f5xc_authentication Resource - terraform-provider-f5xc
f5xc_authentication (Resource)
Manages an Authentication resource in F5 Distributed Cloud.
~> Note: For more information about this resource, refer to the F5 XC API Documentation.
Example Usage
```hcl
# Authentication Resource Example
# Manages an Authentication resource in F5 Distributed Cloud.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Authentication configuration
resource "f5xc_authentication" "example" {
  name      = "example-authentication"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Resource-specific configuration
  # Specifies different cookie related config parameters for authentication
  cookie_params {
    # Configure cookie_params settings

    # HMAC primary and secondary keys to be used for hashing the cookie
    # (auth_hmac is nested inside cookie_params, see the argument reference)
    auth_hmac {
      # Configure auth_hmac settings

      # SecretType is used in an object to indicate a sensitive/confidential field
      prim_key {
        # Configure prim_key settings
      }
    }
  }
}
```

Argument Reference
🔶 High Risk Operations: some operations on this resource are high-risk. Destructive operations may require confirmation.
Metadata Argument Reference
• name - Required String
Name of the Authentication. Must be unique within the namespace
• namespace - Required String
Namespace where the Authentication will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
• cookie_params - Optional Block
Specifies different cookie related config parameters for authentication
See Cookie Params below for details.
• oidc_auth - Optional Block
OIDC authentication configuration (OIDCAuthType)
See OIDC Auth below for details.
• timeouts - Optional Block
See Timeouts below for details.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Cookie Params
A cookie_params block supports the following:
• auth_hmac - Optional Block
HMAC primary and secondary keys used for hashing the cookie. Each key also has an associated expiry timestamp, beyond which the key is invalid
See Auth HMAC below.
• cookie_expiry - Optional Number
Specifies, in seconds, the maximum duration of the allocated cookie. This maps to the “Max-Age” attribute of the session cookie and acts as a client-side expiry, after which the client no longer sends the cookie with its requests
• cookie_refresh_interval - Optional Number
Specifies, in seconds, the refresh interval for the session cookie. This keeps an active user active and reduces re-login. When an incoming cookie’s session expiry is still valid and the time to expiry falls below this interval, a cookie with a new expiry is re-issued for the same original session
• kms_key_hmac - Optional Block
Configuration parameters for a KMS key HMAC
• session_expiry - Optional Number
Specifies, in seconds, the maximum lifetime of an authenticated session, after which the user is forced to log in again. The default session expiry is 86400 seconds (24 hours)
Cookie Params Auth HMAC
An auth_hmac block (within cookie_params) supports the following:
• prim_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Prim Key below.
• prim_key_expiry - Optional String
Primary HMAC Key Expiry time
• sec_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Sec Key below.
• sec_key_expiry - Optional String
Secondary HMAC Key Expiry time
Cookie Params Auth HMAC Prim Key
A prim_key block (within cookie_params.auth_hmac) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
Cookie Params Auth HMAC Prim Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Cookie Params Auth HMAC Prim Key Clear Secret Info
Deeply nested Info block collapsed for readability.
Cookie Params Auth HMAC Sec Key
A sec_key block (within cookie_params.auth_hmac) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
Cookie Params Auth HMAC Sec Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Cookie Params Auth HMAC Sec Key Clear Secret Info
Deeply nested Info block collapsed for readability.
OIDC Auth
An oidc_auth block supports the following:
• client_secret - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Client Secret below.
• oidc_auth_params - Optional Block
Configuration parameter for OIDC auth params
See OIDC Auth Params below.
• oidc_client_id - Optional String
Client ID used while sending the Authorization Request to OIDC server
• oidc_well_known_config_url - Optional String
An OIDC well-known configuration URL that will be used to fetch authentication related endpoints
OIDC Auth Client Secret
A client_secret block (within oidc_auth) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
OIDC Auth Client Secret Blindfold Secret Info
A blindfold_secret_info block (within oidc_auth.client_secret) supports the following:
• decryption_provider - Optional String
Name of the Secret Management Access object that contains information about the backend Secret Management service
• location - Optional String
Location is the uri_ref. It can be in URL format for the string:/// scheme, or a path if the store provider is an HTTP/HTTPS location
• store_provider - Optional String
Name of the Secret Management Access object that contains information about the store from which the encrypted bytes are fetched with a GET. This field needs to be provided only if the URL scheme is not string:///
OIDC Auth Client Secret Clear Secret Info
A clear_secret_info block (within oidc_auth.client_secret) supports the following:
• provider_ref - Optional String
Name of the Secret Management Access object that contains information about the store from which the encrypted bytes are fetched with a GET. This field needs to be provided only if the URL scheme is not string:///
• url - Optional String
URL of the secret. The only currently supported URL scheme is string:///. For the string:/// scheme, the secret must be base64-encoded; when this secret is requested, the caller receives the secret bytes after base64 decoding
OIDC Auth OIDC Auth Params
An oidc_auth_params block (within oidc_auth) supports the following:
• auth_endpoint_url - Optional String
URL of the authorization server’s authorization endpoint
• end_session_endpoint_url - Optional String
URL of the authorization server’s Logout endpoint
• token_endpoint_url - Optional String
URL of the authorization server’s Token endpoint
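The following populated resource is an added example, not one from the provider's own documentation, that ties the cookie_params and oidc_auth blocks described above together: a primary/secondary HMAC key pair with expiries, cookie and session lifetimes, and an OIDC client whose secret is held in Blindfold rather than in clear text. The tenant, identity provider URL, client ID and secret locations are placeholders, and the expiry-timestamp format and the field names inside the prim_key/sec_key blindfold_secret_info blocks (assumed to match the client_secret block documented above) are assumptions.

```hcl
resource "f5xc_authentication" "oidc_with_rotating_hmac" {
  name      = "portal-auth"
  namespace = "staging"

  cookie_params {
    # Cookie Max-Age of 1 hour; the authenticated session lasts 8 hours,
    # and a cookie within 10 minutes of expiry is re-issued on the same session.
    cookie_expiry           = 3600
    cookie_refresh_interval = 600
    session_expiry          = 28800

    auth_hmac {
      # The primary key hashes new cookies; the secondary key is the previous
      # key, kept until its expiry so cookies hashed with it still validate.
      prim_key {
        blindfold_secret_info {
          # Constructed placeholder, not real blindfolded key material
          location            = "string:///PLACEHOLDER_BLINDFOLDED_PRIMARY_KEY"
          decryption_provider = "placeholder-secret-mgmt-access"
        }
      }
      prim_key_expiry = "2026-12-31T23:59:59Z" # assumed RFC 3339 timestamp

      sec_key {
        blindfold_secret_info {
          location            = "string:///PLACEHOLDER_BLINDFOLDED_SECONDARY_KEY"
          decryption_provider = "placeholder-secret-mgmt-access"
        }
      }
      sec_key_expiry = "2026-03-31T23:59:59Z" # earlier: the retiring key
    }
  }

  oidc_auth {
    oidc_client_id = "placeholder-client-id"
    # The discovery document supplies the auth/token/logout endpoints
    # (see the argument reference), so oidc_auth_params is not set here.
    oidc_well_known_config_url = "https://idp.example.com/.well-known/openid-configuration"

    client_secret {
      # blindfold_secret_info rather than clear_secret_info, so the client
      # secret is not stored base64-encoded in plain text in the configuration.
      blindfold_secret_info {
        location            = "string:///PLACEHOLDER_BLINDFOLDED_CLIENT_SECRET"
        decryption_provider = "placeholder-secret-mgmt-access"
      }
    }
  }
}
```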
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
Common Types
The following type definitions are used throughout this resource. Each is defined once here rather than repeated inline.
Object Reference
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
HTTP Methods
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:

```shell
# Import using namespace/name format
terraform import f5xc_authentication.example system/example
```