IP Threat Categories {#common-ip-threat-categories}

IP address threat categories for security filtering.

Value	Description
SPAM_SOURCES	Known spam sources
WINDOWS_EXPLOITS	Windows exploit sources
WEB_ATTACKS	Web attack sources
BOTNETS	Known botnet IPs
SCANNERS	Network scanner IPs
REPUTATION	Poor reputation IPs
PHISHING	Phishing-related IPs
PROXY	Anonymous proxy IPs
MOBILE_THREATS	Mobile threat sources
TOR_PROXY	Tor exit nodes
DENIAL_OF_SERVICE	DoS attack sources
NETWORK	Known bad network ranges

Import

Import is supported using the following syntax:

# Import using namespace/name format
terraform import f5xc_app_firewall.example system/example