f5xc_proxy Resource - terraform-provider-f5xc

f5xc_proxy (Resource)

Manages a Proxy resource in F5 Distributed Cloud for tcp loadbalancer create specification. configuration.

~> Note For more information about this resource, please refer to the F5 XC API Documentation.

Example Usage

# Proxy Resource Example
# Manages a Proxy resource in F5 Distributed Cloud for tcp loadbalancer create specification. configuration.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Proxy configuration
resource "f5xc_proxy" "example" {
  name      = "example-proxy"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Proxy configuration
  proxy_url = "`http://proxy.example.com:8080"`
}

Argument Reference

🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.

Metadata Argument Reference

• name - Required String
Name of the Proxy. Must be unique within the namespace

• namespace - Required String
Namespace where the Proxy will be created

• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata

• description - Optional String
Human readable description for the object

• disable - Optional Bool
A value of true will administratively disable the object

• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering

Spec Argument Reference

-> One of the following: • active_forward_proxy_policies - Optional Block
Ordered List of Forward Proxy Policies active
See Active Forward Proxy Policies below for details.

• connection_timeout - Required Number Defaults to 2000 Specified in milliseconds
The timeout for new network connections to upstream server. The (2 seconds)

-> One of the following: • do_not_advertise - Optional Block
Configuration parameter for do not advertise

• site_virtual_sites - Optional Block
Defines a way to advertise a VIP on specific sites

-> One of the following: • dynamic_proxy - Optional Block
Configuration parameter for dynamic proxy
See Dynamic Proxy below for details.

• http_proxy - Optional Block
HTTP Connect Proxy. Parameters for HTTP Connect Proxy

• no_forward_proxy_policy - Optional Block
Policy configuration for this feature

-> One of the following: • no_interception - Optional Block
Configuration parameter for no interception

-> One of the following: • site_local_inside_network - Optional Block
Enable this option

• site_local_network - Optional Block
Enable this option

• timeouts - Optional Block

• tls_intercept - Optional Block
Configuration to enable TLS interception

Attributes Reference

In addition to all arguments above, the following attributes are exported:

• id - Optional String
Unique identifier for the resource

Active Forward Proxy Policies

An active_forward_proxy_policies block supports the following:

• forward_proxy_policies - Optional Block
Ordered List of Forward Proxy Policies active
See Forward Proxy Policies below.

Active Forward Proxy Policies Forward Proxy Policies

A forward_proxy_policies block (within active_forward_proxy_policies) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Dynamic Proxy

A dynamic_proxy block supports the following:

• disable_dns_masquerade - Optional Block
Configuration parameter for disable DNS masquerade

• domains - Optional List
List of Domains to be proxied. Wildcard hosts are supported in the suffix or prefix form Supported Domains and search order: 1. Exact Domain names: www.example.com. 2

• enable_dns_masquerade - Optional Block
Configuration parameter for enable DNS masquerade

• http_proxy - Optional Block
Dynamic HTTP Proxy Type. Parameters for dynamic HTTP proxy
See HTTP Proxy below.

• https_proxy - Optional Block
Configuration parameter for HTTPS proxy
See HTTPS Proxy below.

• sni_proxy - Optional Block
Dynamic SNI Proxy Type. Parameters for dynamic SNI proxy
See Sni Proxy below.

Dynamic Proxy HTTP Proxy

A http_proxy block (within dynamic_proxy) supports the following:

• more_option - Optional Block
Defines various OPTIONS to define a route
See More Option below.

Dynamic Proxy HTTP Proxy More Option

A more_option block (within dynamic_proxy.http_proxy) supports the following:

• buffer_policy - Optional Block
Some upstream applications are not capable of handling streamed data. This config enables buffering the entire request before sending to upstream application. We can specify the maximum buffer size and buffer interval with this config
See Buffer Policy below.

• compression_params - Optional Block
Enables loadbalancer to compress dispatched data from an upstream service upon client request. The content is compressed and then sent to the client with the appropriate headers if either response and request allow. Only GZIP compression is supported
See Compression Params below.

• custom_errors - Optional Block
Map of integer error codes as keys and string values that can be used to provide custom HTTP pages for each error code. Key of the map can be either response code class or HTTP Error code. Response code classes for key is configured as follows 3 — for 3xx response code class 4 — for 4xx

• disable_default_error_pages - Optional Bool
Disable the use of default F5XC error pages

• disable_path_normalize - Optional Block
Enable this option

• enable_path_normalize - Optional Block
Enable this option

• idle_timeout - Optional Number
The amount of time that a stream can exist without upstream or downstream activity, in milliseconds. The stream is terminated with an HTTP 504 (Gateway Timeout) error code if no upstream response header has been received, otherwise the stream is reset

• max_request_header_size - Optional Number
The maximum request header size for downstream connections, in KiB. A HTTP 431 (Request Header Fields Too Large) error code is sent for requests that exceed this size. If multiple load balancers share the same advertise_policy, the highest value configured across all such load balancers is used

• max_requests_per_connection - Optional Number
Sets the maximum number of requests a downstream client can send over a single connection to Envoy. Enter a value >=1 to define the request limit per connection

• no_request_limit_per_connection - Optional Block
Configuration parameter for no request limit per connection

• request_cookies_to_add - Optional Block
Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied
See Request Cookies To Add below.

• request_cookies_to_remove - Optional List
List of keys of Cookies to be removed from the HTTP request being sent towards upstream

• request_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied
See Request Headers To Add below.

• request_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP request being sent towards upstream

• response_cookies_to_add - Optional Block
Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied
See Response Cookies To Add below.

• response_cookies_to_remove - Optional List
List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed

• response_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied
See Response Headers To Add below.

• response_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP response being sent towards downstream

Dynamic Proxy HTTP Proxy More Option Buffer Policy

Deeply nested Policy block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Compression Params

Deeply nested Params block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Request Cookies To Add

Deeply nested Add block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Request Cookies To Add Secret Value

Deeply nested Value block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Request Cookies To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Request Cookies To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Request Headers To Add

Deeply nested Add block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Request Headers To Add Secret Value

Deeply nested Value block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Request Headers To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Request Headers To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Response Cookies To Add

Deeply nested Add block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Response Cookies To Add Secret Value

Deeply nested Value block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Response Cookies To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Response Cookies To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Response Headers To Add

Deeply nested Add block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Response Headers To Add Secret Value

Deeply nested Value block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Response Headers To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTP Proxy More Option Response Headers To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy

A https_proxy block (within dynamic_proxy) supports the following:

• more_option - Optional Block
Defines various OPTIONS to define a route
See More Option below.

• tls_params - Optional Block
Inline TLS Parameters. Inline TLS parameters
See TLS Params below.

Dynamic Proxy HTTPS Proxy More Option

A more_option block (within dynamic_proxy.https_proxy) supports the following:

• disable_default_error_pages - Optional Bool
Disable the use of default F5XC error pages

• disable_path_normalize - Optional Block
Enable this option

• enable_path_normalize - Optional Block
Enable this option

• no_request_limit_per_connection - Optional Block
Configuration parameter for no request limit per connection

• request_cookies_to_remove - Optional List
List of keys of Cookies to be removed from the HTTP request being sent towards upstream

• request_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP request being sent towards upstream

• response_cookies_to_remove - Optional List
List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed

• response_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP response being sent towards downstream

Dynamic Proxy HTTPS Proxy More Option Buffer Policy

Deeply nested Policy block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Compression Params

Deeply nested Params block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Request Cookies To Add

Deeply nested Add block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Request Cookies To Add Secret Value

Deeply nested Value block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Request Cookies To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Request Cookies To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Request Headers To Add

Deeply nested Add block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Request Headers To Add Secret Value

Deeply nested Value block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Request Headers To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Request Headers To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Response Cookies To Add

Deeply nested Add block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Response Cookies To Add Secret Value

Deeply nested Value block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Response Cookies To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Response Cookies To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Response Headers To Add

Deeply nested Add block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Response Headers To Add Secret Value

Deeply nested Value block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Response Headers To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy More Option Response Headers To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params

A tls_params block (within dynamic_proxy.https_proxy) supports the following:

• no_mtls - Optional Block
Enable this option

• tls_certificates - Optional Block
Users can add one or more certificates that share the same set of domains. For example, domain.com and *.domain.com - but use different signature algorithms
See TLS Certificates below.

• tls_config - Optional Block
Defines various OPTIONS to configure TLS configuration parameters
See TLS Config below.

• use_mtls - Optional Block
Validation context for downstream client TLS connections
See Use mTLS below.

Dynamic Proxy HTTPS Proxy TLS Params TLS Certificates

Deeply nested Certificates block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params TLS Certificates Custom Hash Algorithms

Deeply nested Algorithms block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params TLS Certificates Private Key

Deeply nested Key block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params TLS Certificates Private Key Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params TLS Certificates Private Key Clear Secret Info

Deeply nested Info block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params TLS Config

Deeply nested Config block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params TLS Config Custom Security

Deeply nested Security block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params Use mTLS

Deeply nested mTLS block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params Use mTLS CRL

Deeply nested CRL block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params Use mTLS Trusted CA

Deeply nested CA block collapsed for readability.

Dynamic Proxy HTTPS Proxy TLS Params Use mTLS Xfcc Options

Deeply nested Options block collapsed for readability.

Dynamic Proxy Sni Proxy

A sni_proxy block (within dynamic_proxy) supports the following:

• idle_timeout - Optional Number
The amount of time that a stream can exist without upstream or downstream activity, in milliseconds

HTTP Proxy

A http_proxy block supports the following:

• enable_http - Optional Block
Configuration parameter for enable HTTP

• more_option - Optional Block
Defines various OPTIONS to define a route
See More Option below.

HTTP Proxy More Option

A more_option block (within http_proxy) supports the following:

• disable_default_error_pages - Optional Bool
Disable the use of default F5XC error pages

• disable_path_normalize - Optional Block
Enable this option

• enable_path_normalize - Optional Block
Enable this option

• no_request_limit_per_connection - Optional Block
Configuration parameter for no request limit per connection

• request_cookies_to_remove - Optional List
List of keys of Cookies to be removed from the HTTP request being sent towards upstream

• request_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP request being sent towards upstream

• response_cookies_to_remove - Optional List
List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed

• response_headers_to_remove - Optional List
List of keys of Headers to be removed from the HTTP response being sent towards downstream

HTTP Proxy More Option Buffer Policy

A buffer_policy block (within http_proxy.more_option) supports the following:

• disabled - Optional Bool
Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host

• max_request_bytes - Optional Number
The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response

HTTP Proxy More Option Compression Params

A compression_params block (within http_proxy.more_option) supports the following:

• content_length - Optional Number Defaults to 30
Minimum response length, in bytes, which will trigger compression. The

• content_type - Optional List
Set of strings that allows specifying which mime-types yield compression When this field is not defined, compression will be applied to the following mime-types: ‘application/JavaScript’ ‘application/JSON’, ‘application/xhtml+XML’ ‘image/svg+XML’ ‘text/CSS’ ‘text/HTML’ ‘text/plain’ ‘text/XML’

• disable_on_etag_header - Optional Bool
If true, disables compression when the response contains an etag header. When it is false, weak etags will be preserved and the ones that require strong validation will be removed

• remove_accept_encoding_header - Optional Bool
If true, removes accept-encoding from the request headers before dispatching it to the upstream so that responses do not GET compressed before reaching the filter

HTTP Proxy More Option Request Cookies To Add

Deeply nested Add block collapsed for readability.

HTTP Proxy More Option Request Cookies To Add Secret Value

Deeply nested Value block collapsed for readability.

HTTP Proxy More Option Request Cookies To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

HTTP Proxy More Option Request Cookies To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

HTTP Proxy More Option Request Headers To Add

Deeply nested Add block collapsed for readability.

HTTP Proxy More Option Request Headers To Add Secret Value

Deeply nested Value block collapsed for readability.

HTTP Proxy More Option Request Headers To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

HTTP Proxy More Option Request Headers To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

HTTP Proxy More Option Response Cookies To Add

Deeply nested Add block collapsed for readability.

HTTP Proxy More Option Response Cookies To Add Secret Value

Deeply nested Value block collapsed for readability.

HTTP Proxy More Option Response Cookies To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

HTTP Proxy More Option Response Cookies To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

HTTP Proxy More Option Response Headers To Add

Deeply nested Add block collapsed for readability.

HTTP Proxy More Option Response Headers To Add Secret Value

Deeply nested Value block collapsed for readability.

HTTP Proxy More Option Response Headers To Add Secret Value Blindfold Secret Info

Deeply nested Info block collapsed for readability.

HTTP Proxy More Option Response Headers To Add Secret Value Clear Secret Info

Deeply nested Info block collapsed for readability.

Site Virtual Sites

A site_virtual_sites block supports the following:

• advertise_where - Optional Block
Where should this load balancer be available
See Advertise Where below.

Site Virtual Sites Advertise Where

An advertise_where block (within site_virtual_sites) supports the following:

• port - Optional Number
TCP port to Listen

• site - Optional Block
Defines a reference to a CE site along with network type and an optional IP address where a load balancer could be advertised
See Site below.

• use_default_port - Optional Block
Enable this option

• virtual_site - Optional Block
Defines a reference to a customer site virtual site along with network type where a load balancer could be advertised
See Virtual Site below.

Site Virtual Sites Advertise Where Site

A site block (within site_virtual_sites.advertise_where) supports the following:

• ip - Optional String
Use given IP address as VIP on the site

• network - Optional String Defaults to SITE_NETWORK_INSIDE_AND_OUTSIDE
Possible values are SITE_NETWORK_INSIDE_AND_OUTSIDE, SITE_NETWORK_INSIDE, SITE_NETWORK_OUTSIDE, SITE_NETWORK_SERVICE, SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_IP_FABRIC
[Enum: SITE_NETWORK_INSIDE_AND_OUTSIDE|SITE_NETWORK_INSIDE|SITE_NETWORK_OUTSIDE|SITE_NETWORK_SERVICE|SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP|SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP|SITE_NETWORK_IP_FABRIC] Defines network types to be used on site All inside and outside networks. All inside and outside networks with internet VIP support. All inside networks

• site - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Site below.

Site Virtual Sites Advertise Where Site Site

A site block (within site_virtual_sites.advertise_where.site) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Site Virtual Sites Advertise Where Virtual Site

A virtual_site block (within site_virtual_sites.advertise_where) supports the following:

• virtual_site - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Virtual Site below.

Site Virtual Sites Advertise Where Virtual Site Virtual Site

Deeply nested Site block collapsed for readability.

Timeouts

A timeouts block supports the following:

• create - Optional String (Defaults to 10 minutes)
Used when creating the resource

• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource

• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource

• update - Optional String (Defaults to 10 minutes)
Used when updating the resource

TLS Intercept

A tls_intercept block supports the following:

• custom_certificate - Optional Block
Configuration parameter for custom certificate
See Custom Certificate below.

• enable_for_all_domains - Optional Block
Configuration parameter for enable for all domains

• policy - Optional Block
Policy to enable or disable TLS interception
See Policy below.

• trusted_ca_url - Optional String
Custom Root CA Certificate for validating upstream server certificate

• volterra_certificate - Optional Block
Configuration parameter for volterra certificate

• volterra_trusted_ca - Optional Block
Configuration parameter for volterra trusted CA

TLS Intercept Custom Certificate

A custom_certificate block (within tls_intercept) supports the following:

• certificate_url - Optional String
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers

• custom_hash_algorithms - Optional Block
Specifies the hash algorithms to be used
See Custom Hash Algorithms below.

• description_spec - Optional String
Description. Description for the certificate

• disable_ocsp_stapling - Optional Block
Configuration parameter for disable OCSP stapling

• private_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Private Key below.

• use_system_defaults - Optional Block
Configuration parameter for use system defaults

TLS Intercept Custom Certificate Custom Hash Algorithms

A custom_hash_algorithms block (within tls_intercept.custom_certificate) supports the following:

• hash_algorithms - Optional List Defaults to INVALID_HASH_ALGORITHM
Possible values are INVALID_HASH_ALGORITHM, SHA256, SHA1
[Enum: INVALID_HASH_ALGORITHM|SHA256|SHA1] Ordered list of hash algorithms to be used

TLS Intercept Custom Certificate Private Key

A private_key block (within tls_intercept.custom_certificate) supports the following:

• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.

• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.

TLS Intercept Custom Certificate Private Key Blindfold Secret Info

Deeply nested Info block collapsed for readability.

TLS Intercept Custom Certificate Private Key Clear Secret Info

Deeply nested Info block collapsed for readability.

TLS Intercept Policy

A policy block (within tls_intercept) supports the following:

• interception_rules - Optional Block
List of ordered rules to enable or disable for TLS interception
See Interception Rules below.

TLS Intercept Policy Interception Rules

An interception_rules block (within tls_intercept.policy) supports the following:

• disable_interception - Optional Block
Configuration parameter for disable interception

• domain_match - Optional Block
Configuration parameter for domain match
See Domain Match below.

• enable_interception - Optional Block
Configuration parameter for enable interception

TLS Intercept Policy Interception Rules Domain Match

A domain_match block (within tls_intercept.policy.interception_rules) supports the following:

• exact_value - Optional String
Exact domain name

• regex_value - Optional String
Regular Expression value for the domain name

• suffix_value - Optional String
Suffix of domain name e.g ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’

Common Types

The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.

Object Reference {#common-object-reference}

Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.

Field	Type	Description
`name`	String	Name of the referenced object
`namespace`	String	Namespace containing the referenced object
`tenant`	String	Tenant of the referenced object (system-managed)

Transformers {#common-transformers}

Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.

Value	Description
`LOWER_CASE`	Convert to lowercase
`UPPER_CASE`	Convert to uppercase
`BASE64_DECODE`	Decodebase64 content
`NORMALIZE_PATH`	Normalize URL path
`REMOVE_WHITESPACE`	Remove whitespace characters
`URL_DECODE`	Decode URL-encoded characters
`TRIM_LEFT`	Trim leading whitespace
`TRIM_RIGHT`	Trim trailing whitespace
`TRIM`	Trim both leading and trailing whitespace

HTTP Methods {#common-http-methods}

HTTP methods used for request matching.

Value	Description
`ANY`	Match any HTTP method
`GET`	HTTP GET request
`HEAD`	HTTP HEAD request
`POST`	HTTP POST request
`PUT`	HTTP PUT request
`DELETE`	HTTP DELETE request
`CONNECT`	HTTP CONNECT request
`OPTIONS`	HTTP OPTIONS request
`TRACE`	HTTP TRACE request
`PATCH`	HTTP PATCH request
`COPY`	HTTP COPY request (WebDAV)

TLS Fingerprints {#common-tls-fingerprints}

TLS fingerprint categories for malicious client detection.

Value	Description
`TLS_FINGERPRINT_NONE`	No fingerprint matching
`ANY_MALICIOUS_FINGERPRINT`	Match any known malicious fingerprint
`ADWARE`	Adware-associated fingerprints
`DRIDEX`	Dridex malware fingerprints
`GOOTKIT`	Gootkit malware fingerprints
`RANSOMWARE`	Ransomware-associated fingerprints
`TRICKBOT`	Trickbot malware fingerprints

IP Threat Categories {#common-ip-threat-categories}

IP address threat categories for security filtering.

Value	Description
`SPAM_SOURCES`	Known spam sources
`WINDOWS_EXPLOITS`	Windows exploit sources
`WEB_ATTACKS`	Web attack sources
`BOTNETS`	Known botnet IPs
`SCANNERS`	Network scanner IPs
`REPUTATION`	Poor reputation IPs
`PHISHING`	Phishing-related IPs
`PROXY`	Anonymous proxy IPs
`MOBILE_THREATS`	Mobile threat sources
`TOR_PROXY`	Tor exit nodes
`DENIAL_OF_SERVICE`	DoS attack sources
`NETWORK`	Known bad network ranges

Import

Import is supported using the following syntax:

# Import using namespace/name format
terraform import f5xc_proxy.example system/example