f5xc_fast_acl (Resource)
Manages a Fast ACL object in F5 Distributed Cloud. The object contains rules to protect a site from denial of service. It has a destination (destination IP, destination port) and references to.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage
```hcl
# Fast ACL Resource Example
# Manages a Fast ACL object in F5 Distributed Cloud. The object contains rules
# to protect a site from denial of service.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Fast ACL configuration
resource "f5xc_fast_acl" "example" {
  name      = "example-fast-acl"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Resource-specific configuration
  # Type establishes a direct reference from one object(the r...
  protocol_policer {
    # Configure protocol_policer settings
  }

  # [OneOf: re_acl, site_acl] Fast ACL for RE. Fast ACL defin...
  re_acl {
    # Configure re_acl settings

    # Enable this option (all_public_vips is an argument of the re_acl block)
    all_public_vips {
      # Configure all_public_vips settings
    }
  }
}
```

Argument Reference
🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.
Metadata Argument Reference
• name - Required String
Name of the Fast ACL. Must be unique within the namespace
• namespace - Required String
Namespace where the Fast ACL will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
• protocol_policer - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Protocol Policer below for details.
-> One of the following:
• re_acl - Optional Block
Fast ACL for RE. Fast ACL definition for RE
See RE ACL below for details.
• site_acl - Optional Block
Fast ACL for Site. Fast ACL definition for Site
See Site ACL below for details.
• timeouts - Optional Block
See Timeouts below for details.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Protocol Policer
A protocol_policer block supports the following:
• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name
• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace
• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant
RE ACL
A re_acl block supports the following:
• all_public_vips - Optional Block
Enable this option
• default_tenant_vip - Optional Block
Enable this option
• fast_acl_rules - Optional Block
Rules. Fast ACL rules to match
See Fast ACL Rules below.
• selected_tenant_vip - Optional Block
Specific Tenant VIP. Select various tenant public VIP(s)
See Selected Tenant VIP below.
RE ACL Fast ACL Rules
A fast_acl_rules block (within re_acl) supports the following:
• action - Optional Block
FastAclRuleAction specifies possible action to be applied on traffic, possible action include dropping, forwarding or ratelimiting the traffic
See Action below.
• ip_prefix_set - Optional Block
List of references to ip_prefix_set objects
See IP Prefix Set below.
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• port - Optional Block
Source Ports. L4 port numbers to match
See Port below.
• prefix - Optional Block
List of IP Address prefixes. Prefix must contain both prefix and prefix-length The list can contain mix of both IPv4 and IPv6 prefixes
See Prefix below.
RE ACL Fast ACL Rules Action
An action block (within re_acl.fast_acl_rules) supports the following:
• policer_action - Optional Block
Policer Reference. Reference to policer object
See Policer Action below.
• protocol_policer_action - Optional Block
Protocol Policer Reference. Reference to policer object
See Protocol Policer Action below.
• simple_action - Optional String Defaults to DENY
Possible values are DENY, ALLOW
[Enum: DENY|ALLOW] FastAclRuleSimpleAction specifies a simple action like PASS or DENY. DENY: drop the traffic. ALLOW: forward the traffic.
RE ACL Fast ACL Rules Action Policer Action
Deeply nested Action block collapsed for readability.
RE ACL Fast ACL Rules Action Policer Action Ref
Deeply nested Ref block collapsed for readability.
RE ACL Fast ACL Rules Action Protocol Policer Action
Deeply nested Action block collapsed for readability.
RE ACL Fast ACL Rules Action Protocol Policer Action Ref
Deeply nested Ref block collapsed for readability.
RE ACL Fast ACL Rules IP Prefix Set
Deeply nested Set block collapsed for readability.
RE ACL Fast ACL Rules IP Prefix Set Ref
Deeply nested Ref block collapsed for readability.
RE ACL Fast ACL Rules Metadata
A metadata block (within re_acl.fast_acl_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
RE ACL Fast ACL Rules Port
A port block (within re_acl.fast_acl_rules) supports the following:
• all - Optional Block
Enable this option
• dns - Optional Block
Enable this option
• user_defined - Optional Number
Matches the user defined port
RE ACL Fast ACL Rules Prefix
A prefix block (within re_acl.fast_acl_rules) supports the following:
• prefix - Optional List
IP Address prefix in string format. String must contain both prefix and prefix-length
RE ACL Selected Tenant VIP
A selected_tenant_vip block (within re_acl) supports the following:
• default_tenant_vip - Optional Bool
Include tenant VIP in list of specific VIP(s)
• public_ip_refs - Optional Block
Select additional public VIP(s)
See Public IP Refs below.
RE ACL Selected Tenant VIP Public IP Refs
Deeply nested Refs block collapsed for readability.
Site ACL
A site_acl block supports the following:
• all_services - Optional Block
Configuration parameter for all services
• fast_acl_rules - Optional Block
Rules. Fast ACL rules to match
See Fast ACL Rules below.
• inside_network - Optional Block
Configuration parameter for inside network
• interface_services - Optional Block
Configuration parameter for interface services
• outside_network - Optional Block
Configuration parameter for outside network
• vip_services - Optional Block
Enable this option
Site ACL Fast ACL Rules
A fast_acl_rules block (within site_acl) supports the following:
• action - Optional Block
FastAclRuleAction specifies possible action to be applied on traffic, possible action include dropping, forwarding or ratelimiting the traffic
See Action below.
• ip_prefix_set - Optional Block
List of references to ip_prefix_set objects
See IP Prefix Set below.
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• port - Optional Block
Source Ports. L4 port numbers to match
See Port below.
• prefix - Optional Block
List of IP Address prefixes. Prefix must contain both prefix and prefix-length The list can contain mix of both IPv4 and IPv6 prefixes
See Prefix below.
Site ACL Fast ACL Rules Action
An action block (within site_acl.fast_acl_rules) supports the following:
• policer_action - Optional Block
Policer Reference. Reference to policer object
See Policer Action below.
• protocol_policer_action - Optional Block
Protocol Policer Reference. Reference to policer object
See Protocol Policer Action below.
• simple_action - Optional String Defaults to DENY
Possible values are DENY, ALLOW
[Enum: DENY|ALLOW] FastAclRuleSimpleAction specifies a simple action like PASS or DENY. DENY: drop the traffic. ALLOW: forward the traffic.
Site ACL Fast ACL Rules Action Policer Action
Deeply nested Action block collapsed for readability.
Site ACL Fast ACL Rules Action Policer Action Ref
Deeply nested Ref block collapsed for readability.
Site ACL Fast ACL Rules Action Protocol Policer Action
Deeply nested Action block collapsed for readability.
Site ACL Fast ACL Rules Action Protocol Policer Action Ref
Deeply nested Ref block collapsed for readability.
Site ACL Fast ACL Rules IP Prefix Set
Deeply nested Set block collapsed for readability.
Site ACL Fast ACL Rules IP Prefix Set Ref
Deeply nested Ref block collapsed for readability.
Site ACL Fast ACL Rules Metadata
A metadata block (within site_acl.fast_acl_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Site ACL Fast ACL Rules Port
A port block (within site_acl.fast_acl_rules) supports the following:
• all - Optional Block
Enable this option
• dns - Optional Block
Enable this option
• user_defined - Optional Number
Matches the user defined port
Site ACL Fast ACL Rules Prefix
A prefix block (within site_acl.fast_acl_rules) supports the following:
• prefix - Optional List
IP Address prefix in string format. String must contain both prefix and prefix-length
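An added example (not from the provider's own documentation) showing a site_acl with two DENY rules built only from the arguments listed above, plus a variable validation that enforces the "prefix and prefix-length" requirement before the provider is called. It assumes fast_acl_rules may be repeated and that empty blocks such as outside_network {} and all {} act as switches; the resource name, rule names, variable, port number and prefixes are constructed sample values.

```hcl
# Added example: block names follow this reference, all values are constructed.
variable "blocked_prefixes" {
  type    = list(string)
  default = ["192.0.2.0/24", "2001:db8:bad::/48"] # documentation ranges

  # Reject entries that lack a prefix length (cidrhost fails on a bare IP).
  validation {
    condition     = alltrue([for p in var.blocked_prefixes : can(cidrhost(p, 0))])
    error_message = "Each entry must be a CIDR prefix with a length, e.g. 192.0.2.0/24."
  }
}

resource "f5xc_fast_acl" "site_guard" {
  name      = "site-guard"
  namespace = "system"

  site_acl {
    outside_network {} # assumption: applies the ACL on the outside network

    # Rule 1: drop everything from the listed prefixes, any source port.
    fast_acl_rules {
      metadata { name = "drop-blocked-prefixes" } # DNS-1035 format
      prefix { prefix = var.blocked_prefixes }
      port {
        all {}
      }
      action { simple_action = "DENY" } # the default, stated explicitly for review
    }

    # Rule 2: drop traffic from any IPv4 source whose source port is 1900.
    fast_acl_rules {
      metadata { name = "drop-src-port-1900" }
      prefix { prefix = ["0.0.0.0/0"] }
      port { user_defined = 1900 }
      action { simple_action = "DENY" }
    }
  }
}
```

Because the port block matches source ports, rule 2 filters on where traffic claims to come from, not on the destination service.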
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
Common Types
The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.
Object Reference {#common-object-reference}
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers {#common-transformers}
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
HTTP Methods {#common-http-methods}
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints {#common-tls-fingerprints}
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories {#common-ip-threat-categories}
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:

```shell
# Import using namespace/name format
terraform import f5xc_fast_acl.example system/example
```