f5xc_rate_limiter_policy Resource - terraform-provider-f5xc

f5xc_rate_limiter_policy (Resource)

Manages a Rate Limiter Policy resource in F5 Distributed Cloud for rate limiter policy create specification. configuration.

~> Note For more information about this resource, please refer to the F5 XC API Documentation.

Example Usage

# Rate Limiter Policy Resource Example
# Manages a Rate Limiter Policy resource in F5 Distributed Cloud for rate limiter policy create specification. configuration.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Rate Limiter Policy configuration
resource "f5xc_rate_limiter_policy" "example" {
  name      = "example-rate-limiter-policy"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Resource-specific configuration
  # [OneOf: any_server, server_name, server_name_matcher, ser...
  any_server {
    # Configure any_server settings
  }
  # Matcher specifies multiple criteria for matching an input...
  server_name_matcher {
    # Configure server_name_matcher settings
  }
  # Type can be used to establish a 'selector reference' from...
  server_selector {
    # Configure server_selector settings
  }
}

# The following optional fields have server-applied defaults and can be omitted:
# - rules

Argument Reference

🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.

Minimum Configuration

Required fields:

name
namespace
burst_size
committed_information_rate

Example (API format):

apiVersion: v1
kind: rate_limiter_policy
metadata:
  name: example-rl
  namespace: default
spec:
  burst_size: 1
  committed_information_rate: 1

Metadata Argument Reference

• name - Required String
Name of the Rate Limiter Policy. Must be unique within the namespace

• namespace - Required String
Namespace where the Rate Limiter Policy will be created

• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata

• description - Optional String
Human readable description for the object

• disable - Optional Bool
A value of true will administratively disable the object

• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering

Spec Argument Reference

-> One of the following: • any_server - Optional Block
Enable this option

• server_name - Optional String
The expected name of the server. The actual names for the server are extracted from the HTTP Host header and the name of the virtual_host for the request

• server_name_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Server Name Matcher below for details.

• server_selector - Optional Block
Type can be used to establish a ‘selector reference’ from one object(called selector) to a set of other objects(called selectees) based on the value of expressions. A label selector is a label query over a set of resources. An empty label selector matches all objects
See Server Selector below for details.

• rules - Optional Block Defaults to []
List of RateLimiterRules that are evaluated sequentially till a matching rule is identified. Server applies default when omitted
See Rules below for details.

• timeouts - Optional Block
See Timeouts below for details.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

• id - Optional String
Unique identifier for the resource

Rules

A rules block supports the following:

• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.

• spec - Optional Block
Rate Limiter Rule Specification. Shape of Rate Limiter Rule
See Spec below.

Rules Metadata

A metadata block (within rules) supports the following:

• description_spec - Optional String
Description. Human readable description

• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format

Rules Spec

A spec block (within rules) supports the following:

• any_asn - Optional Block
Enable this option

• any_country - Optional Block
Configuration parameter for any country

• any_ip - Optional Block
Enable this option

• apply_rate_limiter - Optional Block
Configuration parameter for apply rate limiter

• asn_list - Optional Block
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
See Asn List below.

• asn_matcher - Optional Block
Match any AS number contained in the list of bgp_asn_sets
See Asn Matcher below.

• bypass_rate_limiter - Optional Block
Configuration parameter for bypass rate limiter

• country_list - Optional Block
Country Codes List. List of Country Codes to match against
See Country List below.

• custom_rate_limiter - Optional Block
Type establishes a direct reference from one object(the referrer) to another(the referred). Such a reference is in form of tenant/namespace/name
See Custom Rate Limiter below.

• domain_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Domain Matcher below.

• headers - Optional Block
List of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type
See Headers below.

• http_method - Optional Block
HTTP method matcher specifies a list of methods to match an input HTTP method. The match is considered successful if the input method is a member of the list. The result of the match based on the method list is inverted if invert_matcher is true
See HTTP Method below.

• ip_matcher - Optional Block
Match any IP prefix contained in the list of ip_prefix_sets. The result of the match is inverted if invert_matcher is true
See IP Matcher below.

• ip_prefix_list - Optional Block
List of IP Prefix strings to match against
See IP Prefix List below.

• path - Optional Block
Path matcher specifies multiple criteria for matching an HTTP path string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of path prefixes, a list of exact path values and a list of regular expressions
See Path below.

Rules Spec Asn List

An asn_list block (within rules.spec) supports the following:

• as_numbers - Optional List
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer

Rules Spec Asn Matcher

An asn_matcher block (within rules.spec) supports the following:

• asn_sets - Optional Block
List of references to bgp_asn_set objects
See Asn Sets below.

Rules Spec Asn Matcher Asn Sets

An asn_sets block (within rules.spec.asn_matcher) supports the following:

• kind - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. ‘route’)

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

• uid - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid

Rules Spec Country List

A country_list block (within rules.spec) supports the following:

• invert_match - Optional Bool
Invert Match Result. Invert the match result

Rules Spec Custom Rate Limiter

A custom_rate_limiter block (within rules.spec) supports the following:

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

Rules Spec Domain Matcher

A domain_matcher block (within rules.spec) supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

Rules Spec Headers

A headers block (within rules.spec) supports the following:

• check_not_present - Optional Block
Configuration parameter for check not present

• check_present - Optional Block
Configuration parameter for check present

• invert_matcher - Optional Bool
Invert Header Matcher. Invert the match result

• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.

• name - Optional String
Case-insensitive HTTP header name

Rules Spec Headers Item

An item block (within rules.spec.headers) supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching

Rules Spec HTTP Method

A http_method block (within rules.spec) supports the following:

• invert_matcher - Optional Bool
Invert Method Matcher. Invert the match result

• methods - Optional List Defaults to ANY
See HTTP Methods
List of methods values to match against

Rules Spec IP Matcher

An ip_matcher block (within rules.spec) supports the following:

• invert_matcher - Optional Bool
Invert IP Matcher. Invert the match result

• prefix_sets - Optional Block
List of references to ip_prefix_set objects
See Prefix Sets below.

Rules Spec IP Matcher Prefix Sets

A prefix_sets block (within rules.spec.ip_matcher) supports the following:

• kind - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. ‘route’)

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

• uid - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid

Rules Spec IP Prefix List

An ip_prefix_list block (within rules.spec) supports the following:

• invert_match - Optional Bool
Invert Match Result. Invert the match result

• ip_prefixes - Optional List
IPv4 Prefix List. List of IPv4 prefix strings

Rules Spec Path

A path block (within rules.spec) supports the following:

• exact_values - Optional List
List of exact path values to match the input HTTP path against

• invert_matcher - Optional Bool
Invert Path Matcher. Invert the match result

• prefix_values - Optional List
List of path prefix values to match the input HTTP path against

• regex_values - Optional List
List of regular expressions to match the input HTTP path against

• suffix_values - Optional List
List of path suffix values to match the input HTTP path against

• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching

Server Name Matcher

A server_name_matcher block supports the following:

• exact_values - Optional List
List of exact values to match the input against

• regex_values - Optional List
List of regular expressions to match the input against

Server Selector

A server_selector block supports the following:

• expressions - Optional List
Expressions contains the Kubernetes style label expression for selections

Timeouts

A timeouts block supports the following:

• create - Optional String (Defaults to 10 minutes)
Used when creating the resource

• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource

• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource

• update - Optional String (Defaults to 10 minutes)
Used when updating the resource

Common Types

The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.

Object Reference {#common-object-reference}

Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.

Field	Type	Description
`name`	String	Name of the referenced object
`namespace`	String	Namespace containing the referenced object
`tenant`	String	Tenant of the referenced object (system-managed)

Transformers {#common-transformers}

Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.

Value	Description
`LOWER_CASE`	Convert to lowercase
`UPPER_CASE`	Convert to uppercase
`BASE64_DECODE`	Decodebase64 content
`NORMALIZE_PATH`	Normalize URL path
`REMOVE_WHITESPACE`	Remove whitespace characters
`URL_DECODE`	Decode URL-encoded characters
`TRIM_LEFT`	Trim leading whitespace
`TRIM_RIGHT`	Trim trailing whitespace
`TRIM`	Trim both leading and trailing whitespace

HTTP Methods {#common-http-methods}

HTTP methods used for request matching.

Value	Description
`ANY`	Match any HTTP method
`GET`	HTTP GET request
`HEAD`	HTTP HEAD request
`POST`	HTTP POST request
`PUT`	HTTP PUT request
`DELETE`	HTTP DELETE request
`CONNECT`	HTTP CONNECT request
`OPTIONS`	HTTP OPTIONS request
`TRACE`	HTTP TRACE request
`PATCH`	HTTP PATCH request
`COPY`	HTTP COPY request (WebDAV)

TLS Fingerprints {#common-tls-fingerprints}

TLS fingerprint categories for malicious client detection.

Value	Description
`TLS_FINGERPRINT_NONE`	No fingerprint matching
`ANY_MALICIOUS_FINGERPRINT`	Match any known malicious fingerprint
`ADWARE`	Adware-associated fingerprints
`DRIDEX`	Dridex malware fingerprints
`GOOTKIT`	Gootkit malware fingerprints
`RANSOMWARE`	Ransomware-associated fingerprints
`TRICKBOT`	Trickbot malware fingerprints

IP Threat Categories {#common-ip-threat-categories}

IP address threat categories for security filtering.

Value	Description
`SPAM_SOURCES`	Known spam sources
`WINDOWS_EXPLOITS`	Windows exploit sources
`WEB_ATTACKS`	Web attack sources
`BOTNETS`	Known botnet IPs
`SCANNERS`	Network scanner IPs
`REPUTATION`	Poor reputation IPs
`PHISHING`	Phishing-related IPs
`PROXY`	Anonymous proxy IPs
`MOBILE_THREATS`	Mobile threat sources
`TOR_PROXY`	Tor exit nodes
`DENIAL_OF_SERVICE`	DoS attack sources
`NETWORK`	Known bad network ranges

Import

Import is supported using the following syntax:

# Import using namespace/name format
terraform import f5xc_rate_limiter_policy.example system/example