f5xc_service_policy Resource - terraform-provider-f5xc
f5xc_service_policy (Resource)
Manages a service_policy object in F5 Distributed Cloud. Creating this resource creates a new object in the storage backend for metadata.namespace.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage
# Service Policy Resource Example
# Manages a service_policy object in F5 Distributed Cloud; creates a new object in the storage backend for metadata.namespace.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Service Policy configuration
resource "f5xc_service_policy" "example" {
  name      = "example-service-policy"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Service Policy configuration
  algo = "FIRST_MATCH"

  # Allow specific paths
  rules {
    metadata {
      name = "allow-api"
    }
    spec {
      action = "ALLOW"
      path {
        prefix = "/api/"
      }
    }
  }
}

# The following optional fields have server-applied defaults and can be omitted:
# - port_matcher
# - any_server

Verified Configuration Examples
These configurations are extracted from acceptance tests verified against the live F5 XC API.
Allow List
resource "f5xc_service_policy" "test" {
  name      = "example"
  namespace = "system"

Deny All
resource "f5xc_service_policy" "test" {
  name      = "example"
  namespace = "system"

Deny List
resource "f5xc_service_policy" "test" {
  name      = "example"
  namespace = "system"

  deny_list {
    prefix_list {
      prefixes = ["172.16.0.0/12"]
    }
    default_action_allow {}
  }

  any_server {}
}

With Labels
resource "f5xc_service_policy" "test" {
  name        = "example"
  namespace   = "system"
  description = "Test service policy"

  labels = {
    environment = "test"
    team        = "security"
  }

Argument Reference
🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.
Minimum Configuration
Required fields:
• name
• namespace
Example (API format):
apiVersion: v1
kind: service_policy
metadata:
  name: allow-all
  namespace: default
spec:
  allow_all_requests: {}

Metadata Argument Reference
• name - Required String
Name of the Service Policy. Must be unique within the namespace
• namespace - Required String
Namespace where the Service Policy will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
-> One of the following:
• allow_all_requests - Optional Block
Configuration parameter for allow all requests
• allow_list - Optional Block
List of sources. A request belongs to this list if it satisfies any of the match criteria
See Allow List below for details.
• deny_all_requests - Optional Block
Configuration parameter for deny all requests
• deny_list - Optional Block
List of sources. A request belongs to this list if it satisfies any of the match criteria
See Deny List below for details.
• rule_list - Optional Block
List of rules. The order of evaluation of the rules depends on the rule combining algorithm
See Rule List below for details.
-> One of the following:
• any_server - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• server_name - Optional String
The expected name of the server to which the request API is directed. The actual names for the server are extracted from the HTTP Host header and the name of the virtual_host to which the request is directed. If the request is
• server_name_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
• server_selector - Optional Block
Type can be used to establish a ‘selector reference’ from one object (called selector) to a set of other objects (called selectees) based on the value of expressions. A label selector is a label query over a set of resources. An empty label selector matches all objects
• timeouts - Optional Block
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Allow List
An allow_list block supports the following:
• asn_list - Optional Block
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
See Asn List below.
• asn_set - Optional Block
Addresses that belong to the ASNs in the given bgp_asn_set. The ASN is obtained by performing a lookup for the source IPv4 address in a GeoIP DB
See Asn Set below.
• country_list - Optional List Defaults to COUNTRY_NONE
Possible values are COUNTRY_NONE, COUNTRY_AD, COUNTRY_AE, COUNTRY_AF, COUNTRY_AG, COUNTRY_AI, COUNTRY_AL, COUNTRY_AM, COUNTRY_AN, COUNTRY_AO, COUNTRY_AQ, COUNTRY_AR, COUNTRY_AS, COUNTRY_AT, COUNTRY_AU, COUNTRY_AW, COUNTRY_AX,
COUNTRY_AZ, COUNTRY_BA, COUNTRY_BB, COUNTRY_BD, COUNTRY_BE, COUNTRY_BF, COUNTRY_BG, COUNTRY_BH, COUNTRY_BI, COUNTRY_BJ, COUNTRY_BL, COUNTRY_BM, COUNTRY_BN, COUNTRY_BO, COUNTRY_BQ, COUNTRY_BR, COUNTRY_BS, COUNTRY_BT, COUNTRY_BV, COUNTRY_BW, COUNTRY_BY, COUNTRY_BZ, COUNTRY_CA, COUNTRY_CC, COUNTRY_CD, COUNTRY_CF, COUNTRY_CG, COUNTRY_CH,
COUNTRY_CI, COUNTRY_CK, COUNTRY_CL, COUNTRY_CM, COUNTRY_CN, COUNTRY_CO, COUNTRY_CR, COUNTRY_CS, COUNTRY_CU, COUNTRY_CV, COUNTRY_CW, COUNTRY_CX, COUNTRY_CY, COUNTRY_CZ, COUNTRY_DE, COUNTRY_DJ, COUNTRY_DK, COUNTRY_DM, COUNTRY_DO, COUNTRY_DZ, COUNTRY_EC, COUNTRY_EE, COUNTRY_EG, COUNTRY_EH, COUNTRY_ER, COUNTRY_ES, COUNTRY_ET, COUNTRY_FI,
COUNTRY_FJ, COUNTRY_FK, COUNTRY_FM, COUNTRY_FO, COUNTRY_FR, COUNTRY_GA, COUNTRY_GB, COUNTRY_GD, COUNTRY_GE, COUNTRY_GF, COUNTRY_GG, COUNTRY_GH, COUNTRY_GI, COUNTRY_GL, COUNTRY_GM, COUNTRY_GN, COUNTRY_GP, COUNTRY_GQ, COUNTRY_GR, COUNTRY_GS, COUNTRY_GT, COUNTRY_GU, COUNTRY_GW, COUNTRY_GY, COUNTRY_HK, COUNTRY_HM, COUNTRY_HN, COUNTRY_HR,
COUNTRY_HT, COUNTRY_HU, COUNTRY_ID, COUNTRY_IE, COUNTRY_IL, COUNTRY_IM, COUNTRY_IN, COUNTRY_IO, COUNTRY_IQ, COUNTRY_IR, COUNTRY_IS, COUNTRY_IT, COUNTRY_JE, COUNTRY_JM, COUNTRY_JO, COUNTRY_JP, COUNTRY_KE, COUNTRY_KG, COUNTRY_KH, COUNTRY_KI, COUNTRY_KM, COUNTRY_KN, COUNTRY_KP, COUNTRY_KR, COUNTRY_KW, COUNTRY_KY, COUNTRY_KZ, COUNTRY_LA,
COUNTRY_LB, COUNTRY_LC, COUNTRY_LI, COUNTRY_LK, COUNTRY_LR, COUNTRY_LS, COUNTRY_LT, COUNTRY_LU, COUNTRY_LV, COUNTRY_LY, COUNTRY_MA, COUNTRY_MC, COUNTRY_MD, COUNTRY_ME, COUNTRY_MF, COUNTRY_MG, COUNTRY_MH, COUNTRY_MK, COUNTRY_ML, COUNTRY_MM, COUNTRY_MN, COUNTRY_MO, COUNTRY_MP, COUNTRY_MQ, COUNTRY_MR, COUNTRY_MS, COUNTRY_MT, COUNTRY_MU,
COUNTRY_MV, COUNTRY_MW, COUNTRY_MX, COUNTRY_MY, COUNTRY_MZ, COUNTRY_NA, COUNTRY_NC, COUNTRY_NE, COUNTRY_NF, COUNTRY_NG, COUNTRY_NI, COUNTRY_NL, COUNTRY_NO, COUNTRY_NP, COUNTRY_NR, COUNTRY_NU, COUNTRY_NZ, COUNTRY_OM, COUNTRY_PA, COUNTRY_PE, COUNTRY_PF, COUNTRY_PG, COUNTRY_PH, COUNTRY_PK, COUNTRY_PL, COUNTRY_PM, COUNTRY_PN, COUNTRY_PR,
COUNTRY_PS, COUNTRY_PT, COUNTRY_PW, COUNTRY_PY, COUNTRY_QA, COUNTRY_RE, COUNTRY_RO, COUNTRY_RS, COUNTRY_RU, COUNTRY_RW, COUNTRY_SA, COUNTRY_SB, COUNTRY_SC, COUNTRY_SD, COUNTRY_SE, COUNTRY_SG, COUNTRY_SH, COUNTRY_SI, COUNTRY_SJ, COUNTRY_SK, COUNTRY_SL, COUNTRY_SM, COUNTRY_SN, COUNTRY_SO, COUNTRY_SR, COUNTRY_SS, COUNTRY_ST, COUNTRY_SV,
COUNTRY_SX, COUNTRY_SY, COUNTRY_SZ, COUNTRY_TC, COUNTRY_TD, COUNTRY_TF, COUNTRY_TG, COUNTRY_TH, COUNTRY_TJ, COUNTRY_TK, COUNTRY_TL, COUNTRY_TM, COUNTRY_TN, COUNTRY_TO, COUNTRY_TR, COUNTRY_TT, COUNTRY_TV, COUNTRY_TW, COUNTRY_TZ, COUNTRY_UA, COUNTRY_UG, COUNTRY_UM, COUNTRY_US, COUNTRY_UY, COUNTRY_UZ, COUNTRY_VA, COUNTRY_VC, COUNTRY_VE,
COUNTRY_VG, COUNTRY_VI, COUNTRY_VN, COUNTRY_VU, COUNTRY_WF, COUNTRY_WS, COUNTRY_XK, COUNTRY_XT, COUNTRY_YE, COUNTRY_YT, COUNTRY_ZA, COUNTRY_ZM, COUNTRY_ZW
Addresses that belong to one of the countries in the given list. The country is obtained by performing a lookup for the source IPv4 address in a GeoIP DB
• default_action_allow - Optional Block
Enable this option
• default_action_deny - Optional Block
Enable this option
• default_action_next_policy - Optional Block
Policy configuration for this feature
• ip_prefix_set - Optional Block
Addresses that are covered by the prefixes in the given ip_prefix_set
See IP Prefix Set below.
• prefix_list - Optional Block
List of IPv4 prefixes that represent an endpoint
See Prefix List below.
• tls_fingerprint_classes - Optional List Defaults to TLS_FINGERPRINT_NONE
See TLS Fingerprints
[Enum: TLS_FINGERPRINT_NONE|ANY_MALICIOUS_FINGERPRINT|ADWARE|ADWIND|DRIDEX|GOOTKIT|GOZI|JBIFROST|QUAKBOT|RANSOMWARE|TROLDESH|TOFSEE|TORRENTLOCKER|TRICKBOT] List of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against
• tls_fingerprint_values - Optional List
List of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against
Allow List Asn List
An asn_list block (within allow_list) supports the following:
• as_numbers - Optional List
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
Allow List Asn Set
An asn_set block (within allow_list) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Allow List IP Prefix Set
An ip_prefix_set block (within allow_list) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Allow List Prefix List
A prefix_list block (within allow_list) supports the following:
• prefixes - Optional List
List of IPv4 prefixes that represent an endpoint
Deny List
A deny_list block supports the following:
• asn_list - Optional Block
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
See Asn List below.
• asn_set - Optional Block
Addresses that belong to the ASNs in the given bgp_asn_set. The ASN is obtained by performing a lookup for the source IPv4 address in a GeoIP DB
See Asn Set below.
• country_list - Optional List Defaults to COUNTRY_NONE
Possible values are COUNTRY_NONE, COUNTRY_AD, COUNTRY_AE, COUNTRY_AF, COUNTRY_AG, COUNTRY_AI, COUNTRY_AL, COUNTRY_AM, COUNTRY_AN, COUNTRY_AO, COUNTRY_AQ, COUNTRY_AR, COUNTRY_AS, COUNTRY_AT, COUNTRY_AU, COUNTRY_AW, COUNTRY_AX,
COUNTRY_AZ, COUNTRY_BA, COUNTRY_BB, COUNTRY_BD, COUNTRY_BE, COUNTRY_BF, COUNTRY_BG, COUNTRY_BH, COUNTRY_BI, COUNTRY_BJ, COUNTRY_BL, COUNTRY_BM, COUNTRY_BN, COUNTRY_BO, COUNTRY_BQ, COUNTRY_BR, COUNTRY_BS, COUNTRY_BT, COUNTRY_BV, COUNTRY_BW, COUNTRY_BY, COUNTRY_BZ, COUNTRY_CA, COUNTRY_CC, COUNTRY_CD, COUNTRY_CF, COUNTRY_CG, COUNTRY_CH,
COUNTRY_CI, COUNTRY_CK, COUNTRY_CL, COUNTRY_CM, COUNTRY_CN, COUNTRY_CO, COUNTRY_CR, COUNTRY_CS, COUNTRY_CU, COUNTRY_CV, COUNTRY_CW, COUNTRY_CX, COUNTRY_CY, COUNTRY_CZ, COUNTRY_DE, COUNTRY_DJ, COUNTRY_DK, COUNTRY_DM, COUNTRY_DO, COUNTRY_DZ, COUNTRY_EC, COUNTRY_EE, COUNTRY_EG, COUNTRY_EH, COUNTRY_ER, COUNTRY_ES, COUNTRY_ET, COUNTRY_FI,
COUNTRY_FJ, COUNTRY_FK, COUNTRY_FM, COUNTRY_FO, COUNTRY_FR, COUNTRY_GA, COUNTRY_GB, COUNTRY_GD, COUNTRY_GE, COUNTRY_GF, COUNTRY_GG, COUNTRY_GH, COUNTRY_GI, COUNTRY_GL, COUNTRY_GM, COUNTRY_GN, COUNTRY_GP, COUNTRY_GQ, COUNTRY_GR, COUNTRY_GS, COUNTRY_GT, COUNTRY_GU, COUNTRY_GW, COUNTRY_GY, COUNTRY_HK, COUNTRY_HM, COUNTRY_HN, COUNTRY_HR,
COUNTRY_HT, COUNTRY_HU, COUNTRY_ID, COUNTRY_IE, COUNTRY_IL, COUNTRY_IM, COUNTRY_IN, COUNTRY_IO, COUNTRY_IQ, COUNTRY_IR, COUNTRY_IS, COUNTRY_IT, COUNTRY_JE, COUNTRY_JM, COUNTRY_JO, COUNTRY_JP, COUNTRY_KE, COUNTRY_KG, COUNTRY_KH, COUNTRY_KI, COUNTRY_KM, COUNTRY_KN, COUNTRY_KP, COUNTRY_KR, COUNTRY_KW, COUNTRY_KY, COUNTRY_KZ, COUNTRY_LA,
COUNTRY_LB, COUNTRY_LC, COUNTRY_LI, COUNTRY_LK, COUNTRY_LR, COUNTRY_LS, COUNTRY_LT, COUNTRY_LU, COUNTRY_LV, COUNTRY_LY, COUNTRY_MA, COUNTRY_MC, COUNTRY_MD, COUNTRY_ME, COUNTRY_MF, COUNTRY_MG, COUNTRY_MH, COUNTRY_MK, COUNTRY_ML, COUNTRY_MM, COUNTRY_MN, COUNTRY_MO, COUNTRY_MP, COUNTRY_MQ, COUNTRY_MR, COUNTRY_MS, COUNTRY_MT, COUNTRY_MU,
COUNTRY_MV, COUNTRY_MW, COUNTRY_MX, COUNTRY_MY, COUNTRY_MZ, COUNTRY_NA, COUNTRY_NC, COUNTRY_NE, COUNTRY_NF, COUNTRY_NG, COUNTRY_NI, COUNTRY_NL, COUNTRY_NO, COUNTRY_NP, COUNTRY_NR, COUNTRY_NU, COUNTRY_NZ, COUNTRY_OM, COUNTRY_PA, COUNTRY_PE, COUNTRY_PF, COUNTRY_PG, COUNTRY_PH, COUNTRY_PK, COUNTRY_PL, COUNTRY_PM, COUNTRY_PN, COUNTRY_PR,
COUNTRY_PS, COUNTRY_PT, COUNTRY_PW, COUNTRY_PY, COUNTRY_QA, COUNTRY_RE, COUNTRY_RO, COUNTRY_RS, COUNTRY_RU, COUNTRY_RW, COUNTRY_SA, COUNTRY_SB, COUNTRY_SC, COUNTRY_SD, COUNTRY_SE, COUNTRY_SG, COUNTRY_SH, COUNTRY_SI, COUNTRY_SJ, COUNTRY_SK, COUNTRY_SL, COUNTRY_SM, COUNTRY_SN, COUNTRY_SO, COUNTRY_SR, COUNTRY_SS, COUNTRY_ST, COUNTRY_SV,
COUNTRY_SX, COUNTRY_SY, COUNTRY_SZ, COUNTRY_TC, COUNTRY_TD, COUNTRY_TF, COUNTRY_TG, COUNTRY_TH, COUNTRY_TJ, COUNTRY_TK, COUNTRY_TL, COUNTRY_TM, COUNTRY_TN, COUNTRY_TO, COUNTRY_TR, COUNTRY_TT, COUNTRY_TV, COUNTRY_TW, COUNTRY_TZ, COUNTRY_UA, COUNTRY_UG, COUNTRY_UM, COUNTRY_US, COUNTRY_UY, COUNTRY_UZ, COUNTRY_VA, COUNTRY_VC, COUNTRY_VE,
COUNTRY_VG, COUNTRY_VI, COUNTRY_VN, COUNTRY_VU, COUNTRY_WF, COUNTRY_WS, COUNTRY_XK, COUNTRY_XT, COUNTRY_YE, COUNTRY_YT, COUNTRY_ZA, COUNTRY_ZM, COUNTRY_ZW
Addresses that belong to one of the countries in the given list. The country is obtained by performing a lookup for the source IPv4 address in a GeoIP DB
• default_action_allow - Optional Block
Enable this option
• default_action_deny - Optional Block
Enable this option
• default_action_next_policy - Optional Block
Policy configuration for this feature
• ip_prefix_set - Optional Block
Addresses that are covered by the prefixes in the given ip_prefix_set
See IP Prefix Set below.
• prefix_list - Optional Block
List of IPv4 prefixes that represent an endpoint
See Prefix List below.
• tls_fingerprint_classes - Optional List Defaults to TLS_FINGERPRINT_NONE
See TLS Fingerprints
[Enum: TLS_FINGERPRINT_NONE|ANY_MALICIOUS_FINGERPRINT|ADWARE|ADWIND|DRIDEX|GOOTKIT|GOZI|JBIFROST|QUAKBOT|RANSOMWARE|TROLDESH|TOFSEE|TORRENTLOCKER|TRICKBOT] List of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against
• tls_fingerprint_values - Optional List
List of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against
Deny List Asn List
An asn_list block (within deny_list) supports the following:
• as_numbers - Optional List
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
Deny List Asn Set
An asn_set block (within deny_list) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Deny List IP Prefix Set
An ip_prefix_set block (within deny_list) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Deny List Prefix List
A prefix_list block (within deny_list) supports the following:
• prefixes - Optional List
List of IPv4 prefixes that represent an endpoint
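A pre-apply review of the allow_list and deny_list arguments documented above, written as an added example (not part of the provider or its documentation). It assumes the resource arguments have been loaded into a plain dict keyed by the argument names on this page, and that a source matching a list gets that list's action while every other source gets the default action; the function names, the /8 breadth threshold and both sample policies are hypothetical.

```python
import ipaddress

# Argument names are the ones documented on this page.
POLICY_CHOICES = ("allow_all_requests", "allow_list", "deny_all_requests",
                  "deny_list", "rule_list")
MATCH_CRITERIA = ("asn_list", "asn_set", "country_list", "ip_prefix_set",
                  "prefix_list", "tls_fingerprint_classes",
                  "tls_fingerprint_values")
MIN_ALLOW_PREFIX_LEN = 8  # assumption: shorter allow-list prefixes count as too broad


def check_prefixes(prefixes, kind):
    """Validate prefix_list.prefixes entries for an allow_list or deny_list."""
    findings = []
    for raw in prefixes:
        try:
            # strict=True rejects prefixes with host bits set, e.g. 10.1.2.3/8
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            findings.append(f"{kind}: invalid prefix {raw!r}: {exc}")
            continue
        if net.version != 4:
            findings.append(f"{kind}: {raw} is not IPv4 (prefix_list is documented as IPv4)")
        elif kind == "allow_list" and net.prefixlen < MIN_ALLOW_PREFIX_LEN:
            findings.append(f"{kind}: {raw} admits {net.num_addresses} addresses")
    return findings


def audit_service_policy(policy):
    """Return review findings for one service policy given as a dict of arguments."""
    findings = []
    chosen = [c for c in POLICY_CHOICES if c in policy]
    if len(chosen) != 1:  # the page lists these under "One of the following"
        findings.append(f"set exactly one policy choice, found {chosen}")
    if "allow_all_requests" in policy:
        findings.append("allow_all_requests: the policy filters nothing")
    for kind in ("allow_list", "deny_list"):
        block = policy.get(kind)
        if block is None:
            continue
        criteria = [c for c in MATCH_CRITERIA if block.get(c)]
        if not criteria:
            findings.append(f"{kind}: no match criteria, only the default action applies")
        # The page: a request belongs to the list if it satisfies ANY criterion.
        if kind == "allow_list" and len(criteria) > 1:
            findings.append(f"allow_list: {criteria} are OR-ed, each one widens the list")
        if "default_action_allow" in block:
            findings.append(f"{kind}: default_action_allow is fail-open for unlisted sources")
        prefixes = (block.get("prefix_list") or {}).get("prefixes", [])
        findings.extend(check_prefixes(prefixes, kind))
    return findings


# Constructed sample: mirrors the Deny List example on this page.
SAMPLE_DENY = {
    "name": "example", "namespace": "system",
    "deny_list": {"prefix_list": {"prefixes": ["172.16.0.0/12"]},
                  "default_action_allow": {}},
    "any_server": {},
}
# Constructed sample: an allow list with several review problems.
SAMPLE_ALLOW = {
    "name": "partners", "namespace": "system",
    "allow_list": {
        "prefix_list": {"prefixes": ["0.0.0.0/1", "10.1.2.3/8", "192.0.2.0/24"]},
        "country_list": ["COUNTRY_DE"],
        "default_action_allow": {},
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_DENY, SAMPLE_ALLOW):
        print(sample["name"])
        for finding in audit_service_policy(sample):
            print("  -", finding)
```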
Rule List
A rule_list block supports the following:
• rules - Optional Block
Define the list of rules (with an order) that should be evaluated by this service policy. Rules are evaluated from top to bottom in the list
See Rules below.
Rule List Rules
A rules block (within rule_list) supports the following:
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user during create
See Metadata below.
• spec - Optional Block
Shape of service_policy_rule in the storage backend
See Spec below.
Rule List Rules Metadata
A metadata block (within rule_list.rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Rule List Rules Spec
A spec block (within rule_list.rules) supports the following:
• action - Optional String Defaults to DENY
Possible values are DENY, ALLOW, NEXT_POLICY
The rule action determines the disposition of the input request API. If a policy matches a rule with an ALLOW action, the processing of the request proceeds forward. If it matches a rule with a DENY action, the processing of the request is terminated and an appropriate message/code returned to
• any_asn - Optional Block
Enable this option
• any_client - Optional Block
Enable this option
• any_ip - Optional Block
Enable this option
• api_group_matcher - Optional Block
Matcher specifies a list of values for matching an input string. The match is considered successful if the input value is present in the list. The result of the match is inverted if invert_matcher is true
See API Group Matcher below.
• arg_matchers - Optional Block
List of predicates for all POST args that need to be matched. The criteria for matching each arg are described in individual instances of ArgMatcherType. The actual arg values are extracted from the request API as a list of strings for each arg selector name
See Arg Matchers below.
• asn_list - Optional Block
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
See Asn List below.
• asn_matcher - Optional Block
Match any AS number contained in the list of bgp_asn_sets
See Asn Matcher below.
• body_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Body Matcher below.
• bot_action - Optional Block
Modify Bot protection behavior for a matching request. The modification could be to entirely skip Bot processing
See Bot Action below.
• client_name - Optional String
The expected name of the client invoking the request API. The predicate evaluates to true if any of the actual names is the same as the expected client name
• client_name_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Client Name Matcher below.
• client_selector - Optional Block
Type can be used to establish a ‘selector reference’ from one object (called selector) to a set of other objects (called selectees) based on the value of expressions. A label selector is a label query over a set of resources. An empty label selector matches all objects
See Client Selector below.
• cookie_matchers - Optional Block
List of predicates for all cookies that need to be matched. The criteria for matching each cookie is described in individual instances of CookieMatcherType. The actual cookie values are extracted from the request API as a list of strings for each cookie name
See Cookie Matchers below.
• domain_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Domain Matcher below.
• expiration_timestamp - Optional String
Specifies the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is no longer applied
• headers - Optional Block
List of predicates for various HTTP headers that need to match. The criteria for matching each HTTP header are described in individual HeaderMatcherType instances. The actual HTTP header values are extracted from the request API as a list of strings for each HTTP header type
See Headers below.
• http_method - Optional Block
HTTP method matcher specifies a list of methods to match an input HTTP method. The match is considered successful if the input method is a member of the list. The result of the match based on the method list is inverted if invert_matcher is true
See HTTP Method below.
• ip_matcher - Optional Block
Match any IP prefix contained in the list of ip_prefix_sets. The result of the match is inverted if invert_matcher is true
See IP Matcher below.
• ip_prefix_list - Optional Block
List of IP Prefix strings to match against
See IP Prefix List below.
• ip_threat_category_list - Optional Block
IP Threat Category List Type. List of IP threat categories
See IP Threat Category List below.
• ja4_tls_fingerprint - Optional Block
Extended version of JA3 that includes additional fields for more comprehensive fingerprinting of SSL/TLS clients and potentially has a different structure and length
See Ja4 TLS Fingerprint below.
• jwt_claims - Optional Block
List of predicates for various JWT claims that need to match. The criteria for matching each JWT claim are described in individual JWTClaimMatcherType instances. The actual JWT claims values are extracted from the JWT payload as a list of strings
See JWT Claims below.
• label_matcher - Optional Block
Label matcher specifies a list of label keys whose values need to match for source/client and destination/server. Note that the actual label values are not specified and do not matter. This allows an ability to scope grouping by the label key name
See Label Matcher below.
• mum_action - Optional Block
Modify behavior for a matching request. The modification could be to entirely skip processing
See Mum Action below.
• path - Optional Block
Path matcher specifies multiple criteria for matching an HTTP path string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of path prefixes, a list of exact path values and a list of regular expressions
See Path below.
• port_matcher - Optional Block
Port matcher specifies a list of port ranges as match criteria. The match is considered successful if the input port falls within any of the port ranges. The result of the match is inverted if invert_matcher is true. Server applies default when omitted
See Port Matcher below.
• query_params - Optional Block
List of predicates for all query parameters that need to be matched. The criteria for matching each query parameter are described in individual instances of QueryParameterMatcherType. The actual query parameter values are extracted from the request API as a list of strings for each query
See Query Params below.
• request_constraints - Optional Block
Configuration parameter for request constraints
See Request Constraints below.
• segment_policy - Optional Block
Configure source and destination segment for policy
See Segment Policy below.
• tls_fingerprint_matcher - Optional Block
TLS fingerprint matcher specifies multiple criteria for matching a TLS fingerprint. The set of supported positive match criteria includes a list of known classes of TLS fingerprints and a list of exact values. The match is considered successful if either of these positive criteria are satisfied
See TLS Fingerprint Matcher below.
• user_identity_matcher - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See User Identity Matcher below.
• waf_action - Optional Block
Modify App Firewall behavior for a matching request. The modification could either be to entirely skip firewall processing or to customize the firewall rules to be applied as defined by App Firewall Rule Control settings
See WAF Action below.
Rule List Rules Spec API Group Matcher
An api_group_matcher block (within rule_list.rules.spec) supports the following:
• invert_matcher - Optional Bool
Invert String Matcher. Invert the match result
• match - Optional List
List of exact values to match the input against
Rule List Rules Spec Arg Matchers
An arg_matchers block (within rule_list.rules.spec) supports the following:
• check_not_present - Optional Block
Configuration parameter for check not present
• check_present - Optional Block
Configuration parameter for check present
• invert_matcher - Optional Bool
Invert Matcher. Invert Match of the expression defined
• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.
• name - Optional String
Case-sensitive JSON path in the HTTP request body
Rule List Rules Spec Arg Matchers Item
An item block (within rule_list.rules.spec.arg_matchers) supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching
Rule List Rules Spec Asn List
An asn_list block (within rule_list.rules.spec) supports the following:
• as_numbers - Optional List
Unordered set of RFC 6793 defined 4-byte AS numbers that can be used to create allow or deny lists for use in network policy or service policy. It can be used to create the allow list only for DNS Load Balancer
Rule List Rules Spec Asn Matcher
An asn_matcher block (within rule_list.rules.spec) supports the following:
• asn_sets - Optional Block
List of references to bgp_asn_set objects
See Asn Sets below.
Rule List Rules Spec Asn Matcher Asn Sets
Deeply nested Sets block collapsed for readability.
Rule List Rules Spec Body Matcher
A body_matcher block (within rule_list.rules.spec) supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching
Rule List Rules Spec Bot Action
A bot_action block (within rule_list.rules.spec) supports the following:
• bot_skip_processing - Optional Block
Enable this option
• none - Optional Block
Enable this option
Rule List Rules Spec Client Name Matcher
A client_name_matcher block (within rule_list.rules.spec) supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching
Rule List Rules Spec Client Selector
A client_selector block (within rule_list.rules.spec) supports the following:
• expressions - Optional List
Expressions contains the Kubernetes style label expression for selections
Rule List Rules Spec Cookie Matchers
A cookie_matchers block (within rule_list.rules.spec) supports the following:
• check_not_present - Optional Block
Configuration parameter for check not present
• check_present - Optional Block
Configuration parameter for check present
• invert_matcher - Optional Bool
Invert Matcher. Invert Match of the expression defined
• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.
• name - Optional String
Case-sensitive cookie name
Rule List Rules Spec Cookie Matchers Item
An item block (within rule_list.rules.spec.cookie_matchers) supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching
Rule List Rules Spec Domain Matcher
A domain_matcher block (within rule_list.rules.spec) supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching
Rule List Rules Spec Headers
A headers block (within rule_list.rules.spec) supports the following:
• check_not_present - Optional Block
Configuration parameter for check not present
• check_present - Optional Block
Configuration parameter for check present
• invert_matcher - Optional Bool
Invert Header Matcher. Invert the match result
• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.
• name - Optional String
Case-insensitive HTTP header name
Rule List Rules Spec Headers Item
An item block (within rule_list.rules.spec.headers) supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching
Rule List Rules Spec HTTP Method
An http_method block (within rule_list.rules.spec) supports the following:
• invert_matcher - Optional Bool
Invert Method Matcher. Invert the match result
• methods - Optional List Defaults to ANY
See HTTP Methods
List of methods values to match against
Rule List Rules Spec IP Matcher
An ip_matcher block (within rule_list.rules.spec) supports the following:
• invert_matcher - Optional Bool
Invert IP Matcher. Invert the match result
• prefix_sets - Optional Block
List of references to ip_prefix_set objects
See Prefix Sets below.
Rule List Rules Spec IP Matcher Prefix Sets
Deeply nested Sets block collapsed for readability.
Rule List Rules Spec IP Prefix List
An ip_prefix_list block (within rule_list.rules.spec) supports the following:
• invert_match - Optional Bool
Invert Match Result. Invert the match result
• ip_prefixes - Optional List
IPv4 Prefix List. List of IPv4 prefix strings
Rule List Rules Spec IP Threat Category List
Deeply nested List block collapsed for readability.
Rule List Rules Spec Ja4 TLS Fingerprint
A ja4_tls_fingerprint block (within rule_list.rules.spec) supports the following:
• exact_values - Optional List
List of exact JA4 TLS fingerprints to match the input JA4 TLS fingerprint against
Rule List Rules Spec JWT Claims
A jwt_claims block (within rule_list.rules.spec) supports the following:
• check_not_present - Optional Block
Configuration parameter for check not present
• check_present - Optional Block
Configuration parameter for check present
• invert_matcher - Optional Bool
Invert Matcher. Invert the match result
• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.
• name - Optional String
JWT Claim Name. JWT claim name
Rule List Rules Spec JWT Claims Item
An item block (within rule_list.rules.spec.jwt_claims) supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching
Rule List Rules Spec Label Matcher
A label_matcher block (within rule_list.rules.spec) supports the following:
• keys - Optional List
The list of label key names that have to match
Rule List Rules Spec Mum Action
A mum_action block (within rule_list.rules.spec) supports the following:
• default - Optional Block
Enable this option
• skip_processing - Optional Block
Enable this option
Rule List Rules Spec Path
A path block (within rule_list.rules.spec) supports the following:
• exact_values - Optional List
List of exact path values to match the input HTTP path against
• invert_matcher - Optional Bool
Invert Path Matcher. Invert the match result
• prefix_values - Optional List
List of path prefix values to match the input HTTP path against
• regex_values - Optional List
List of regular expressions to match the input HTTP path against
• suffix_values - Optional List
List of path suffix values to match the input HTTP path against
• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching
Rule List Rules Spec Port Matcher
A port_matcher block (within rule_list.rules.spec) supports the following:
• invert_matcher - Optional Bool
Invert Port Matcher. Invert the match result
• ports - Optional List
List of strings, each of which is a single port value or a tuple of start and end port values separated by ’-’. The start and end values are considered to be part of the range
Rule List Rules Spec Query Params
A query_params block (within rule_list.rules.spec) supports the following:
• check_not_present - Optional Block
Configuration parameter for check not present
• check_present - Optional Block
Configuration parameter for check present
• invert_matcher - Optional Bool
Invert Query Parameter Matcher. Invert the match result
• item - Optional Block
Matcher specifies multiple criteria for matching an input string. The match is considered successful if any of the criteria are satisfied. The set of supported match criteria includes a list of exact values and a list of regular expressions
See Item below.
• key - Optional String
Case-sensitive HTTP query parameter name
Rule List Rules Spec Query Params Item
An item block (within rule_list.rules.spec.query_params) supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
• transformers - Optional List
See Transformers
Ordered list of transformers (starting from index 0) to be applied to the path before matching
Rule List Rules Spec Request Constraints
A request_constraints block (within rule_list.rules.spec) supports the following:
• max_cookie_count_exceeds - Optional Number
Match on the Count for all Cookies that exceed this value
• max_cookie_count_none - Optional Block
Configuration parameter for max cookie count none
• max_cookie_key_size_exceeds - Optional Number
• max_cookie_key_size_none - Optional Block
Configuration parameter for max cookie key size none
• max_cookie_value_size_exceeds - Optional Number
• max_cookie_value_size_none - Optional Block
Configuration parameter for max cookie value size none
• max_header_count_exceeds - Optional Number
Match on the Count for all Headers that exceed this value
• max_header_count_none - Optional Block
Configuration parameter for max header count none
• max_header_key_size_exceeds - Optional Number
• max_header_key_size_none - Optional Block
Configuration parameter for max header key size none
• max_header_value_size_exceeds - Optional Number
• max_header_value_size_none - Optional Block
Configuration parameter for max header value size none
• max_parameter_count_exceeds - Optional Number
• max_parameter_count_none - Optional Block
Configuration parameter for max parameter count none
• max_parameter_name_size_exceeds - Optional Number
• max_parameter_name_size_none - Optional Block
Enable this option
• max_parameter_value_size_exceeds - Optional Number
• max_parameter_value_size_none - Optional Block
Configuration parameter for max parameter value size none
• max_query_size_exceeds - Optional Number
Match on the URL Query Size that exceeds this value
• max_query_size_none - Optional Block
Configuration parameter for max query size none
• max_request_line_size_exceeds - Optional Number
• max_request_line_size_none - Optional Block
Configuration parameter for max request line size none
• max_request_size_exceeds - Optional Number
Match on the Request Size that exceeds this value
• max_request_size_none - Optional Block
Configuration parameter for max request size none
• max_url_size_exceeds - Optional Number
Match on the URL Size that exceeds this value
• max_url_size_none - Optional Block
Enable this option
Rule List Rules Spec Segment Policy
A segment_policy block (within rule_list.rules.spec) supports the following:
• dst_any - Optional Block
Enable this option
• dst_segments - Optional Block
List of references to Segments
See Dst Segments below.
• intra_segment - Optional Block
Configuration parameter for intra segment
• src_any - Optional Block
Enable this option
• src_segments - Optional Block
List of references to Segments
See Src Segments below.
Rule List Rules Spec Segment Policy Dst Segments
Deeply nested Segments block collapsed for readability.
Rule List Rules Spec Segment Policy Dst Segments Segments
Deeply nested Segments block collapsed for readability.
Rule List Rules Spec Segment Policy Src Segments
Deeply nested Segments block collapsed for readability.
Rule List Rules Spec Segment Policy Src Segments Segments
Deeply nested Segments block collapsed for readability.
Rule List Rules Spec TLS Fingerprint Matcher
A tls_fingerprint_matcher block (within rule_list.rules.spec) supports the following:
• classes - Optional List Defaults to TLS_FINGERPRINT_NONE
See TLS Fingerprints
[Enum: TLS_FINGERPRINT_NONE|ANY_MALICIOUS_FINGERPRINT|ADWARE|ADWIND|DRIDEX|GOOTKIT|GOZI|JBIFROST|QUAKBOT|RANSOMWARE|TROLDESH|TOFSEE|TORRENTLOCKER|TRICKBOT] List of known classes of TLS fingerprints to match the input TLS JA3 fingerprint against
• exact_values - Optional List
List of exact TLS JA3 fingerprints to match the input TLS JA3 fingerprint against
• excluded_values - Optional List
List of TLS JA3 fingerprints to be excluded when matching the input TLS JA3 fingerprint. This can be used to skip known false positives when using one or more known TLS fingerprint classes in the enclosing matcher
Rule List Rules Spec User Identity Matcher
A user_identity_matcher block (within rule_list.rules.spec) supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
Rule List Rules Spec WAF Action
A waf_action block (within rule_list.rules.spec) supports the following:
• app_firewall_detection_control - Optional Block
Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria
See App Firewall Detection Control below.
• none - Optional Block
Enable this option
• waf_skip_processing - Optional Block
Enable this option
Rule List Rules Spec WAF Action App Firewall Detection Control
Deeply nested Control block collapsed for readability.
Rule List Rules Spec WAF Action App Firewall Detection Control Exclude Attack Type Contexts
Deeply nested Contexts block collapsed for readability.
Rule List Rules Spec WAF Action App Firewall Detection Control Exclude Bot Name Contexts
Deeply nested Contexts block collapsed for readability.
Rule List Rules Spec WAF Action App Firewall Detection Control Exclude Signature Contexts
Deeply nested Contexts block collapsed for readability.
Rule List Rules Spec WAF Action App Firewall Detection Control Exclude Violation Contexts
Deeply nested Contexts block collapsed for readability.
Server Name Matcher
A server_name_matcher block supports the following:
• exact_values - Optional List
List of exact values to match the input against
• regex_values - Optional List
List of regular expressions to match the input against
Server Selector
A server_selector block supports the following:
• expressions - Optional List
Expressions contains the Kubernetes style label expression for selections
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
Common Types
The following type definitions are used throughout this resource. They are defined in full here rather than repeated inline.
Object Reference
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
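The transformer list is ordered, so the same two transformers can produce a different match result depending on their sequence. The following Python model is an added illustration (not code from the provider or from F5 XC) of a path block evaluated with transformers, any-of criteria and invert_matcher. The Python behaviour attached to each transformer name and the unanchored regex search are assumptions, and NORMALIZE_PATH is left out because its exact behaviour is not specified on this page.

```python
import base64
import re
from urllib.parse import unquote

# Names come from the Transformers table; the Python behaviour bound to each
# name is an assumption made for this illustration.
TRANSFORMERS = {
    "LOWER_CASE": str.lower,
    "UPPER_CASE": str.upper,
    "URL_DECODE": unquote,
    "REMOVE_WHITESPACE": lambda s: "".join(s.split()),
    "TRIM_LEFT": str.lstrip,
    "TRIM_RIGHT": str.rstrip,
    "TRIM": str.strip,
    "BASE64_DECODE": lambda s: base64.b64decode(s).decode("utf-8", "replace"),
}


def apply_transformers(value, transformers):
    """Apply transformers in list order, starting from index 0."""
    for name in transformers:
        if name not in TRANSFORMERS:
            raise ValueError(f"transformer not modelled here: {name}")
        value = TRANSFORMERS[name](value)
    return value


def path_matches(path, matcher):
    """Evaluate a dict shaped like the `path` block against an HTTP path.

    The match succeeds if any criterion is satisfied; invert_matcher flips
    the final result.
    """
    value = apply_transformers(path, matcher.get("transformers", []))
    hit = (
        value in matcher.get("exact_values", [])
        or any(value.startswith(p) for p in matcher.get("prefix_values", []))
        or any(value.endswith(s) for s in matcher.get("suffix_values", []))
        # Assumption: regular expressions are searched unanchored.
        or any(re.search(r, value) is not None
               for r in matcher.get("regex_values", []))
    )
    return (not hit) if matcher.get("invert_matcher", False) else hit


# Constructed sample input: "%41" is the URL encoding of "A".
SAMPLE_PATH = "/%41PI/v1/Users"

DECODE_THEN_LOWER = {
    "prefix_values": ["/api/"],
    "transformers": ["URL_DECODE", "LOWER_CASE"],
}
LOWER_THEN_DECODE = {
    "prefix_values": ["/api/"],
    "transformers": ["LOWER_CASE", "URL_DECODE"],
}
NO_TRANSFORMERS = {"prefix_values": ["/api/"]}

if __name__ == "__main__":
    for label, matcher in [
        ("URL_DECODE, LOWER_CASE", DECODE_THEN_LOWER),
        ("LOWER_CASE, URL_DECODE", LOWER_THEN_DECODE),
        ("no transformers", NO_TRANSFORMERS),
    ]:
        transformed = apply_transformers(
            SAMPLE_PATH, matcher.get("transformers", []))
        print(f"{label:24} -> {transformed:18} "
              f"match={path_matches(SAMPLE_PATH, matcher)}")
```

Lower-casing before decoding leaves the decoded "A" in upper case, so the "/api/" prefix no longer matches; decoding first gives the expected result.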
HTTP Methods
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:
# Import using namespace/name format
terraform import f5xc_service_policy.example system/example