f5xc_waf_exclusion_policy Resource - terraform-provider-f5xc
f5xc_waf_exclusion_policy (Resource)
Section titled “f5xc_waf_exclusion_policy (Resource)”Manages WAF exclusion policy. in F5 Distributed Cloud.
~> Note For more information about this resource, please refer to the F5 XC API Documentation.
Example Usage
Section titled “Example Usage”# WAF Exclusion Policy Resource Example# Manages WAF exclusion policy. in F5 Distributed Cloud.
terraform { required_version = ">= 1.0"
required_providers { f5xc = { source = "f5xc-salesdemos/f5xc" version = ">= 0.1.0" } }}
# Basic WAF Exclusion Policy configurationresource "f5xc_waf_exclusion_policy" "example" { name = "example-waf-exclusion-policy" namespace = "staging"
labels = { environment = "production" managed_by = "terraform" }
annotations = { "owner" = "platform-team" }
# Resource-specific configuration # WAF Exclusion Rules. An ordered list of rules. waf_exclusion_rules { # Configure waf_exclusion_rules settings } # Enable this option any_domain { # Configure any_domain settings } # Enable this option any_path { # Configure any_path settings }}Argument Reference
Section titled “Argument Reference”🔶 High Risk Operations — Some operations on this resource have high danger level. Destructive operations may require confirmation.
Minimum Configuration
Section titled “Minimum Configuration”Required fields:
namenamespacewaf_exclusion_rules
Example (API format):
apiVersion: v1kind: waf_exclusion_policymetadata: name: example-waf-exclusion namespace: defaultspec: waf_exclusion_rules: - metadata: name: exclude-health exact_path: "/health"Metadata Argument Reference
Section titled “Metadata Argument Reference”• name - Required String
Name of the WAF Exclusion Policy. Must be unique within the namespace
• namespace - Required String
Namespace where the WAF Exclusion Policy will be created
• annotations - Optional Map
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata
• description - Optional String
Human readable description for the object
• disable - Optional Bool
A value of true will administratively disable the object
• labels - Optional Map
Labels is a user defined key value map that can be attached to resources for organization and filtering
Spec Argument Reference
Section titled “Spec Argument Reference”• timeouts - Optional Block
See Timeouts below for details.
• waf_exclusion_rules - Optional Block
WAF Exclusion Rules. An ordered list of rules
See WAF Exclusion Rules below for details.
Attributes Reference
Section titled “Attributes Reference”In addition to all arguments above, the following attributes are exported:
• id - Optional String
Unique identifier for the resource
Timeouts
Section titled “Timeouts”A timeouts block supports the following:
• create - Optional String (Defaults to 10 minutes)
Used when creating the resource
• delete - Optional String (Defaults to 10 minutes)
Used when deleting the resource
• read - Optional String (Defaults to 5 minutes)
Used when retrieving the resource
• update - Optional String (Defaults to 10 minutes)
Used when updating the resource
WAF Exclusion Rules
Section titled “WAF Exclusion Rules”A waf_exclusion_rules block supports the following:
• any_domain - Optional Block
Enable this option
• any_path - Optional Block
Enable this option
• app_firewall_detection_control - Optional Block
Define the list of Signature IDs, Violations, Attack Types and Bot Names that should be excluded from triggering on the defined match criteria
See App Firewall Detection Control below.
• exact_value - Optional String
Exact domain name
• expiration_timestamp - Optional String
Specifies expiration_timestamp the RFC 3339 format timestamp at which the containing rule is considered to be logically expired. The rule continues to exist in the configuration but is not applied anymore
• metadata - Optional Block
MessageMetaType is metadata (common attributes) of a message that only certain messages have. This information is propagated to the metadata of a child object that gets created from the containing message during view processing. The information in this type can be specified by user
during create
See Metadata below.
• methods - Optional List Defaults to ANY
See HTTP Methods
Methods. Methods to be matched
• path_prefix - Optional String
Path prefix to match (e.g. The value / will match on all paths)
• path_regex - Optional String
Define the regex for the path. For example, the regex ^/.*$ will match on all paths
• suffix_value - Optional String
Suffix of domain name e.g ‘xyz.com’ will match ‘*.xyz.com’ and ‘xyz.com’
• waf_skip_processing - Optional Block
Enable this option
WAF Exclusion Rules App Firewall Detection Control
Section titled “WAF Exclusion Rules App Firewall Detection Control”An app_firewall_detection_control block (within waf_exclusion_rules) supports the following:
• exclude_attack_type_contexts - Optional Block
Attack Types to be excluded for the defined match criteria
See Exclude Attack Type Contexts below.
• exclude_bot_name_contexts - Optional Block
Bot Names to be excluded for the defined match criteria
See Exclude Bot Name Contexts below.
• exclude_signature_contexts - Optional Block
Signature IDs to be excluded for the defined match criteria
See Exclude Signature Contexts below.
• exclude_violation_contexts - Optional Block
Violations to be excluded for the defined match criteria
See Exclude Violation Contexts below.
WAF Exclusion Rules App Firewall Detection Control Exclude Attack Type Contexts
Section titled “WAF Exclusion Rules App Firewall Detection Control Exclude Attack Type Contexts”Deeply nested Contexts block collapsed for readability.
WAF Exclusion Rules App Firewall Detection Control Exclude Bot Name Contexts
Section titled “WAF Exclusion Rules App Firewall Detection Control Exclude Bot Name Contexts”Deeply nested Contexts block collapsed for readability.
WAF Exclusion Rules App Firewall Detection Control Exclude Signature Contexts
Section titled “WAF Exclusion Rules App Firewall Detection Control Exclude Signature Contexts”Deeply nested Contexts block collapsed for readability.
WAF Exclusion Rules App Firewall Detection Control Exclude Violation Contexts
Section titled “WAF Exclusion Rules App Firewall Detection Control Exclude Violation Contexts”Deeply nested Contexts block collapsed for readability.
WAF Exclusion Rules Metadata
Section titled “WAF Exclusion Rules Metadata”A metadata block (within waf_exclusion_rules) supports the following:
• description_spec - Optional String
Description. Human readable description
• name - Optional String
Name of the message. The value of name has to follow DNS-1035 format
Common Types
Section titled “Common Types”The following type definitions are used throughout this resource. See the full definition here rather than repeated inline.
Object Reference {#common-object-reference}
Section titled “Object Reference {#common-object-reference}”Object references establish a direct reference from one configuration object to another in F5 Distributed Cloud. References use the format tenant/namespace/name.
| Field | Type | Description |
|---|---|---|
name | String | Name of the referenced object |
namespace | String | Namespace containing the referenced object |
tenant | String | Tenant of the referenced object (system-managed) |
Transformers {#common-transformers}
Section titled “Transformers {#common-transformers}”Transformers apply transformations to input values before matching. Multiple transformers can be applied in order.
| Value | Description |
|---|---|
LOWER_CASE | Convert to lowercase |
UPPER_CASE | Convert to uppercase |
BASE64_DECODE | Decodebase64 content |
NORMALIZE_PATH | Normalize URL path |
REMOVE_WHITESPACE | Remove whitespace characters |
URL_DECODE | Decode URL-encoded characters |
TRIM_LEFT | Trim leading whitespace |
TRIM_RIGHT | Trim trailing whitespace |
TRIM | Trim both leading and trailing whitespace |
HTTP Methods {#common-http-methods}
Section titled “HTTP Methods {#common-http-methods}”HTTP methods used for request matching.
| Value | Description |
|---|---|
ANY | Match any HTTP method |
GET | HTTP GET request |
HEAD | HTTP HEAD request |
POST | HTTP POST request |
PUT | HTTP PUT request |
DELETE | HTTP DELETE request |
CONNECT | HTTP CONNECT request |
OPTIONS | HTTP OPTIONS request |
TRACE | HTTP TRACE request |
PATCH | HTTP PATCH request |
COPY | HTTP COPY request (WebDAV) |
TLS Fingerprints {#common-tls-fingerprints}
Section titled “TLS Fingerprints {#common-tls-fingerprints}”TLS fingerprint categories for malicious client detection.
| Value | Description |
|---|---|
TLS_FINGERPRINT_NONE | No fingerprint matching |
ANY_MALICIOUS_FINGERPRINT | Match any known malicious fingerprint |
ADWARE | Adware-associated fingerprints |
DRIDEX | Dridex malware fingerprints |
GOOTKIT | Gootkit malware fingerprints |
RANSOMWARE | Ransomware-associated fingerprints |
TRICKBOT | Trickbot malware fingerprints |
IP Threat Categories {#common-ip-threat-categories}
Section titled “IP Threat Categories {#common-ip-threat-categories}”IP address threat categories for security filtering.
| Value | Description |
|---|---|
SPAM_SOURCES | Known spam sources |
WINDOWS_EXPLOITS | Windows exploit sources |
WEB_ATTACKS | Web attack sources |
BOTNETS | Known botnet IPs |
SCANNERS | Network scanner IPs |
REPUTATION | Poor reputation IPs |
PHISHING | Phishing-related IPs |
PROXY | Anonymous proxy IPs |
MOBILE_THREATS | Mobile threat sources |
TOR_PROXY | Tor exit nodes |
DENIAL_OF_SERVICE | DoS attack sources |
NETWORK | Known bad network ranges |
Import
Section titled “Import”Import is supported using the following syntax:
# Import using namespace/name formatterraform import f5xc_waf_exclusion_policy.example system/example