f5xc_tcp_loadbalancer (Resource)
Manages a TCP Load Balancer resource in F5 Distributed Cloud for load balancing TCP traffic across origin pools.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage
    # TCP Loadbalancer Resource Example
    # Manages a TCP Load Balancer resource in F5 Distributed Cloud for load balancing TCP traffic across origin pools.

    terraform {
      required_version = ">= 1.0"

      required_providers {
        f5xc = {
          source  = "f5xc-salesdemos/f5xc"
          version = ">= 0.1.0"
        }
      }
    }

    # Basic TCP Loadbalancer configuration
    resource "f5xc_tcp_loadbalancer" "example" {
      name      = "example-tcp-loadbalancer"
      namespace = "staging"

      labels = {
        environment = "production"
        managed_by  = "terraform"
      }

      annotations = {
        "owner" = "platform-team"
      }

      # TCP Load Balancer specific configuration
      listen_port = 8443

      # Advertise on public internet
      advertise_on_internet {
        default_vip {}
      }

      # Origin pools
      origin_pools_weights {
        pool {
          name      = "example-tcp-pool"
          namespace = "staging"
        }
        weight = 1
      }

      # DNS for TCP load balancer
      dns_volterra_managed = true

      # No retract cluster by default
      retract_cluster {}
    }

    # The following optional fields have server-applied defaults and can be omitted:
    # - dns_volterra_managed
    # - idle_timeout
    # - hash_policy_choice_round_robin
    # - no_sni
    # - retract_cluster
    # - service_policies_from_namespace
    # - tcp
Verified Configuration Examples
These configurations are extracted from acceptance tests verified against the live F5 XC API.
All Attributes
    resource "f5xc_origin_pool" "test" {
      name      = "example-pool"
      namespace = "system"
      port      = 443

      origin_servers {
        labels {}
        public_name {
          dns_name = "example.com"
        }
      }

      no_tls {}
      same_as_endpoint_port {}
    }

    resource "f5xc_tcp_loadbalancer" "test" {
      name        = "example"
      namespace   = "system"
      description = "Acceptance test tcp loadbalancer with all attributes"

      labels = {
        environment = "test"
        managed_by  = "terraform-acceptance-test"
      }

      annotations = {
        purpose = "acceptance-testing"
        owner   = "ci-cd"
      }

      domains     = ["example.example.com"]
      listen_port = 443
      tcp {}
      sni {}

      origin_pools_weights {
        pool {
          name      = f5xc_origin_pool.test.name
          namespace = "system"
        }
        weight = 1
      }

      advertise_on_public_default_vip {}
    }
With Annotations
    resource "f5xc_origin_pool" "test" {
      name      = "example-pool"
      namespace = "system"
      port      = 443

      origin_servers {
        labels {}
        public_name {
          dns_name = "example.com"
        }
      }

      no_tls {}
      same_as_endpoint_port {}
    }

    resource "f5xc_tcp_loadbalancer" "test" {
      name      = "example"
      namespace = "system"

      labels = {
        environment = "test"
        managed_by  = "terraform-acceptance-test"
      }

      annotations = {
        test_key = "example-value"
      }

      domains     = ["example.example.com"]
      listen_port = 443
      tcp {}
      sni {}

      origin_pools_weights {
        pool {
          name      = f5xc_origin_pool.test.name
          namespace = "system"
        }
        weight = 1
      }

      advertise_on_public_default_vip {}
    }
With Description
    resource "f5xc_origin_pool" "test" {
      name      = "example-pool"
      namespace = "system"
      port      = 443

      origin_servers {
        labels {}
        public_name {
          dns_name = "example.com"
        }
      }

      no_tls {}
      same_as_endpoint_port {}
    }

    resource "f5xc_tcp_loadbalancer" "test" {
      name        = "example"
      namespace   = "system"
      description = "example-value"

      labels = {
        environment = "test"
        managed_by  = "terraform-acceptance-test"
      }

      domains     = ["example.example.com"]
      listen_port = 443
      tcp {}
      sni {}

      origin_pools_weights {
        pool {
          name      = f5xc_origin_pool.test.name
          namespace = "system"
        }
        weight = 1
      }

      advertise_on_public_default_vip {}
    }
With Healthcheck
    resource "f5xc_healthcheck" "test" {
      name      = "example-hc"
      namespace = "system"

      healthy_threshold   = 3
      unhealthy_threshold = 1
      timeout             = 3
      interval            = 15

      tcp_health_check {}
    }

    resource "f5xc_origin_pool" "test" {
      name      = "example-pool"
      namespace = "system"
      port      = 443

      origin_servers {
        labels {}
        public_name {
          dns_name = "example.com"
        }
      }

      healthcheck {
        name      = f5xc_healthcheck.test.name
        namespace = "system"
      }

      no_tls {}
      same_as_endpoint_port {}
    }

    resource "f5xc_tcp_loadbalancer" "test" {
      name      = "example"
      namespace = "system"

      domains     = ["example.example.com"]
      listen_port = 443
      tcp {}
      sni {}

      origin_pools_weights {
        pool {
          name      = f5xc_origin_pool.test.name
          namespace = "system"
        }
        weight = 1
      }

      advertise_on_public_default_vip {}
    }
With Labels
    resource "f5xc_origin_pool" "test" {
      name      = "example-pool"
      namespace = "system"
      port      = 443

      origin_servers {
        labels {}
        public_name {
          dns_name = "example.com"
        }
      }

      no_tls {}
      same_as_endpoint_port {}
    }

    resource "f5xc_tcp_loadbalancer" "test" {
      name      = "example"
      namespace = "system"

      labels = {
        environment = "example-value"
        managed_by  = "example-description"
      }

      domains     = ["example.example.com"]
      listen_port = 443
      tcp {}
      sni {}

      origin_pools_weights {
        pool {
          name      = f5xc_origin_pool.test.name
          namespace = "system"
        }
        weight = 1
      }

      advertise_on_public_default_vip {}
    }
With Listen Port
    resource "f5xc_origin_pool" "test" {
      name      = "example-pool"
      namespace = "system"
      port      = 443

      origin_servers {
        labels {}
        public_name {
          dns_name = "example.com"
        }
      }

      no_tls {}
      same_as_endpoint_port {}
    }

    resource "f5xc_tcp_loadbalancer" "test" {
      name      = "example"
      namespace = "system"

      labels = {
        environment = "test"
        managed_by  = "terraform-acceptance-test"
      }

      domains     = ["example.example.com"]
      listen_port = 443

      tcp {}
      sni {}

      origin_pools_weights {
        pool {
          name      = f5xc_origin_pool.test.name
          namespace = "system"
        }
        weight = 1
      }

      advertise_on_public_default_vip {}
    }
Argument Reference
🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.
~> Dependencies — This resource requires: origin_pool.
Minimum Configuration
Required fields:
• name
• namespace
• origin_pools
Example (API format):
    apiVersion: v1
    kind: tcp_loadbalancer
    metadata:
      name: database-lb
      namespace: default
    spec:
      listener:
        port: 5432
        protocol: "TCP"
      origin_pools:
        - pool_name: postgres-cluster
      advertise:
        - public_ip: true
Metadata Argument Reference
• name - Required String
Name of the TCP Load Balancer. Must be unique within the namespace
• namespace - Required String
Namespace where the TCP Load Balancer will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
-> One of the following:
• active_service_policies - Optional Block
Configuration parameter for active service policies
See Active Service Policies below for details.
• no_service_policies - Optional Block
Configuration parameter for no service policies
-> One of the following:
• advertise_custom - Optional Block
Defines a way to advertise a VIP on specific sites
See Advertise Custom below for details.
• advertise_on_public - Optional Block
Defines a way to advertise a load balancer on public. If optional public_ip is provided, it will only be advertised on RE sites where that public_ip is available
See Advertise On Public below for details.
• advertise_on_public_default_vip - Optional Block
Enable this option
-> One of the following:
• default_lb_with_sni - Optional Block
Configuration parameter for default LB with sni
• no_sni - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• dns_volterra_managed - Optional Bool Defaults to false
DNS records for domains will be managed automatically by F5 Distributed Cloud. This requires the domain to be delegated to F5XC using the Delegated Domain feature. Server applies default when omitted
• do_not_advertise - Optional Block
Configuration parameter for do not advertise
-> One of the following:
• do_not_retract_cluster - Optional Block
Enable this option
• retract_cluster - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• domains - Optional List
List of Domains (host/authority header) that will be matched to this Load Balancer. Supported Domains and search order: 1. Exact Domain names: www.example.com. 2
-> One of the following:
• hash_policy_choice_least_active - Optional Block
Enable this option
• hash_policy_choice_random - Optional Block
Configuration parameter for hash policy choice random
• hash_policy_choice_round_robin - Optional Block Defaults to map[]
Configuration parameter for hash policy choice round robin. Server applies default when omitted
• hash_policy_choice_source_ip_stickiness - Optional Block
Enable this option
• idle_timeout - Optional Number
The amount of time that a stream can exist without upstream or downstream activity, in milliseconds. Server applies default when omitted
-> One of the following:
• listen_port - Optional Number
Listen Port for this load balancer
• port_ranges - Optional String
A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by ’-’
• origin_pools_weights - Optional Block
Origin pools and weights used for this load balancer
See Origin Pools Weights below for details.
• service_policies_from_namespace - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• sni - Optional Block
Enable this option
-> One of the following:
• tcp - Optional Block Defaults to map[]
Enable this option. Server applies default when omitted
• tls_tcp - Optional Block
Choice for selecting TLS over TCP proxy with bring your own certificates
See TLS TCP below for details.
• tls_tcp_auto_cert - Optional Block
Choice for selecting TLS over TCP proxy with automatic certificates
• timeouts - Optional Block
See Timeouts below for details.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Active Service Policies
An active_service_policies block supports the following:
• policies - Optional Block
Service Policies is a sequential engine where policies (and rules within the policy) are evaluated one after the other. It’s important to define the correct order (policies evaluated from top to bottom in the list) for service policies, to get the intended result. For each request, its
See Policies below.
Active Service Policies Policies
A policies block (within active_service_policies) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Advertise Custom
An advertise_custom block supports the following:
• advertise_where - Optional Block
Where should this load balancer be available
See Advertise Where below.
Advertise Custom Advertise Where
An advertise_where block (within advertise_custom) supports the following:
• advertise_on_public - Optional Block
Defines a way to advertise a load balancer on public. If optional public_ip is provided, it will only be advertised on RE sites where that public_ip is available
See Advertise On Public below.
• port - Optional Number
Port to Listen
• port_ranges - Optional String
A string containing a comma separated list of port ranges. Each port range consists of a single port or two ports separated by ’-’
• site - Optional Block
Defines a reference to a CE site along with network type and an optional IP address where a load balancer could be advertised
See Site below.
• use_default_port - Optional Block
Enable this option
• virtual_network - Optional Block
Parameters to advertise on a given virtual network
See Virtual Network below.
• virtual_site - Optional Block
Defines a reference to a customer site virtual site along with network type where a load balancer could be advertised
See Virtual Site below.
• virtual_site_with_vip - Optional Block
Defines a reference to a customer site virtual site along with network type and IP where a load balancer could be advertised
See Virtual Site With VIP below.
• vk8s_service - Optional Block
Defines a reference to a RE site or virtual site where a load balancer could be advertised in the vK8s service network
See Vk8s Service below.
Advertise Custom Advertise Where Advertise On Public
An advertise_on_public block (within advertise_custom.advertise_where) supports the following:
• public_ip - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Public IP below.
Advertise Custom Advertise Where Advertise On Public Public IP
Deeply nested IP block collapsed for readability.
Advertise Custom Advertise Where Site
A site block (within advertise_custom.advertise_where) supports the following:
• ip - Optional String
Use given IP address as VIP on the site
• network - Optional String Defaults to SITE_NETWORK_INSIDE_AND_OUTSIDE
Possible values are SITE_NETWORK_INSIDE_AND_OUTSIDE, SITE_NETWORK_INSIDE, SITE_NETWORK_OUTSIDE, SITE_NETWORK_SERVICE, SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_IP_FABRIC
Defines network types to be used on site. All inside and outside networks. All inside and outside networks with internet VIP support. All inside networks
• site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Site below.
Advertise Custom Advertise Where Site Site
A site block (within advertise_custom.advertise_where.site) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Advertise Custom Advertise Where Virtual Network
A virtual_network block (within advertise_custom.advertise_where) supports the following:
• default_v6_vip - Optional Block
Enable this option
• default_vip - Optional Block
Enable this option
• specific_v6_vip - Optional String
Use given IPv6 address as VIP on virtual Network
• specific_vip - Optional String
Use given IPv4 address as VIP on virtual Network
• virtual_network - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Virtual Network below.
Advertise Custom Advertise Where Virtual Network Virtual Network
Deeply nested Network block collapsed for readability.
Advertise Custom Advertise Where Virtual Site
A virtual_site block (within advertise_custom.advertise_where) supports the following:
• network - Optional String Defaults to SITE_NETWORK_INSIDE_AND_OUTSIDE
Possible values are SITE_NETWORK_INSIDE_AND_OUTSIDE, SITE_NETWORK_INSIDE, SITE_NETWORK_OUTSIDE, SITE_NETWORK_SERVICE, SITE_NETWORK_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_INSIDE_AND_OUTSIDE_WITH_INTERNET_VIP, SITE_NETWORK_IP_FABRIC
Defines network types to be used on site. All inside and outside networks. All inside and outside networks with internet VIP support. All inside networks
• virtual_site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Virtual Site below.
Advertise Custom Advertise Where Virtual Site Virtual Site
Deeply nested Site block collapsed for readability.
Advertise Custom Advertise Where Virtual Site With VIP
Deeply nested VIP block collapsed for readability.
Advertise Custom Advertise Where Virtual Site With VIP Virtual Site
Deeply nested Site block collapsed for readability.
Advertise Custom Advertise Where Vk8s Service
A vk8s_service block (within advertise_custom.advertise_where) supports the following:
• site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Site below.
• virtual_site - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Virtual Site below.
Advertise Custom Advertise Where Vk8s Service Site
A site block (within advertise_custom.advertise_where.vk8s_service) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Advertise Custom Advertise Where Vk8s Service Virtual Site
Deeply nested Site block collapsed for readability.
Advertise On Public
An advertise_on_public block supports the following:
• public_ip - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Public IP below.
Advertise On Public Public IP
A public_ip block (within advertise_on_public) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Pools Weights
An origin_pools_weights block supports the following:
• cluster - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Cluster below.
• endpoint_subsets - Optional Block
Upstream origin pool may be configured to divide its origin servers into subsets based on metadata attached to the origin servers. Routes may then specify the metadata that an endpoint must match in order to be selected by the load balancer. For origin servers which are discovered in K8S or Consul
• pool - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Pool below.
• priority - Optional Number
Priority of this origin pool, valid only with multiple origin pools. Value of 0 will make the pool the lowest priority origin pool. Priority of 1 means highest priority and is considered active. When active origin pool is not available, lower priority origin pools are made active as per the
• weight - Optional Number
Weight of this origin pool, valid only with multiple origin pools. Value of 0 will disable the pool
Origin Pools Weights Cluster
A cluster block (within origin_pools_weights) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Origin Pools Weights Pool
A pool block (within origin_pools_weights) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
TLS TCP
A tls_tcp block supports the following:
• tls_cert_params - Optional Block
Configuration parameter for TLS cert params
See TLS Cert Params below.
• tls_parameters - Optional Block
Configuration parameter for TLS parameters
See TLS Parameters below.
TLS TCP TLS Cert Params
A tls_cert_params block (within tls_tcp) supports the following:
• certificates - Optional Block
Select one or more certificates with any domain names
See Certificates below.
• no_mtls - Optional Block
Enable this option
• tls_config - Optional Block
Defines various options to configure TLS configuration parameters
See TLS Config below.
• use_mtls - Optional Block
Validation context for downstream client TLS connections
See Use mTLS below.
TLS TCP TLS Cert Params Certificates
A certificates block (within tls_tcp.tls_cert_params) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
TLS TCP TLS Cert Params TLS Config
A tls_config block (within tls_tcp.tls_cert_params) supports the following:
• custom_security - Optional Block
Defines TLS protocol config including min/max versions and allowed ciphers
See Custom Security below.
• default_security - Optional Block
Enable this option
• low_security - Optional Block
Enable this option
• medium_security - Optional Block
Enable this option
TLS TCP TLS Cert Params TLS Config Custom Security
Deeply nested Security block collapsed for readability.
TLS TCP TLS Cert Params Use mTLS
A use_mtls block (within tls_tcp.tls_cert_params) supports the following:
• client_certificate_optional - Optional Bool
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certificate verification fails, the connection will be terminated
• crl - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See CRL below.
• no_crl - Optional Block
Enable this option
• trusted_ca - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Trusted CA below.
• trusted_ca_url - Optional String
Upload a Root CA Certificate specifically for this Load Balancer
• xfcc_disabled - Optional Block
Enable this option
• xfcc_options - Optional Block
X-Forwarded-Client-Cert header elements to be added to requests
See Xfcc Options below.
TLS TCP TLS Cert Params Use mTLS CRL
Deeply nested CRL block collapsed for readability.
TLS TCP TLS Cert Params Use mTLS Trusted CA
Deeply nested CA block collapsed for readability.
TLS TCP TLS Cert Params Use mTLS Xfcc Options
Deeply nested Options block collapsed for readability.
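The tls_cert_params choices documented above, set side by side as an added example (not taken from the provider's documentation or acceptance tests): the first resource terminates TLS with the permissive low_security preset and no_mtls, the second uses default_security and requires a client certificate checked against a CA list and a CRL. The certificate, CA and CRL object names are placeholders, and the name/namespace fields inside trusted_ca and crl are an assumption based on the tenant/namespace/name reference form this page describes.

```hcl
# Added example. "example-server-cert", "example-client-ca" and
# "example-client-crl" are placeholder names for objects assumed to exist
# already in the "staging" namespace.

# Weak variant: most permissive tls_config preset, clients not authenticated.
resource "f5xc_tcp_loadbalancer" "tls_weak" {
  name      = "example-tls-weak"
  namespace = "staging"

  domains     = ["weak.example.com"]
  listen_port = 8443
  sni {}

  tls_tcp {
    tls_cert_params {
      certificates {
        name      = "example-server-cert" # placeholder
        namespace = "staging"
      }

      tls_config {
        low_security {}
      }

      # Any client that can reach the VIP can open a session.
      no_mtls {}
    }
  }

  origin_pools_weights {
    pool {
      name      = "example-tcp-pool"
      namespace = "staging"
    }
    weight = 1
  }

  advertise_on_public_default_vip {}
}

# Hardened variant: default preset, client certificate required and
# checked for revocation.
resource "f5xc_tcp_loadbalancer" "tls_mtls" {
  name      = "example-tls-mtls"
  namespace = "staging"

  domains     = ["hardened.example.com"]
  listen_port = 8443
  sni {}

  tls_tcp {
    tls_cert_params {
      certificates {
        name      = "example-server-cert" # placeholder
        namespace = "staging"
      }

      tls_config {
        default_security {}
      }

      use_mtls {
        # false: a connection without a client certificate is refused.
        client_certificate_optional = false

        # Assumed reference fields (name/namespace), see lead-in.
        trusted_ca {
          name      = "example-client-ca" # placeholder
          namespace = "staging"
        }

        # Use crl instead of no_crl so revoked client certificates are rejected.
        crl {
          name      = "example-client-crl" # placeholder
          namespace = "staging"
        }
      }
    }
  }

  origin_pools_weights {
    pool {
      name      = "example-tcp-pool"
      namespace = "staging"
    }
    weight = 1
  }

  advertise_on_public_default_vip {}
}
```

In review, a plan diff that swaps use_mtls for no_mtls, crl for no_crl, or default_security for low_security on a publicly advertised load balancer is the change to look for.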
TLS TCP TLS Parameters
A tls_parameters block (within tls_tcp) supports the following:
• no_mtls - Optional Block
Enable this option
• tls_certificates - Optional Block
Users can add one or more certificates that share the same set of domains. For example, domain.com and *.domain.com - but use different signature algorithms
See TLS Certificates below.
• tls_config - Optional Block
Defines various options to configure TLS configuration parameters
See TLS Config below.
• use_mtls - Optional Block
Validation context for downstream client TLS connections
See Use mTLS below.
TLS TCP TLS Parameters TLS Certificates
A tls_certificates block (within tls_tcp.tls_parameters) supports the following:
• certificate_url - Optional String
TLS certificate. Certificate or certificate chain in PEM format including the PEM headers
• custom_hash_algorithms - Optional Block
Specifies the hash algorithms to be used
See Custom Hash Algorithms below.
• description_spec - Optional String
Description. Description for the certificate
• disable_ocsp_stapling - Optional Block
Configuration parameter for disable OCSP stapling
• private_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Private Key below.
• use_system_defaults - Optional Block
Configuration parameter for use system defaults
TLS TCP TLS Parameters TLS Certificates Custom Hash Algorithms
Deeply nested Algorithms block collapsed for readability.
TLS TCP TLS Parameters TLS Certificates Private Key
Deeply nested Key block collapsed for readability.
TLS TCP TLS Parameters TLS Certificates Private Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
TLS TCP TLS Parameters TLS Certificates Private Key Clear Secret Info
Deeply nested Info block collapsed for readability.
TLS TCP TLS Parameters TLS Config
A tls_config block (within tls_tcp.tls_parameters) supports the following:
• custom_security - Optional Block
Defines TLS protocol config including min/max versions and allowed ciphers
See Custom Security below.
• default_security - Optional Block
Enable this option
• low_security - Optional Block
Enable this option
• medium_security - Optional Block
Enable this option
TLS TCP TLS Parameters TLS Config Custom Security
Deeply nested Security block collapsed for readability.
TLS TCP TLS Parameters Use mTLS
A use_mtls block (within tls_tcp.tls_parameters) supports the following:
• client_certificate_optional - Optional Bool
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certificate verification fails, the connection will be terminated
• crl - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See CRL below.
• no_crl - Optional Block
Enable this option
• trusted_ca - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Trusted CA below.
• trusted_ca_url - Optional String
Upload a Root CA Certificate specifically for this Load Balancer
• xfcc_disabled - Optional Block
Enable this option
• xfcc_options - Optional Block
X-Forwarded-Client-Cert header elements to be added to requests
See Xfcc Options below.
TLS TCP TLS Parameters Use mTLS CRL
A crl block (within tls_tcp.tls_parameters.use_mtls) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
TLS TCP TLS Parameters Use mTLS Trusted CA
Section titled “TLS TCP TLS Parameters Use mTLS Trusted CA”Deeply nested CA block collapsed for readability.
TLS TCP TLS Parameters Use mTLS Xfcc Options
Deeply nested Options block collapsed for readability.
TLS TCP Auto Cert
A tls_tcp_auto_cert block supports the following:
• no_mtls - Optional Block
Enable this option
• tls_config - Optional Block
Defines various OPTIONS to configure TLS configuration parameters
See TLS Config below.
• use_mtls - Optional Block
Validation context for downstream client TLS connections
See Use mTLS below.
TLS TCP Auto Cert TLS Config
A tls_config block (within tls_tcp_auto_cert) supports the following:
• custom_security - Optional Block
Defines TLS protocol config including min/max versions and allowed ciphers
See Custom Security below.
• default_security - Optional Block
Enable this option
• low_security - Optional Block
Enable this option
• medium_security - Optional Block
Enable this option
TLS TCP Auto Cert TLS Config Custom Security
Deeply nested Security block collapsed for readability.
TLS TCP Auto Cert Use mTLS
A use_mtls block (within tls_tcp_auto_cert) supports the following:
• client_certificate_optional - Optional Bool
Client certificate is optional. If the client has provided a certificate, the load balancer will verify it. If certificate verification fails, the connection will be terminated.
• crl - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See CRL below.
• no_crl - Optional Block
Enable this option
• trusted_ca - Optional Block
Type establishes a direct reference from one object (the referrer) to another (the referred). Such a reference is in the form tenant/namespace/name
See Trusted CA below.
• trusted_ca_url - Optional String
Upload a Root CA Certificate specifically for this Load Balancer
• xfcc_disabled - Optional Block
Enable this option
• xfcc_options - Optional Block
X-Forwarded-Client-Cert header elements to be added to requests
See Xfcc Options below.
TLS TCP Auto Cert Use mTLS CRL
A crl block (within tls_tcp_auto_cert.use_mtls) supports the following:
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then name will hold the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then namespace will hold the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), then tenant will hold the referred object’s (e.g. Route’s) tenant
TLS TCP Auto Cert Use mTLS Trusted CA
Deeply nested CA block collapsed for readability.
TLS TCP Auto Cert Use mTLS Xfcc Options
Deeply nested Options block collapsed for readability.
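The use_mtls arguments listed above, shown as an added configuration example (not taken from the provider's documentation or acceptance tests): the first resource accepts clients that send no certificate and skips revocation checks, the second requires a certificate and references a CRL. Object names are placeholders, trusted_ca and crl are assumed to take the name/namespace fields of an Object Reference, and the remaining resource arguments (origin pools, advertisement) are omitted and follow Example Usage.

```hcl
# Added example. "example-client-ca" and "example-client-crl" are placeholder
# object names; they are not defined anywhere on this page.

# Weaker: a certificate is verified only when the client chooses to send one,
# so clients without a certificate still connect. No revocation check.
resource "f5xc_tcp_loadbalancer" "mtls_optional" {
  name        = "example-tcp-mtls-optional"
  namespace   = "staging"
  listen_port = 8443

  tls_tcp_auto_cert {
    use_mtls {
      client_certificate_optional = true
      trusted_ca {
        name      = "example-client-ca"
        namespace = "staging"
      }
      no_crl {} # assumption: alternative to the crl block
      xfcc_disabled {}
    }
  }
}

# Stricter: every client must present a certificate issued under the
# referenced CA, and the referenced CRL is consulted.
resource "f5xc_tcp_loadbalancer" "mtls_required" {
  name        = "example-tcp-mtls-required"
  namespace   = "staging"
  listen_port = 8443

  tls_tcp_auto_cert {
    use_mtls {
      client_certificate_optional = false
      trusted_ca {
        name      = "example-client-ca"
        namespace = "staging"
      }
      crl {
        name      = "example-client-crl"
        namespace = "staging"
      }
      xfcc_disabled {}
    }
  }
}
```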
Common Types
The following type definitions are used throughout this resource. Each is defined once here rather than repeated inline.
Object Reference {#common-object-reference}
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers {#common-transformers}
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
HTTP Methods {#common-http-methods}
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints {#common-tls-fingerprints}
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories {#common-ip-threat-categories}
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:

```shell
# Import using namespace/name format
terraform import f5xc_tcp_loadbalancer.example system/example
```