f5xc_origin_pool (Resource)
Manages an Origin Pool resource in F5 Distributed Cloud for defining backend server pools for load balancer targets.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage
```hcl
# Origin Pool Resource Example
# Manages an Origin Pool resource in F5 Distributed Cloud for defining backend server pools for load balancer targets.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Origin Pool configuration
resource "f5xc_origin_pool" "example" {
  name      = "example-origin-pool"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  // Origin servers configuration
  origin_servers {
    // One of the arguments from this list "consul_service custom_endpoint_object k8s_service private_ip private_name public_ip public_name vn_private_ip vn_private_name" must be set

    public_name {
      dns_name         = "origin.example.com"
      refresh_interval = 60
    }

    labels = {
      "app" = "backend"
    }
  }

  origin_servers {
    // One of the arguments from this list "consul_service custom_endpoint_object k8s_service private_ip private_name public_ip public_name vn_private_ip vn_private_name" must be set

    k8s_service {
      service_name = "backend-svc"

      // One of the arguments from this list "inside_network outside_network vk8s_networks" must be set

      vk8s_networks {}

      site_locator {
        // One of the arguments from this list "site virtual_site" must be set

        site {
          name      = "example-site"
          namespace = "staging"
        }
      }
    }
  }

  port = 443

  // One of the arguments from this list "no_tls use_tls" must be set

  use_tls {
    // One of the arguments from this list "disable_sni sni use_host_header_as_sni" must be set

    sni = "backend.example.com"

    tls_config {
      // One of the arguments from this list "custom_security default_security low_security medium_security" must be set

      default_security {}
    }

    // One of the arguments from this list "no_mtls use_mtls use_mtls_obj" must be set

    no_mtls {}

    // One of the arguments from this list "skip_server_verification use_server_verification volterra_trusted_ca" must be set

    volterra_trusted_ca {}
  }

  // Health check configuration
  healthcheck {
    name      = "example-healthcheck"
    namespace = "staging"
  }

  // Load balancing configuration
  endpoint_selection     = "LOCAL_PREFERRED"
  loadbalancer_algorithm = "ROUND_ROBIN"
}

# The following optional fields have server-applied defaults and can be omitted:
# - endpoint_selection
# - loadbalancer_algorithm
# - healthcheck
# - no_tls
# - same_as_endpoint_port
```
Verified Configuration Examples
These configurations are extracted from acceptance tests verified against the live F5 XC API.
Labels Update
```hcl
resource "f5xc_origin_pool" "test" {
  name      = "example"
  namespace = "system"

  port = 443

  labels = {
    environment = "example-value"
  }

  origin_servers {
    labels {} # API returns this even if not set
    public_name {
      dns_name = "example.com"
    }
  }

  no_tls {}
  same_as_endpoint_port {}
}
```
Multiple Origins
```hcl
resource "f5xc_origin_pool" "test" {
  name      = "example"
  namespace = "system"

  port = 443

  origin_servers {
    labels {}
    public_name {
      dns_name = "backend1.example.com"
    }
  }

  origin_servers {
    labels {}
    public_name {
      dns_name = "backend2.example.com"
    }
  }

  no_tls {}
  same_as_endpoint_port {}
}
```
```hcl
resource "f5xc_origin_pool" "test" {
  name      = "example"
  namespace = "system"

  port = 443

  origin_servers {
    labels {}
    public_name {
      dns_name = "example.com"
    }
  }

  no_tls {}
  same_as_endpoint_port {}
}
```
Public Ip
```hcl
resource "f5xc_origin_pool" "test" {
  name      = "example"
  namespace = "system"

  port = 8080

  origin_servers {
    labels {}
    public_ip {
      ip = "93.184.216.34"
    }
  }

  no_tls {}
  same_as_endpoint_port {}
}
```
With Healthcheck Ref
```hcl
resource "f5xc_healthcheck" "test" {
  name      = "example"
  namespace = "system"

  healthy_threshold   = 3
  unhealthy_threshold = 1
  timeout             = 3
  interval            = 15

  tcp_health_check {}
}

resource "f5xc_origin_pool" "test" {
  name      = "example"
  namespace = "system"

  port = 443

  origin_servers {
    labels {}
    public_name {
      dns_name = "example.com"
    }
  }

  healthcheck {
    name      = f5xc_healthcheck.test.name
    namespace = f5xc_healthcheck.test.namespace
  }

  no_tls {}
  same_as_endpoint_port {}
}
```
With Labels
```hcl
resource "f5xc_origin_pool" "test" {
  name        = "example"
  namespace   = "system"
  description = "Test origin pool"

  port = 443

  labels = {
    environment = "test"
    team        = "platform"
  }

  origin_servers {
    labels {} # API returns this even if not set
    public_name {
      dns_name = "example.com"
    }
  }

  no_tls {}
  same_as_endpoint_port {}
}
```
Argument Reference
🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.
Minimum Configuration
Required fields:
• name
• namespace
• origin_servers
• port
Example (API format):
```yaml
apiVersion: v1
kind: origin_pool
metadata:
  name: backend-pool
  namespace: default
spec:
  origin_servers:
    - public_name:
        dns_name: backend1.example.com
    - public_name:
        dns_name: backend2.example.com
  port: 8080
```
Metadata Argument Reference
• name - Required String
Name of the Origin Pool. Must be unique within the namespace
• namespace - Required String
Namespace where the Origin Pool will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
• advanced_options - Optional Block Defaults to null
Configure advanced options for origin pool
See Advanced Options below for details.
-> One of the following:
• automatic_port - Optional Block
Enable this option
• lb_port - Optional Block
Enable this option
• port - Optional Number
Endpoint service is available on this port. Recommended: 443
• endpoint_selection - Optional String Defaults to DISTRIBUTED
Possible values are DISTRIBUTED, LOCAL_ONLY, LOCAL_PREFERRED
[Enum: DISTRIBUTED|LOCAL_ONLY|LOCAL_PREFERRED] Policy for selection of endpoints from local site/remote site/both. Consider both remote and local endpoints for load balancing. LOCAL_ONLY: Consider only local endpoints for load balancing. Enable this policy to load balance ONLY among locally discovered endpoints. Prefer the local endpoints for.. Server applies default when omitted
-> One of the following:
• health_check_port - Optional Number
Port used for performing health check
• same_as_endpoint_port - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• healthcheck - Optional Block Defaults to []
Reference to healthcheck configuration objects. Server applies default when omitted
See Healthcheck below for details.
• loadbalancer_algorithm - Optional String Defaults to ROUND_ROBIN
Possible values are ROUND_ROBIN, LEAST_REQUEST, RING_HASH, RANDOM, LB_OVERRIDE
[Enum: ROUND_ROBIN|LEAST_REQUEST|RING_HASH|RANDOM|LB_OVERRIDE] Different load balancing algorithms supported. When a connection to an endpoint in an upstream cluster is required, the load balancer uses loadbalancer_algorithm to determine which host is selected. - ROUND_ROBIN: ROUND_ROBIN Policy in which each healthy/available upstream endpoint is selected in.. Server applies default when omitted
-> One of the following:
• no_tls - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• origin_servers - Optional Block
List of origin servers in this pool
See Origin Servers below for details.
• timeouts - Optional Block
• upstream_conn_pool_reuse_type - Optional Block Defaults to null
Select upstream connection pool reuse state for every downstream connection. This configuration choice is for HTTP(S) LB only
• use_tls - Optional Block
TLS Parameters for Origin Servers. Upstream TLS Parameters
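One way to enforce the no_tls / use_tls choice above in CI, as an added example that is not part of the provider's documentation or code: a Python check over `terraform show -json` plan output that reports origin pools whose upstream traffic is unencrypted, or whose use_tls block sets skip_server_verification or low_security. The sample plan, the resource addresses, the severity labels and the JSON encoding assumed for nested blocks are constructed for this example.

```python
import json

# Constructed sample of `terraform show -json <planfile>` output, trimmed to the
# fields this check reads. Resource names and values are made up for the example.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "f5xc_origin_pool.public_plain", "type": "f5xc_origin_pool",
   "change": {"actions": ["create"], "after": {
     "port": 443, "no_tls": [{}], "use_tls": [],
     "origin_servers": [{"public_name": [{"dns_name": "example.com"}]}]}}},
  {"address": "f5xc_origin_pool.verified", "type": "f5xc_origin_pool",
   "change": {"actions": ["create"], "after": {
     "port": 443,
     "origin_servers": [{"public_name": [{"dns_name": "origin.example.com"}]}],
     "use_tls": [{"sni": "backend.example.com",
                  "tls_config": [{"default_security": [{}]}],
                  "no_mtls": [{}], "volterra_trusted_ca": [{}]}]}}},
  {"address": "f5xc_origin_pool.skip_verify", "type": "f5xc_origin_pool",
   "change": {"actions": ["update"], "after": {
     "port": 8443,
     "origin_servers": [{"k8s_service": [{"service_name": "backend-svc"}]}],
     "use_tls": [{"tls_config": [{"low_security": [{}]}],
                  "skip_server_verification": [{}]}]}}},
  {"address": "f5xc_origin_pool.private_default", "type": "f5xc_origin_pool",
   "change": {"actions": ["create"], "after": {
     "port": 8080, "no_tls": null, "use_tls": null,
     "origin_servers": [{"private_ip": {"ip": "10.0.0.10"}}]}}},
  {"address": "f5xc_origin_pool.retired", "type": "f5xc_origin_pool",
   "change": {"actions": ["delete"], "after": null}},
  {"address": "f5xc_healthcheck.test", "type": "f5xc_healthcheck",
   "change": {"actions": ["create"], "after": {"interval": 15}}}
]}
""")

PUBLIC_ORIGIN_KINDS = ("public_ip", "public_name")


def nested_block(parent, name):
    """Return nested block `name` as a dict, or None when it is not set.

    Assumption: a nested block is encoded either as a list of objects
    (empty list = unset) or as a single object (null = unset); both are handled.
    An empty block such as `no_tls {}` comes back as {} and counts as set.
    """
    value = parent.get(name) if isinstance(parent, dict) else None
    if isinstance(value, list):
        value = value[0] if value else None
    return value if isinstance(value, dict) else None


def has_public_origin(pool):
    """True when any origin_servers entry uses public_ip or public_name."""
    servers = pool.get("origin_servers") or []
    return any(nested_block(server, kind) is not None
               for server in servers for kind in PUBLIC_ORIGIN_KINDS)


def audit_pool(address, pool):
    """Return (address, severity, message) findings for one planned origin pool."""
    findings = []
    use_tls = nested_block(pool, "use_tls")
    if use_tls is None:
        # The page lists no_tls among the fields the server applies by default,
        # so an omitted TLS choice is treated the same as an explicit no_tls.
        how = ("no_tls is set" if nested_block(pool, "no_tls") is not None
               else "neither no_tls nor use_tls is set, so the server default applies")
        severity = "high" if has_public_origin(pool) else "medium"
        findings.append((address, severity, f"upstream traffic is not encrypted: {how}"))
        return findings
    if nested_block(use_tls, "skip_server_verification") is not None:
        findings.append((address, "high",
                         "use_tls.skip_server_verification: origin certificate is not verified"))
    if nested_block(nested_block(use_tls, "tls_config"), "low_security") is not None:
        findings.append((address, "medium",
                         "use_tls.tls_config.low_security selected; review against policy"))
    return findings


def audit_plan(plan):
    """Audit every f5xc_origin_pool that still exists after the plan is applied."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") == "f5xc_origin_pool" and isinstance(after, dict):
            findings.extend(audit_pool(rc["address"], after))
    return findings


if __name__ == "__main__":
    for address, severity, message in audit_plan(SAMPLE_PLAN):
        print(f"[{severity}] {address}: {message}")
```

A non-empty result from `audit_plan` can be used to fail the pipeline step before `terraform apply` runs.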
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Advanced Options
An advanced_options block supports the following:
• auto_http_config - Optional Block
Enable this option
• circuit_breaker - Optional Block
CircuitBreaker provides a mechanism for watching failures in upstream connections or requests and, if the failures reach a certain threshold, automatically failing subsequent requests, which allows back pressure to be applied on downstream quickly
See Circuit Breaker below.
• connection_timeout - Optional Number Defaults to 2 Specified in milliseconds
The timeout for new network connections to endpoints in the cluster. The seconds
• default_circuit_breaker - Optional Block
Configuration parameter for default circuit breaker
• disable_circuit_breaker - Optional Block
Configuration parameter for disable circuit breaker
• disable_lb_source_ip_persistance - Optional Block
Enable this option
• disable_outlier_detection - Optional Block
Configuration parameter for disable outlier detection
• disable_proxy_protocol - Optional Block
Configuration parameter for disable proxy protocol
• disable_subsets - Optional Block
Configuration parameter for disable subsets
• enable_lb_source_ip_persistance - Optional Block
Enable this option
• enable_subsets - Optional Block
Configure subset options for origin pool
See Enable Subsets below.
• http1_config - Optional Block
HTTP/1.1 protocol options for upstream connections
See Http1 Config below.
• http2_options - Optional Block
HTTP/2 protocol options for upstream connections
See Http2 Options below.
• http_idle_timeout - Optional Number
The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed
• max_requests_per_connection - Optional Number
Sets the maximum number of requests allowed per connection to the origin server. Enter a value >=1 to define the request limit per connection
• no_panic_threshold - Optional Block
Configuration parameter for no panic threshold
• no_request_limit_per_connection - Optional Block
Configuration parameter for no request limit per connection
• outlier_detection - Optional Block
Outlier detection and ejection is the process of dynamically determining whether some number of hosts in an upstream cluster are performing unlike the others and removing them from the healthy load balancing set. Outlier detection is a form of passive health checking. Algorithm 1
See Outlier Detection below.
• panic_threshold - Optional Number
Configure a threshold (percentage of unhealthy endpoints) below which all endpoints will be considered for load balancing, ignoring their health status
• proxy_protocol_v1 - Optional Block
Configuration parameter for proxy protocol v1
• proxy_protocol_v2 - Optional Block
Configuration parameter for proxy protocol v2
Advanced Options Circuit Breaker
A circuit_breaker block (within advanced_options) supports the following:
• connection_limit - Optional Number
The maximum number of connections that loadbalancer will establish to all hosts in an upstream cluster. In practice this is only applicable to TCP and HTTP/1.1 clusters since HTTP/2 uses a single connection to each host. Remove endpoint out of load balancing decision, if number of connections
• max_requests - Optional Number
The maximum number of requests that can be outstanding to all hosts in a cluster at any given time. In practice this is applicable to HTTP/2 clusters since HTTP/1.1 clusters are governed by the maximum connections (connection_limit). Remove endpoint out of load balancing decision, if requests
• pending_requests - Optional Number
The maximum number of requests that will be queued while waiting for a ready connection pool connection. Since HTTP/2 requests are sent over a single connection, this circuit breaker only comes into play as the initial connection is created, as requests will be multiplexed immediately
• priority - Optional String Defaults to DEFAULT
Possible values are DEFAULT, HIGH
[Enum: DEFAULT|HIGH] Priority routing for each request. Different connection pools are used based on the priority selected for the request. Also, circuit-breaker configuration at destination cluster is chosen based on selected priority
• retries - Optional Number
The maximum number of retries that can be outstanding to all hosts in a cluster at any given time. Remove endpoint out of load balancing decision, if retries for request exceed this count
Advanced Options Enable Subsets
An enable_subsets block (within advanced_options) supports the following:
• any_endpoint - Optional Block
Enable this option
• default_subset - Optional Block
Configuration parameter for default subset
See Default Subset below.
• endpoint_subsets - Optional Block
List of subset classes. A subset class is defined using a list of keys. Every unique combination of values of these keys forms a subset within the class
See Endpoint Subsets below.
• fail_request - Optional Block
Configuration parameter for fail request
Advanced Options Enable Subsets Default Subset
A default_subset block (within advanced_options.enable_subsets) supports the following:
• default_subset - Optional Block
List of key-value pairs that define the default subset, which is used when the route specifies no metadata or no subset matching the metadata exists
Advanced Options Enable Subsets Endpoint Subsets
An endpoint_subsets block (within advanced_options.enable_subsets) supports the following:
• keys - Optional List
List of keys that define a cluster subset class
Advanced Options Http1 Config
An http1_config block (within advanced_options) supports the following:
• header_transformation - Optional Block
Header transformation options for HTTP/1.1 request/response headers
See Header Transformation below.
Advanced Options Http1 Config Header Transformation
A header_transformation block (within advanced_options.http1_config) supports the following:
• default_header_transformation - Optional Block
Enable this option
• legacy_header_transformation - Optional Block
Enable this option
• preserve_case_header_transformation - Optional Block
Enable this option
• proper_case_header_transformation - Optional Block
Enable this option
Advanced Options Http2 Options
An http2_options block (within advanced_options) supports the following:
• enabled - Optional Bool
Enable/disable HTTP2 Protocol for upstream connections
Advanced Options Outlier Detection
An outlier_detection block (within advanced_options) supports the following:
• base_ejection_time - Optional Number
The base time that a host is ejected for. The real time is equal to the base time multiplied by the number of times the host has been ejected. This causes hosts to get ejected for longer periods if they continue to fail
• consecutive_5xx - Optional Number
If an upstream endpoint returns some number of consecutive 5xx, it will be ejected. Note that in this case a 5xx means an actual 5xx response code, or an event that would cause the HTTP router to return one on the upstream’s behalf (reset, connection failure, etc.). consecutive_5xx indicates the
• consecutive_gateway_failure - Optional Number
If an upstream endpoint returns some number of consecutive “gateway errors” (502, 503 or 504 status code), it will be ejected. Note that this includes events that would cause the HTTP router to return one of these status codes on the upstream’s behalf (reset, connection failure, etc.)
• interval - Optional Number Defaults to 10000ms
The time interval between ejection analysis sweeps. This can result in both new ejections as well as endpoints being returned to service
• max_ejection_percent - Optional Number Defaults to 10%
The maximum % of an upstream cluster that can be ejected due to outlier detection, but will eject at least one host regardless of the value
Healthcheck
A healthcheck block supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Servers
An origin_servers block supports the following:
• cbip_service - Optional Block
Specify origin server with Classic BIG-IP Service (Virtual Server)
See Cbip Service below.
• consul_service - Optional Block
Specify origin server with HashiCorp Consul service name and site information
See Consul Service below.
• custom_endpoint_object - Optional Block
Specify origin server with a reference to endpoint object
See Custom Endpoint Object below.
• k8s_service - Optional Block
Specify origin server with K8S service name and site information
See K8S Service below.
• labels - Optional Block
Add Labels for this origin server, these labels can be used to form subset
• private_ip - Optional Block
Specify origin server with private or public IP address and site information
See Private IP below.
• private_name - Optional Block
Specify origin server with private or public DNS name and site information
See Private Name below.
• public_ip - Optional Block
Specify origin server with public IP address
See Public IP below.
• public_name - Optional Block
Specify origin server with public DNS name
See Public Name below.
• vn_private_ip - Optional Block
Specify origin server with IP on Virtual Network
See Vn Private IP below.
• vn_private_name - Optional Block
Specify origin server with DNS name on Virtual Network
See Vn Private Name below.
Origin Servers Cbip Service
A cbip_service block (within origin_servers) supports the following:
• service_name - Optional String
Name of the discovered Classic BIG-IP virtual server to be used as origin
Origin Servers Consul Service
A consul_service block (within origin_servers) supports the following:
• inside_network - Optional Block
Configuration parameter for inside network
• outside_network - Optional Block
Configuration parameter for outside network
• service_name - Optional String
Consul service name of this origin server will be listed, including cluster-ID. The format is servicename:cluster-ID
• site_locator - Optional Block
Message defines a reference to a site or virtual site object
See Site Locator below.
• snat_pool - Optional Block
SNAT Pool. SNAT Pool configuration
See Snat Pool below.
Origin Servers Consul Service Site Locator
A site_locator block (within origin_servers.consul_service) supports the following:
• site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Site below.
• virtual_site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Virtual Site below.
Origin Servers Consul Service Site Locator Site
A site block (within origin_servers.consul_service.site_locator) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Servers Consul Service Site Locator Virtual Site
Deeply nested Site block collapsed for readability.
Origin Servers Consul Service Snat Pool
A snat_pool block (within origin_servers.consul_service) supports the following:
• no_snat_pool - Optional Block
Configuration parameter for no snat pool
• snat_pool - Optional Block
List of IPv4 prefixes that represent an endpoint
See Snat Pool below.
Origin Servers Consul Service Snat Pool Snat Pool
Deeply nested Pool block collapsed for readability.
Origin Servers Custom Endpoint Object
A custom_endpoint_object block (within origin_servers) supports the following:
• endpoint - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Endpoint below.
Origin Servers Custom Endpoint Object Endpoint
An endpoint block (within origin_servers.custom_endpoint_object) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Servers K8S Service
A k8s_service block (within origin_servers) supports the following:
• inside_network - Optional Block
Configuration parameter for inside network
• outside_network - Optional Block
Configuration parameter for outside network
• protocol - Optional String Defaults to PROTOCOL_TCP
Possible values are PROTOCOL_TCP, PROTOCOL_UDP
[Enum: PROTOCOL_TCP|PROTOCOL_UDP] Type of protocol - PROTOCOL_TCP: TCP - PROTOCOL_UDP: UDP
• service_name - Optional String
K8S service name of the origin server will be listed, including the namespace and cluster-ID. For vK8s services, you need to enter a string with the format servicename.namespace:cluster-ID. If the servicename is ‘frontend’, namespace is ‘speedtest’ and cluster-ID is ‘prod’
• site_locator - Optional Block
Message defines a reference to a site or virtual site object
See Site Locator below.
• snat_pool - Optional Block
SNAT Pool. SNAT Pool configuration
See Snat Pool below.
• vk8s_networks - Optional Block
Configuration parameter for vk8s networks
Origin Servers K8S Service Site Locator
A site_locator block (within origin_servers.k8s_service) supports the following:
• site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Site below.
• virtual_site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Virtual Site below.
Origin Servers K8S Service Site Locator Site
A site block (within origin_servers.k8s_service.site_locator) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Servers K8S Service Site Locator Virtual Site
Deeply nested Site block collapsed for readability.
Origin Servers K8S Service Snat Pool
A snat_pool block (within origin_servers.k8s_service) supports the following:
• no_snat_pool - Optional Block
Configuration parameter for no snat pool
• snat_pool - Optional Block
List of IPv4 prefixes that represent an endpoint
See Snat Pool below.
Origin Servers K8S Service Snat Pool Snat Pool
Deeply nested Pool block collapsed for readability.
Origin Servers Private IP
A private_ip block (within origin_servers) supports the following:
• inside_network - Optional Block
Configuration parameter for inside network
• ip - Optional String
IP. Private IPv4 address
• outside_network - Optional Block
Configuration parameter for outside network
• segment - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Segment below.
• site_locator - Optional Block
Message defines a reference to a site or virtual site object
See Site Locator below.
• snat_pool - Optional Block
SNAT Pool. SNAT Pool configuration
See Snat Pool below.
Origin Servers Private IP Segment
A segment block (within origin_servers.private_ip) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Servers Private IP Site Locator
A site_locator block (within origin_servers.private_ip) supports the following:
• site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Site below.
• virtual_site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Virtual Site below.
Origin Servers Private IP Site Locator Site
A site block (within origin_servers.private_ip.site_locator) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Servers Private IP Site Locator Virtual Site
Deeply nested Site block collapsed for readability.
Origin Servers Private IP Snat Pool
A snat_pool block (within origin_servers.private_ip) supports the following:
• no_snat_pool - Optional Block
Configuration parameter for no snat pool
• snat_pool - Optional Block
List of IPv4 prefixes that represent an endpoint
See Snat Pool below.
Origin Servers Private IP Snat Pool Snat Pool
Deeply nested Pool block collapsed for readability.
Origin Servers Private Name
A private_name block (within origin_servers) supports the following:
• dns_name - Optional String
DNS Name. DNS Name
• inside_network - Optional Block
Configuration parameter for inside network
• outside_network - Optional Block
Configuration parameter for outside network
• refresh_interval - Optional Number
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.
• segment - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Segment below.
• site_locator - Optional Block
Message defines a reference to a site or virtual site object
See Site Locator below.
• snat_pool - Optional Block
SNAT Pool. SNAT Pool configuration
See Snat Pool below.
Origin Servers Private Name Segment
A segment block (within origin_servers.private_name) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Servers Private Name Site Locator
A site_locator block (within origin_servers.private_name) supports the following:
• site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Site below.
• virtual_site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form of tenant/namespace/name
See Virtual Site below.
Origin Servers Private Name Site Locator Site
A site block (within origin_servers.private_name.site_locator) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Servers Private Name Site Locator Virtual Site
Deeply nested Site block collapsed for readability.
Origin Servers Private Name Snat Pool
A snat_pool block (within origin_servers.private_name) supports the following:
• no_snat_pool - Optional Block
Configuration parameter for no snat pool
• snat_pool - Optional Block
List of IPv4 prefixes that represent an endpoint
See Snat Pool below.
Origin Servers Private Name Snat Pool Snat Pool
Deeply nested Pool block collapsed for readability.
Origin Servers Public IP
A public_ip block (within origin_servers) supports the following:
• ip - Optional String
Public IPv4 address
Origin Servers Public Name
A public_name block (within origin_servers) supports the following:
• dns_name - Optional String
DNS name
• refresh_interval - Optional Number
Interval for DNS refresh in seconds. Max value is 7 days as per https://datatracker.ietf.org/doc/html/rfc8767.
Origin Servers Vn Private IP
A vn_private_ip block (within origin_servers) supports the following:
• ip - Optional String
IPv4 address
• virtual_network - Optional Block
This type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Virtual Network below.
Origin Servers Vn Private IP Virtual Network
A virtual_network block (within origin_servers.vn_private_ip) supports the following:
• name - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
Origin Servers Vn Private Name
A vn_private_name block (within origin_servers) supports the following:
• dns_name - Optional String
DNS name
• private_network - Optional Block
This type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Private Network below.
Origin Servers Vn Private Name Private Network
A private_network block (within origin_servers.vn_private_name) supports the following:
• name - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
Upstream Conn Pool Reuse Type
An upstream_conn_pool_reuse_type block supports the following:
• disable_conn_pool_reuse - Optional Block
Configuration parameter for disable conn pool reuse
• enable_conn_pool_reuse - Optional Block
Configuration parameter for enable conn pool reuse
Use TLS
A use_tls block supports the following:
• default_session_key_caching - Optional Block
Configuration parameter for default session key caching
• disable_session_key_caching - Optional Block
Configuration parameter for disable session key caching
• disable_sni - Optional Block
Configuration parameter for disable sni
• max_session_keys - Optional Number
Number of session keys that are cached
• no_mtls - Optional Block
Enable this option
• skip_server_verification - Optional Block
Enable this option
• sni - Optional String
SNI value to be used
• tls_config - Optional Block
Defines various options to configure TLS configuration parameters
See TLS Config below.
• use_host_header_as_sni - Optional Block
Enable this option
• use_mtls - Optional Block
mTLS client certificate
See Use mTLS below.
• use_mtls_obj - Optional Block
This type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Use mTLS Obj below.
• use_server_verification - Optional Block
Configuration parameter for use server verification
See Use Server Verification below.
• volterra_trusted_ca - Optional Block
Configuration parameter for volterra trusted CA
Use TLS TLS Config
A tls_config block (within use_tls) supports the following:
• custom_security - Optional Block
Defines TLS protocol config including min/max versions and allowed ciphers
See Custom Security below.
• default_security - Optional Block
Enable this option
• low_security - Optional Block
Enable this option
• medium_security - Optional Block
Enable this option
Use TLS TLS Config Custom Security
A custom_security block (within use_tls.tls_config) supports the following:
• cipher_suites - Optional List
The TLS listener will only support the specified cipher list
• max_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
TlsProtocol is an enumeration of supported TLS versions. F5 Distributed Cloud will choose the optimal TLS version
• min_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
TlsProtocol is an enumeration of supported TLS versions. F5 Distributed Cloud will choose the optimal TLS version
Use TLS Use mTLS
A use_mtls block (within use_tls) supports the following:
• tls_certificates - Optional Block
mTLS client certificate
See TLS Certificates below.
Use TLS Use mTLS TLS Certificates
A tls_certificates block (within use_tls.use_mtls) supports the following:
• certificate_url - Optional String
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers
• custom_hash_algorithms - Optional Block
Specifies the hash algorithms to be used
See Custom Hash Algorithms below.
• description_spec - Optional String
Description. Description for the certificate
• disable_ocsp_stapling - Optional Block
Configuration parameter for disable OCSP stapling
• private_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Private Key below.
• use_system_defaults - Optional Block
Configuration parameter for use system defaults
Use TLS Use mTLS TLS Certificates Custom Hash Algorithms
Deeply nested Algorithms block collapsed for readability.
Use TLS Use mTLS TLS Certificates Private Key
Deeply nested Key block collapsed for readability.
Use TLS Use mTLS TLS Certificates Private Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Use TLS Use mTLS TLS Certificates Private Key Clear Secret Info
Deeply nested Info block collapsed for readability.
Use TLS Use mTLS Obj
A use_mtls_obj block (within use_tls) supports the following:
• name - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
Use TLS Use Server Verification
A use_server_verification block (within use_tls) supports the following:
• trusted_ca - Optional Block
This type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Trusted CA below.
• trusted_ca_url - Optional String
Upload a Root CA Certificate specifically for this Origin Pool for verification of the server’s certificate
Use TLS Use Server Verification Trusted CA
A trusted_ca block (within use_tls.use_server_verification) supports the following:
• name - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the route’s) name
• namespace - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the route’s) namespace
• tenant - Optional String
When a configuration object (e.g. virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the route’s) tenant
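The use_tls arguments documented above, put together as an added example that is not part of the provider documentation: an origin pool that skips origin certificate verification, beside one that verifies the origin against a referenced CA, presents a client certificate and sets a TLS 1.2 floor. All names, namespaces and DNS values are constructed placeholders, the referenced CA and client-certificate objects are hypothetical, other arguments are left at their defaults, and cipher_suites is omitted because the page lists no suite names.

```hcl
# Weak (constructed values): traffic to the origin is encrypted, but the
# origin's certificate is never validated and the lowest preset profile is used.
resource "f5xc_origin_pool" "weak" {
  name      = "example-weak-pool"
  namespace = "staging"
  port      = 443
  origin_servers {
    public_name { dns_name = "origin.example.com" }
  }
  use_tls {
    sni = "origin.example.com"
    skip_server_verification {} # origin identity is not checked
    no_mtls {}                  # origin cannot authenticate the proxy
    tls_config {
      low_security {}           # lowest of the preset TLS profiles
    }
  }
}

# Hardened (constructed values): the origin certificate must chain to a
# pool-specific CA, a client certificate is presented, TLS versions are pinned.
resource "f5xc_origin_pool" "hardened" {
  name      = "example-hardened-pool"
  namespace = "staging"
  port      = 443
  origin_servers {
    public_name { dns_name = "origin.example.com" }
  }
  use_tls {
    sni = "origin.example.com"
    use_server_verification {
      trusted_ca { # hypothetical CA object in this namespace
        name      = "example-origin-root-ca"
        namespace = "staging"
      }
    }
    use_mtls_obj { # hypothetical object holding the client certificate
      name      = "example-origin-client-cert"
      namespace = "staging"
    }
    tls_config {
      custom_security {
        min_version = "TLSv1_2"
        max_version = "TLSv1_3"
      }
    }
  }
}
```

In review, skip_server_verification, low_security, and a min_version of TLSv1_0 or TLSv1_1 are the settings worth flagging in a plan diff for this resource.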
Common Types
The following type definitions are used throughout this resource. The full definitions are given here rather than repeated inline.
Object Reference
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
HTTP Methods
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:
```shell
# Import using namespace/name format
terraform import f5xc_origin_pool.example system/example
```