f5xc_cluster Resource - terraform-provider-f5xc
f5xc_cluster (Resource)
Manages a Cluster in F5 Distributed Cloud. Creating this resource creates the object in the storage backend for the namespace given by metadata.namespace.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage
```hcl
# Cluster Resource Example
# Manages a Cluster in F5 Distributed Cloud: creates the object in the storage
# backend for the namespace metadata.namespace.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Cluster configuration
resource "f5xc_cluster" "example" {
  name      = "example-cluster"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Resource-specific configuration
  # [OneOf: auto_http_config, http1_config, http2_options] En...
  auto_http_config {
    # Configure auto_http_config settings
  }

  # CircuitBreaker provides a mechanism for watching failures...
  circuit_breaker {
    # Configure circuit_breaker settings
  }

  # List of key-value pairs that define default subset. This ...
  default_subset {
    # Configure default_subset settings
  }
}
```
Argument Reference
🔶 High Risk Operations — Some operations on this resource have a high danger level. Destructive operations may require confirmation.
Metadata Argument Reference
• name - Required String
Name of the Cluster. Must be unique within the namespace
• namespace - Required String
Namespace where the Cluster will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
-> One of the following:
• auto_http_config - Optional Block
Enable this option
• http1_config - Optional Block
HTTP/1.1 Protocol OPTIONS for upstream connections
See Http1 Config below for details.
• http2_options - Optional Block
Http2 Protocol OPTIONS for upstream connections
See Http2 Options below for details.
• circuit_breaker - Optional Block
CircuitBreaker provides a mechanism for watching failures in upstream connections or requests and if the failures reach a certain threshold, automatically fail subsequent requests which allows to apply back pressure on downstream quickly
See Circuit Breaker below for details.
• connection_timeout - Required Number Defaults to 2, specified in milliseconds
The timeout for new network connections to endpoints in the cluster. The seconds
• default_subset - Optional Block
List of key-value pairs that define default subset. This subset can be referred in fallback_policy which gets used when route specifies no metadata or no subset matching the metadata exists
-> One of the following:
• disable_proxy_protocol - Optional Block
Configuration parameter for disable proxy protocol
• proxy_protocol_v1 - Optional Block
Configuration parameter for proxy protocol v1
• endpoint_selection - Required String Defaults to DISTRIBUTED
Possible values are DISTRIBUTED, LOCAL_ONLY, LOCAL_PREFERRED
[Enum: DISTRIBUTED|LOCAL_ONLY|LOCAL_PREFERRED] Policy for selection of endpoints from the local site, remote sites, or both. DISTRIBUTED: consider both remote and local endpoints for load balancing. LOCAL_ONLY: consider only local endpoints for load balancing; enable this policy to load balance ONLY among locally discovered endpoints. LOCAL_PREFERRED: prefer the local endpoints for
• endpoint_subsets - Optional Block
Configure endpoint groups based on metadata labels for traffic routing. Supports weighted distribution and session affinity across labeled endpoints
See Endpoint Subsets below for details.
• endpoints - Optional Block
List of endpoints for this cluster
See Endpoints below for details.
• fallback_policy - Required String Defaults to NO_FALLBACK
Possible values are NO_FALLBACK, ANY_ENDPOINT, DEFAULT_SUBSET
[Enum: NO_FALLBACK|ANY_ENDPOINT|DEFAULT_SUBSET] Enumeration for SubsetFallbackPolicy, applied if no subset match is found. NO_FALLBACK: the request fails as if the cluster had no endpoint matching the subset policy. ANY_ENDPOINT: any cluster endpoint may be selected if the cluster had no endpoint matching the subset policy. DEFAULT_SUBSET: load balancing is done over endpoints matching
• health_checks - Optional Block
Health check configuration for backend monitoring
See Health Checks below for details.
• http_idle_timeout - Required Number
The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed
• loadbalancer_algorithm - Required String Defaults to ROUND_ROBIN
Possible values are ROUND_ROBIN, LEAST_REQUEST, RING_HASH, RANDOM, LB_OVERRIDE
[Enum: ROUND_ROBIN|LEAST_REQUEST|RING_HASH|RANDOM|LB_OVERRIDE] The load balancing algorithms supported. When a connection to an endpoint in an upstream cluster is required, the load balancer uses loadbalancer_algorithm to determine which host is selected. ROUND_ROBIN: policy in which each healthy/available upstream endpoint is selected in
-> One of the following:
• max_requests_per_connection - Optional Number
Sets the maximum number of requests allowed per connection to the origin server. Enter a value >=1 to define the request limit per connection
-> One of the following:
• no_panic_threshold - Optional Block
Configuration parameter for no panic threshold
• no_request_limit_per_connection - Optional Block
Configuration parameter for no request limit per connection
• outlier_detection - Optional Block
Outlier detection and ejection is the process of dynamically determining whether some number of hosts in an upstream cluster are performing unlike the others and removing them from the healthy load balancing set. Outlier detection is a form of passive health checking. Algorithm 1
See Outlier Detection below for details.
• panic_threshold - Optional Number
Configure a threshold (percentage of unhealthy endpoints) below which all endpoints will be considered for loadbalancing ignoring its health status
• proxy_protocol_v2 - Optional Block
Configuration parameter for proxy protocol v2
• timeouts - Optional Block
See Timeouts below for details.
• tls_parameters - Optional Block
TLS configuration for upstream connections
See TLS Parameters below for details.
• upstream_conn_pool_reuse_type - Optional Block
Select upstream connection pool reuse state for every downstream connection. This configuration choice is for HTTP(S) LB only
See Upstream Conn Pool Reuse Type below for details.
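The following configuration exercises the circuit_breaker, outlier_detection and tls_parameters arguments from this reference together, added here as an illustration and not taken from the provider's own documentation. The object names (api-origin, api-healthcheck), the SNI hostname and the CA file path are constructed placeholders, and block versus attribute syntax is assumed to follow the Block/List/String typing given above.

```hcl
terraform {
  required_providers {
    f5xc = {
      source = "f5xc-salesdemos/f5xc"
    }
  }
}

# Hypothetical cluster fronting an internal API origin. All names below
# are constructed placeholders, not values from any real tenant.
resource "f5xc_cluster" "api_hardened" {
  name      = "api-hardened"
  namespace = "staging"

  # Object references in name/namespace form; tenant is filled in by the
  # platform (see Object Reference under Common Types).
  endpoints {
    name      = "api-origin"      # placeholder endpoint object
    namespace = "staging"
  }
  health_checks {
    name      = "api-healthcheck" # placeholder healthcheck object
    namespace = "staging"
  }

  endpoint_selection     = "LOCAL_PREFERRED"
  fallback_policy        = "NO_FALLBACK"   # no subset match fails the request instead of spraying traffic
  loadbalancer_algorithm = "LEAST_REQUEST"
  connection_timeout     = 2000            # milliseconds
  http_idle_timeout      = 60000           # close pooled connections idle for 60 s

  # Back pressure: cap outstanding work so one slow origin cannot absorb
  # every proxy worker. Limits apply per priority class.
  circuit_breaker {
    priority         = "DEFAULT"
    connection_limit = 1024   # TCP / HTTP/1.1 connections across all hosts
    pending_requests = 256    # queued requests waiting for a pool connection
    max_requests     = 1024   # outstanding requests (HTTP/2)
    retries          = 3      # outstanding retries across all hosts
  }

  # Passive health checking: eject endpoints that keep failing, for
  # progressively longer periods, without ever ejecting the whole cluster.
  outlier_detection {
    consecutive_5xx             = 5
    consecutive_gateway_failure = 3
    interval                    = 10000 # ms between ejection sweeps
    base_ejection_time          = 30000 # ms, multiplied by the ejection count
    max_ejection_percent        = 50    # at least one host is still ejected if exceeded
  }

  # Upstream TLS: fix the protocol floor and keep hostname verification on.
  tls_parameters {
    sni = "api.internal.example" # placeholder SNI sent to the origin

    common_params {
      minimum_protocol_version = "TLSv1_2"
      maximum_protocol_version = "TLS_AUTO"
      cipher_suites = [
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      ]

      validation_params {
        # The weak setting here would be skip_hostname_verification = true,
        # which accepts any certificate chaining to the trust store.
        skip_hostname_verification = false
        verify_subject_alt_names   = ["api.internal.example"]
        # Inline root CA certificate; the file path is a constructed placeholder.
        trusted_ca_url = file("${path.module}/origin-root-ca.pem")
      }
    }
  }
}
```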
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Circuit Breaker
A circuit_breaker block supports the following:
• connection_limit - Optional Number
The maximum number of connections that the load balancer will establish to all hosts in an upstream cluster. In practice this is only applicable to TCP and HTTP/1.1 clusters, since HTTP/2 uses a single connection to each host. Remove endpoint out of load balancing decision if number of connections
• max_requests - Optional Number
The maximum number of requests that can be outstanding to all hosts in a cluster at any given time. In practice this is applicable to HTTP/2 clusters, since HTTP/1.1 clusters are governed by the maximum number of connections (connection_limit). Remove endpoint out of load balancing decision if requests
• pending_requests - Optional Number
The maximum number of requests that will be queued while waiting for a ready connection pool connection. Since HTTP/2 requests are sent over a single connection, this circuit breaker only comes into play as the initial connection is created, as requests will be multiplexed immediately
• priority - Optional String Defaults to DEFAULT
Possible values are DEFAULT, HIGH
[Enum: DEFAULT|HIGH] Priority routing for each request. Different connection pools are used based on the priority selected for the request. Also, the circuit-breaker configuration at the destination cluster is chosen based on the selected priority
• retries - Optional Number
The maximum number of retries that can be outstanding to all hosts in a cluster at any given time. Remove endpoint out of load balancing decision, if retries for request exceed this count
Endpoint Subsets
An endpoint_subsets block supports the following:
• keys - Optional List
List of keys that define a cluster subset class
Endpoints
An endpoints block supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then kind will hold the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then uid will hold the referred object’s (e.g. Route’s) uid
Health Checks
A health_checks block supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then kind will hold the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then uid will hold the referred object’s (e.g. Route’s) uid
Http1 Config
A http1_config block supports the following:
• header_transformation - Optional Block
Header Transformation OPTIONS for HTTP/1.1 request/response headers
See Header Transformation below.
Http1 Config Header Transformation
A header_transformation block (within http1_config) supports the following:
• default_header_transformation - Optional Block
Enable this option
• legacy_header_transformation - Optional Block
Enable this option
• preserve_case_header_transformation - Optional Block
Enable this option
• proper_case_header_transformation - Optional Block
Enable this option
Http2 Options
A http2_options block supports the following:
• enabled - Optional Bool
Enable/disable HTTP2 Protocol for upstream connections
Outlier Detection
An outlier_detection block supports the following:
• base_ejection_time - Optional Number
The base time that a host is ejected for. The real time is equal to the base time multiplied by the number of times the host has been ejected. This causes hosts to get ejected for longer periods if they continue to fail
• consecutive_5xx - Optional Number
If an upstream endpoint returns some number of consecutive 5xx responses, it will be ejected. Note that in this case a 5xx means an actual 5xx response code, or an event that would cause the HTTP router to return one on the upstream’s behalf (reset, connection failure, etc.). consecutive_5xx indicates the
• consecutive_gateway_failure - Optional Number
If an upstream endpoint returns some number of consecutive “gateway errors” (502, 503 or 504 status code), it will be ejected. Note that this includes events that would cause the HTTP router to return one of these status codes on the upstream’s behalf (reset, connection failure, etc.)
• interval - Optional Number Defaults to 10000ms
The time interval between ejection analysis sweeps. This can result in both new ejections as well as endpoints being returned to service
• max_ejection_percent - Optional Number Defaults to 10%
The maximum % of an upstream cluster that can be ejected due to outlier detection, but at least one host will be ejected regardless of the value
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
TLS Parameters
A tls_parameters block supports the following:
• cert_params - Optional Block
Certificate Parameters for authentication, TLS ciphers, and trust store
See Cert Params below.
• common_params - Optional Block
Information of different aspects for TLS authentication related to ciphers, certificates and trust store
See Common Params below.
• default_session_key_caching - Optional Block
Configuration parameter for default session key caching
• disable_session_key_caching - Optional Block
Configuration parameter for disable session key caching
• disable_sni - Optional Block
Configuration parameter for disable sni
• max_session_keys - Optional Number
Number of session keys that are cached
• sni - Optional String
SNI value to be used
• use_host_header_as_sni - Optional Block
Enable this option
TLS Parameters Cert Params
A cert_params block (within tls_parameters) supports the following:
• certificates - Optional Block
Client TLS Certificate required for mTLS authentication
See Certificates below.
• cipher_suites - Optional List
The following list specifies the supported cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• maximum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is an enumeration of supported TLS versions. With TLS_AUTO, F5 Distributed Cloud will choose the optimal TLS version
• minimum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is an enumeration of supported TLS versions. With TLS_AUTO, F5 Distributed Cloud will choose the optimal TLS version
• validation_params - Optional Block
Includes URL for a trust store, whether SAN verification is required and list of Subject Alt Names for verification
See Validation Params below.
TLS Parameters Cert Params Certificates
A certificates block (within tls_parameters.cert_params) supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then kind will hold the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then uid will hold the referred object’s (e.g. Route’s) uid
TLS Parameters Cert Params Validation Params
A validation_params block (within tls_parameters.cert_params) supports the following:
• skip_hostname_verification - Optional Bool
When true, hostname verification is skipped, i.e. the CN/Subject Alt Name of the certificate is not matched against the connecting hostname
• trusted_ca - Optional Block
Root CA Certificate Reference. Reference to Root CA Certificate
See Trusted CA below.
• trusted_ca_url - Optional String
Inline Root CA Certificate
• verify_subject_alt_names - Optional List
List of acceptable Subject Alt Names/CN in the peer’s certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer’s certificate
TLS Parameters Cert Params Validation Params Trusted CA
Deeply nested CA block collapsed for readability.
TLS Parameters Cert Params Validation Params Trusted CA Trusted CA List
Deeply nested List block collapsed for readability.
TLS Parameters Common Params
A common_params block (within tls_parameters) supports the following:
• cipher_suites - Optional List
The following list specifies the supported cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• maximum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is an enumeration of supported TLS versions. With TLS_AUTO, F5 Distributed Cloud will choose the optimal TLS version
• minimum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is an enumeration of supported TLS versions. With TLS_AUTO, F5 Distributed Cloud will choose the optimal TLS version
• tls_certificates - Optional Block
TLS Certificates. Set of TLS certificates
See TLS Certificates below.
• validation_params - Optional Block
Includes URL for a trust store, whether SAN verification is required and list of Subject Alt Names for verification
See Validation Params below.
TLS Parameters Common Params TLS Certificates
A tls_certificates block (within tls_parameters.common_params) supports the following:
• certificate_url - Optional String
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers
• custom_hash_algorithms - Optional Block
Specifies the hash algorithms to be used
See Custom Hash Algorithms below.
• description_spec - Optional String
Description. Description for the certificate
• disable_ocsp_stapling - Optional Block
Configuration parameter for disable OCSP stapling
• private_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Private Key below.
• use_system_defaults - Optional Block
Configuration parameter for use system defaults
TLS Parameters Common Params TLS Certificates Custom Hash Algorithms
Deeply nested Algorithms block collapsed for readability.
TLS Parameters Common Params TLS Certificates Private Key
Deeply nested Key block collapsed for readability.
TLS Parameters Common Params TLS Certificates Private Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
TLS Parameters Common Params TLS Certificates Private Key Clear Secret Info
Deeply nested Info block collapsed for readability.
TLS Parameters Common Params Validation Params
A validation_params block (within tls_parameters.common_params) supports the following:
• skip_hostname_verification - Optional Bool
When true, hostname verification is skipped, i.e. the CN/Subject Alt Name of the certificate is not matched against the connecting hostname
• trusted_ca - Optional Block
Root CA Certificate Reference. Reference to Root CA Certificate
See Trusted CA below.
• trusted_ca_url - Optional String
Inline Root CA Certificate
• verify_subject_alt_names - Optional List
List of acceptable Subject Alt Names/CN in the peer’s certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer’s certificate
TLS Parameters Common Params Validation Params Trusted CA
Deeply nested CA block collapsed for readability.
TLS Parameters Common Params Validation Params Trusted CA Trusted CA List
Deeply nested List block collapsed for readability.
Upstream Conn Pool Reuse Type
An upstream_conn_pool_reuse_type block supports the following:
• disable_conn_pool_reuse - Optional Block
Configuration parameter for disable conn pool reuse
• enable_conn_pool_reuse - Optional Block
Configuration parameter for enable conn pool reuse
Common Types
The following type definitions are used throughout this resource. Each full definition is given here rather than repeated inline.
Object Reference
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
HTTP Methods
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:
```shell
# Import using namespace/name format
terraform import f5xc_cluster.example system/example
```