f5xc_aws_vpc_site Resource - terraform-provider-f5xc

f5xc_aws_vpc_site (Resource)

Manages a AWS VPC Site resource in F5 Distributed Cloud for deploying F5 sites within AWS VPC environments.

~> Note For more information about this resource, please refer to the F5 XC API Documentation.

Example Usage

# AWS VPC Site Resource Example
# Manages a AWS VPC Site resource in F5 Distributed Cloud for deploying F5 sites within AWS VPC environments.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic AWS VPC Site configuration
resource "f5xc_aws_vpc_site" "example" {
  name      = "example-aws-vpc-site"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # AWS VPC Site configuration
  aws_region = "us-west-2"

  # AWS credentials reference
  aws_cred {
    name      = "aws-credentials"
    namespace = "staging"
  }

  # VPC configuration
  vpc {
    new_vpc {
      name_tag     = "f5xc-vpc"
      primary_ipv4 = "10.0.0.0/16"
    }
  }

  # Instance type
  instance_type = "t3.xlarge"

  # Ingress/Egress gateway
  ingress_egress_gw {
    aws_certified_hw = "aws-byol-multi-nic-voltmesh"
    az_nodes {
      aws_az_name = "us-west-2a"
      inside_subnet {
        subnet_param {
          ipv4 = "10.0.1.0/24"
        }
      }
      outside_subnet {
        subnet_param {
          ipv4 = "10.0.2.0/24"
        }
      }
    }
  }

  # No worker nodes by default
  no_worker_nodes {}
}

Argument Reference

🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.

~> Dependencies — This resource requires: cloud_credentials.

Metadata Argument Reference

• name - Required String
Name of the AWS VPC Site. Must be unique within the namespace

• namespace - Required String
Namespace where the AWS VPC Site will be created

• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata

• description - Optional String
Human readable description for the object

• disable - Optional Bool
A value of true will administratively disable the object

• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering

Spec Argument Reference

• address - Required String
Site’s geographical address that can be used to determine its latitude and longitude

• admin_password - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Admin Password below for details.

• aws_cred - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See AWS Cred below for details.

• aws_region - Required String
AWS Region. Name for AWS Region

-> One of the following: • block_all_services - Optional Block
Enable this option

• blocked_services - Optional Block
Disable node local services on this site
See Blocked Services below for details.

• coordinates - Optional Block
Coordinates of the site which provides the site physical location
See Coordinates below for details.

• custom_dns - Optional Block
Custom DNS is the configured for specify CE site
See Custom DNS below for details.

-> One of the following: • custom_security_group - Optional Block
Enter pre created security groups for slo(Site Local Outside) and SLI(Site Local Inside) interface. Supported only for sites deployed on existing VPC
See Custom Security Group below for details.

• f5xc_security_group - Optional Block
Enable this option

• default_blocked_services - Optional Block
Enable this option

-> One of the following: • direct_connect_disabled - Optional Block
Enable this option

• direct_connect_enabled - Optional Block
Direct Connect Configuration. Direct Connect Configuration
See Direct Connect Enabled below for details.

• private_connectivity - Optional Block
X-displayName: ‘Private Connect Configuration’ Private Connect Configuration

-> One of the following: • disable_encryption - Optional Block
Configuration parameter for disable encryption

-> One of the following: • disable_internet_vip - Optional Block
Enable this option

• disk_size - Required Number
Disk size to be used for this instance in GiB. 80 is 80 GiB

-> One of the following: • egress_gateway_default - Optional Block
Configuration parameter for egress gateway default

• egress_nat_gw - Optional Block
With this option, egress site traffic will be routed through an Network Address Translation(NAT) Gateway
See Egress NAT Gw below for details.

• egress_virtual_private_gateway - Optional Block
X-displayName: ‘AWS Virtual Private Gateway choice’ With this option, egress site traffic will be routed through an Virtual Private Gateway
See Egress Virtual Private Gateway below for details.

• enable_encryption - Optional Block
Configuration parameter for enable encryption
See Enable Encryption below for details.

• enable_internet_vip - Optional Block
Enable this option

-> One of the following: • f5_orchestrated_routing - Optional Block
Enable this option

• manual_routing - Optional Block
Enable this option

-> One of the following: • ingress_egress_gw - Optional Block
Configuration parameter for ingress egress gw
See Ingress Egress Gw below for details.

• ingress_gw - Optional Block
AWS Ingress Gateway. Single interface AWS ingress site

• voltstack_cluster - Optional Block
App Stack cluster of single interface AWS nodes

• instance_type - Required String
Select Instance size based on performance needed

• kubernetes_upgrade_drain - Optional Block
Specify how worker nodes within a site will be upgraded

-> One of the following: • log_receiver - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name

• logs_streaming_disabled - Optional Block
Enable this option

-> One of the following: • no_worker_nodes - Optional Block
Configuration parameter for no worker nodes

• nodes_per_az - Optional Number
Desired Worker Nodes Per AZ. Max limit is up to 21

• offline_survivability_mode - Optional Block
Offline Survivability allows the Site to continue functioning normally without traffic loss during periods of connectivity loss to the Regional Edge (RE) or the Global Controller (GC). When this feature is enabled, a site can continue to function as is with existing configuration for upto 7

• os - Optional Block
Select the F5XC Operating System Version for the site. By default, latest available OS Version will be used. Refer to release notes to find required released OS versions

• ssh_key - Required String
Public SSH key for accessing the site

• sw - Optional Block
Select the F5XC Software Version for the site. By default, latest available F5XC Software Version will be used. Refer to release notes to find required released SW versions

• tags - Optional Block
AWS Tags is a label consisting of a user-defined key and value. It helps to manage, identify, organize, search for, and filter resources in AWS console

• timeouts - Optional Block

• total_nodes - Optional Number
Total number of worker nodes to be deployed across all AZ’s used in the Site

• vpc - Optional Block
Defines choice about AWS VPC for a view

Attributes Reference

In addition to all arguments above, the following attributes are exported:

• id - Optional String
Unique identifier for the resource

Admin Password

An admin_password block supports the following:

• blindfold_secret_info - Optional Block
X-displayName: ‘Blindfold Secret’ BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.

• blindfold_secret_info_internal - Optional Block
X-displayName: ‘Blindfold Secret’ BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info Internal below.

• clear_secret_info - Optional Block
X-displayName: ‘In-Clear Secret’ ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.

• secret_encoding_type - Optional String Defaults to EncodingNone
Possible values are EncodingNone, Encodingbase64
[Enum: EncodingNone|Encodingbase64] X-displayName: ‘Secret Encoding’ SecretEncodingType defines the encoding type of the secret before handled by the Secret Management Service. - EncodingNone: x-displayName: ‘None’ No Encoding - Encodingbase64: base64 x-displayName: ‘base64’ base64 encoding

• vault_secret_info - Optional Block
X-displayName: ‘Vault Secret’ VaultSecretInfoType specifies information about the Secret managed by Hashicorp Vault
See Vault Secret Info below.

• wingman_secret_info - Optional Block
X-displayName: ‘Wingman Secret’ WingmanSecretInfoType specifies the handle to the wingman secret
See Wingman Secret Info below.

Admin Password Blindfold Secret Info

A blindfold_secret_info block (within admin_password) supports the following:

• decryption_provider - Optional String
Name of the Secret Management Access object that contains information about the backend Secret Management service

• location - Optional String
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location

• store_provider - Optional String
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///

Admin Password Blindfold Secret Info Internal

A blindfold_secret_info_internal block (within admin_password) supports the following:

• decryption_provider - Optional String
Name of the Secret Management Access object that contains information about the backend Secret Management service

• location - Optional String
Location is the uri_ref. It could be in URL format for string:/// Or it could be a path if the store provider is an HTTP/HTTPS location

Admin Password Clear Secret Info

A clear_secret_info block (within admin_password) supports the following:

• provider_ref - Optional String
Name of the Secret Management Access object that contains information about the store to GET encrypted bytes This field needs to be provided only if the URL scheme is not string:///

• url - Optional String
URL of the secret. Currently supported URL schemes is string:///. For string:/// scheme, Secret needs to be encoded base64 format. When asked for this secret, caller will GET Secret bytes after base64 decoding

Admin Password Vault Secret Info

A vault_secret_info block (within admin_password) supports the following:

• key - Optional String
X-displayName: ‘Key’ Key of the individual secret. Vault Secrets are stored as key-value pair. If user is only interested in one value from the map, this field should be set to the corresponding key

• location - Optional String
X-displayName: ‘Location’Path to secret in Vault

• provider_ref - Optional String
X-displayName: ‘Provider’Name of the Secret Management Access object that contains information about the backend Vault

• secret_encoding - Optional String Defaults to EncodingNone
Possible values are EncodingNone, Encodingbase64
[Enum: EncodingNone|Encodingbase64] X-displayName: ‘Secret Encoding’ SecretEncodingType defines the encoding type of the secret before handled by the Secret Management Service. - EncodingNone: x-displayName: ‘None’ No Encoding - Encodingbase64: base64 x-displayName: ‘base64’ base64 encoding

• version - Optional Number
X-displayName: ‘Version’ Version of the secret to be fetched. As vault secrets are versioned, user can specify this field to fetch specific version. If not provided latest version will be returned

Admin Password Wingman Secret Info

A wingman_secret_info block (within admin_password) supports the following:

• name - Optional String
X-displayName: ‘Name’Name of the secret

AWS Cred

An aws_cred block supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Blocked Services

A blocked_services block supports the following:

• blocked_service - Optional Block
Disable Node Local Services. Blocking or denial configuration
See Blocked Service below.

Blocked Services Blocked Service

A blocked_service block (within blocked_services) supports the following:

• dns - Optional Block
Enable this option

• network_type - Optional String Defaults to VIRTUAL_NETWORK_SITE_LOCAL
Possible values are VIRTUAL_NETWORK_SITE_LOCAL, VIRTUAL_NETWORK_SITE_LOCAL_INSIDE, VIRTUAL_NETWORK_PER_SITE, VIRTUAL_NETWORK_PUBLIC, VIRTUAL_NETWORK_GLOBAL, VIRTUAL_NETWORK_SITE_SERVICE, VIRTUAL_NETWORK_VER_INTERNAL, VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE, VIRTUAL_NETWORK_IP_AUTO, VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK, VIRTUAL_NETWORK_SRV6_NETWORK, VIRTUAL_NETWORK_IP_FABRIC, VIRTUAL_NETWORK_SEGMENT, VIRTUAL_NETWORK_MANAGEMENT
[Enum: VIRTUAL_NETWORK_SITE_LOCAL|VIRTUAL_NETWORK_SITE_LOCAL_INSIDE|VIRTUAL_NETWORK_PER_SITE|VIRTUAL_NETWORK_PUBLIC|VIRTUAL_NETWORK_GLOBAL|VIRTUAL_NETWORK_SITE_SERVICE|VIRTUAL_NETWORK_VER_INTERNAL|VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE|VIRTUAL_NETWORK_IP_AUTO|VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK|VIRTUAL_NETWORK_SRV6_NETWORK|VIRTUAL_NETWORK_IP_FABRIC|VIRTUAL_NETWORK_SEGMENT|VIRTUAL_NETWORK_MANAGEMENT] Different types of virtual networks understood by the system Virtual-network of type VIRTUAL_NETWORK_SITE_LOCAL provides connectivity to public (outside) network. This is an insecure network and is connected to public internet via NAT Gateways/firwalls Virtual-network of this type is local to

• ssh - Optional Block
Enable this option

• web_user_interface - Optional Block
Enable this option

Coordinates

A coordinates block supports the following:

• latitude - Optional Number
Latitude. Latitude of the site location

• longitude - Optional Number
Longitude. Longitude of site location

Custom DNS

A custom_dns block supports the following:

• inside_nameserver - Optional String
Optional DNS server IP to be used for name resolution in inside network

• outside_nameserver - Optional String
Optional DNS server IP to be used for name resolution in outside network

Custom Security Group

A custom_security_group block supports the following:

• inside_security_group_id - Optional String
X-displayName: ‘Inside Security Group ID’ Security Group ID to be attached to SLI(Site Local Inside) Interface

• outside_security_group_id - Optional String
X-displayName: ‘Outside Security Group ID’ Security Group ID to be attached to SLO(Site Local Outside) Interface

Direct Connect Enabled

A direct_connect_enabled block supports the following:

• auto_asn - Optional Block
Enable this option

• custom_asn - Optional Number
Custom Autonomous System Number

• hosted_vifs - Optional Block
AWS Direct Connect Hosted VIF Configuration
See Hosted Vifs below.

• standard_vifs - Optional Block
Configuration parameter for standard vifs

Direct Connect Enabled Hosted Vifs

A hosted_vifs block (within direct_connect_enabled) supports the following:

• site_registration_over_direct_connect - Optional Block
CloudLink AND Network Config
See Site Registration Over Direct Connect below.

• site_registration_over_internet - Optional Block
Enable this option

• vif_list - Optional Block
List of Hosted VIF Config. List of Hosted VIF Config
See Vif List below.

Direct Connect Enabled Hosted Vifs Site Registration Over Direct Connect

Deeply nested Connect block collapsed for readability.

Direct Connect Enabled Hosted Vifs Vif List

A vif_list block (within direct_connect_enabled.hosted_vifs) supports the following:

• other_region - Optional String
Other Region

• same_as_site_region - Optional Block
Enable this option

• vif_id - Optional String
AWS Direct Connect VIF ID that needs to be connected to the site

Egress NAT Gw

An egress_nat_gw block supports the following:

• nat_gw_id - Optional String
X-displayName: ‘Existing NAT Gateway ID’

Egress Virtual Private Gateway

An egress_virtual_private_gateway block supports the following:

• vgw_id - Optional String
X-displayName: ‘Existing Virtual Private Gateway ID’

Enable Encryption

An enable_encryption block supports the following:

• kms_key_id - Optional String
AWS KMS Key to be used to encrypt the disk attached to the VM

Ingress Egress Gw

An ingress_egress_gw block supports the following:

• active_enhanced_firewall_policies - Optional Block
List of Enhanced Firewall Policies These policies use session-based rules and provide all OPTIONS available under firewall policies with an additional option for service insertion
See Active Enhanced Firewall Policies below.

• active_forward_proxy_policies - Optional Block
Ordered List of Forward Proxy Policies active
See Active Forward Proxy Policies below.

• active_network_policies - Optional Block
Configuration parameter for active network policies
See Active Network Policies below.

• allowed_vip_port - Optional Block
Defines the TCP port(s) which will be opened on the cloud loadbalancer. Such that the client can use the cloud VIP IP and port combination to reach TCP/HTTP LB configured on the F5XC Site
See Allowed VIP Port below.

• allowed_vip_port_sli - Optional Block
Defines the TCP port(s) which will be opened on the cloud loadbalancer. Such that the client can use the cloud VIP IP and port combination to reach TCP/HTTP LB configured on the F5XC Site
See Allowed VIP Port SLI below.

• aws_certified_hw - Optional String
Name for AWS certified hardware

• az_nodes - Optional Block
Only Single AZ or Three AZ(s) nodes are supported currently
See Az Nodes below.

• dc_cluster_group_inside_vn - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Dc Cluster Group Inside Vn below.

• dc_cluster_group_outside_vn - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Dc Cluster Group Outside Vn below.

• forward_proxy_allow_all - Optional Block
Configuration parameter for forward proxy allow all

• global_network_list - Optional Block
Global Network Connection List. List of global network connections
See Global Network List below.

• inside_static_routes - Optional Block
Configuration parameter for inside static routes
See Inside Static Routes below.

• no_dc_cluster_group - Optional Block
Enable this option

• no_forward_proxy - Optional Block
Configuration parameter for no forward proxy

• no_global_network - Optional Block
Configuration parameter for no global network

• no_inside_static_routes - Optional Block
Configuration parameter for no inside static routes

• no_network_policy - Optional Block
Policy configuration for this feature

• no_outside_static_routes - Optional Block
Configuration parameter for no outside static routes

• outside_static_routes - Optional Block
Configuration parameter for outside static routes
See Outside Static Routes below.

• performance_enhancement_mode - Optional Block
Optimize the site for L3 or L7 traffic processing. L7 optimized is the default
See Performance Enhancement Mode below.

• sm_connection_public_ip - Optional Block
Enable this option

• sm_connection_pvt_ip - Optional Block
Enable this option

Ingress Egress Gw Active Enhanced Firewall Policies

An active_enhanced_firewall_policies block (within ingress_egress_gw) supports the following:

• enhanced_firewall_policies - Optional Block
Ordered List of Enhanced Firewall Policies active
See Enhanced Firewall Policies below.

Ingress Egress Gw Active Enhanced Firewall Policies Enhanced Firewall Policies

Deeply nested Policies block collapsed for readability.

Ingress Egress Gw Active Forward Proxy Policies

An active_forward_proxy_policies block (within ingress_egress_gw) supports the following:

• forward_proxy_policies - Optional Block
Ordered List of Forward Proxy Policies active
See Forward Proxy Policies below.

Ingress Egress Gw Active Forward Proxy Policies Forward Proxy Policies

Deeply nested Policies block collapsed for readability.

Ingress Egress Gw Active Network Policies

An active_network_policies block (within ingress_egress_gw) supports the following:

• network_policies - Optional Block
Ordered List of Firewall Policies active for this network firewall
See Network Policies below.

Ingress Egress Gw Active Network Policies Network Policies

Deeply nested Policies block collapsed for readability.

Ingress Egress Gw Allowed VIP Port

An allowed_vip_port block (within ingress_egress_gw) supports the following:

• custom_ports - Optional Block
Custom Ports. List of Custom port
See Custom Ports below.

• disable_allowed_vip_port - Optional Block
Enable this option

• use_http_https_port - Optional Block
Enable this option

• use_http_port - Optional Block
Enable this option

• use_https_port - Optional Block
Enable this option

Ingress Egress Gw Allowed VIP Port Custom Ports

Deeply nested Ports block collapsed for readability.

Ingress Egress Gw Allowed VIP Port SLI

An allowed_vip_port_sli block (within ingress_egress_gw) supports the following:

• custom_ports - Optional Block
Custom Ports. List of Custom port
See Custom Ports below.

• disable_allowed_vip_port - Optional Block
Enable this option

• use_http_https_port - Optional Block
Enable this option

• use_http_port - Optional Block
Enable this option

• use_https_port - Optional Block
Enable this option

Ingress Egress Gw Allowed VIP Port SLI Custom Ports

Deeply nested Ports block collapsed for readability.

Ingress Egress Gw Az Nodes

An az_nodes block (within ingress_egress_gw) supports the following:

• aws_az_name - Optional String
AWS availability zone, must be consistent with the selected AWS region

• inside_subnet - Optional Block
Configuration parameter for inside subnet
See Inside Subnet below.

• outside_subnet - Optional Block
Configuration parameter for outside subnet
See Outside Subnet below.

• reserved_inside_subnet - Optional Block
Configuration parameter for reserved inside subnet

• workload_subnet - Optional Block
Configuration parameter for workload subnet
See Workload Subnet below.

Ingress Egress Gw Az Nodes Inside Subnet

An inside_subnet block (within ingress_egress_gw.az_nodes) supports the following:

• existing_subnet_id - Optional String
Information about existing subnet ID

• subnet_param - Optional Block
Parameters for creating a new cloud subnet
See Subnet Param below.

Ingress Egress Gw Az Nodes Inside Subnet Subnet Param

Deeply nested Param block collapsed for readability.

Ingress Egress Gw Az Nodes Outside Subnet

An outside_subnet block (within ingress_egress_gw.az_nodes) supports the following:

• existing_subnet_id - Optional String
Information about existing subnet ID

• subnet_param - Optional Block
Parameters for creating a new cloud subnet
See Subnet Param below.

Ingress Egress Gw Az Nodes Outside Subnet Subnet Param

Deeply nested Param block collapsed for readability.

Ingress Egress Gw Az Nodes Workload Subnet

A workload_subnet block (within ingress_egress_gw.az_nodes) supports the following:

• existing_subnet_id - Optional String
Information about existing subnet ID

• subnet_param - Optional Block
Parameters for creating a new cloud subnet
See Subnet Param below.

Ingress Egress Gw Az Nodes Workload Subnet Subnet Param

Deeply nested Param block collapsed for readability.

Ingress Egress Gw Dc Cluster Group Inside Vn

Deeply nested Vn block collapsed for readability.

Ingress Egress Gw Dc Cluster Group Outside Vn

Deeply nested Vn block collapsed for readability.

Ingress Egress Gw Global Network List

A global_network_list block (within ingress_egress_gw) supports the following:

• global_network_connections - Optional Block
Global network connections
See Global Network Connections below.

Ingress Egress Gw Global Network List Global Network Connections

Deeply nested Connections block collapsed for readability.

Ingress Egress Gw Global Network List Global Network Connections SLI To Global DR

Deeply nested DR block collapsed for readability.

Ingress Egress Gw Global Network List Global Network Connections SLI To Global DR Global Vn

Deeply nested Vn block collapsed for readability.

Ingress Egress Gw Global Network List Global Network Connections Slo To Global DR

Deeply nested DR block collapsed for readability.

Ingress Egress Gw Global Network List Global Network Connections Slo To Global DR Global Vn

Deeply nested Vn block collapsed for readability.

Ingress Egress Gw Inside Static Routes

An inside_static_routes block (within ingress_egress_gw) supports the following:

• static_route_list - Optional Block
List of Static Routes. List of Static routes
See Static Route List below.

Ingress Egress Gw Inside Static Routes Static Route List

Deeply nested List block collapsed for readability.

Ingress Egress Gw Inside Static Routes Static Route List Custom Static Route

Deeply nested Route block collapsed for readability.

Ingress Egress Gw Inside Static Routes Static Route List Custom Static Route Nexthop

Deeply nested Nexthop block collapsed for readability.

Ingress Egress Gw Inside Static Routes Static Route List Custom Static Route Nexthop Interface

Deeply nested Interface block collapsed for readability.

Ingress Egress Gw Inside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address

Deeply nested Address block collapsed for readability.

Ingress Egress Gw Inside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv4

Deeply nested IPv4 block collapsed for readability.

Ingress Egress Gw Inside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv6

Deeply nested IPv6 block collapsed for readability.

Ingress Egress Gw Inside Static Routes Static Route List Custom Static Route Subnets

Deeply nested Subnets block collapsed for readability.

Ingress Egress Gw Inside Static Routes Static Route List Custom Static Route Subnets IPv4

Deeply nested IPv4 block collapsed for readability.

Ingress Egress Gw Inside Static Routes Static Route List Custom Static Route Subnets IPv6

Deeply nested IPv6 block collapsed for readability.

Ingress Egress Gw Outside Static Routes

An outside_static_routes block (within ingress_egress_gw) supports the following:

• static_route_list - Optional Block
List of Static Routes. List of Static routes
See Static Route List below.

Ingress Egress Gw Outside Static Routes Static Route List

Deeply nested List block collapsed for readability.

Ingress Egress Gw Outside Static Routes Static Route List Custom Static Route

Deeply nested Route block collapsed for readability.

Ingress Egress Gw Outside Static Routes Static Route List Custom Static Route Nexthop

Deeply nested Nexthop block collapsed for readability.

Ingress Egress Gw Outside Static Routes Static Route List Custom Static Route Nexthop Interface

Deeply nested Interface block collapsed for readability.

Ingress Egress Gw Outside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address

Deeply nested Address block collapsed for readability.

Ingress Egress Gw Outside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv4

Deeply nested IPv4 block collapsed for readability.

Ingress Egress Gw Outside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv6

Deeply nested IPv6 block collapsed for readability.

Ingress Egress Gw Outside Static Routes Static Route List Custom Static Route Subnets

Deeply nested Subnets block collapsed for readability.

Ingress Egress Gw Outside Static Routes Static Route List Custom Static Route Subnets IPv4

Deeply nested IPv4 block collapsed for readability.

Ingress Egress Gw Outside Static Routes Static Route List Custom Static Route Subnets IPv6

Deeply nested IPv6 block collapsed for readability.

Ingress Egress Gw Performance Enhancement Mode

A performance_enhancement_mode block (within ingress_egress_gw) supports the following:

• perf_mode_l3_enhanced - Optional Block
Configuration parameter for perf mode l3 enhanced
See Perf Mode L3 Enhanced below.

• perf_mode_l7_enhanced - Optional Block
Configuration parameter for perf mode l7 enhanced

Ingress Egress Gw Performance Enhancement Mode Perf Mode L3 Enhanced

Deeply nested Enhanced block collapsed for readability.

Ingress Gw

An ingress_gw block supports the following:

• aws_certified_hw - Optional String
Name for AWS certified hardware

• az_nodes - Optional Block
Only Single AZ or Three AZ(s) nodes are supported currently
See Az Nodes below.

• performance_enhancement_mode - Optional Block
Optimize the site for L3 or L7 traffic processing. L7 optimized is the default
See Performance Enhancement Mode below.

Ingress Gw Allowed VIP Port

An allowed_vip_port block (within ingress_gw) supports the following:

• custom_ports - Optional Block
Custom Ports. List of Custom port
See Custom Ports below.

• disable_allowed_vip_port - Optional Block
Enable this option

• use_http_https_port - Optional Block
Enable this option

• use_http_port - Optional Block
Enable this option

• use_https_port - Optional Block
Enable this option

Ingress Gw Allowed VIP Port Custom Ports

A custom_ports block (within ingress_gw.allowed_vip_port) supports the following:

• port_ranges - Optional String
Port Ranges. Port Ranges

Ingress Gw Az Nodes

An az_nodes block (within ingress_gw) supports the following:

• aws_az_name - Optional String
AWS availability zone, must be consistent with the selected AWS region

• local_subnet - Optional Block
Configuration parameter for local subnet
See Local Subnet below.

Ingress Gw Az Nodes Local Subnet

A local_subnet block (within ingress_gw.az_nodes) supports the following:

• existing_subnet_id - Optional String
Information about existing subnet ID

• subnet_param - Optional Block
Parameters for creating a new cloud subnet
See Subnet Param below.

Ingress Gw Az Nodes Local Subnet Subnet Param

Deeply nested Param block collapsed for readability.

Ingress Gw Performance Enhancement Mode

A performance_enhancement_mode block (within ingress_gw) supports the following:

• perf_mode_l3_enhanced - Optional Block
Configuration parameter for perf mode l3 enhanced
See Perf Mode L3 Enhanced below.

• perf_mode_l7_enhanced - Optional Block
Configuration parameter for perf mode l7 enhanced

Ingress Gw Performance Enhancement Mode Perf Mode L3 Enhanced

Deeply nested Enhanced block collapsed for readability.

Kubernetes Upgrade Drain

A kubernetes_upgrade_drain block supports the following:

• disable_upgrade_drain - Optional Block
Configuration parameter for disable upgrade drain

• enable_upgrade_drain - Optional Block
Specify batch upgrade settings for worker nodes within a site
See Enable Upgrade Drain below.

Kubernetes Upgrade Drain Enable Upgrade Drain

An enable_upgrade_drain block (within kubernetes_upgrade_drain) supports the following:

• disable_vega_upgrade_mode - Optional Block
Configuration parameter for disable vega upgrade mode

• drain_max_unavailable_node_count - Optional Number
Node Batch Size Count

• drain_node_timeout - Optional Number
Seconds to wait before initiating upgrade on the next set of nodes. Setting it to 0 will wait indefinitely for all services on nodes to be upgraded gracefully before proceeding to the next set of nodes. (Warning: It may block upgrade if services on a node cannot be gracefully upgraded. It is

• enable_vega_upgrade_mode - Optional Block
Configuration parameter for enable vega upgrade mode

Log Receiver

A log_receiver block supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Offline Survivability Mode

An offline_survivability_mode block supports the following:

• enable_offline_survivability_mode - Optional Block
Configuration parameter for enable offline survivability mode

• no_offline_survivability_mode - Optional Block
Configuration parameter for no offline survivability mode

OS

An os block supports the following:

• default_os_version - Optional Block
Enable this option

• operating_system_version - Optional String
Specify a OS version to be used e.g. 9.2024.6

Private Connectivity

A private_connectivity block supports the following:

• cloud_link - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Cloud Link below.

• inside - Optional Block
Enable this option

• outside - Optional Block
Enable this option

Private Connectivity Cloud Link

A cloud_link block (within private_connectivity) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Sw

A sw block supports the following:

• default_sw_version - Optional Block
Enable this option

• volterra_software_version - Optional String
Specify a F5XC Software Version to be used e.g. Crt-20210329-1002

Timeouts

A timeouts block supports the following:

• create - Optional String (Defaults to 30 minutes)
Used when creating the resource

• delete - Optional String (Defaults to 30 minutes)
Used when deleting the resource

• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource

• update - Optional String (Defaults to 30 minutes)
Used when updating the resource

Voltstack Cluster

A voltstack_cluster block supports the following:

• active_forward_proxy_policies - Optional Block
Ordered List of Forward Proxy Policies active
See Active Forward Proxy Policies below.

• active_network_policies - Optional Block
Configuration parameter for active network policies
See Active Network Policies below.

• aws_certified_hw - Optional String
Name for AWS certified hardware

• az_nodes - Optional Block
Only Single AZ or Three AZ(s) nodes are supported currently
See Az Nodes below.

• dc_cluster_group - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Dc Cluster Group below.

• default_storage - Optional Block
Configuration parameter for default storage

• forward_proxy_allow_all - Optional Block
Configuration parameter for forward proxy allow all

• global_network_list - Optional Block
Global Network Connection List. List of global network connections
See Global Network List below.

• k8s_cluster - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See K8S Cluster below.

• no_dc_cluster_group - Optional Block
Enable this option

• no_forward_proxy - Optional Block
Configuration parameter for no forward proxy

• no_global_network - Optional Block
Configuration parameter for no global network

• no_k8s_cluster - Optional Block
Enable this option

• no_network_policy - Optional Block
Policy configuration for this feature

• no_outside_static_routes - Optional Block
Configuration parameter for no outside static routes

• outside_static_routes - Optional Block
Configuration parameter for outside static routes
See Outside Static Routes below.

• sm_connection_public_ip - Optional Block
Enable this option

• sm_connection_pvt_ip - Optional Block
Enable this option

• storage_class_list - Optional Block
Add additional custom storage classes in Kubernetes for this site
See Storage Class List below.

Voltstack Cluster Active Enhanced Firewall Policies

An active_enhanced_firewall_policies block (within voltstack_cluster) supports the following:

• enhanced_firewall_policies - Optional Block
Ordered List of Enhanced Firewall Policies active
See Enhanced Firewall Policies below.

Voltstack Cluster Active Enhanced Firewall Policies Enhanced Firewall Policies

Deeply nested Policies block collapsed for readability.

Voltstack Cluster Active Forward Proxy Policies

An active_forward_proxy_policies block (within voltstack_cluster) supports the following:

• forward_proxy_policies - Optional Block
Ordered List of Forward Proxy Policies active
See Forward Proxy Policies below.

Voltstack Cluster Active Forward Proxy Policies Forward Proxy Policies

Deeply nested Policies block collapsed for readability.

Voltstack Cluster Active Network Policies

An active_network_policies block (within voltstack_cluster) supports the following:

• network_policies - Optional Block
Ordered List of Firewall Policies active for this network firewall
See Network Policies below.

Voltstack Cluster Active Network Policies Network Policies

A network_policies block (within voltstack_cluster.active_network_policies) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Voltstack Cluster Allowed VIP Port

An allowed_vip_port block (within voltstack_cluster) supports the following:

• custom_ports - Optional Block
Custom Ports. List of Custom port
See Custom Ports below.

• disable_allowed_vip_port - Optional Block
Enable this option

• use_http_https_port - Optional Block
Enable this option

• use_http_port - Optional Block
Enable this option

• use_https_port - Optional Block
Enable this option

Voltstack Cluster Allowed VIP Port Custom Ports

A custom_ports block (within voltstack_cluster.allowed_vip_port) supports the following:

• port_ranges - Optional String
Port Ranges. Port Ranges

Voltstack Cluster Az Nodes

An az_nodes block (within voltstack_cluster) supports the following:

• aws_az_name - Optional String
AWS availability zone, must be consistent with the selected AWS region

• local_subnet - Optional Block
Configuration parameter for local subnet
See Local Subnet below.

Voltstack Cluster Az Nodes Local Subnet

A local_subnet block (within voltstack_cluster.az_nodes) supports the following:

• existing_subnet_id - Optional String
Information about existing subnet ID

• subnet_param - Optional Block
Parameters for creating a new cloud subnet
See Subnet Param below.

Voltstack Cluster Az Nodes Local Subnet Subnet Param

Deeply nested Param block collapsed for readability.

Voltstack Cluster Dc Cluster Group

A dc_cluster_group block (within voltstack_cluster) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Voltstack Cluster Global Network List

A global_network_list block (within voltstack_cluster) supports the following:

• global_network_connections - Optional Block
Global network connections
See Global Network Connections below.

Voltstack Cluster Global Network List Global Network Connections

Deeply nested Connections block collapsed for readability.

Voltstack Cluster Global Network List Global Network Connections SLI To Global DR

Deeply nested DR block collapsed for readability.

Voltstack Cluster Global Network List Global Network Connections SLI To Global DR Global Vn

Deeply nested Vn block collapsed for readability.

Voltstack Cluster Global Network List Global Network Connections Slo To Global DR

Deeply nested DR block collapsed for readability.

Voltstack Cluster Global Network List Global Network Connections Slo To Global DR Global Vn

Deeply nested Vn block collapsed for readability.

Voltstack Cluster K8S Cluster

A k8s_cluster block (within voltstack_cluster) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Voltstack Cluster Outside Static Routes

An outside_static_routes block (within voltstack_cluster) supports the following:

• static_route_list - Optional Block
List of Static Routes. List of Static routes
See Static Route List below.

Voltstack Cluster Outside Static Routes Static Route List

Deeply nested List block collapsed for readability.

Voltstack Cluster Outside Static Routes Static Route List Custom Static Route

Deeply nested Route block collapsed for readability.

Voltstack Cluster Outside Static Routes Static Route List Custom Static Route Nexthop

Deeply nested Nexthop block collapsed for readability.

Voltstack Cluster Outside Static Routes Static Route List Custom Static Route Nexthop Interface

Deeply nested Interface block collapsed for readability.

Voltstack Cluster Outside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address

Deeply nested Address block collapsed for readability.

Voltstack Cluster Outside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv4

Deeply nested IPv4 block collapsed for readability.

Voltstack Cluster Outside Static Routes Static Route List Custom Static Route Nexthop Nexthop Address IPv6

Deeply nested IPv6 block collapsed for readability.

Voltstack Cluster Outside Static Routes Static Route List Custom Static Route Subnets

Deeply nested Subnets block collapsed for readability.

Voltstack Cluster Outside Static Routes Static Route List Custom Static Route Subnets IPv4

Deeply nested IPv4 block collapsed for readability.

Voltstack Cluster Outside Static Routes Static Route List Custom Static Route Subnets IPv6

Deeply nested IPv6 block collapsed for readability.

Voltstack Cluster Storage Class List

A storage_class_list block (within voltstack_cluster) supports the following:

• storage_classes - Optional Block
List of Storage Classes. List of custom storage classes
See Storage Classes below.

Voltstack Cluster Storage Class List Storage Classes

A storage_classes block (within voltstack_cluster.storage_class_list) supports the following:

• default_storage_class - Optional Bool
Make this storage class default storage class for the K8S cluster

• storage_class_name - Optional String
Name of the storage class as it will appear in K8S

VPC

A vpc block supports the following:

• new_vpc - Optional Block
X-displayName: ‘AWS VPC Parameters’ Parameters to create new AWS VPC
See New VPC below.

• vpc_id - Optional String
Information about existing VPC ID

VPC New VPC

A new_vpc block (within vpc) supports the following:

• allocate_ipv6 - Optional Bool
X-displayName: ‘Allocate IPv6 CIDR block from AWS’ Allocate IPv6 CIDR block from AWS

• autogenerate - Optional Block
Configuration parameter for autogenerate

• name_tag - Optional String
Specify the VPC Name

• primary_ipv4 - Optional String
IPv4 CIDR block for this VPC. It has to be private address space. The Primary IPv4 block cannot be modified. All subnets prefixes in this VPC must be part of this CIDR block

Common Types

The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.

Object Reference {#common-object-reference}

Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.

Field	Type	Description
`name`	String	Name of the referenced object
`namespace`	String	Namespace containing the referenced object
`tenant`	String	Tenant of the referenced object (system-managed)

Transformers {#common-transformers}

Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.

Value	Description
`LOWER_CASE`	Convert to lowercase
`UPPER_CASE`	Convert to uppercase
`BASE64_DECODE`	Decodebase64 content
`NORMALIZE_PATH`	Normalize URL path
`REMOVE_WHITESPACE`	Remove whitespace characters
`URL_DECODE`	Decode URL-encoded characters
`TRIM_LEFT`	Trim leading whitespace
`TRIM_RIGHT`	Trim trailing whitespace
`TRIM`	Trim both leading and trailing whitespace

HTTP Methods {#common-http-methods}

HTTP methods used for request matching.

Value	Description
`ANY`	Match any HTTP method
`GET`	HTTP GET request
`HEAD`	HTTP HEAD request
`POST`	HTTP POST request
`PUT`	HTTP PUT request
`DELETE`	HTTP DELETE request
`CONNECT`	HTTP CONNECT request
`OPTIONS`	HTTP OPTIONS request
`TRACE`	HTTP TRACE request
`PATCH`	HTTP PATCH request
`COPY`	HTTP COPY request (WebDAV)

TLS Fingerprints {#common-tls-fingerprints}

TLS fingerprint categories for malicious client detection.

Value	Description
`TLS_FINGERPRINT_NONE`	No fingerprint matching
`ANY_MALICIOUS_FINGERPRINT`	Match any known malicious fingerprint
`ADWARE`	Adware-associated fingerprints
`DRIDEX`	Dridex malware fingerprints
`GOOTKIT`	Gootkit malware fingerprints
`RANSOMWARE`	Ransomware-associated fingerprints
`TRICKBOT`	Trickbot malware fingerprints

IP Threat Categories {#common-ip-threat-categories}

IP address threat categories for security filtering.

Value	Description
`SPAM_SOURCES`	Known spam sources
`WINDOWS_EXPLOITS`	Windows exploit sources
`WEB_ATTACKS`	Web attack sources
`BOTNETS`	Known botnet IPs
`SCANNERS`	Network scanner IPs
`REPUTATION`	Poor reputation IPs
`PHISHING`	Phishing-related IPs
`PROXY`	Anonymous proxy IPs
`MOBILE_THREATS`	Mobile threat sources
`TOR_PROXY`	Tor exit nodes
`DENIAL_OF_SERVICE`	DoS attack sources
`NETWORK`	Known bad network ranges

Import

Import is supported using the following syntax:

# Import using namespace/name format
terraform import f5xc_aws_vpc_site.example system/example