f5xc_enhanced_firewall_policy Resource - terraform-provider-f5xc

f5xc_enhanced_firewall_policy (Resource)

Manages an Enhanced Firewall Policy resource in F5 Distributed Cloud for enhanced firewall policy specification. configuration.

~> Note For more information about this resource, please refer to the F5 XC API Documentation.

Example Usage

# Enhanced Firewall Policy Resource Example
# Manages an Enhanced Firewall Policy resource in F5 Distributed Cloud for enhanced firewall policy specification. configuration.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Enhanced Firewall Policy configuration
resource "f5xc_enhanced_firewall_policy" "example" {
  name      = "example-enhanced-firewall-policy"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Enhanced Firewall Policy configuration
  rule_list {
    rules {
      metadata {
        name = "allow-web-traffic"
      }
      allow {}
      advanced_action {
        action = "LOG"
      }
      source_prefix_list {
        ip_prefix_set {
          name      = "trusted-ips"
          namespace = "staging"
        }
      }
      all_traffic {}
    }
  }
}

# The following optional fields have server-applied defaults and can be omitted:
# - allow_all

Argument Reference

🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.

Minimum Configuration

Required fields:

• name
• namespace

Example (API format):

metadata:
  name: my-efp
  namespace: default
spec: {}

Metadata Argument Reference

• name - Required String
Name of the Enhanced Firewall Policy. Must be unique within the namespace

• namespace - Required String
Namespace where the Enhanced Firewall Policy will be created

• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata

• description - Optional String
Human readable description for the object

• disable - Optional Bool
A value of true will administratively disable the object

• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering

Spec Argument Reference

-> One of the following: • allow_all - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted

• allowed_destinations - Optional Block
List of IP Address prefixes. Prefix must contain both prefix and prefix-length The list can contain mix of both IPv4 and IPv6 prefixes
See Allowed Destinations below for details.

• allowed_sources - Optional Block
List of IP Address prefixes. Prefix must contain both prefix and prefix-length The list can contain mix of both IPv4 and IPv6 prefixes
See Allowed Sources below for details.

• denied_destinations - Optional Block
List of IP Address prefixes. Prefix must contain both prefix and prefix-length The list can contain mix of both IPv4 and IPv6 prefixes
See Denied Destinations below for details.

• denied_sources - Optional Block
List of IP Address prefixes. Prefix must contain both prefix and prefix-length The list can contain mix of both IPv4 and IPv6 prefixes
See Denied Sources below for details.

• deny_all - Optional Block
Enable this option

• rule_list - Optional Block
Custom Enhanced Firewall Policy Rules. Custom Enhanced Firewall Policy Rules
See Rule List below for details.

• timeouts - Optional Block
See Timeouts below for details.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

• id - Optional String
Unique identifier for the resource

---

Allowed Destinations

An allowed_destinations block supports the following:

• prefix - Optional List
IP Address prefix in string format. String must contain both prefix and prefix-length

Allowed Sources

An allowed_sources block supports the following:

• prefix - Optional List
IP Address prefix in string format. String must contain both prefix and prefix-length

Denied Destinations

A denied_destinations block supports the following:

• prefix - Optional List
IP Address prefix in string format. String must contain both prefix and prefix-length

Denied Sources

A denied_sources block supports the following:

• prefix - Optional List
IP Address prefix in string format. String must contain both prefix and prefix-length

Rule List

A rule_list block supports the following:

• rules - Optional Block
Ordered List of Enhanced Firewall Policy Rules
See Rules below.

Rule List Rules

A rules block (within rule_list) supports the following:

• advanced_action - Optional Block
Network Policy Rule Advanced Action provides additional OPTIONS along with RuleAction and PBRRuleAction
See Advanced Action below.

• all_destinations - Optional Block
Configuration parameter for all destinations

• all_sli_vips - Optional Block
Enable this option

• all_slo_vips - Optional Block
Enable this option

• all_sources - Optional Block
Configuration parameter for all sources

• all_tcp_traffic - Optional Block
Configuration parameter for all TCP traffic

• all_traffic - Optional Block
Configuration parameter for all traffic

• all_udp_traffic - Optional Block
Configuration parameter for all UDP traffic

• allow - Optional Block
Enable this option

• applications - Optional Block
Configuration parameter for applications
See Applications below.

• deny - Optional Block
Enable this option

• destination_aws_vpc_ids - Optional Block
Configuration parameter for destination AWS VPC ids
See Destination AWS VPC Ids below.

• destination_ip_prefix_set - Optional Block
List of references to ip_prefix_set objects
See Destination IP Prefix Set below.

• destination_label_selector - Optional Block
Type can be used to establish a ‘selector reference’ from one object(called selector) to a set of other objects(called selectees) based on the value of expressions. A label selector is a label query over a set of resources. An empty label selector matches all objects
See Destination Label Selector below.

• destination_prefix_list - Optional Block
List of IPv4 prefixes that represent an endpoint
See Destination Prefix List below.

• insert_service - Optional Block
Action to forward traffic to external service
See Insert Service below.

• inside_destinations - Optional Block
Configuration parameter for inside destinations

• inside_sources - Optional Block
Configuration parameter for inside sources

• label_matcher - Optional Block
Label matcher specifies a list of label keys whose values need to match for source/client and destination/server. Note that the actual label values are not specified and do not matter. This allows an ability to scope grouping by the label key name
See Label Matcher below.

• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.

• outside_destinations - Optional Block
Configuration parameter for outside destinations

• outside_sources - Optional Block
Configuration parameter for outside sources

• protocol_port_range - Optional Block
Protocol and Port. Protocol and Port ranges
See Protocol Port Range below.

• source_aws_vpc_ids - Optional Block
Configuration parameter for source AWS VPC ids
See Source AWS VPC Ids below.

• source_ip_prefix_set - Optional Block
List of references to ip_prefix_set objects
See Source IP Prefix Set below.

• source_label_selector - Optional Block
Type can be used to establish a ‘selector reference’ from one object(called selector) to a set of other objects(called selectees) based on the value of expressions. A label selector is a label query over a set of resources. An empty label selector matches all objects
See Source Label Selector below.

• source_prefix_list - Optional Block
List of IPv4 prefixes that represent an endpoint
See Source Prefix List below.

Rule List Rules Advanced Action

An advanced_action block (within rule_list.rules) supports the following:

• action - Optional String Defaults to NOLOG
Possible values are NOLOG, LOG
[Enum: NOLOG|LOG] Choice to choose logging or no logging This works together with option selected via NetworkPolicyRuleAction or any other action specified x-

Rule List Rules Applications

An applications block (within rule_list.rules) supports the following:

• applications - Optional List Defaults to APPLICATION_HTTP
Possible values are APPLICATION_HTTP, APPLICATION_HTTPS, APPLICATION_SNMP, APPLICATION_DNS
[Enum: APPLICATION_HTTP|APPLICATION_HTTPS|APPLICATION_SNMP|APPLICATION_DNS] Application Protocols. Application protocols like HTTP, SNMP

Rule List Rules Destination AWS VPC Ids

A destination_aws_vpc_ids block (within rule_list.rules) supports the following:

• vpc_id - Optional List
List of VPC Identifiers in AWS

Rule List Rules Destination IP Prefix Set

A destination_ip_prefix_set block (within rule_list.rules) supports the following:

• ref - Optional Block
List of references to ip_prefix_set objects
See Ref below.

Rule List Rules Destination IP Prefix Set Ref

Deeply nested Ref block collapsed for readability.

Rule List Rules Destination Label Selector

A destination_label_selector block (within rule_list.rules) supports the following:

• expressions - Optional List
Expressions contains the Kubernetes style label expression for selections

Rule List Rules Destination Prefix List

A destination_prefix_list block (within rule_list.rules) supports the following:

• prefixes - Optional List
List of IPv4 prefixes that represent an endpoint

Rule List Rules Insert Service

An insert_service block (within rule_list.rules) supports the following:

• nfv_service - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Nfv Service below.

Rule List Rules Insert Service Nfv Service

A nfv_service block (within rule_list.rules.insert_service) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Rule List Rules Label Matcher

A label_matcher block (within rule_list.rules) supports the following:

• keys - Optional List
The list of label key names that have to match

Rule List Rules Metadata

A metadata block (within rule_list.rules) supports the following:

• description_spec - Optional String
Description. Human readable description

• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format

Rule List Rules Protocol Port Range

A protocol_port_range block (within rule_list.rules) supports the following:

• port_ranges - Optional List
List of port ranges. Each range is a single port or a pair of start and end ports e.g. 8080-8192

• protocol - Optional String
Protocol in IP packet to be used as match criteria Values are TCP, UDP, and ICMP

Rule List Rules Source AWS VPC Ids

A source_aws_vpc_ids block (within rule_list.rules) supports the following:

• vpc_id - Optional List
List of VPC Identifiers in AWS

Rule List Rules Source IP Prefix Set

A source_ip_prefix_set block (within rule_list.rules) supports the following:

• ref - Optional Block
List of references to ip_prefix_set objects
See Ref below.

Rule List Rules Source IP Prefix Set Ref

Deeply nested Ref block collapsed for readability.

Rule List Rules Source Label Selector

A source_label_selector block (within rule_list.rules) supports the following:

• expressions - Optional List
Expressions contains the Kubernetes style label expression for selections

Rule List Rules Source Prefix List

A source_prefix_list block (within rule_list.rules) supports the following:

• prefixes - Optional List
List of IPv4 prefixes that represent an endpoint

Timeouts

A timeouts block supports the following:

• create - Optional String (Defaults to 10 minutes)
Used when creating the resource

• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource

• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource

• update - Optional String (Defaults to 10 minutes)
Used when updating the resource

---

Common Types

The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.

Object Reference {#common-object-reference}

Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.

Field	Type	Description
name	String	Name of the referenced object
namespace	String	Namespace containing the referenced object
tenant	String	Tenant of the referenced object (system-managed)

Transformers {#common-transformers}

Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.

Value	Description
LOWER_CASE	Convert to lowercase
UPPER_CASE	Convert to uppercase
BASE64_DECODE	Decodebase64 content
NORMALIZE_PATH	Normalize URL path
REMOVE_WHITESPACE	Remove whitespace characters
URL_DECODE	Decode URL-encoded characters
TRIM_LEFT	Trim leading whitespace
TRIM_RIGHT	Trim trailing whitespace
TRIM	Trim both leading and trailing whitespace

HTTP Methods {#common-http-methods}

HTTP methods used for request matching.

Value	Description
ANY	Match any HTTP method
GET	HTTP GET request
HEAD	HTTP HEAD request
POST	HTTP POST request
PUT	HTTP PUT request
DELETE	HTTP DELETE request
CONNECT	HTTP CONNECT request
OPTIONS	HTTP OPTIONS request
TRACE	HTTP TRACE request
PATCH	HTTP PATCH request
COPY	HTTP COPY request (WebDAV)

TLS Fingerprints {#common-tls-fingerprints}

TLS fingerprint categories for malicious client detection.

Value	Description
TLS_FINGERPRINT_NONE	No fingerprint matching
ANY_MALICIOUS_FINGERPRINT	Match any known malicious fingerprint
ADWARE	Adware-associated fingerprints
DRIDEX	Dridex malware fingerprints
GOOTKIT	Gootkit malware fingerprints
RANSOMWARE	Ransomware-associated fingerprints
TRICKBOT	Trickbot malware fingerprints

IP Threat Categories {#common-ip-threat-categories}

IP address threat categories for security filtering.

Value	Description
SPAM_SOURCES	Known spam sources
WINDOWS_EXPLOITS	Windows exploit sources
WEB_ATTACKS	Web attack sources
BOTNETS	Known botnet IPs
SCANNERS	Network scanner IPs
REPUTATION	Poor reputation IPs
PHISHING	Phishing-related IPs
PROXY	Anonymous proxy IPs
MOBILE_THREATS	Mobile threat sources
TOR_PROXY	Tor exit nodes
DENIAL_OF_SERVICE	DoS attack sources
NETWORK	Known bad network ranges

Import

Import is supported using the following syntax:

# Import using namespace/name format
terraform import f5xc_enhanced_firewall_policy.example system/example