f5xc_aws_tgw_site Resource - terraform-provider-f5xc
f5xc_aws_tgw_site (Resource)
Manages an AWS TGW Site resource in F5 Distributed Cloud for deploying F5 sites connected via AWS Transit Gateway.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage
```hcl
# AWS TGW Site Resource Example
# Manages an AWS TGW Site resource in F5 Distributed Cloud for deploying F5 sites
# connected via AWS Transit Gateway.

terraform {
  required_version = ">= 1.0"
  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic AWS TGW Site configuration
resource "f5xc_aws_tgw_site" "example" {
  name      = "example-aws-tgw-site"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Services VPC, transit gateway and site settings (see AWS Parameters below)
  aws_parameters {
    aws_region = "us-west-2"

    # Reference to the AWS credentials object
    aws_cred {
      name      = "aws-credentials"
      namespace = "staging"
    }

    # Create a new services VPC
    new_vpc {
      name_tag     = "f5xc-tgw-vpc"
      primary_ipv4 = "10.0.0.0/16"
    }

    # Create a new TGW with system-generated ASNs
    new_tgw {
      system_generated {}
    }

    # Instance type
    instance_type = "t3.xlarge"

    # Single-AZ node with inside, outside and workload subnets
    az_nodes {
      aws_az_name = "us-west-2a"
      inside_subnet {
        subnet_param { ipv4 = "10.0.1.0/24" }
      }
      outside_subnet {
        subnet_param { ipv4 = "10.0.2.0/24" }
      }
      workload_subnet {
        subnet_param { ipv4 = "10.0.3.0/24" }
      }
    }

    # No worker nodes
    no_worker_nodes {}
  }
}
```
Argument Reference
🔶 High Risk Operations — Some operations on this resource have a high danger level. Destructive operations may require confirmation.
Metadata Argument Reference
• name - Required String
Name of the AWS TGW Site. Must be unique within the namespace
• namespace - Required String
Namespace where the AWS TGW Site will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
• aws_parameters - Optional Block
Setup AWS services VPC, transit gateway and site
See AWS Parameters below for details.
-> One of the following:
• block_all_services - Optional Block
Enable this option
• blocked_services - Optional Block
Disable node local services on this site
See Blocked Services below for details.
• coordinates - Optional Block
Coordinates of the site which provides the site physical location
See Coordinates below for details.
• custom_dns - Optional Block
Custom DNS configured for the specified CE site
See Custom DNS below for details.
• default_blocked_services - Optional Block
Enable this option
-> One of the following:
• direct_connect_disabled - Optional Block
Enable this option
• direct_connect_enabled - Optional Block
Direct Connect Configuration
See Direct Connect Enabled below for details.
• private_connectivity - Optional Block
Private Connect Configuration
See Private Connectivity below for details.
• kubernetes_upgrade_drain - Optional Block
Specify how worker nodes within a site will be upgraded
See Kubernetes Upgrade Drain below for details.
-> One of the following:
• log_receiver - Optional Block
Direct reference from one object (the referrer) to another (the referred), in the form tenant/namespace/name
See Log Receiver below for details.
• logs_streaming_disabled - Optional Block
Enable this option
• offline_survivability_mode - Optional Block
Offline Survivability allows the Site to continue functioning normally without traffic loss during periods of connectivity loss to the Regional Edge (RE) or the Global Controller (GC). When this feature is enabled, a site can continue to function as is with existing configuration for up to 7
See Offline Survivability Mode below for details.
• os - Optional Block
Select the F5XC Operating System Version for the site. By default, latest available OS Version will be used. Refer to release notes to find required released OS versions
• performance_enhancement_mode - Optional Block
Optimize the site for L3 or L7 traffic processing. L7 optimized is the default
• sw - Optional Block
Select the F5XC Software Version for the site. By default, latest available F5XC Software Version will be used. Refer to release notes to find required released SW versions
• tags - Optional Block
AWS Tags is a label consisting of a user-defined key and value. It helps to manage, identify, organize, search for, and filter resources in AWS console
• tgw_security - Optional Block
Security Configuration for transit gateway
See TGW Security below for details.
• timeouts - Optional Block
See Timeouts below for details.
• vn_config - Optional Block
Virtual Network Configuration
See Vn Config below for details.
• vpc_attachments - Optional Block
Spoke VPCs to be attached to the AWS TGW Site
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
AWS Parameters
An aws_parameters block supports the following:
• admin_password - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Admin Password below.
• aws_cred - Optional Block
Direct reference from one object (the referrer) to another (the referred), in the form tenant/namespace/name
See AWS Cred below.
• aws_region - Optional String
AWS Region of your services VPC, where F5XC site will be deployed
• az_nodes - Optional Block
Only Single AZ or Three AZ(s) nodes are supported currently
See Az Nodes below.
• custom_security_group - Optional Block
Pre-created security groups for the SLO (Site Local Outside) and SLI (Site Local Inside) interfaces. Supported only for sites deployed on an existing VPC
See Custom Security Group below.
• disable_encryption - Optional Block
Configuration parameter for disable encryption
• disable_internet_vip - Optional Block
Enable this option
• disk_size - Optional Number
Node disk size for all nodes in the F5XC site. Unit is GiB
• enable_encryption - Optional Block
Configuration parameter for enable encryption
See Enable Encryption below.
• enable_internet_vip - Optional Block
Enable this option
• existing_tgw - Optional Block
Information needed for an existing TGW
See Existing TGW below.
• f5xc_security_group - Optional Block
Enable this option
• instance_type - Optional String
Instance size based on the performance
• new_tgw - Optional Block
Parameters for creating a new TGW
See New TGW below.
• new_vpc - Optional Block
Parameters to create a new AWS VPC
See New VPC below.
• no_worker_nodes - Optional Block
Configuration parameter for no worker nodes
• nodes_per_az - Optional Number
Desired Worker Nodes Per AZ. Max limit is up to 21
• reserved_tgw_cidr - Optional Block
Configuration parameter for reserved TGW CIDR
• ssh_key - Optional String
Public SSH key for accessing nodes of the site
• tgw_cidr - Optional Block
Parameters for creating a new cloud subnet
See TGW CIDR below.
• total_nodes - Optional Number
Total number of worker nodes to be deployed across all AZs used in the Site
• vpc_id - Optional String
Existing VPC ID
AWS Parameters Admin Password
An admin_password block (within aws_parameters) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• blindfold_secret_info_internal - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info Internal below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
• secret_encoding_type - Optional String. Defaults to EncodingNone
Possible values are EncodingNone (no encoding) and Encodingbase64 (base64 encoding). SecretEncodingType defines the encoding type of the secret before it is handled by the Secret Management Service
• vault_secret_info - Optional Block
VaultSecretInfoType specifies information about the Secret managed by Hashicorp Vault
See Vault Secret Info below.
• wingman_secret_info - Optional Block
WingmanSecretInfoType specifies the handle to the wingman secret
See Wingman Secret Info below.
AWS Parameters Admin Password Blindfold Secret Info
A blindfold_secret_info block (within aws_parameters.admin_password) supports the following:
• decryption_provider - Optional String
Name of the Secret Management Access object that contains information about the backend Secret Management service
• location - Optional String
Location is the uri_ref. It can be a URL in the string:/// format, or a path if the store provider is an HTTP/HTTPS location
• store_provider - Optional String
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///
AWS Parameters Admin Password Blindfold Secret Info Internal
Deeply nested Internal block collapsed for readability.
AWS Parameters Admin Password Clear Secret Info
A clear_secret_info block (within aws_parameters.admin_password) supports the following:
• provider_ref - Optional String
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes. This field needs to be provided only if the URL scheme is not string:///
• url - Optional String
URL of the secret. The currently supported URL scheme is string:///. For the string:/// scheme, the secret must be base64-encoded. When asked for this secret, the caller will GET the secret bytes after base64 decoding
AWS Parameters Admin Password Vault Secret Info
A vault_secret_info block (within aws_parameters.admin_password) supports the following:
• key - Optional String
Key of the individual secret. Vault secrets are stored as key-value pairs. If only one value from the map is needed, set this field to the corresponding key
• location - Optional String
Path to the secret in Vault
• provider_ref - Optional String
Name of the Secret Management Access object that contains information about the backend Vault
• secret_encoding - Optional String. Defaults to EncodingNone
Possible values are EncodingNone (no encoding) and Encodingbase64 (base64 encoding). SecretEncodingType defines the encoding type of the secret before it is handled by the Secret Management Service
• version - Optional Number
Version of the secret to be fetched. As Vault secrets are versioned, this field can be set to fetch a specific version. If not provided, the latest version will be returned
AWS Parameters Admin Password Wingman Secret Info
A wingman_secret_info block (within aws_parameters.admin_password) supports the following:
• name - Optional String
Name of the secret
AWS Parameters AWS Cred
An aws_cred block (within aws_parameters) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object's (e.g. Route's) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object's (e.g. Route's) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object's (e.g. Route's) tenant
AWS Parameters Az Nodes
An az_nodes block (within aws_parameters) supports the following:
• aws_az_name - Optional String
AWS availability zone, must be consistent with the selected AWS region
• inside_subnet - Optional Block
Configuration parameter for inside subnet
See Inside Subnet below.
• outside_subnet - Optional Block
Configuration parameter for outside subnet
See Outside Subnet below.
• reserved_inside_subnet - Optional Block
Configuration parameter for reserved inside subnet
• workload_subnet - Optional Block
Configuration parameter for workload subnet
See Workload Subnet below.
AWS Parameters Az Nodes Inside Subnet
An inside_subnet block (within aws_parameters.az_nodes) supports the following:
• existing_subnet_id - Optional String
Information about existing subnet ID
• subnet_param - Optional Block
Parameters for creating a new cloud subnet
See Subnet Param below.
AWS Parameters Az Nodes Inside Subnet Subnet Param
Deeply nested Param block collapsed for readability.
AWS Parameters Az Nodes Outside Subnet
An outside_subnet block (within aws_parameters.az_nodes) supports the following:
• existing_subnet_id - Optional String
Information about existing subnet ID
• subnet_param - Optional Block
Parameters for creating a new cloud subnet
See Subnet Param below.
AWS Parameters Az Nodes Outside Subnet Subnet Param
Deeply nested Param block collapsed for readability.
AWS Parameters Az Nodes Workload Subnet
A workload_subnet block (within aws_parameters.az_nodes) supports the following:
• existing_subnet_id - Optional String
Information about existing subnet ID
• subnet_param - Optional Block
Parameters for creating a new cloud subnet
See Subnet Param below.
AWS Parameters Az Nodes Workload Subnet Subnet Param
Deeply nested Param block collapsed for readability.
AWS Parameters Custom Security Group
A custom_security_group block (within aws_parameters) supports the following:
• inside_security_group_id - Optional String
Security Group ID to be attached to the SLI (Site Local Inside) interface
• outside_security_group_id - Optional String
Security Group ID to be attached to the SLO (Site Local Outside) interface
AWS Parameters Enable Encryption
An enable_encryption block (within aws_parameters) supports the following:
• kms_key_id - Optional String
AWS KMS Key to be used to encrypt the disk attached to the VM
AWS Parameters Existing TGW
An existing_tgw block (within aws_parameters) supports the following:
• tgw_asn - Optional Number
TGW ASN
• tgw_id - Optional String
Existing TGW ID
• volterra_site_asn - Optional Number
F5XC Site ASN
AWS Parameters New TGW
A new_tgw block (within aws_parameters) supports the following:
• system_generated - Optional Block
Configuration parameter for system generated
• user_assigned - Optional Block
Information needed when ASNs are assigned by the user
See User Assigned below.
AWS Parameters New TGW User Assigned
A user_assigned block (within aws_parameters.new_tgw) supports the following:
• tgw_asn - Optional Number
TGW ASN. The allowed range for 16-bit private ASNs is 64512 to 65534
• volterra_site_asn - Optional Number
F5XC Site ASN
AWS Parameters New VPC
A new_vpc block (within aws_parameters) supports the following:
• allocate_ipv6 - Optional Bool
Allocate an IPv6 CIDR block from AWS
• autogenerate - Optional Block
Configuration parameter for autogenerate
• name_tag - Optional String
Specify the VPC Name
• primary_ipv4 - Optional String
IPv4 CIDR block for this VPC. It has to be private address space. The Primary IPv4 block cannot be modified. All subnets prefixes in this VPC must be part of this CIDR block
AWS Parameters TGW CIDR
A tgw_cidr block (within aws_parameters) supports the following:
• ipv4 - Optional String
IPv4 subnet prefix for this subnet
Blocked Services
A blocked_services block supports the following:
• blocked_service - Optional Block
Disable node local services. Blocking or denial configuration
See Blocked Service below.
Blocked Services Blocked Service
A blocked_service block (within blocked_services) supports the following:
• dns - Optional Block
Enable this option
• network_type - Optional String. Defaults to VIRTUAL_NETWORK_SITE_LOCAL
Possible values are VIRTUAL_NETWORK_SITE_LOCAL, VIRTUAL_NETWORK_SITE_LOCAL_INSIDE, VIRTUAL_NETWORK_PER_SITE, VIRTUAL_NETWORK_PUBLIC, VIRTUAL_NETWORK_GLOBAL, VIRTUAL_NETWORK_SITE_SERVICE, VIRTUAL_NETWORK_VER_INTERNAL, VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE, VIRTUAL_NETWORK_IP_AUTO, VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK, VIRTUAL_NETWORK_SRV6_NETWORK, VIRTUAL_NETWORK_IP_FABRIC, VIRTUAL_NETWORK_SEGMENT, VIRTUAL_NETWORK_MANAGEMENT
Different types of virtual networks understood by the system. A virtual network of type VIRTUAL_NETWORK_SITE_LOCAL provides connectivity to the public (outside) network. This is an insecure network and is connected to the public internet via NAT gateways/firewalls. Virtual-network of this type is local to
• ssh - Optional Block
Enable this option
• web_user_interface - Optional Block
Enable this option
Coordinates
A coordinates block supports the following:
• latitude - Optional Number
Latitude of the site location
• longitude - Optional Number
Longitude of the site location
Custom DNS
A custom_dns block supports the following:
• inside_nameserver - Optional String
Optional DNS server IP to be used for name resolution in inside network
• outside_nameserver - Optional String
Optional DNS server IP to be used for name resolution in outside network
Direct Connect Enabled
A direct_connect_enabled block supports the following:
• auto_asn - Optional Block
Enable this option
• custom_asn - Optional Number
Custom Autonomous System Number
• hosted_vifs - Optional Block
AWS Direct Connect Hosted VIF Configuration
See Hosted Vifs below.
• standard_vifs - Optional Block
Configuration parameter for standard vifs
Direct Connect Enabled Hosted Vifs
A hosted_vifs block (within direct_connect_enabled) supports the following:
• site_registration_over_direct_connect - Optional Block
CloudLink AND Network Config
See Site Registration Over Direct Connect below.
• site_registration_over_internet - Optional Block
Enable this option
• vif_list - Optional Block
List of Hosted VIF Config
See Vif List below.
Direct Connect Enabled Hosted Vifs Site Registration Over Direct Connect
Deeply nested Connect block collapsed for readability.
Direct Connect Enabled Hosted Vifs Vif List
A vif_list block (within direct_connect_enabled.hosted_vifs) supports the following:
• other_region - Optional String
Other Region
• same_as_site_region - Optional Block
Enable this option
• vif_id - Optional String
AWS Direct Connect VIF ID that needs to be connected to the site
Kubernetes Upgrade Drain
A kubernetes_upgrade_drain block supports the following:
• disable_upgrade_drain - Optional Block
Configuration parameter for disable upgrade drain
• enable_upgrade_drain - Optional Block
Specify batch upgrade settings for worker nodes within a site
See Enable Upgrade Drain below.
Kubernetes Upgrade Drain Enable Upgrade Drain
An enable_upgrade_drain block (within kubernetes_upgrade_drain) supports the following:
• disable_vega_upgrade_mode - Optional Block
Configuration parameter for disable vega upgrade mode
• drain_max_unavailable_node_count - Optional Number
Node Batch Size Count
• drain_node_timeout - Optional Number
Seconds to wait before initiating upgrade on the next set of nodes. Setting it to 0 will wait indefinitely for all services on nodes to be upgraded gracefully before proceeding to the next set of nodes. (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is
• enable_vega_upgrade_mode - Optional Block
Configuration parameter for enable vega upgrade mode
Log Receiver
A log_receiver block supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object's (e.g. Route's) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object's (e.g. Route's) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object's (e.g. Route's) tenant
Offline Survivability Mode
An offline_survivability_mode block supports the following:
• enable_offline_survivability_mode - Optional Block
Configuration parameter for enable offline survivability mode
• no_offline_survivability_mode - Optional Block
Configuration parameter for no offline survivability mode
Os
An os block supports the following:
• default_os_version - Optional Block
Enable this option
• operating_system_version - Optional String
Specify an OS version to be used, e.g. 9.2024.6
Performance Enhancement Mode
A performance_enhancement_mode block supports the following:
• perf_mode_l3_enhanced - Optional Block
Configuration parameter for perf mode l3 enhanced
See Perf Mode L3 Enhanced below.
• perf_mode_l7_enhanced - Optional Block
Configuration parameter for perf mode l7 enhanced
Performance Enhancement Mode Perf Mode L3 Enhanced
A perf_mode_l3_enhanced block (within performance_enhancement_mode) supports the following:
• jumbo - Optional Block
Enable this option
• no_jumbo - Optional Block
Enable this option
Private Connectivity
A private_connectivity block supports the following:
• cloud_link - Optional Block
Direct reference from one object (the referrer) to another (the referred), in the form tenant/namespace/name
See Cloud Link below.
• inside - Optional Block
Enable this option
• outside - Optional Block
Enable this option
Private Connectivity Cloud Link
A cloud_link block (within private_connectivity) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object's (e.g. Route's) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object's (e.g. Route's) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object's (e.g. Route's) tenant
Sw
A sw block supports the following:
• default_sw_version - Optional Block
Enable this option
• volterra_software_version - Optional String
Specify an F5XC Software Version to be used, e.g. Crt-20210329-1002
TGW Security
A tgw_security block supports the following:
• active_east_west_service_policies - Optional Block
Active service policies for the east-west proxy
See Active East West Service Policies below.
• active_enhanced_firewall_policies - Optional Block
List of Enhanced Firewall Policies. These policies use session-based rules and provide all options available under firewall policies, with an additional option for service insertion
See Active Enhanced Firewall Policies below.
• active_forward_proxy_policies - Optional Block
Ordered List of Forward Proxy Policies active
See Active Forward Proxy Policies below.
• active_network_policies - Optional Block
Configuration parameter for active network policies
See Active Network Policies below.
• east_west_service_policy_allow_all - Optional Block
Configuration parameter for east west service policy allow all
• forward_proxy_allow_all - Optional Block
Configuration parameter for forward proxy allow all
• no_east_west_policy - Optional Block
Policy configuration for this feature
• no_forward_proxy - Optional Block
Configuration parameter for no forward proxy
• no_network_policy - Optional Block
Policy configuration for this feature
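As an added example (not part of the provider's own documentation), the security-relevant blocks documented on this page combined in one resource: the node admin password taken from F5XC Secret Management via blindfold_secret_info rather than clear_secret_info, KMS-encrypted node disks, pre-created security groups on an existing VPC, node-local SSH and web UI blocked on the outside virtual network, and a network policy attached to the transit gateway. All IDs, ARNs and object names are placeholders.

```hcl
resource "f5xc_aws_tgw_site" "hardened" {
  name      = "example-aws-tgw-site-hardened"
  namespace = "staging"

  aws_parameters {
    aws_region    = "us-west-2"
    instance_type = "t3.xlarge"
    vpc_id        = "vpc-PLACEHOLDER" # existing VPC: custom_security_group needs one

    aws_cred {
      name      = "aws-credentials"
      namespace = "staging"
    }

    # Admin password held by F5XC Secret Management, not stored in clear in state
    admin_password {
      blindfold_secret_info {
        location = "string:///PLACEHOLDER_BLINDFOLD_CIPHERTEXT"
      }
      secret_encoding_type = "EncodingNone"
    }

    # Encrypt the disks attached to the VMs with a customer-managed KMS key
    enable_encryption {
      kms_key_id = "arn:aws:kms:us-west-2:123456789012:key/PLACEHOLDER"
    }

    # Pre-created security groups for the SLI and SLO interfaces
    custom_security_group {
      inside_security_group_id  = "sg-PLACEHOLDER-sli"
      outside_security_group_id = "sg-PLACEHOLDER-slo"
    }

    # Attach to an existing TGW using private 16-bit ASNs
    existing_tgw {
      tgw_id            = "tgw-PLACEHOLDER"
      tgw_asn           = 64512
      volterra_site_asn = 64513
    }

    az_nodes {
      aws_az_name = "us-west-2a"
      inside_subnet   { existing_subnet_id = "subnet-PLACEHOLDER-inside" }
      outside_subnet  { existing_subnet_id = "subnet-PLACEHOLDER-outside" }
      workload_subnet { existing_subnet_id = "subnet-PLACEHOLDER-workload" }
    }

    no_worker_nodes {}
  }

  # Block node-local SSH and web UI on the outside (public-facing) virtual network
  blocked_services {
    blocked_service {
      network_type = "VIRTUAL_NETWORK_SITE_LOCAL"
      ssh {}
      web_user_interface {}
    }
  }

  # Enforce a network policy on the TGW instead of no_network_policy
  tgw_security {
    active_network_policies {
      network_policies {
        name      = "tgw-network-policy" # placeholder network_policy object name
        namespace = "staging"
      }
    }
  }
}
```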
TGW Security Active East West Service Policies
An active_east_west_service_policies block (within tgw_security) supports the following:
• service_policies - Optional Block
List of references to service_policy objects
See Service Policies below.
TGW Security Active East West Service Policies Service Policies
Deeply nested Policies block collapsed for readability.
TGW Security Active Enhanced Firewall Policies
An active_enhanced_firewall_policies block (within tgw_security) supports the following:
• enhanced_firewall_policies - Optional Block
Ordered List of Enhanced Firewall Policies active
See Enhanced Firewall Policies below.
TGW Security Active Enhanced Firewall Policies Enhanced Firewall Policies
Deeply nested Policies block collapsed for readability.
TGW Security Active Forward Proxy Policies
An active_forward_proxy_policies block (within tgw_security) supports the following:
• forward_proxy_policies - Optional Block
Ordered List of Forward Proxy Policies active
See Forward Proxy Policies below.
TGW Security Active Forward Proxy Policies Forward Proxy Policies
Deeply nested Policies block collapsed for readability.
TGW Security Active Network Policies
An active_network_policies block (within tgw_security) supports the following:
• network_policies - Optional Block
Ordered List of Firewall Policies active for this network firewall
See Network Policies below.
TGW Security Active Network Policies Network Policies
A network_policies block (within tgw_security.active_network_policies) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object's (e.g. Route's) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object's (e.g. Route's) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object's (e.g. Route's) tenant
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 30 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 30 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 30 minutes)
Used when updating the resource
Vn Config
A vn_config block supports the following:
• allowed_vip_port - Optional Block
Defines the TCP port(s) opened on the cloud load balancer, so that the client can use the cloud VIP IP and port combination to reach the TCP/HTTP LB configured on the F5XC Site
See Allowed VIP Port below.
• allowed_vip_port_sli - Optional Block
Defines the TCP port(s) opened on the cloud load balancer, so that the client can use the cloud VIP IP and port combination to reach the TCP/HTTP LB configured on the F5XC Site
See Allowed VIP Port SLI below.
• dc_cluster_group_inside_vn - Optional Block
Direct reference from one object (the referrer) to another (the referred), in the form tenant/namespace/name
See Dc Cluster Group Inside Vn below.
• dc_cluster_group_outside_vn - Optional Block
Direct reference from one object (the referrer) to another (the referred), in the form tenant/namespace/name
See Dc Cluster Group Outside Vn below.
• global_network_list - Optional Block
List of global network connections
See Global Network List below.
• inside_static_routes - Optional Block
Configuration parameter for inside static routes
See Inside Static Routes below.
• no_dc_cluster_group - Optional Block
Enable this option
• no_global_network - Optional Block
Configuration parameter for no global network
• no_inside_static_routes - Optional Block
Configuration parameter for no inside static routes
• no_outside_static_routes - Optional Block
Configuration parameter for no outside static routes
• outside_static_routes - Optional Block
Configuration parameter for outside static routes
See Outside Static Routes below.
• sm_connection_public_ip - Optional Block
Enable this option
• sm_connection_pvt_ip - Optional Block
Enable this option
Vn Config Allowed VIP Port
An allowed_vip_port block (within vn_config) supports the following:
• custom_ports - Optional Block
List of custom ports
See Custom Ports below.
• disable_allowed_vip_port - Optional Block
Enable this option
• use_http_https_port - Optional Block
Enable this option
• use_http_port - Optional Block
Enable this option
• use_https_port - Optional Block
Enable this option
Vn Config Allowed VIP Port Custom Ports
A custom_ports block (within vn_config.allowed_vip_port) supports the following:
• port_ranges - Optional String
Port Ranges
Vn Config Allowed VIP Port SLI
An allowed_vip_port_sli block (within vn_config) supports the following:
• custom_ports - Optional Block
Custom Ports. List of custom ports
See Custom Ports below.
• disable_allowed_vip_port - Optional Block
Enable this option
• use_http_https_port - Optional Block
Enable this option
• use_http_port - Optional Block
Enable this option
• use_https_port - Optional Block
Enable this option
Vn Config Allowed VIP Port SLI Custom Ports
Deeply nested Ports block collapsed for readability.
Vn Config Dc Cluster Group Inside Vn
A dc_cluster_group_inside_vn block (within vn_config) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. Route), name holds the referred object's (e.g. the Route's) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. Route), namespace holds the referred object's (e.g. the Route's) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. Route), tenant holds the referred object's (e.g. the Route's) tenant
Vn Config Dc Cluster Group Outside Vn
A dc_cluster_group_outside_vn block (within vn_config) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. Route), name holds the referred object's (e.g. the Route's) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. Route), namespace holds the referred object's (e.g. the Route's) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. Route), tenant holds the referred object's (e.g. the Route's) tenant
Vn Config Global Network List
A global_network_list block (within vn_config) supports the following:
• global_network_connections - Optional Block
Global network connections
See Global Network Connections below.
Vn Config Global Network List Global Network Connections
Deeply nested Connections block collapsed for readability.
Vn Config Global Network List Global Network Connections SLI To Global DR
Deeply nested DR block collapsed for readability.
Vn Config Global Network List Global Network Connections SLI To Global DR Global Vn
Deeply nested Vn block collapsed for readability.
Vn Config Global Network List Global Network Connections Slo To Global DR
Deeply nested DR block collapsed for readability.
Vn Config Global Network List Global Network Connections Slo To Global DR Global Vn
Deeply nested Vn block collapsed for readability.
Vn Config Inside Static Routes
An inside_static_routes block (within vn_config) supports the following:
• static_route_list - Optional Block
List of Static Routes. List of static routes
See Static Route List below.
Vn Config Inside Static Routes Static Route List
Deeply nested List block collapsed for readability.
Vn Config Inside Static Routes Static Route List Custom Static Route
Deeply nested Route block collapsed for readability.
Vn Config Inside Static Routes Static Route List Custom Static Route Nexthop
Deeply nested Nexthop block collapsed for readability.
Vn Config Inside Static Routes Static Route List Custom Static Route Nexthop Interface
Deeply nested Interface block collapsed for readability.
Vn Config Inside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address
Deeply nested Address block collapsed for readability.
Vn Config Inside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv4
Deeply nested IPv4 block collapsed for readability.
Vn Config Inside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv6
Deeply nested IPv6 block collapsed for readability.
Vn Config Inside Static Routes Static Route List Custom Static Route Subnets
Deeply nested Subnets block collapsed for readability.
Vn Config Inside Static Routes Static Route List Custom Static Route Subnets IPv4
Deeply nested IPv4 block collapsed for readability.
Vn Config Inside Static Routes Static Route List Custom Static Route Subnets IPv6
Deeply nested IPv6 block collapsed for readability.
Vn Config Outside Static Routes
An outside_static_routes block (within vn_config) supports the following:
• static_route_list - Optional Block
List of Static Routes. List of static routes
See Static Route List below.
Vn Config Outside Static Routes Static Route List
Deeply nested List block collapsed for readability.
Vn Config Outside Static Routes Static Route List Custom Static Route
Deeply nested Route block collapsed for readability.
Vn Config Outside Static Routes Static Route List Custom Static Route Nexthop
Deeply nested Nexthop block collapsed for readability.
Vn Config Outside Static Routes Static Route List Custom Static Route Nexthop Interface
Deeply nested Interface block collapsed for readability.
Vn Config Outside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address
Deeply nested Address block collapsed for readability.
Vn Config Outside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv4
Deeply nested IPv4 block collapsed for readability.
Vn Config Outside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv6
Deeply nested IPv6 block collapsed for readability.
Vn Config Outside Static Routes Static Route List Custom Static Route Subnets
Deeply nested Subnets block collapsed for readability.
Vn Config Outside Static Routes Static Route List Custom Static Route Subnets IPv4
Deeply nested IPv4 block collapsed for readability.
Vn Config Outside Static Routes Static Route List Custom Static Route Subnets IPv6
Deeply nested IPv6 block collapsed for readability.
VPC Attachments
A vpc_attachments block supports the following:
• vpc_list - Optional Block
List of VPC attachments to transit gateway
See VPC List below.
VPC Attachments VPC List
A vpc_list block (within vpc_attachments) supports the following:
• labels - Optional Block
Add labels for the VPC attachment. These labels can then be used in policies such as enhanced firewall
• vpc_id - Optional String
VPC ID. Information about existing VPC
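The vn_config and vpc_attachments blocks described above, combined in one added example configuration that is not from the provider's documentation. It assumes the site-level arguments from the Example Usage section are present where the comment indicates, that port_ranges takes a comma-separated string, that vpc_list labels is a string map like the resource-level labels, and that sm_connection_pvt_ip means site management over the private IP; the VPC ID is a placeholder.

```hcl
resource "f5xc_aws_tgw_site" "locked_down" {
  name       = "example-aws-tgw-site"
  namespace  = "staging"
  aws_region = "us-west-2"

  # aws_cred, vpc, tgw, instance_type, services_vpc and no_worker_nodes
  # go here exactly as in the Example Usage section; omitted for brevity.

  vn_config {
    # Outside (SLO) cloud load balancer: open only the ports the site's
    # TCP/HTTP LBs actually serve, instead of the blanket use_http_https_port {}.
    # The port_ranges value format is an assumption (not stated on this page).
    allowed_vip_port {
      custom_ports {
        port_ranges = "443,8443"
      }
    }

    # Inside (SLI) cloud load balancer publishes nothing, so keep it closed.
    allowed_vip_port_sli {
      disable_allowed_vip_port {}
    }

    # Select the explicit "none" choice for each optional feature so the
    # decision is recorded in the plan rather than left to provider defaults.
    no_dc_cluster_group {}
    no_global_network {}
    no_inside_static_routes {}
    no_outside_static_routes {}

    # Site-management connection over the private IP (meaning assumed from the
    # argument name; the page only says "Enable this option").
    sm_connection_pvt_ip {}
  }

  vpc_attachments {
    vpc_list {
      vpc_id = "vpc-PLACEHOLDER" # existing spoke VPC to attach to the TGW
      # labels assumed to be a string map (as the resource-level labels are);
      # the page notes they can be matched in enhanced firewall policies.
      labels = {
        exposure = "internal"
      }
    }
  }
}
```

Running terraform plan against this fragment shows every vn_config choice explicitly, which makes a later change from custom_ports to use_http_https_port visible in review as a widening of the cloud VIP exposure.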
Common Types
The following type definitions are used throughout this resource; each is defined once here rather than repeated inline.
Object Reference {#common-object-reference}
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers {#common-transformers}
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
HTTP Methods {#common-http-methods}
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints {#common-tls-fingerprints}
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories {#common-ip-threat-categories}
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:

```shell
# Import using namespace/name format
terraform import f5xc_aws_tgw_site.example system/example
```