f5xc_secret_management_access Resource - terraform-provider-f5xc

f5xc_secret_management_access (Resource)

Manages secret_management_access creates a new object in storage backend for metadata.namespace. in F5 Distributed Cloud.

~> Note For more information about this resource, please refer to the F5 XC API Documentation.

Example Usage

# Secret Management Access Resource Example
# Manages secret_management_access creates a new object in storage backend for metadata.namespace. in F5 Distributed Cloud.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Secret Management Access configuration
resource "f5xc_secret_management_access" "example" {
  name      = "example-secret-management-access"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Resource-specific configuration
  # HostAccessInfoType contains the information about how to ...
  access_info {
    # Configure access_info settings
  }
  # Authentication parameters for REST based hosts.
  rest_auth_info {
    # Configure rest_auth_info settings
  }
  # AuthnTypeBasicAuth is used for using basic_auth mode of H...
  basic_auth {
    # Configure basic_auth settings
  }
}

Argument Reference

🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.

Metadata Argument Reference

• name - Required String
Name of the Secret Management Access. Must be unique within the namespace

• namespace - Required String
Namespace where the Secret Management Access will be created

• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata

• description - Optional String
Human readable description for the object

• disable - Optional Bool
A value of true will administratively disable the object

• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering

Spec Argument Reference

• access_info - Optional Block
HostAccessInfoType contains the information about how to connect to the remote host
See Access Info below for details.

• provider_name - Required String
Name given to this secret management backend. site.provider needs to be unique, and will be referenced for using this object

• timeouts - Optional Block
See Timeouts below for details.

• where - Optional Block
NetworkSiteRefSelector defines a union of reference to site or reference to virtual_network or reference to virtual_site It is used to determine virtual network using following rules * Direct reference to virtual_network object * Site local network when refering to site object * All site local
See Where below for details.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

• id - Optional String
Unique identifier for the resource

Access Info

An access_info block supports the following:

• rest_auth_info - Optional Block
Authentication parameters for REST based hosts
See REST Auth Info below.

• scheme - Optional String Defaults to HTTP
Possible values are HTTP, HTTPS
[Enum: HTTP|HTTPS] SchemeType is used to indicate URL scheme HTTP:// scheme HTTPS:// scheme

• server_endpoint - Optional String
Endpoint to connect to, in host:port format

• tls_config - Optional Block
TLS configuration for upstream connections
See TLS Config below.

• vault_auth_info - Optional Block
Authentication parameters for Hashicorp Vault hosts
See Vault Auth Info below.

Access Info REST Auth Info

A rest_auth_info block (within access_info) supports the following:

• basic_auth - Optional Block
AuthnTypeBasicAuth is used for using basic_auth mode of HTTP authentication
See Basic Auth below.

• headers_auth - Optional Block
AuthnTypeHeaders is used for setting headers for authentication
See Headers Auth below.

• query_params_auth - Optional Block
AuthnTypeQueryParams is used for setting query_params for authentication
See Query Params Auth below.

Access Info REST Auth Info Basic Auth

A basic_auth block (within access_info.rest_auth_info) supports the following:

• password - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Password below.

• username - Optional String
The username to encode in Basic Auth scheme

Access Info REST Auth Info Basic Auth Password

Deeply nested Password block collapsed for readability.

Access Info REST Auth Info Basic Auth Password Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Access Info REST Auth Info Basic Auth Password Clear Secret Info

Deeply nested Info block collapsed for readability.

Access Info REST Auth Info Headers Auth

A headers_auth block (within access_info.rest_auth_info) supports the following:

• headers - Optional Block
The set of authentication headers to pass in HTTP request

Access Info REST Auth Info Query Params Auth

Deeply nested Auth block collapsed for readability.

Access Info TLS Config

A tls_config block (within access_info) supports the following:

• cert_params - Optional Block
Certificate Parameters for authentication, TLS ciphers, and trust store
See Cert Params below.

• common_params - Optional Block
Information of different aspects for TLS authentication related to ciphers, certificates and trust store
See Common Params below.

• default_session_key_caching - Optional Block
Configuration parameter for default session key caching

• disable_session_key_caching - Optional Block
Configuration parameter for disable session key caching

• disable_sni - Optional Block
Configuration parameter for disable sni

• max_session_keys - Optional Number
Number of session keys that are cached

• sni - Optional String
SNI value to be used

• use_host_header_as_sni - Optional Block
Enable this option

Access Info TLS Config Cert Params

A cert_params block (within access_info.tls_config) supports the following:

• certificates - Optional Block
Client TLS Certificate required for mTLS authentication
See Certificates below.

• cipher_suites - Optional List
The following list specifies the supported cipher suite TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

• maximum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is enumeration of supported TLS versions F5 Distributed Cloud will choose the optimal TLS version

• minimum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3
[Enum: TLS_AUTO|TLSv1_0|TLSv1_1|TLSv1_2|TLSv1_3] TlsProtocol is enumeration of supported TLS versions F5 Distributed Cloud will choose the optimal TLS version

• validation_params - Optional Block
Includes URL for a trust store, whether SAN verification is required and list of Subject Alt Names for verification
See Validation Params below.

Access Info TLS Config Cert Params Certificates

A certificates block (within access_info.tls_config.cert_params) supports the following:

• kind - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. ‘route’)

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

• uid - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid

Access Info TLS Config Cert Params Validation Params

Deeply nested Params block collapsed for readability.

Access Info TLS Config Cert Params Validation Params Trusted CA

Deeply nested CA block collapsed for readability.

Access Info TLS Config Cert Params Validation Params Trusted CA Trusted CA List

Deeply nested List block collapsed for readability.

Access Info TLS Config Common Params

A common_params block (within access_info.tls_config) supports the following:

• tls_certificates - Optional Block
TLS Certificates. Set of TLS certificates
See TLS Certificates below.

• validation_params - Optional Block
Includes URL for a trust store, whether SAN verification is required and list of Subject Alt Names for verification
See Validation Params below.

Access Info TLS Config Common Params TLS Certificates

Deeply nested Certificates block collapsed for readability.

Access Info TLS Config Common Params TLS Certificates Custom Hash Algorithms

Deeply nested Algorithms block collapsed for readability.

Access Info TLS Config Common Params TLS Certificates Private Key

Deeply nested Key block collapsed for readability.

Access Info TLS Config Common Params TLS Certificates Private Key Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Access Info TLS Config Common Params TLS Certificates Private Key Clear Secret Info

Deeply nested Info block collapsed for readability.

Access Info TLS Config Common Params Validation Params

Deeply nested Params block collapsed for readability.

Access Info TLS Config Common Params Validation Params Trusted CA

Deeply nested CA block collapsed for readability.

Access Info TLS Config Common Params Validation Params Trusted CA Trusted CA List

Deeply nested List block collapsed for readability.

Access Info Vault Auth Info

A vault_auth_info block (within access_info) supports the following:

• app_role_auth - Optional Block
AppRoleAuthInfoType contains parameters for AppRole authentication in Hashicorp Vault
See App Role Auth below.

• token - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Token below.

Access Info Vault Auth Info App Role Auth

Deeply nested Auth block collapsed for readability.

Access Info Vault Auth Info App Role Auth Secret ID

Deeply nested ID block collapsed for readability.

Access Info Vault Auth Info App Role Auth Secret ID Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Access Info Vault Auth Info App Role Auth Secret ID Clear Secret Info

Deeply nested Info block collapsed for readability.

Access Info Vault Auth Info Token

A token block (within access_info.vault_auth_info) supports the following:

• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.

• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.

Access Info Vault Auth Info Token Blindfold Secret Info

Deeply nested Info block collapsed for readability.

Access Info Vault Auth Info Token Clear Secret Info

Deeply nested Info block collapsed for readability.

Timeouts

A timeouts block supports the following:

• create - Optional String (Defaults to 10 minutes)
Used when creating the resource

• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource

• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource

• update - Optional String (Defaults to 10 minutes)
Used when updating the resource

Where

A where block supports the following:

• site - Optional Block
Specifies a direct reference to a site configuration object
See Site below.

• virtual_network - Optional Block
Specifies a direct reference to a network configuration object
See Virtual Network below.

• virtual_site - Optional Block
Virtual Site. A reference to virtual_site object
See Virtual Site below.

Where Site

A site block (within where) supports the following:

• disable_internet_vip - Optional Block
Enable this option

• enable_internet_vip - Optional Block
Enable this option

• network_type - Optional String Defaults to VIRTUAL_NETWORK_SITE_LOCAL
Possible values are VIRTUAL_NETWORK_SITE_LOCAL, VIRTUAL_NETWORK_SITE_LOCAL_INSIDE, VIRTUAL_NETWORK_PER_SITE, VIRTUAL_NETWORK_PUBLIC, VIRTUAL_NETWORK_GLOBAL, VIRTUAL_NETWORK_SITE_SERVICE, VIRTUAL_NETWORK_VER_INTERNAL, VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE, VIRTUAL_NETWORK_IP_AUTO, VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK, VIRTUAL_NETWORK_SRV6_NETWORK, VIRTUAL_NETWORK_IP_FABRIC, VIRTUAL_NETWORK_SEGMENT, VIRTUAL_NETWORK_MANAGEMENT
[Enum: VIRTUAL_NETWORK_SITE_LOCAL|VIRTUAL_NETWORK_SITE_LOCAL_INSIDE|VIRTUAL_NETWORK_PER_SITE|VIRTUAL_NETWORK_PUBLIC|VIRTUAL_NETWORK_GLOBAL|VIRTUAL_NETWORK_SITE_SERVICE|VIRTUAL_NETWORK_VER_INTERNAL|VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE|VIRTUAL_NETWORK_IP_AUTO|VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK|VIRTUAL_NETWORK_SRV6_NETWORK|VIRTUAL_NETWORK_IP_FABRIC|VIRTUAL_NETWORK_SEGMENT|VIRTUAL_NETWORK_MANAGEMENT] Different types of virtual networks understood by the system Virtual-network of type VIRTUAL_NETWORK_SITE_LOCAL provides connectivity to public (outside) network. This is an insecure network and is connected to public internet via NAT Gateways/firwalls Virtual-network of this type is local to

• ref - Optional Block
Reference. A site direct reference
See Ref below.

Where Site Ref

A ref block (within where.site) supports the following:

• kind - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. ‘route’)

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

• uid - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid

Where Virtual Network

A virtual_network block (within where) supports the following:

• ref - Optional Block
Virtual network direct reference
See Ref below.

Where Virtual Network Ref

A ref block (within where.virtual_network) supports the following:

• kind - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. ‘route’)

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

• uid - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid

Where Virtual Site

A virtual_site block (within where) supports the following:

• disable_internet_vip - Optional Block
Enable this option

• enable_internet_vip - Optional Block
Enable this option

• ref - Optional Block
Virtual_site direct reference
See Ref below.

Where Virtual Site Ref

A ref block (within where.virtual_site) supports the following:

• kind - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then kind will hold the referred object’s kind (e.g. ‘route’)

• name - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then name will hold the referred object’s(e.g. Route’s) name

• namespace - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then namespace will hold the referred object’s(e.g. Route’s) namespace

• tenant - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then tenant will hold the referred object’s(e.g. Route’s) tenant

• uid - Optional String
When a configuration object(e.g. Virtual_host) refers to another(e.g route) then uid will hold the referred object’s(e.g. Route’s) uid

Common Types

The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.

Object Reference {#common-object-reference}

Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.

Field	Type	Description
`name`	String	Name of the referenced object
`namespace`	String	Namespace containing the referenced object
`tenant`	String	Tenant of the referenced object (system-managed)

Transformers {#common-transformers}

Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.

Value	Description
`LOWER_CASE`	Convert to lowercase
`UPPER_CASE`	Convert to uppercase
`BASE64_DECODE`	Decodebase64 content
`NORMALIZE_PATH`	Normalize URL path
`REMOVE_WHITESPACE`	Remove whitespace characters
`URL_DECODE`	Decode URL-encoded characters
`TRIM_LEFT`	Trim leading whitespace
`TRIM_RIGHT`	Trim trailing whitespace
`TRIM`	Trim both leading and trailing whitespace

HTTP Methods {#common-http-methods}

HTTP methods used for request matching.

Value	Description
`ANY`	Match any HTTP method
`GET`	HTTP GET request
`HEAD`	HTTP HEAD request
`POST`	HTTP POST request
`PUT`	HTTP PUT request
`DELETE`	HTTP DELETE request
`CONNECT`	HTTP CONNECT request
`OPTIONS`	HTTP OPTIONS request
`TRACE`	HTTP TRACE request
`PATCH`	HTTP PATCH request
`COPY`	HTTP COPY request (WebDAV)

TLS Fingerprints {#common-tls-fingerprints}

TLS fingerprint categories for malicious client detection.

Value	Description
`TLS_FINGERPRINT_NONE`	No fingerprint matching
`ANY_MALICIOUS_FINGERPRINT`	Match any known malicious fingerprint
`ADWARE`	Adware-associated fingerprints
`DRIDEX`	Dridex malware fingerprints
`GOOTKIT`	Gootkit malware fingerprints
`RANSOMWARE`	Ransomware-associated fingerprints
`TRICKBOT`	Trickbot malware fingerprints

IP Threat Categories {#common-ip-threat-categories}

IP address threat categories for security filtering.

Value	Description
`SPAM_SOURCES`	Known spam sources
`WINDOWS_EXPLOITS`	Windows exploit sources
`WEB_ATTACKS`	Web attack sources
`BOTNETS`	Known botnet IPs
`SCANNERS`	Network scanner IPs
`REPUTATION`	Poor reputation IPs
`PHISHING`	Phishing-related IPs
`PROXY`	Anonymous proxy IPs
`MOBILE_THREATS`	Mobile threat sources
`TOR_PROXY`	Tor exit nodes
`DENIAL_OF_SERVICE`	DoS attack sources
`NETWORK`	Known bad network ranges

Import

Import is supported using the following syntax:

# Import using namespace/name format
terraform import f5xc_secret_management_access.example system/example