f5xc_virtual_host Resource - terraform-provider-f5xc
f5xc_virtual_host (Resource)
Manages a virtual host in a given namespace in F5 Distributed Cloud.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage

```hcl
# Virtual Host Resource Example
# Manages a virtual host in a given namespace in F5 Distributed Cloud.

terraform {
  required_version = ">= 1.0"

  required_providers {
    f5xc = {
      source  = "f5xc-salesdemos/f5xc"
      version = ">= 0.1.0"
    }
  }
}

# Basic Virtual Host configuration
resource "f5xc_virtual_host" "example" {
  name      = "example-virtual-host"
  namespace = "staging"

  labels = {
    environment = "production"
    managed_by  = "terraform"
  }

  annotations = {
    "owner" = "platform-team"
  }

  # Resource-specific configuration

  # Advertise Policy allows you to define networks or sites w...
  advertise_policies {
    # Configure advertise_policies settings
  }

  # [OneOf: authentication, no_authentication; Default: no_au...
  authentication {
    # Configure authentication settings

    # Reference to Authentication Config Object. auth_config is a nested
    # block of authentication (see the Argument Reference), not a top-level
    # argument.
    auth_config {
      # Configure auth_config settings
    }
  }
}
```

Argument Reference
🔶 High Risk Operations — Some operations on this resource have a high danger level. Destructive operations may require confirmation.
Metadata Argument Reference
• name - Required String
Name of the Virtual Host. Must be unique within the namespace
• namespace - Required String
Namespace where the Virtual Host will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
• add_location - Required Bool
Add Location. X-example: true. Appends the header x-F5 Distributed Cloud-location = <RE-site-name> in responses. This configuration is ignored on CE sites
• advertise_policies - Optional Block
Advertise Policy allows you to define networks or sites where you want a VIP for this virtual host to be advertised. Each Policy rule can have different parameters, like TLS configuration, ports, optionally IP address to be used for VIP. If advertise policy is not specified then no VIP is
See Advertise Policies below for details.
-> One of the following:
• append_server_name - Optional String
Specifies the value to be used for Server header if it is not already present. If Server Header is already present it is not overwritten. It is just passed
• default_header - Optional Block
Configuration parameter for default header
• pass_through - Optional Block
Configuration parameter for pass through
-> One of the following:
• authentication - Optional Block
Authentication related information. This allows to configure the URL to redirect after the authentication Authentication Object Reference, configuration of cookie params etc
See Authentication below for details.
• buffer_policy - Optional Block
Some upstream applications are not capable of handling streamed data. This config enables buffering the entire request before sending to upstream application. We can specify the maximum buffer size and buffer interval with this config
See Buffer Policy below for details.
-> One of the following:
• captcha_challenge - Optional Block
Enables loadbalancer to perform captcha challenge. Captcha challenge will be based on Google Recaptcha. With this feature enabled, only clients that pass the captcha challenge will be allowed to complete the HTTP request. When loadbalancer is configured to do Captcha Challenge, it will redirect
See Captcha Challenge below for details.
• js_challenge - Optional Block
Enables loadbalancer to perform client browser compatibility test by redirecting to a page with JavaScript. With this feature enabled, only clients that are capable of executing JavaScript (mostly browsers) will be allowed to complete the HTTP request. When loadbalancer is configured to do
See Js Challenge below for details.
• coalescing_options - Optional Block
TLS connection coalescing configuration (not compatible with mTLS)
See Coalescing Options below for details.
• compression_params - Optional Block
Enables loadbalancer to compress dispatched data from an upstream service upon client request. The content is compressed and then sent to the client with the appropriate headers if either response and request allow. Only GZIP compression is supported
See Compression Params below for details.
• connection_idle_timeout - Required Number
The idle timeout for downstream connections. The idle timeout is defined as the period in which there are no active requests. When the idle timeout is reached the connection will be closed
• cors_policy - Optional Block
Cross-Origin Resource Sharing requests configuration specified at Virtual-host or Route level. Route level configuration takes precedence. An example of a cross-origin HTTP request: GET /resources/public-data/ HTTP/1.1 Host: bar.other User-Agent: Mozilla/5.0 (Macintosh; U; Intel macOS X 10.5
See CORS Policy below for details.
• csrf_policy - Optional Block
To mitigate CSRF attacks, the policy checks where a request is coming from to determine if the request’s origin is the same as its destination. The policy relies on two pieces of information used in determining if a request originated from the same host. 1. The origin that caused the user agent to
See CSRF Policy below for details.
• custom_errors - Optional Block
Map of integer error codes as keys and string values that can be used to provide custom HTTP pages for each error code. The key of the map can be either a response code class or an HTTP error code. Response code classes for the key are configured as follows: 3 — for 3xx response code class, 4 — for 4xx
-> One of the following:
• default_loadbalancer - Optional Block
Configuration parameter for default loadbalancer
• disable_default_error_pages - Required Bool
Option to specify whether to disable using default F5XC error pages
• disable_dns_resolve - Required Bool
Disable DNS resolution for domains specified in the virtual host. When the virtual host is configured as a Dynamic Resolve Proxy (DRP), disable DNS resolution for the configured domains. This configuration is suitable for an HTTP CONNECT proxy
-> One of the following:
• disable_path_normalize - Optional Block
Enable this option
• domains - Required List
List of domain names matched to this virtual host for routing incoming requests. Supports wildcard patterns like *.example.com for subdomain matching
• dynamic_reverse_proxy - Optional Block
In this mode of proxy, virtual host will resolve the destination endpoint dynamically. The dynamic resolution is done using a predefined field in the request. This predefined field depends on the ProxyType configured on the Virtual Host
See Dynamic Reverse Proxy below for details.
• enable_path_normalize - Optional Block
Enable this option
• http_protocol_options - Optional Block
HTTP protocol configuration OPTIONS for downstream connections
See HTTP Protocol Options below for details.
• idle_timeout - Required Number
Idle timeout is the amount of time that the loadbalancer will allow a stream to exist with no upstream or downstream activity. Idle timeout and Proxy Type: HTTP_PROXY, HTTPS_PROXY: Idle timer is started when the first byte is received on the connection. Each time an encode/decode event for
• max_request_header_size - Required Number
The maximum request header size in KiB for incoming connections. If un-configured, the default max request headers allowed is 60 KiB. Requests that exceed this limit will receive a 431 response
-> One of the following:
• max_requests_per_connection - Optional Number
Sets the maximum number of requests a downstream client can send over a single connection to Envoy. Enter a value >=1 to define the request limit per connection
• no_authentication - Optional Block
Configuration parameter for no authentication
• no_challenge - Optional Block
Configuration parameter for no challenge
• no_request_limit_per_connection - Optional Block
Configuration parameter for no request limit per connection
• non_default_loadbalancer - Optional Block
Configuration parameter for non default loadbalancer
• proxy - Required String
Possible values are UDP_PROXY, SMA_PROXY, DNS_PROXY, ZTNA_PROXY, UZTNA_PROXY
ProxyType tells the type of proxy to install for the virtual host. Only the following combination of VirtualHosts within the same AdvertisePolicy is permitted (none of them should have ‘*’ in domains when used with other VirtualHosts in the same AdvertisePolicy): 1. Multiple TCP_PROXY_WITH_SNI and
• rate_limiter_allowed_prefixes - Optional Block
References to ip_prefix_set objects. Requests from source IP addresses that are covered by one of the allowed IP Prefixes are not subjected to rate limiting
See Rate Limiter Allowed Prefixes below for details.
• request_cookies_to_add - Optional Block
Cookies are key-value pairs to be added to HTTP request being routed towards upstream. Cookies specified at this level are applied after cookies from matched Route are applied
See Request Cookies To Add below for details.
• request_cookies_to_remove - Required List
List of keys of Cookies to be removed from the HTTP request being sent towards upstream
• request_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP request being routed towards upstream. Headers specified at this level are applied after headers from matched Route are applied
See Request Headers To Add below for details.
• request_headers_to_remove - Required List
List of keys of Headers to be removed from the HTTP request being sent towards upstream
• response_cookies_to_add - Optional Block
Cookies are name-value pairs along with optional attribute parameters to be added to HTTP response being sent towards downstream. Cookies specified at this level are applied after cookies from matched Route are applied
See Response Cookies To Add below for details.
• response_cookies_to_remove - Required List
List of name of Cookies to be removed from the HTTP response being sent towards downstream. Entire set-cookie header will be removed
• response_headers_to_add - Optional Block
Headers are key-value pairs to be added to HTTP response being sent towards downstream. Headers specified at this level are applied after headers from matched Route are applied
• response_headers_to_remove - Required List
List of keys of Headers to be removed from the HTTP response being sent towards downstream
• retry_policy - Optional Block
Retry policy configuration for route destination
• routes - Optional Block
HTTP routing rules that match incoming requests based on path, headers, or query parameters and forward them to appropriate backend origin pools
• sensitive_data_policy - Optional Block
Policy configuration for this feature
• server_name - Optional String
Specifies the value to be used for Server header inserted in responses. This will overwrite existing values if any for Server Header
• slow_ddos_mitigation - Optional Block
‘Slow and low’ attacks tie up server resources, leaving none available for servicing requests from actual users
• timeouts - Optional Block
-> One of the following:
• tls_cert_params - Optional Block
Certificate Parameters for authentication, TLS ciphers, and trust store
• tls_parameters - Optional Block
TLS configuration for downstream connections
• user_identification - Optional Block
Reference to user_identification object. The rules in the user_identification object are evaluated to determine the user identifier to be rate limited
• waf_type - Optional Block
WAF instance will be pointing to an app_firewall object
Attributes Reference
In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Advertise Policies
An advertise_policies block supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), kind holds the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), uid holds the referred object’s (e.g. Route’s) uid
Authentication
An authentication block supports the following:
• auth_config - Optional Block
Reference to Authentication Config Object
See Auth Config below.
• cookie_params - Optional Block
Specifies different cookie related config parameters for authentication
See Cookie Params below.
• redirect_dynamic - Optional Block
Configuration parameter for redirect dynamic
• redirect_url - Optional String
The user can provide a URL (e.g. HTTPS://abc.xyz.com) to which the user gets redirected. The URL configured here must match the redirect URL configured with the OIDC provider
• use_auth_object_config - Optional Block
Enable this option
Authentication Auth Config
An auth_config block (within authentication) supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), kind holds the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), uid holds the referred object’s (e.g. Route’s) uid
Authentication Cookie Params
A cookie_params block (within authentication) supports the following:
• auth_hmac - Optional Block
HMAC primary and secondary keys to be used for hashing the Cookie. Each key also has an associated expiry timestamp, beyond which the key is invalid
See Auth HMAC below.
• cookie_expiry - Optional Number
Specifies in seconds the max duration of the allocated cookie. This maps to the “Max-Age” attribute in the session cookie. It acts as an expiry duration on the client side, after which the client will no longer send the cookie as part of the request
• cookie_refresh_interval - Optional Number
Specifies in seconds the refresh interval for the session cookie. This is used to keep the active user active and reduce re-login. When an incoming cookie’s session expiry is still valid, and the time to expire falls below this interval, re-issue a cookie with a new expiry and with the same original session
• kms_key_hmac - Optional Block
Configuration parameter for kms key HMAC
• session_expiry - Optional Number
Specifies in seconds the max lifetime of an authenticated session after which the user will be forced to login again. Default session expiry is 86400 seconds (24 hours)
Authentication Cookie Params Auth HMAC
An auth_hmac block (within authentication.cookie_params) supports the following:
• prim_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Prim Key below.
• prim_key_expiry - Optional String
Primary HMAC Key Expiry time
• sec_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Sec Key below.
• sec_key_expiry - Optional String
Secondary HMAC Key Expiry time
Authentication Cookie Params Auth HMAC Prim Key
A prim_key block (within authentication.cookie_params.auth_hmac) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
Authentication Cookie Params Auth HMAC Prim Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Authentication Cookie Params Auth HMAC Prim Key Clear Secret Info
Deeply nested Info block collapsed for readability.
Authentication Cookie Params Auth HMAC Sec Key
A sec_key block (within authentication.cookie_params.auth_hmac) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
Authentication Cookie Params Auth HMAC Sec Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Authentication Cookie Params Auth HMAC Sec Key Clear Secret Info
Deeply nested Info block collapsed for readability.
Buffer Policy
A buffer_policy block supports the following:
• disabled - Optional Bool
Disable buffering for a particular route. This is useful when virtual-host has buffering, but we need to disable it on a specific route. The value of this field is ignored for virtual-host
• max_request_bytes - Optional Number
The maximum request size that the filter will buffer before the connection manager will stop buffering and return a RequestEntityTooLarge (413) response
Captcha Challenge
A captcha_challenge block supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be base64 encoded
Coalescing Options
A coalescing_options block supports the following:
• default_coalescing - Optional Block
Configuration parameter for default coalescing
• strict_coalescing - Optional Block
Configuration parameter for strict coalescing
Compression Params
A compression_params block supports the following:
• content_length - Optional Number Defaults to 30
Minimum response length, in bytes, which will trigger compression. The
• content_type - Optional List
Set of strings specifying which MIME types yield compression. When this field is not defined, compression is applied to the following MIME types: ‘application/javascript’, ‘application/json’, ‘application/xhtml+xml’, ‘image/svg+xml’, ‘text/css’, ‘text/html’, ‘text/plain’, ‘text/xml’
• disable_on_etag_header - Optional Bool
If true, disables compression when the response contains an etag header. When it is false, weak etags will be preserved and the ones that require strong validation will be removed
• remove_accept_encoding_header - Optional Bool
If true, removes accept-encoding from the request headers before dispatching it to the upstream so that responses do not get compressed before reaching the filter
CORS Policy
A cors_policy block supports the following:
• allow_credentials - Optional Bool
Specifies whether the resource allows credentials
• allow_headers - Optional String
Specifies the content for the access-control-allow-headers header
• allow_methods - Optional String
Specifies the content for the access-control-allow-methods header
• allow_origin - Optional List
Specifies the origins that will be allowed to do CORS requests. An origin is allowed if either allow_origin or allow_origin_regex match
• allow_origin_regex - Optional List
Specifies regex patterns that match allowed origins. An origin is allowed if either allow_origin or allow_origin_regex match
• disabled - Optional Bool
Disable the CorsPolicy for a particular route. This is useful when virtual-host has CorsPolicy, but we need to disable it on a specific route. The value of this field is ignored for virtual-host
• expose_headers - Optional String
Specifies the content for the access-control-expose-headers header
• maximum_age - Optional Number
Specifies the content for the access-control-max-age header in seconds. This indicates the maximum number of seconds the results can be cached. A value of -1 will disable caching. Maximum permitted value is 86400 seconds (24 hours)
CSRF Policy
A csrf_policy block supports the following:
• all_load_balancer_domains - Optional Block
Configuration parameter for all load balancer domains
• custom_domain_list - Optional Block
List of domain names used for Host header matching
See Custom Domain List below.
• disabled - Optional Block
Enable this option
CSRF Policy Custom Domain List
A custom_domain_list block (within csrf_policy) supports the following:
• domains - Optional List
List of domain names that will be matched to loadbalancer. These domains are not used for SNI match. Wildcard names are supported in the suffix or prefix form
Dynamic Reverse Proxy
A dynamic_reverse_proxy block supports the following:
• connection_timeout - Optional Number Defaults to 2000
The timeout for new network connections to the upstream server, specified in milliseconds. The default is 2000 (2 seconds)
• resolution_network - Optional Block
Reference to virtual network where the endpoint is resolved. Reference is valid only when the network type is VIRTUAL_NETWORK_PER_SITE or VIRTUAL_NETWORK_GLOBAL. It is ignored for all other network types
See Resolution Network below.
• resolution_network_type - Optional String Defaults to VIRTUAL_NETWORK_SITE_LOCAL
Possible values are VIRTUAL_NETWORK_SITE_LOCAL, VIRTUAL_NETWORK_SITE_LOCAL_INSIDE, VIRTUAL_NETWORK_PER_SITE, VIRTUAL_NETWORK_PUBLIC, VIRTUAL_NETWORK_GLOBAL, VIRTUAL_NETWORK_SITE_SERVICE, VIRTUAL_NETWORK_VER_INTERNAL, VIRTUAL_NETWORK_SITE_LOCAL_INSIDE_OUTSIDE, VIRTUAL_NETWORK_IP_AUTO, VIRTUAL_NETWORK_VOLTADN_PRIVATE_NETWORK, VIRTUAL_NETWORK_SRV6_NETWORK, VIRTUAL_NETWORK_IP_FABRIC, VIRTUAL_NETWORK_SEGMENT, VIRTUAL_NETWORK_MANAGEMENT
Different types of virtual networks understood by the system. A virtual network of type VIRTUAL_NETWORK_SITE_LOCAL provides connectivity to the public (outside) network. This is an insecure network and is connected to the public internet via NAT gateways/firewalls. A virtual network of this type is local to
• resolve_endpoint_dynamically - Optional Bool
X-example: true. In this mode of proxy, the virtual host will resolve the destination endpoint dynamically. The dynamic resolution is done using a predefined field in the request. This predefined field depends on the ProxyType configured on the Virtual Host
Dynamic Reverse Proxy Resolution Network
A resolution_network block (within dynamic_reverse_proxy) supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), kind holds the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), uid holds the referred object’s (e.g. Route’s) uid
HTTP Protocol Options
A http_protocol_options block supports the following:
• http_protocol_enable_v1_only - Optional Block
HTTP/1.1 Protocol OPTIONS for downstream connections
See HTTP Protocol Enable V1 Only below.
• http_protocol_enable_v1_v2 - Optional Block
Configuration parameter for HTTP protocol enable v1 v2
• http_protocol_enable_v2_only - Optional Block
Configuration parameter for HTTP protocol enable v2 only
HTTP Protocol Options HTTP Protocol Enable V1 Only
Deeply nested Only block collapsed for readability.
HTTP Protocol Options HTTP Protocol Enable V1 Only Header Transformation
Deeply nested Transformation block collapsed for readability.
Js Challenge
A js_challenge block supports the following:
• cookie_expiry - Optional Number
Cookie expiration period, in seconds. An expired cookie causes the loadbalancer to issue a new challenge
• custom_page - Optional String
Custom message is of type uri_ref. The only URL scheme currently supported is string:///. For the string:/// scheme, the message needs to be base64 encoded
• js_script_delay - Optional Number
Delay introduced by JavaScript, in milliseconds
Rate Limiter Allowed Prefixes
A rate_limiter_allowed_prefixes block supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), kind holds the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), uid holds the referred object’s (e.g. Route’s) uid
Request Cookies To Add
A request_cookies_to_add block supports the following:
• name - Optional String
Name of the cookie in Cookie header
• overwrite - Optional Bool Defaults to false (do not overwrite)
Should the value be overwritten? If true, the value overwrites existing values
• secret_value - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Secret Value below.
• value - Optional String
Value of the Cookie header
Request Cookies To Add Secret Value
A secret_value block (within request_cookies_to_add) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
Request Cookies To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Request Cookies To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Request Headers To Add
A request_headers_to_add block supports the following:
• append - Optional Bool Defaults to false (do not append)
Should the value be appended? If true, the value is appended to existing values
• name - Optional String
Name of the HTTP header
• secret_value - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Secret Value below.
• value - Optional String
Value of the HTTP header
Request Headers To Add Secret Value
A secret_value block (within request_headers_to_add) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
Request Headers To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Request Headers To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Response Cookies To Add
A response_cookies_to_add block supports the following:
• add_domain - Optional String
Add domain attribute
• add_expiry - Optional String
Add expiry attribute
• add_httponly - Optional Block
Configuration parameter for add httponly
• add_partitioned - Optional Block
Configuration parameter for add partitioned
• add_path - Optional String
Add path attribute
• add_secure - Optional Block
Enable this option
• ignore_domain - Optional Block
Configuration parameter for ignore domain
• ignore_expiry - Optional Block
Configuration parameter for ignore expiry
• ignore_httponly - Optional Block
Configuration parameter for ignore httponly
• ignore_max_age - Optional Block
Configuration parameter for ignore max age
• ignore_partitioned - Optional Block
Configuration parameter for ignore partitioned
• ignore_path - Optional Block
Enable this option
• ignore_samesite - Optional Block
Enable this option
• ignore_secure - Optional Block
Enable this option
• ignore_value - Optional Block
Configuration parameter for ignore value
• max_age_value - Optional Number
Add max age attribute
• name - Optional String
Name of the cookie in Cookie header
• overwrite - Optional Bool Defaults to false (do not overwrite)
Should the value be overwritten? If true, the value overwrites existing values
• samesite_lax - Optional Block
Enable this option
• samesite_none - Optional Block
Enable this option
• samesite_strict - Optional Block
Enable this option
• secret_value - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Secret Value below.
• value - Optional String
Value of the Cookie header
Response Cookies To Add Secret Value
A secret_value block (within response_cookies_to_add) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
Response Cookies To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Response Cookies To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Response Headers To Add
A response_headers_to_add block supports the following:
• append - Optional Bool Defaults to do not append
Should the value be appended? If true, the value is appended to existing values
• name - Optional String
Name of the HTTP header
• secret_value - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Secret Value below.
• value - Optional String
Value of the HTTP header
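The two blocks above are where response hardening lives. The following is an added example, not code from the provider's documentation: it sets a Strict-Transport-Security header on every response and rewrites the attributes of an upstream session cookie so that it is Secure, HttpOnly and SameSite=Strict while leaving the cookie value untouched. It assumes the empty-block style for the enable/ignore options shown in the Example Usage section and that each add_*/ignore_* pair is a mutually exclusive choice; the header and cookie names and values are constructed.

```hcl
# Added example: hardening response headers and cookies on a virtual host.
# Block syntax follows the Example Usage section; header/cookie names are constructed.
resource "f5xc_virtual_host" "hardened" {
  name      = "example-virtual-host"
  namespace = "staging"

  # HSTS on every response. append = false (the documented default, "do not append")
  # means this value replaces an upstream-supplied header instead of producing two.
  response_headers_to_add {
    name   = "Strict-Transport-Security"
    value  = "max-age=31536000; includeSubDomains"
    append = false
  }

  # Rewrite only the attributes of the upstream's session cookie.
  response_cookies_to_add {
    name = "session_id"   # constructed cookie name
    ignore_value {}       # keep the value the upstream set

    add_secure {}         # Secure: never sent over plaintext HTTP
    add_httponly {}       # HttpOnly: not readable from client-side script
    samesite_strict {}    # SameSite=Strict: not sent on cross-site requests
    add_path = "/"

    # Leave whatever Domain, Expiry, Max-Age and Partitioned the upstream already set.
    ignore_domain {}
    ignore_expiry {}
    ignore_max_age {}
    ignore_partitioned {}
  }
}
```

The cookie block is the useful one when the upstream application cannot be changed: the attributes are applied at the edge, so a cookie the application emits without Secure or HttpOnly still reaches the browser with both. Pair add_secure with the HSTS header so the browser never attempts a plaintext request in the first place.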
Response Headers To Add Secret Value
A secret_value block (within response_headers_to_add) supports the following:
• blindfold_secret_info - Optional Block
BlindfoldSecretInfoType specifies information about the Secret managed by F5XC Secret Management
See Blindfold Secret Info below.
• clear_secret_info - Optional Block
ClearSecretInfoType specifies information about the Secret that is not encrypted
See Clear Secret Info below.
Response Headers To Add Secret Value Blindfold Secret Info
Deeply nested Info block collapsed for readability.
Response Headers To Add Secret Value Clear Secret Info
Deeply nested Info block collapsed for readability.
Retry Policy
A retry_policy block supports the following:
• back_off - Optional Block
Specifies parameters that control retry back off
See Back Off below.
• num_retries - Optional Number Defaults to 1
Specifies the allowed number of retries. Retries can be done any number of times; an exponential back-off algorithm is used between each retry
• per_try_timeout - Optional Number
Specifies a non-zero timeout per retry attempt, in milliseconds
• retriable_status_codes - Optional List
HTTP status codes that should trigger a retry in addition to those specified by retry_on
• retry_condition - Optional List
Specifies the conditions under which a retry takes place. Retries can be on different types of condition depending on application requirements, for example network failure, all 5xx response codes, idempotent 4xx response codes, etc. The possible values are ‘5xx’ : Retry will be done if the
Retry Policy Back Off
A back_off block (within retry_policy) supports the following:
• base_interval - Optional Number
Specifies the base interval between retries in milliseconds
• max_interval - Optional Number Defaults to 10 times the base_interval
Specifies the maximum interval between retries in milliseconds. This parameter is optional, but must be greater than or equal to the base_interval if set
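A retry policy is as much a protection for the upstream as for the client: an unbounded one turns a failing backend into a target for N times the original traffic. The following is an added example (not the provider's own code) that bounds retries on the fields documented above. The numbers are constructed, ‘5xx’ is the only retry_condition value this page lists, and the element type of retriable_status_codes is assumed to be numeric.

```hcl
# Added example: a bounded retry policy. Values are constructed, not provider defaults.
resource "f5xc_virtual_host" "with_retries" {
  name      = "example-virtual-host"
  namespace = "staging"

  retry_policy {
    # Cap the retry count so a struggling upstream sees at most 3 attempts per request.
    num_retries = 2

    # Each attempt is abandoned after 1500 ms (per-try, not per-request).
    per_try_timeout = 1500

    # '5xx' is the only retry_condition value documented on this page; the rest of
    # the list is truncated there, so no other value is assumed.
    retry_condition = ["5xx"]

    # Also retry on 429 Too Many Requests, in addition to the 5xx condition above.
    retriable_status_codes = [429]

    back_off {
      base_interval = 100   # ms; the exponential back-off starts from here
      max_interval  = 1000  # ms; must be >= base_interval, as the page states
    }
  }
}
```

Worst case, one client request now costs the upstream three attempts and the client waits roughly 3 × 1500 ms plus at most 100 + 200 ms of back-off, which is the budget you are actually signing off on when you set these numbers. Retrying on 5xx is only safe for idempotent requests; the page's own description of retry_condition makes the same point with "idempotent 4xx response codes".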
Routes
A routes block supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), kind holds the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), uid holds the referred object’s (e.g. the Route’s) uid
Sensitive Data Policy
A sensitive_data_policy block supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), kind holds the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), uid holds the referred object’s (e.g. the Route’s) uid
Slow DDOS Mitigation
A slow_ddos_mitigation block supports the following:
• disable_request_timeout - Optional Block
Configuration parameter for disable request timeout
• request_headers_timeout - Optional Number Defaults to 10000
The amount of time, in milliseconds, the client has to send only the headers on the request stream before the stream is cancelled. This setting provides protection against Slowloris attacks
• request_timeout - Optional Number
Timeouts
A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
TLS Cert Params
A tls_cert_params block supports the following:
• certificates - Optional Block
Set of certificates
See Certificates below.
• cipher_suites - Optional List
The following list specifies the supported cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• client_certificate_optional - Optional Block
Enable this option
• client_certificate_required - Optional Block
Enable this option
• maximum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3. TlsProtocol is an enumeration of supported TLS versions; with TLS_AUTO, F5 Distributed Cloud will choose the optimal TLS version
• minimum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3. TlsProtocol is an enumeration of supported TLS versions; with TLS_AUTO, F5 Distributed Cloud will choose the optimal TLS version
• no_client_certificate - Optional Block
Enable this option
• validation_params - Optional Block
Includes URL for a trust store, whether SAN verification is required and list of Subject Alt Names for verification
See Validation Params below.
• xfcc_header_elements - Optional List Defaults to XFCC_NONE
Possible values are XFCC_NONE, XFCC_CERT, XFCC_CHAIN, XFCC_SUBJECT, XFCC_URI, XFCC_DNS. X-Forwarded-Client-Cert header elements to be set on mTLS-enabled connections. If none are defined, the header will not be added
TLS Cert Params Certificates
A certificates block (within tls_cert_params) supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), kind holds the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), uid holds the referred object’s (e.g. the Route’s) uid
TLS Cert Params Validation Params
A validation_params block (within tls_cert_params) supports the following:
• skip_hostname_verification - Optional Bool
When true, hostname verification is skipped, i.e. the certificate’s CN/Subject Alt Name is not matched against the connecting hostname
• trusted_ca - Optional Block
Reference to a Root CA Certificate object
See Trusted CA below.
• trusted_ca_url - Optional String
Inline Root CA Certificate
• verify_subject_alt_names - Optional List
List of acceptable Subject Alt Names/CN in the peer’s certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer’s certificate
TLS Cert Params Validation Params Trusted CA
A trusted_ca block (within tls_cert_params.validation_params) supports the following:
• trusted_ca_list - Optional Block
Reference to a Root CA Certificate object
See Trusted CA List below.
TLS Cert Params Validation Params Trusted CA Trusted CA List
Deeply nested List block collapsed for readability.
TLS Parameters
A tls_parameters block supports the following:
• client_certificate_optional - Optional Block
Enable this option
• client_certificate_required - Optional Block
Enable this option
• common_params - Optional Block
Information of different aspects for TLS authentication related to ciphers, certificates and trust store
See Common Params below.
• no_client_certificate - Optional Block
Enable this option
• xfcc_header_elements - Optional List Defaults to XFCC_NONE
Possible values are XFCC_NONE, XFCC_CERT, XFCC_CHAIN, XFCC_SUBJECT, XFCC_URI, XFCC_DNS. X-Forwarded-Client-Cert header elements to be set on mTLS-enabled connections. If none are defined, the header will not be added
TLS Parameters Common Params
A common_params block (within tls_parameters) supports the following:
• cipher_suites - Optional List
The following list specifies the supported cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• maximum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3. TlsProtocol is an enumeration of supported TLS versions; with TLS_AUTO, F5 Distributed Cloud will choose the optimal TLS version
• minimum_protocol_version - Optional String Defaults to TLS_AUTO
Possible values are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3. TlsProtocol is an enumeration of supported TLS versions; with TLS_AUTO, F5 Distributed Cloud will choose the optimal TLS version
• tls_certificates - Optional Block
Set of TLS certificates
See TLS Certificates below.
• validation_params - Optional Block
Includes URL for a trust store, whether SAN verification is required and list of Subject Alt Names for verification
See Validation Params below.
TLS Parameters Common Params TLS Certificates
A tls_certificates block (within tls_parameters.common_params) supports the following:
• certificate_url - Optional String
Certificate or certificate chain in PEM format, including the PEM headers
• custom_hash_algorithms - Optional Block
Specifies the hash algorithms to be used
See Custom Hash Algorithms below.
• description_spec - Optional String
Description for the certificate
• disable_ocsp_stapling - Optional Block
Configuration parameter for disable OCSP stapling
• private_key - Optional Block
SecretType is used in an object to indicate a sensitive/confidential field
See Private Key below.
• use_system_defaults - Optional Block
Configuration parameter for use system defaults
TLS Parameters Common Params TLS Certificates Custom Hash Algorithms
Deeply nested Algorithms block collapsed for readability.
TLS Parameters Common Params TLS Certificates Private Key
Deeply nested Key block collapsed for readability.
TLS Parameters Common Params TLS Certificates Private Key Blindfold Secret Info
Deeply nested Info block collapsed for readability.
TLS Parameters Common Params TLS Certificates Private Key Clear Secret Info
Deeply nested Info block collapsed for readability.
TLS Parameters Common Params Validation Params
A validation_params block (within tls_parameters.common_params) supports the following:
• skip_hostname_verification - Optional Bool
When true, hostname verification is skipped, i.e. the certificate’s CN/Subject Alt Name is not matched against the connecting hostname
• trusted_ca - Optional Block
Reference to a Root CA Certificate object
See Trusted CA below.
• trusted_ca_url - Optional String
Inline Root CA Certificate
• verify_subject_alt_names - Optional List
List of acceptable Subject Alt Names/CN in the peer’s certificate. When skip_hostname_verification is false and verify_subject_alt_names is empty, the hostname of the peer will be used for matching against SAN/CN of peer’s certificate
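The tls_parameters block and its common_params and validation_params sub-blocks above (and the tls_cert_params block, which carries the same cipher, protocol-version and validation fields one level shallower) are where the TLS floor and client-certificate policy are set. The following is an added example, not code from the provider's documentation: it pins the protocol range to TLS 1.2 and 1.3, restricts the cipher suites to AEAD entries from the documented list, requires a client certificate, validates it against an inline root CA with hostname verification left on, and forwards the client identity to the upstream via XFCC. It assumes the empty-block style for the oneof options shown in the Example Usage section; the CA file path, the SAN value and the use of file() for trusted_ca_url are assumptions, and tls_certificates is omitted because its private_key sub-blocks are collapsed on this page.

```hcl
# Added example: TLS floor and mutual TLS with client-certificate validation.
# Empty-block oneof style follows the Example Usage section; CA path and SAN are constructed.
resource "f5xc_virtual_host" "mtls" {
  name      = "example-virtual-host"
  namespace = "staging"

  tls_parameters {
    # Require a client certificate. The documented alternatives are
    # client_certificate_optional and no_client_certificate.
    client_certificate_required {}

    # Forward the verified client subject and URI SAN so the upstream can authorize
    # per identity. XFCC_NONE (the documented default) would suppress the header.
    xfcc_header_elements = ["XFCC_SUBJECT", "XFCC_URI"]

    common_params {
      # Refuse TLS 1.0/1.1 instead of leaving both bounds at TLS_AUTO.
      minimum_protocol_version = "TLSv1_2"
      maximum_protocol_version = "TLSv1_3"

      # AEAD suites only, all taken from the list documented above.
      cipher_suites = [
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      ]

      validation_params {
        # Inline root CA that issues the client certificates. The page documents this
        # as an inline certificate string; the file path and encoding are assumptions.
        trusted_ca_url = file("${path.module}/client-root-ca.pem")

        # Keep hostname/SAN verification on (false is the safe value) and pin the
        # identities that are accepted. The SAN below is a constructed value.
        skip_hostname_verification = false
        verify_subject_alt_names   = ["spiffe://example.internal/service/api-client"]
      }
    }
  }
}
```

The two settings to review in any plan are skip_hostname_verification and the protocol bounds: setting the former to true accepts any certificate the CA signed regardless of the name in it, and leaving minimum_protocol_version at TLS_AUTO delegates the floor to the platform rather than recording it in the configuration. verify_subject_alt_names is the allow-list; the page notes that when it is empty and verification is on, the peer's hostname is what gets matched instead.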
TLS Parameters Common Params Validation Params Trusted CA
Deeply nested CA block collapsed for readability.
TLS Parameters Common Params Validation Params Trusted CA Trusted CA List
Deeply nested List block collapsed for readability.
User Identification
A user_identification block supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), kind holds the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), uid holds the referred object’s (e.g. the Route’s) uid
WAF Type
A waf_type block supports the following:
• app_firewall - Optional Block
List of references to the app_firewall configuration objects
See App Firewall below.
• disable_waf - Optional Block
Configuration parameter for disable WAF
• inherit_waf - Optional Block
Configuration parameter for inherit WAF
WAF Type App Firewall
An app_firewall block (within waf_type) supports the following:
• app_firewall - Optional Block
References to an Application Firewall configuration object
See App Firewall below.
WAF Type App Firewall App Firewall
An app_firewall block (within waf_type.app_firewall) supports the following:
• kind - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), kind holds the referred object’s kind (e.g. ‘route’)
• name - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), name holds the referred object’s (e.g. the Route’s) name
• namespace - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), namespace holds the referred object’s (e.g. the Route’s) namespace
• tenant - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), tenant holds the referred object’s (e.g. the Route’s) tenant
• uid - Optional String
When a configuration object (e.g. Virtual_host) refers to another (e.g. route), uid holds the referred object’s (e.g. the Route’s) uid
Common Types
The following type definitions are used throughout this resource. Each is defined once here rather than being repeated inline.
Object Reference
Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
| name | String | Name of the referenced object |
| namespace | String | Namespace containing the referenced object |
| tenant | String | Tenant of the referenced object (system-managed) |
Transformers
Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
| LOWER_CASE | Convert to lowercase |
| UPPER_CASE | Convert to uppercase |
| BASE64_DECODE | Decode base64 content |
| NORMALIZE_PATH | Normalize URL path |
| REMOVE_WHITESPACE | Remove whitespace characters |
| URL_DECODE | Decode URL-encoded characters |
| TRIM_LEFT | Trim leading whitespace |
| TRIM_RIGHT | Trim trailing whitespace |
| TRIM | Trim both leading and trailing whitespace |
HTTP Methods
HTTP methods used for request matching.
| Value | Description |
|---|---|
| ANY | Match any HTTP method |
| GET | HTTP GET request |
| HEAD | HTTP HEAD request |
| POST | HTTP POST request |
| PUT | HTTP PUT request |
| DELETE | HTTP DELETE request |
| CONNECT | HTTP CONNECT request |
| OPTIONS | HTTP OPTIONS request |
| TRACE | HTTP TRACE request |
| PATCH | HTTP PATCH request |
| COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints
TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
| TLS_FINGERPRINT_NONE | No fingerprint matching |
| ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
| ADWARE | Adware-associated fingerprints |
| DRIDEX | Dridex malware fingerprints |
| GOOTKIT | Gootkit malware fingerprints |
| RANSOMWARE | Ransomware-associated fingerprints |
| TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories
IP address threat categories for security filtering.
| Value | Description |
|---|---|
| SPAM_SOURCES | Known spam sources |
| WINDOWS_EXPLOITS | Windows exploit sources |
| WEB_ATTACKS | Web attack sources |
| BOTNETS | Known botnet IPs |
| SCANNERS | Network scanner IPs |
| REPUTATION | Poor reputation IPs |
| PHISHING | Phishing-related IPs |
| PROXY | Anonymous proxy IPs |
| MOBILE_THREATS | Mobile threat sources |
| TOR_PROXY | Tor exit nodes |
| DENIAL_OF_SERVICE | DoS attack sources |
| NETWORK | Known bad network ranges |
Import
Import is supported using the following syntax:
# Import using namespace/name format
terraform import f5xc_virtual_host.example system/example